Accept mail with TLS, relay internal without

carsten2

Renowned Member
Mar 25, 2017
When TLS is not activated, mail is not received by the mail gateway encrypted, only unencrypted.
When TLS is activated, mail can be received encrypted, but it tries to relay to the internal mail server also with TLS, and when this fails it delays the mail 5-10 minutes. I tried to force unencrypted internal relay by adding the domain under the TLS-policy tab with policy "none", but this doesn't change anything.
 
Most likely your internal mail server is misconfigured. Postfix will only try to use TLS if the remote end announces it supports it. So it looks like your internal email server says: "Hey, I support TLS", but doesn't "work" when TLS is used (hard to tell more without logs).
 
Yes, the backend server supports TLS. I checked with https://www.wormly.com/test-smtp-server (without mail gateway in the middle) and it worked fine. But when I put mail gateway in the middle I get an error also in syslog:

Apr 2 18:05:46 zzzz postfix/smtp[16908]: SSL_connect error to yyyy:7100: lost connection
Apr 2 18:05:46 zzzz postfix/smtp[16908]: B52008141: to=<yyyy>, relay=xxxxx, delay=0.09, delays=0.05/0.03/0.01/0, dsn=4.7.5, status=deferred (Cannot start TLS: handshake failure)

Also I tried to deactivate TLS for the domain with the TLS policy (setting it to "none"), but this doesn't work either.

What is wrong or where can I get more details?
 
Well, I'd say the backend advertises tls support, but without implementing it correctly. Any chance you could just disable TLS on the backend ?
 
I guess that the problem here is that the tls_policy uses the 'domain' name only when it relays the mail via its default transport (doing MX lookups and A lookups). If you want to set a policy for a server which you have defined as transport/relayhost, you need to enter it manually in the '/etc/pmg/tls_policy' file (with the same syntax it has in '/etc/pmg/transport') and run `postmap /etc/pmg/tls_policy` afterwards.

See the bug-report for this:
https://bugzilla.proxmox.com/show_bug.cgi?id=1948

Postfix' reference documentation is also quite helpful for this topic:
http://www.postfix.org/TLS_README.html#client_tls_policy
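As an added illustration of the point in the last reply (this is not code from the thread or from Proxmox): Postfix looks up the client TLS policy by the verbatim next-hop destination, so for a relay defined in the transport map the key must be the bracketed host plus any non-default port, not the recipient domain. The script below takes a constructed transport map and a constructed tls_policy map, derives the next-hop key for each relay destination and reports the destinations that have no matching policy entry, printing the line you would append. File contents, domains and addresses are made up for the example.

```shell
#!/bin/sh
# Added example, not part of the original thread or of PMG itself.
# Derives the tls_policy lookup key Postfix uses for each relay destination in a
# PMG-style transport map and reports destinations without an explicit policy.

# Constructed sample of /etc/pmg/transport: "<domain> <transport>:<nexthop>"
SAMPLE_TRANSPORT='# internal relay on a non-standard port
example.com smtp:[10.0.0.5]:7100
other.example smtp:[mail.other.example]
plain.example smtp:mail.plain.example:2525'

# Constructed sample of /etc/pmg/tls_policy: "<key> <policy>"
# The first line only matches mail delivered via the default transport (MX lookup);
# the second is the key that actually matches the transport entry above.
SAMPLE_TLS_POLICY='example.com none
[10.0.0.5]:7100 none'

# transport_nexthops MAP: print "domain nexthop" for each transport line.
# Postfix indexes the TLS policy table by the next-hop exactly as written in the
# transport entry, including enclosing [] and any :port suffix, so that is the
# string we keep after stripping the "smtp:" transport name.
transport_nexthops() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*(#|$)/ { next }          # skip comments and blank lines
        { sub(/^[^:]*:/, "", $2); print $1, $2 }'
}

# missing_tls_policy TRANSPORT_MAP TLS_POLICY_MAP: print "domain nexthop" for every
# relay destination whose next-hop has no entry in the policy map.
missing_tls_policy() {
    policy=$2
    transport_nexthops "$1" | while read -r domain nexthop; do
        if ! printf '%s\n' "$policy" \
             | awk -v key="$nexthop" '$1 == key { found = 1 } END { exit found ? 0 : 1 }'; then
            printf '%s %s\n' "$domain" "$nexthop"
        fi
    done
}

# suggest_tls_policy_lines TRANSPORT_MAP TLS_POLICY_MAP: emit the lines to append to
# /etc/pmg/tls_policy so each relay destination gets an explicit "none" policy.
suggest_tls_policy_lines() {
    missing_tls_policy "$1" "$2" | while read -r domain nexthop; do
        printf '%s none\n' "$nexthop"
    done
}

# Stand-alone run: show which destinations still fall through to opportunistic TLS.
echo "Relay destinations without an explicit TLS policy:"
missing_tls_policy "$SAMPLE_TRANSPORT" "$SAMPLE_TLS_POLICY"
echo "Lines to append to /etc/pmg/tls_policy (then run: postmap /etc/pmg/tls_policy):"
suggest_tls_policy_lines "$SAMPLE_TRANSPORT" "$SAMPLE_TLS_POLICY"
```

With the sample data, `example.com` is covered because `[10.0.0.5]:7100 none` matches its transport next-hop, while the other two destinations are reported and a `none` line is proposed for each. Setting `none` removes encryption on that hop entirely, so it only makes sense for a relay on a trusted internal network; the longer-term fix is the one the earlier replies suggest, repairing TLS on the backend so the default policy can stay in place.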