View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
| --- | --- | --- | --- | --- | --- |
| 0009348 | administration | operations | public | 2015-09-01 12:28 | 2018-10-31 13:56 |

| Target Version | Fixed in Version |
| --- | --- |
|  |  |
Summary: 0009348: mail.centos.org does not negotiate TLS with STARTTLS capable mail servers

Description: In its current configuration, 'mail.centos.org' does not negotiate a TLS connection but always uses plain text, even for destinations that support STARTTLS, like Gmail and Hotmail. This means that information is transferred in the clear while robust transport encryption is available.
Note: This is purely for OUTGOING mail, which, unlike incoming mail, does not require setting up certificates and the like. SMTP client (smtp) and SMTP server (smtpd) in Postfix each have separate settings.
Steps To Reproduce: The default Postfix configuration does not enable this:
$ sudo postconf -d | grep smtp_tls_security_level
So it needs to be explicitly enabled, with 'smtp_tls_security_level = may'. The following is from a CentOS 6 box we have:
$ sudo postconf -n | grep smtp_tls_
smtp_tls_loglevel = 1
smtp_tls_security_level = may
This should be all that is required to enable TLS for outgoing mail.
Additional Information: avij said the following on #centos-devel, which might be relevant:
"as far as my Postfix on C7 is concerned, I also needed to add smtp_tls_session_cache_database=btree:/var/lib/postfix/smtp_scache and smtp_tls_CAfile=/etc/pki/tls/certs/ca-bundle.crt to the default config, in addition to that smtp_tls_security_level = may"
It's not necessary on our CentOS 6 box, and it should not be required by default, but who knows ... test and see!
Note 0024080 (arrfab, 2015-09-01 12:34):
Acknowledged. I'll work on some testing, as current MX nodes are running CentOS 6 and 5 (so postfix-2.6.6-6.el6_5.x86_64 and postfix-2.3.3-7.el5).
Thanks for the pointers.
Note 0024081 (sindarina, 2015-09-01 12:34):
The 'smtp_tls_loglevel = 1' setting is not strictly necessary, but rather useful, as it will show the negotiated cipher, any errors in negotiating TLS connections, and so on.
Higher than 1 is not recommended; that is only needed for debugging deeper problems than the day-to-day care and feeding.
Note 0024252 (arrfab, 2015-09-02 12:40):
Implemented today, on both mail.centos.org and mail2.centos.org (both for incoming and outgoing mails).
Closing that RFE now. (Thanks for the ticket and pointers.)
Note 0024253 (arrfab, 2015-09-02 12:40):
Pushed through Puppet and applied.
Verified through maillog that it works for both incoming and outgoing mails.
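One way to do the maillog verification the last note mentions, as an added example and not code from the ticket or from Postfix: a Python check that reads the 'TLS connection established' lines that 'smtp_tls_loglevel = 1' writes and pairs them with the 'status=sent' deliveries logged by the same smtp process, so deliveries that went out in plain text stand out per relay. The log excerpt, relay names, pids and queue ids are constructed; whether a handshake is logged as Trusted/Verified rather than Untrusted depends on a CA bundle such as the smtp_tls_CAfile avij mentions.

```python
# Added example (not from the ticket or from Postfix): pair the "... TLS connection
# established to host[ip]:port ..." lines that smtp_tls_loglevel = 1 produces with
# the "status=sent" lines from the same postfix/smtp[pid] to see what went out encrypted.
import re
from collections import defaultdict
TLS_RE = re.compile(
    r"postfix/smtp\[(?P<pid>\d+)\]: (?P<trust>Anonymous|Untrusted|Trusted|Verified) "
    r"TLS connection established to (?P<host>[^\[\s]+)\[[^\]]*\]:\d+: "
    r"(?P<proto>\S+) with cipher (?P<cipher>\S+)")
SENT_RE = re.compile(
    r"postfix/smtp\[(?P<pid>\d+)\]: (?P<qid>[0-9A-F]+): to=<(?P<rcpt>[^>]+)>, "
    r"(?:orig_to=<[^>]+>, )?relay=(?P<host>[^\[\s,]+)\[[^\]]*\]:\d+, .*status=sent")

def audit(lines):
    """Return ({relay: {"tls", "trusted", "plain"}}, [(qid, rcpt, relay) sent in clear])."""
    tls = {}  # pid -> (host, trust, proto, cipher) of that process's last handshake
    counts = defaultdict(lambda: {"tls": 0, "trusted": 0, "plain": 0})
    plain = []
    for line in lines:
        m = TLS_RE.search(line)
        if m:
            tls[m["pid"]] = (m["host"], m["trust"], m["proto"], m["cipher"])
            continue
        m = SENT_RE.search(line)
        if not m:
            continue  # deferred/bounced deliveries, relay=none, other daemons
        # Heuristic: handshake and delivery must share pid and relay host, else it was plain text.
        session = tls.get(m["pid"])
        if session and session[0] == m["host"]:
            counts[m["host"]]["tls"] += 1
            if session[1] in ("Trusted", "Verified"):  # peer cert chained to the CA bundle
                counts[m["host"]]["trusted"] += 1
        else:
            counts[m["host"]]["plain"] += 1
            plain.append((m["qid"], m["rcpt"], m["host"]))
    return dict(counts), plain

# Constructed maillog excerpt: hosts, addresses, pids and queue ids are made up.
SAMPLE_LOG = """\
Sep  2 12:40:01 mail postfix/smtp[4321]: Untrusted TLS connection established to mx.example-a.test[192.0.2.10]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Sep  2 12:40:01 mail postfix/smtp[4321]: 0A1B2C3D4E: to=<alice@example-a.test>, relay=mx.example-a.test[192.0.2.10]:25, delay=0.9, dsn=2.0.0, status=sent (250 2.0.0 OK)
Sep  2 12:40:03 mail postfix/smtp[4322]: 1B2C3D4E5F: to=<bob@example-b.test>, relay=mx.example-b.test[198.51.100.7]:25, delay=0.7, dsn=2.0.0, status=sent (250 OK)
Sep  2 12:40:05 mail postfix/smtp[4321]: 2C3D4E5F60: to=<carol@example-b.test>, relay=mx.example-b.test[198.51.100.7]:25, delay=0.8, dsn=2.0.0, status=sent (250 OK)
Sep  2 12:40:06 mail postfix/smtp[4323]: 3D4E5F6071: to=<dave@example-c.test>, relay=none, delay=30, dsn=4.4.1, status=deferred (connect to mx.example-c.test[203.0.113.5]:25: Connection timed out)
"""
if __name__ == "__main__":
    per_relay, in_clear = audit(SAMPLE_LOG.splitlines())
    print(per_relay)
    print("sent in clear:", in_clear)
```

With 'smtp_tls_security_level = may' an Untrusted handshake still counts as encrypted here, since that level only promises opportunistic encryption, not authentication of the peer.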
| Date Modified | Username | Field | Change |
| --- | --- | --- | --- |
| 2015-09-01 12:28 | sindarina | New Issue |  |
| 2015-09-01 12:34 | arrfab | Note Added: 0024080 |  |
| 2015-09-01 12:34 | arrfab | Status | new => acknowledged |
| 2015-09-01 12:34 | sindarina | Note Added: 0024081 |  |
| 2015-09-01 23:02 | Nomii | Issue cloned: 0009352 |  |
| 2015-09-02 12:40 | arrfab | Note Added: 0024252 |  |
| 2015-09-02 12:40 | arrfab | Note Added: 0024253 |  |
| 2015-09-02 12:40 | arrfab | Status | acknowledged => resolved |
| 2015-09-02 12:40 | arrfab | Resolution | open => fixed |
| 2018-10-31 13:56 | toursoption | Tag Attached: turkey.toursoption.com |  |