Postfix STARTTLS only on port 25

SMTPS means SMTP over TLS, like with HTTPS. So first a TLS connection is established (without fallback), and then SMTP is started. Just as nobody expects HTTPS on the HTTP port 80, you should not expect that anybody who connects to your SMTP service sends TLS requests. Thus, all connections to your server on port 25 will likely fail if you enforce TLS!

STARTTLS makes encryption optional. First, a normal, unencrypted SMTP connection is established, and then the server announces that it can upgrade to STARTTLS (using a so-called SMTP extension). If the server also supports STARTTLS (and it is enabled for usage), the client requests the upgrade to TLS.

SMTPS (SMTP over TLS) is enabled in Postfix via smtpd_tls_wrappermode=yes; you set that for the smtp service, thus on port 25. As written above, this is not recommended.

I want to cite parts of Bettercrypto's paper Applied Crypto Hardening on this issue for both master.cf and main.cf. You may also consult it, as you probably have some settings in your main.cf that hinder a proper setup of TLS usage.

main.cf:

# enable opportunistic TLS support in the SMTP server and client
smtpd_tls_security_level = may
smtp_tls_security_level = may
# if you have authentication enabled, only offer it after STARTTLS
smtpd_tls_auth_only = yes

master.cf:

smtp      inet  n       -       -       -       -       smtpd
submission inet n       -       -       -       -       smtpd
  -o smtpd_tls_security_level=encrypt

We don't set anything new for TLS on port 25, as the defaults in main.cf are all we need.
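The distinction the answer draws (wrapper-mode SMTPS speaks TLS from the first byte, STARTTLS starts in plaintext and upgrades after EHLO) is exactly what decides whether a plain `openssl s_client -connect host:25` works or fails, as the comments below discuss. The following probe is an added example, not code from the answer, from the question's author or from Postfix. It connects, waits to see whether the server greets in plaintext or stays silent waiting for a TLS ClientHello, and then negotiates TLS the matching way. The host, port and the EHLO name `probe.example` are placeholders; the greeting timeout is an assumption and a server that delays its banner longer than that (postscreen does this on purpose) would be misclassified as silent, so raise it if you see handshake errors against a known STARTTLS host.

```python
"""Probe an SMTP port: does it speak SMTPS (TLS first) or STARTTLS (plaintext first)?"""
import socket
import ssl
import sys

EHLO_NAME = b"probe.example"  # placeholder client name; use your own FQDN in practice


def classify_first_bytes(data: bytes) -> str:
    """Classify what the server sent (or did not send) right after the TCP connect.

    A STARTTLS-capable SMTP server greets first with a plaintext '220 ' banner.
    A wrapper-mode (SMTPS) server sends nothing and waits for the client's TLS
    ClientHello, so a silent socket right after connect is the tell-tale sign.
    """
    if not data:
        return "silent"        # SMTPS / smtpd_tls_wrappermode=yes: the client must start TLS
    if data.startswith(b"220"):
        return "smtp-banner"   # plaintext SMTP: upgrade with STARTTLS if it is offered
    if data[:2] == b"\x16\x03":
        return "tls-record"    # a TLS record header; no SMTP server should send this first
    return "unknown"


def ehlo_offers_starttls(ehlo_reply: bytes) -> bool:
    """Return True if a (multi-line) 250 EHLO reply advertises the STARTTLS extension."""
    for line in ehlo_reply.splitlines():
        # Continuation lines look like '250-KEYWORD', the final line like '250 KEYWORD'.
        if line[:3] == b"250" and line[3:4] in (b"-", b" "):
            keyword = line[4:].split()[:1]
            if keyword and keyword[0].upper() == b"STARTTLS":
                return True
    return False


def read_reply(sock) -> bytes:
    """Read one SMTP reply; 'NNN-' lines continue it, a line with a space after the code ends it."""
    buf = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            return buf
        buf += chunk
        lines = buf.split(b"\r\n")
        # lines[-1] is the remainder after the last CRLF; empty means the last line is complete.
        if lines[-1] == b"" and len(lines) >= 2 and lines[-2][3:4] == b" ":
            return buf


def probe(host: str, port: int, timeout: float = 5.0) -> dict:
    """Connect, see who talks first, negotiate TLS the matching way, and summarise the result."""
    ctx = ssl.create_default_context()  # verifies chain and hostname; relax it for self-signed MXs
    sock = socket.create_connection((host, port), timeout=timeout)
    try:
        first = sock.recv(512)            # assumption: a STARTTLS server greets within `timeout`
    except socket.timeout:
        first = b""
    kind = classify_first_bytes(first)
    if kind == "silent":
        tls = ctx.wrap_socket(sock, server_hostname=host)  # SMTPS: TLS from the first byte
        banner = read_reply(tls)                            # the 220 greeting arrives inside TLS
        version = tls.version()
        tls.sendall(b"QUIT\r\n")
        tls.close()
        return {"mode": "smtps", "tls": version, "banner": banner.decode(errors="replace").strip()}
    if kind != "smtp-banner":
        sock.close()
        return {"mode": kind, "first_bytes": first[:16].hex()}
    sock.sendall(b"EHLO " + EHLO_NAME + b"\r\n")
    if not ehlo_offers_starttls(read_reply(sock)):
        sock.sendall(b"QUIT\r\n")
        sock.close()
        return {"mode": "plaintext-only", "banner": first.decode(errors="replace").strip()}
    sock.sendall(b"STARTTLS\r\n")
    reply = read_reply(sock)
    if not reply.startswith(b"220"):
        sock.close()
        return {"mode": "starttls-refused", "reply": reply.decode(errors="replace").strip()}
    tls = ctx.wrap_socket(sock, server_hostname=host)  # RFC 3207: TLS starts after the 220 reply
    tls.sendall(b"EHLO " + EHLO_NAME + b"\r\n")        # and the client must EHLO again inside TLS
    read_reply(tls)
    version = tls.version()
    tls.sendall(b"QUIT\r\n")
    tls.close()
    return {"mode": "starttls", "tls": version, "banner": first.decode(errors="replace").strip()}


if __name__ == "__main__":
    # Usage: python3 smtp_tls_probe.py mx.example.org 25   (or 465 for an SMTPS service)
    print(probe(sys.argv[1], int(sys.argv[2])))
```

Against a Postfix smtpd with `smtpd_tls_security_level = may` on port 25 the probe reports `starttls`; against a service with `smtpd_tls_wrappermode=yes` it reports `smtps`. Running it the wrong way round is what produces the symptoms in the question: a TLS ClientHello sent to a STARTTLS port is garbage to the SMTP parser, and plaintext EHLO sent to a wrapper-mode port is an "unknown protocol" to the TLS library.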

Author: JohnnyFromBF
Updated on September 18, 2022

Comments

  • JohnnyFromBF
    JohnnyFromBF almost 2 years

    I want to enable STARTTLS on port 25, but for unknown reasons it only works on port 465.

    master.cf:

    smtp      inet  n       -       -       -       -       smtpd
      -o syslog_name=postfix/smtp
      -o smtpd_tls_wrappermode=yes
      -o smtpd_sasl_auth_enable=no
      -o smtpd_client_restrictions=permit_sasl_authenticated,reject
      -o milter_macro_daemon_name=ORIGINATING
    #smtp      inet  n       -       -       -       1       postscreen
    #smtpd     pass  -       -       -       -       -       smtpd
    #dnsblog   unix  -       -       -       -       0       dnsblog
    #tlsproxy  unix  -       -       -       -       0       tlsproxy
    #submission inet n       -       -       -       -       smtpd
    #  -o syslog_name=postfix/submission
    #  -o smtpd_tls_security_level=encrypt
    #  -o smtpd_sasl_auth_enable=yes
    #  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    #  -o milter_macro_daemon_name=ORIGINATING
    #smtps     inet  n       -       -       -       -       smtpd
    #  -o syslog_name=postfix/smtps
    #  -o smtpd_tls_wrappermode=yes
    #  -o smtpd_sasl_auth_enable=no
    #  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    #  -o milter_macro_daemon_name=ORIGINATING
    

    main.cf:

    smtp_tls_loglevel = 1
    smtp_tls_note_starttls_offer = yes
    smtp_tls_security_level = may
    smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
    smtp_use_tls = yes
    smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
    smtpd_client_restrictions = permit_mynetworks, reject_unknown_client
    smtpd_helo_required = yes
    smtpd_helo_restrictions = permit_mynetworks, reject_invalid_hostname, reject_non_fqdn_hostname
    smtpd_recipient_limit = 25
    smtpd_tls_CAfile = /root/chain.pem
    smtpd_tls_auth_only = no
    smtpd_tls_cert_file = /root/cert.pem
    smtpd_tls_key_file = /root/key.pem
    smtpd_tls_loglevel = 1
    smtpd_tls_received_header = yes
    smtpd_tls_security_level = may
    smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
    smtpd_tls_session_cache_timeout = 3600s
    smtpd_use_tls = yes
    tls_random_prng_update_period = 3600s
    tls_random_source = dev:/dev/urandom
    

    Now when I try to check the certificate with openssl s_client -connect hostname:25 I get this error:

    CONNECTED(00000003)
    write:errno=104
    no peer certificate available
    No client certificate CA names sent
    SSL handshake has read 0 bytes and written 308 bytes
    

    On port 465 everything works fine, so the certificate and CA chain is correct.

    Log says:

    postfix/smtp/smtpd[2623]: SSL_accept error
    postfix/smtp/smtpd[2623]: warning: TLS library problem: 2623:error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:649:
    

    Help is highly appreciated!

    • masegaloeh
      masegaloeh over 9 years
      In your master.cf, the smtps line, a.k.a. port 465, is commented out. How can Postfix be listening on port 465?
    • JohnnyFromBF
      JohnnyFromBF over 9 years
      I tried the same config on port 465 and it worked perfectly, thus I know it can't be the cert or CA chain.
    • masegaloeh
      masegaloeh over 9 years
      Ah, I see... Actually, with smtpd_tls_wrappermode=yes you don't enable STARTTLS, but SMTPS instead. Anyway, what's the output of openssl and the Postfix log entry when you connect to port 465?
    • JohnnyFromBF
      JohnnyFromBF over 9 years
      Turns out this is perfectly normal and the config seems okay since I get this openssl error message with every TLS supporting MX listening on port 25. Guess I misunderstood how STARTTLS works.
    • basic6
      basic6 almost 9 years
      SMTPS (typically over port 465, deprecated) is not STARTTLS (typically over port 587), these are two different things. SMTPS requires a dedicated port, STARTTLS could be used on port 25 as an option.
  • JohnnyFromBF
    JohnnyFromBF over 9 years
    Yeah, but why does a professional hoster like hosteurope.de have an MX that receives mail only on port 25 but supports TLS, as you can check here when typing in [email protected]? I guess because it relays mail to some Postfix server behind it, but all that happens only on port 25; you can nmap the MX, there's only port 25 open.
  • sebix
    sebix over 9 years
    mx0.hosteurope.de doesn't use SMTPS, but STARTTLS. You can test it by using openssl s_client -connect mx0.hosteurope.de:25, which fails, but telnet mx0.hosteurope.de 25 succeeds.
  • JohnnyFromBF
    JohnnyFromBF over 9 years
    Yes and that's exactly what I want.
  • sebix
    sebix over 9 years
    And that's exactly what my answer does. If you have problems or questions, please describe them, including expected and observed behavior. Or give the hostname, so we can look into what's supported currently. (It is facing the public internet anyway.)