Accept mail with TLS, relay internal without

carsten2

Mar 25, 2017
When TLS is not activated, mail is not received by the mail gateway encrypted, only unencrypted.
When TLS is activated, mail can be received encrypted, but it tries to relay to the internal mail server also with TLS, and when this fails it delays the mail 5-10 minutes. I tried to force unencrypted internal relay by adding the domain under the TLS-policy tab with policy "none", but this doesn't change anything.
 
Most likely your internal mail server is misconfigured. Postfix will only try to use TLS if the remote end announces that it supports it. So it looks like your internal email server says: "Hey, I support TLS", but doesn't "work" when TLS is used (hard to tell more without logs).
 
Yes, the backend server supports TLS. I checked with https://www.wormly.com/test-smtp-server (without the mail gateway in the middle) and it worked fine. But when I put the mail gateway in the middle I also get an error in syslog:

Apr 2 18:05:46 zzzz postfix/smtp[16908]: SSL_connect error to yyyy:7100: lost connection
Apr 2 18:05:46 zzzz postfix/smtp[16908]: B52008141: to=<yyyy>, relay=xxxxx, delay=0.09, delays=0.05/0.03/0.01/0, dsn=4.7.5, status=deferred (Cannot start TLS: handshake failure)

Also I tried to deactivate TLS for the domain with the TLS policy (setting it to "none"), but this doesn't work either.

What is wrong or where can I get more details?
 
Well, I'd say the backend advertises TLS support, but without implementing it correctly. Any chance you could just disable TLS on the backend?
 
I guess that the problem here is that the tls_policy uses the 'domain' name only when it relays the mail via its default transport (doing MX lookups and A lookups). If you want to set a policy for a server which you have defined as transport/relayhost, you need to enter it manually in the '/etc/pmg/tls_policy' file (with the same syntax it has in '/etc/pmg/transport') and run `postmap /etc/pmg/tls_policy` afterwards.

See the bug-report for this:
https://bugzilla.proxmox.com/show_bug.cgi?id=1948

Postfix' reference documentation is also quite helpful for this topic:
http://www.postfix.org/TLS_README.html#client_tls_policy
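As an added example (not code from this thread or from Proxmox), the following POSIX shell helper derives tls_policy entries from transport-map lines the way the reply above describes: the lookup key is the nexthop exactly as it is written in /etc/pmg/transport (including the `[...]` and `:port`), not the bare recipient domain. The transport lines, the host 192.0.2.10 and port 7100, and the policy value are constructed for illustration; `postmap` is only referenced in a comment, so the script runs without Postfix installed.

```sh
#!/bin/sh
# Build /etc/pmg/tls_policy lines from /etc/pmg/transport lines.
# Postfix looks up smtp_tls_policy_maps by the next-hop destination as given
# in the transport map, so "[192.0.2.10]:7100" is the key, not "example.com".
# Sample input below is constructed, not taken from the forum post.

# tls_policy_entry LINE [POLICY]
#   LINE   one transport-map line, e.g. "example.com smtp:[192.0.2.10]:7100"
#   POLICY tls_policy level for that nexthop (default "none" = no TLS at all)
# Prints "<nexthop>\t<policy>"; returns 1 for comments, blanks and malformed lines.
tls_policy_entry() {
    _line=$1
    _policy=${2:-none}
    case $_line in
        ''|'#'*) return 1 ;;          # skip blank lines and comments
    esac
    set -- $_line                     # split into "domain" and "transport:nexthop"
    [ $# -ge 2 ] || return 1
    _nexthop=${2#*:}                  # drop the "smtp:" / "relay:" prefix (first colon only),
                                      # keeping any ":port" that belongs to the nexthop
    [ -n "$_nexthop" ] || return 1
    printf '%s\t%s\n' "$_nexthop" "$_policy"
}

# tls_policy_map [POLICY] < transport
#   Reads a whole transport map on stdin and prints the matching tls_policy map.
tls_policy_map() {
    while IFS= read -r _l || [ -n "$_l" ]; do
        tls_policy_entry "$_l" "$1" || true
    done
}

# Constructed sample transport map (hypothetical hosts and port).
SAMPLE_TRANSPORT='example.com smtp:[192.0.2.10]:7100
# internal relay for a second domain
other.test smtp:[mail.other.test]'

# Usage: write the derived map, then (on the gateway) run
#   postmap /etc/pmg/tls_policy
# so Postfix picks it up. Here we only print it.
printf '%s\n' "$SAMPLE_TRANSPORT" | tls_policy_map none
```

`none` switches TLS off for that nexthop only, so the internal leg is sent in cleartext; that is a workaround for a backend with a broken TLS implementation, and fixing the backend's TLS (or running it with a trusted certificate and a `may`/`encrypt` policy) is the better end state.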
 
