Accept mail with TLS, relay internal without

carsten2

Member
Mar 25, 2017
When TLS is not activated, mail is not received by the mail gateway encrypted, only unencrypted.
When TLS is activated, mail can be received encrypted, but it tries to relay to the internal mail server also with TLS, and when this fails it delays the mail 5-10 minutes. I tried to force unencrypted internal relay by adding the domain under the TLS-policy tab with policy "none", but this doesn't change anything.
 
Most likely your internal mail server is misconfigured. Postfix will only try to use TLS if the remote end announces it supports it. So it looks like your internal email server says: "Hey, I support TLS", but doesn't "work" when TLS is used (hard to tell more without logs).
 

carsten2

Member
Mar 25, 2017
Yes, the backend server supports TLS. I checked with https://www.wormly.com/test-smtp-server (without the mail gateway in the middle) and it worked fine. But when I put the mail gateway in the middle I also get an error in syslog:

Apr 2 18:05:46 zzzz postfix/smtp[16908]: SSL_connect error to yyyy:7100: lost connection
Apr 2 18:05:46 zzzz postfix/smtp[16908]: B52008141: to=<yyyy>, relay=xxxxx, delay=0.09, delays=0.05/0.03/0.01/0, dsn=4.7.5, status=deferred (Cannot start TLS: handshake failure)

Also I tried to deactivate TLS for the domain with the TLS policy (setting it to "none"), but this doesn't work either.

What is wrong or where can I get more details?
 

Stoiko Ivanov

Proxmox Staff Member
Staff member
May 2, 2018
I guess that the problem here is that the tls_policy uses the 'domain' name only when it relays the mail via its default transport (doing MX lookups and A lookups). If you want to set a policy for a server which you have defined as transport/relayhost, you need to enter it manually in the '/etc/pmg/tls_policy' file (with the same syntax it has in '/etc/pmg/transport') and run `postmap /etc/pmg/tls_policy` afterwards.

See the bug-report for this:
https://bugzilla.proxmox.com/show_bug.cgi?id=1948

Postfix' reference documentation is also quite helpful for this topic:
http://www.postfix.org/TLS_README.html#client_tls_policy
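As an added illustration of the point above (not code from the thread or from Proxmox), the script below derives the tls_policy lookup key from a transport entry, since the key must be the next-hop as written in /etc/pmg/transport rather than the bare domain, appends a "none" policy for that hop, rebuilds the map and verifies the lookup. The domain, the relay address and the paths are assumptions; the port 7100 is taken from the syslog lines earlier in the thread.

```shell
#!/bin/sh
# Added example (not PMG's own tooling). Assumed values: domain
# example.internal, internal relay [10.0.0.5]:7100 (constructed), PMG
# map paths overridable via environment for testing elsewhere.
TRANSPORT_FILE="${TRANSPORT_FILE:-/etc/pmg/transport}"
POLICY_FILE="${POLICY_FILE:-/etc/pmg/tls_policy}"

# Extract the next-hop from one transport line, e.g.
#   "example.internal smtp:[10.0.0.5]:7100"  ->  "[10.0.0.5]:7100"
# smtp_tls_policy_maps is looked up with this next-hop, not the domain,
# so an entry keyed on "example.internal" alone never matches.
nexthop_from_transport() {
    printf '%s\n' "$1" | awk '{ sub(/^[a-z]+:/, "", $2); print $2 }'
}

# Build the tls_policy line for that hop. "none" disables TLS toward
# this one internal next-hop only; inbound TLS on the gateway is unaffected.
policy_line_for() {
    printf '%s none\n' "$(nexthop_from_transport "$1")"
}

# Append the entry if missing, rebuild the hash map (postmap) and confirm
# that the key resolves to the expected policy.
apply_policy() {
    line="$(policy_line_for "$1")"
    key="${line% none}"
    if ! grep -qF -- "$key" "$POLICY_FILE" 2>/dev/null; then
        printf '%s\n' "$line" >> "$POLICY_FILE"
    fi
    postmap "$POLICY_FILE"
    postmap -q "$key" "$POLICY_FILE"   # prints "none" on success
}

# Usage: sh pmg_tls_policy.sh "example.internal smtp:[10.0.0.5]:7100"
if [ -n "${1:-}" ]; then
    apply_policy "$1"
fi
```

After applying, a retry of the deferred message should show the relay completing without "Cannot start TLS" in postfix/smtp log lines.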
 
