Google's gmail and tls policy

fasttech · 2019-02-06 01:00:21 UTC

NethServer Version: 7.6.1810 final
Module: postfix

I tried every one of our available tls policies… and verified each changed in main.cf, each policy still causes hate with google.
Feb 5 17:53:44 server9b postfix/smtp[28379]: Untrusted TLS connection established to alt1.gmail-smtp-in.l.google.com[173.194.197.26]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)

Lowest policy in main.cf.
# TLS for smtp
#

# SMTP
smtp_tls_security_level = may
smtp_tls_loglevel = 1
smtp_tls_cert_file = /etc/postfix/postfix.crt
smtp_tls_key_file = /etc/postfix/postfix.key

# Force cipher 2018-03-30
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_mandatory_ciphers=high

fasttech · 2019-02-06 01:04:36 UTC

Curiously though, when I set policy to 10-2018 postfix says 6-2018, I read the docs and I see it states that 10-2018 only applies to ejabber but still…

#
# TLS
# cipher selection 2018-06-21 (RSA and ECC certificate)
#

smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_ciphers=high
tls_high_cipherlist=ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:kEDH:CAMELLIA128-SHA:AES128-SHA
smtpd_tls_exclude_ciphers=aNULL:eNULL:LOW:3DES:MD5:EXP:PSK:DSS:RC4:SEED:IDEA

tls_preempt_cipherlist = yes

davidep · 2019-02-06 07:23:42 UTC

Do you have a self-signed certificate?

fasttech · 2019-02-06 15:45:05 UTC

Letsencrypt, generated by the ui post upgrade.