View Issue Details

ID: 0009348
Project: administration
Category: operations
View Status: public
Last Update: 2018-10-31 13:56
Status: resolved
Resolution: fixed
Product Version:
Target Version:
Fixed in Version:
Summary: 0009348: does not negotiate TLS with STARTTLS capable mail servers
Description: In its current configuration, '' does not negotiate a TLS connection but always uses plain text, even for destinations that support STARTTLS, like Gmail and Hotmail. This means that information is transferred in the clear while robust transport encryption is available.

Note: This is purely for OUTGOING mail, which, unlike incoming mail, does not require setting up certificates and the like. SMTP client (smtp) and SMTP server (smtpd) in Postfix each have separate settings.
Steps To Reproduce: The default Postfix configuration does not enable this:

$ sudo postconf -d | grep smtp_tls_security_level
smtp_tls_security_level =

So it needs to be explicitly enabled, with 'smtp_tls_security_level = may'. The following is from a CentOS 6 box we have:

$ sudo postconf -n | grep smtp_tls_
smtp_tls_loglevel = 1
smtp_tls_security_level = may

This should be all that is required to enable TLS for outgoing mail.
Additional Information: avij said the following on #centos-devel, which might be relevant:

"as far as my Postfix on C7 is concerned, I also needed to add smtp_tls_session_cache_database=btree:/var/lib/postfix/smtp_scache and smtp_tls_CAfile=/etc/pki/tls/certs/ca-bundle.crt to the default config, in addition to that smtp_tls_security_level = may"

It's not necessary on our CentOS 6 box, and it should not be required by default, but who knows ... test and see!




2015-09-01 12:34

administrator   ~0024080

Acknowledged. I'll work on some testing, as current MX nodes are running CentOS 6 and 5 (so postfix-2.6.6-6.el6_5.x86_64 and postfix-2.3.3-7.el5).
Thanks for the pointers.


2015-09-01 12:34

reporter   ~0024081

The 'smtp_tls_loglevel = 1' setting is not strictly necessary, but rather useful, as it will show the negotiated cipher, any errors in negotiating TLS connections, and so on.

Higher than 1 is not recommended, that's only needed for debugging deeper problems than the day-to-day care and feeding.
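The two checks an operator would actually want after reading the ticket are (a) does `postconf -n` show the outbound TLS settings from the Description and from avij's note, and (b) once `smtp_tls_loglevel = 1` is on, which deliveries in the maillog were in fact encrypted and which still went out in the clear. The script below is an added example written for this page; it is not part of the ticket, of Postfix, or of the CentOS infra Puppet code. The `postconf -n` output and the maillog lines embedded in it are constructed samples (hostnames, addresses and queue IDs are made up), modelled on the log format Postfix writes at loglevel 1 ("Trusted/Untrusted/Anonymous/Verified TLS connection established to host[ip]:port: proto with cipher ..."). Deliveries are paired with TLS sessions by the smtp client process id, since the same `postfix/smtp[pid]` logs the TLS line and then the `status=sent` line.

```python
import re
from collections import namedtuple

# Constructed `postconf -n` output, modelled on the CentOS 6 box in the ticket,
# plus the session cache and CAfile settings avij mentioned for C7.
SAMPLE_POSTCONF = """\
myhostname = mx1.example.org
smtp_tls_loglevel = 1
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_scache
smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
"""

# Constructed maillog excerpt in the format Postfix uses at smtp_tls_loglevel = 1.
SAMPLE_MAILLOG = """\
Sep  2 12:40:01 mx1 postfix/smtp[4242]: Trusted TLS connection established to gmail-smtp-in.l.google.com[192.0.2.27]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Sep  2 12:40:01 mx1 postfix/smtp[4242]: 1A2B3C4D5E: to=<user@gmail.com>, relay=gmail-smtp-in.l.google.com[192.0.2.27]:25, delay=0.7, delays=0.1/0/0.3/0.3, dsn=2.0.0, status=sent (250 2.0.0 OK)
Sep  2 12:40:05 mx1 postfix/smtp[4243]: 1A2B3C4D5F: to=<user@legacy.example>, relay=mail.legacy.example[198.51.100.9]:25, delay=0.4, delays=0.1/0/0.1/0.2, dsn=2.0.0, status=sent (250 OK)
Sep  2 12:40:09 mx1 postfix/smtpd[4250]: Anonymous TLS connection established from mail.partner.example[203.0.113.5]: TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)
"""


def check_smtp_tls_config(postconf_text):
    """Summarise the outbound (smtp client) TLS settings from `postconf -n` output.

    An empty or 'none' smtp_tls_security_level is the Postfix default and means
    every outbound delivery is cleartext, which is the bug in this ticket.
    """
    settings = {}
    for line in postconf_text.splitlines():
        if "=" in line and not line.startswith("#"):
            key, _, value = line.partition("=")
            settings[key.strip()] = value.strip()
    level = settings.get("smtp_tls_security_level", "")
    return {
        "level": level,
        "cleartext_only": level in ("", "none"),
        # Without loglevel >= 1 the negotiated protocol and cipher are not logged.
        "tls_logged": settings.get("smtp_tls_loglevel", "0") != "0",
        # Without a CAfile, peer certificates cannot be verified, so sessions
        # will log as Untrusted or Anonymous rather than Trusted.
        "ca_file_set": bool(settings.get("smtp_tls_CAfile")),
    }


TLS_RE = re.compile(
    r"postfix/(?P<daemon>smtpd?)\[(?P<pid>\d+)\]: "
    r"(?P<trust>Trusted|Untrusted|Verified|Anonymous) TLS connection established "
    r"(?:to|from) (?P<host>[^\[]+)\[(?P<ip>[^\]]+)\](?::\d+)?: "
    r"(?P<proto>\S+) with cipher (?P<cipher>\S+) \((?P<bits>\d+)/\d+ bits\)"
)
SENT_RE = re.compile(
    r"postfix/smtp\[(?P<pid>\d+)\]: (?P<qid>[0-9A-F]+): to=<(?P<rcpt>[^>]+)>, "
    r"relay=(?P<host>[^\[]+)\[(?P<ip>[^\]]+)\](?::\d+)?, .*status=sent"
)

Delivery = namedtuple("Delivery", "qid rcpt relay tls")


def audit_outbound_tls(maillog_text):
    """Pair each outbound delivery with the TLS session its smtp process logged.

    Returns (encrypted, cleartext): deliveries whose relay matches a preceding
    TLS line from the same pid, and deliveries with no such session.
    """
    last_tls = {}
    encrypted, cleartext = [], []
    for line in maillog_text.splitlines():
        m = TLS_RE.search(line)
        if m:
            if m.group("daemon") == "smtp":  # outbound only; smtpd lines are inbound
                last_tls[m.group("pid")] = m.groupdict()
            continue
        m = SENT_RE.search(line)
        if not m:
            continue
        tls = last_tls.get(m.group("pid"))
        if tls and tls["host"] == m.group("host"):
            encrypted.append(Delivery(m.group("qid"), m.group("rcpt"), m.group("host"), tls))
        else:
            cleartext.append(Delivery(m.group("qid"), m.group("rcpt"), m.group("host"), None))
    return encrypted, cleartext


if __name__ == "__main__":
    print("config:", check_smtp_tls_config(SAMPLE_POSTCONF))
    enc, clear = audit_outbound_tls(SAMPLE_MAILLOG)
    for d in enc:
        print(f"TLS  {d.qid} -> {d.relay} {d.tls['proto']} {d.tls['cipher']} ({d.tls['trust']})")
    for d in clear:
        print(f"PLAIN {d.qid} -> {d.relay}  (no STARTTLS negotiated)")
```

Run against a real box with `postconf -n` and `/var/log/maillog` in place of the constructed samples; a non-empty cleartext list after enabling `may` is expected for remote hosts that simply do not offer STARTTLS, which is the opportunistic mode's intended behaviour.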


2015-09-02 12:40

administrator   ~0024252

Implemented today, on both and (both for incoming and outgoing mails).
Closing that RFE now. (Thanks for the ticket and pointers.)


2015-09-02 12:40

administrator   ~0024253

Pushed through puppet and applied.
Verified through maillog that it works for both incoming and outgoing mails.

Issue History

Date Modified Username Field Change
2015-09-01 12:28 sindarina New Issue
2015-09-01 12:34 arrfab Note Added: 0024080
2015-09-01 12:34 arrfab Status new => acknowledged
2015-09-01 12:34 sindarina Note Added: 0024081
2015-09-01 23:02 Nomii Issue cloned: 0009352
2015-09-02 12:40 arrfab Note Added: 0024252
2015-09-02 12:40 arrfab Note Added: 0024253
2015-09-02 12:40 arrfab Status acknowledged => resolved
2015-09-02 12:40 arrfab Resolution open => fixed
2018-10-31 13:56 toursoption Tag Attached: