Criptografia de TLS do Postfix para email de saída

3

Este é o meu arquivo de configuração post.cnf do postfix

smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# TLS parameters
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtp_sasl_security_options = noanonymous
smtpd_tls_loglevel = 1
smtpd_tls_auth_only = yes
smtp_tls_ciphers = export
smtp_tls_security_level = encrypt

smtp_tls_note_starttls_offer = yes
smtpd_tls_cert_file=/etc/ssl/certs/smtpd.crt
smtpd_tls_key_file=/etc/ssl/private/smtpd.key
smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination
myhostname = 4051.localdomain
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = $myhostname, 4051.localdomain, localhost.localdomain, localhost
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = ipv4

Estou tentando enviar um e-mail e este é o erro:

Aug 23 15:23:08 4051 postfix/qmgr[31284]: 7BC223100C2D: from=<[email protected]>, size=931, nrcpt=1 (queue active)
Aug 23 15:23:08 4051 postfix/smtp[31344]: 7BC223100C2D: TLS is required, but was not offered by host gmail-smtp-in.l.google.com[74.125.195.27]
Aug 23 15:23:09 4051 postfix/smtp[31344]: 7BC223100C2D: TLS is required, but was not offered by host alt1.gmail-smtp-in.l.google.com[173.194.221.26]
Aug 23 15:23:10 4051 postfix/smtp[31344]: 7BC223100C2D: TLS is required, but was not offered by host alt2.gmail-smtp-in.l.google.com[74.125.68.26]
Aug 23 15:23:11 4051 postfix/smtp[31344]: 7BC223100C2D: TLS is required, but was not offered by host alt3.gmail-smtp-in.l.google.com[64.233.189.26]
Aug 23 15:23:13 4051 postfix/smtp[31344]: 7BC223100C2D: to=<[email protected]>, relay=alt4.gmail-smtp-in.l.google.com[173.194.72.26]:25, delay=487, delays=482/0.04/4.4/0, dsn=4.7.4, status=deferred (TLS is required, but was not offered by host alt4.gmail-smtp-in.l.google.com[173.194.72.26])

Tenho certeza de que o Gmail suporta e-mails criptografados, então qual é a possível causa do problema?

    
por Gotenks 23.08.2016 / 17:26

1 resposta

1

Para o Cisco IOS Firewalls:

Graças ao comentário de Stephen Harris, acima, citado aqui:

If you don't see STARTTLS in the telnet output then nothing you can do on postfix will get TLS working. You have a lower level dataflow problem.

Estou por trás de um Cisco 2851 com o Cisco IOS v 15.1. A solução para mim foi corrigir o filtro de inspeção esmtp. Leia: Inspeção e Controle de Aplicativos para SMTP . Por exemplo, substituiu o comando EHLO 250-STARTTLS por XXX's: 250-XXXXXXXX .

show running-config na linha de comando do roteador revelou uma lista de filtros ativos, incluindo esmtp:

ip inspect name APPWIZ http
ip inspect name APPWIZ https
ip inspect name APPWIZ tcp
ip inspect name APPWIZ udp
ip inspect name APPWIZ sip
ip inspect name APPWIZ pop3
ip inspect name APPWIZ imap
ip inspect name APPWIZ icmp
ip inspect name APPWIZ ftp
ip inspect name APPWIZ dns
ip inspect name APPWIZ esmtp

A solução imediata para mim foi desativar a inspeção esmtp (até que eu possa configurá-lo adequadamente) da seguinte forma:

configure terminal
no ip inspect name APPWIZ esmtp
exit
write memory

Você precisará substituir APPWIZ pelo nome do seu mapa de classes de inspeção.

    
por 09.08.2017 / 16:11