Snawoot / postfix-mta-sts-resolver

Daemon which provides TLS client policy for Postfix via socketmap, according to domain MTA-STS policy
MIT License

Email deliverability fails to protonmail.com #99

Closed GNU-Plus-Windows-User closed 1 year ago

GNU-Plus-Windows-User commented 1 year ago

Describe the bug

I've installed postfix-mta-sts-resolver on my iRedMail email server, but email deliverability fails when I send an email to ProtonMail; however, I can send emails with a verified TLS connection to Gmail and Outlook. I tried to install via pip and snap, but both versions don't work: /etc/mta-sts-daemon.yml is missing, no systemd service is created and nothing is listening on port 8461 in either case, so I'm not sure if this is an issue with my installation method or an actual bug.

To Reproduce

Steps to reproduce the behavior:

  1. Install via apt: sudo apt install postfix-mta-sts-resolver on Ubuntu 22.04 with iRedMail
  2. Add smtp_tls_policy_maps = socketmap:inet:127.0.0.1:8461:postfix to the Postfix main.cf
  3. Use the postfix-mta-sts-resolver config provided below
  4. Send an email to ProtonMail

postfix-mta-sts-resolver config

host: 127.0.0.1
port: 8461
reuse_port: true
shutdown_timeout: 20
cache:
  type: internal
  options:
    cache_size: 10000
default_zone:
  strict_testing: false
  timeout: 20
proactive_policy_fetching:
  enabled: true

Expected behavior

I should be able to send emails to ProtonMail with no problem; according to Hardenize, MTA-STS is set up correctly for protonmail.com.

Output listings

Logs

May 26 22:06:22 mail postfix/smtp[80090]: CA certificate verification failed for mail.protonmail.ch[176.119.200.128]:25: num=2:unable to get issuer certificate
May 26 22:06:22 mail postfix/smtp[80090]: Untrusted TLS connection established to mail.protonmail.ch[176.119.200.128]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
May 26 22:06:22 mail postfix/smtp[80090]: 4QSNgT0FWpz9wJP: Server certificate not verified

mta-sts-query domain protonmail.com

(<STSFetchResult.NONE: 0>, None)

Snawoot commented 1 year ago

Hello!

postfix-mta-sts-resolver only provides a policy that instructs Postfix to validate certificates strictly for specific domains. The log messages you posted indicate that Postfix wasn't able to confirm that the certificate was issued by an actual trusted CA.

Possible reasons are:

  1. Postfix is not configured to use the system CA certificates (see https://github.com/Snawoot/postfix-mta-sts-resolver#postfix-configuration)
  2. An actual MITM is happening. You can check the certificates and the TLS connection using this command: openssl s_client -verify_return_error -starttls smtp -connect mail.protonmail.ch:25 -showcerts

GNU-Plus-Windows-User commented 1 year ago

@Snawoot My smtp_tls_CA settings are configured like so:

smtp_tls_CApath = /etc/ssl/certs
smtp_tls_CAfile = $smtpd_tls_CAfile

As mentioned earlier, I can send emails to Outlook and Gmail just fine but not to ProtonMail; if this was misconfigured then I'm not sure why it works fine with Gmail and Outlook, as they both have an MTA-STS policy.

I've run the openssl command you gave and the certificate is correct.

Snawoot commented 1 year ago

@GNU-Plus-Windows-User Right, I missed the fact that it already works with Outlook. What is your Postfix version? Could you also post the full output of that openssl command?

GNU-Plus-Windows-User commented 1 year ago

@Snawoot I have Postfix 3.6.4 installed.

The output of the openssl command is:

CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = protonmail.com
verify return:1
---
Certificate chain
 0 s:CN = protonmail.com
   i:C = US, O = Let's Encrypt, CN = R3
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: Apr  3 15:43:32 2023 GMT; NotAfter: Jul  2 15:43:31 2023 GMT
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Sep  4 00:00:00 2020 GMT; NotAfter: Sep 15 16:00:00 2025 GMT
---
Server certificate
subject=CN = protonmail.com
issuer=C = US, O = Let's Encrypt, CN = R3
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3977 bytes and written 433 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 4096 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
250 CHUNKING
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 65769AEE89A0AAFED72C18EEA579CADAF219DA79C02A9B740256D9D76268D112
    Session-ID-ctx:
    Resumption PSK: B4D6DF03084866B66E2BCFE72839587F2DE2640BCFB9BBBE890945DFAE1F8FF4830D8B9D61469DC8AFACE609EDF2E26B
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)

    Start Time: 1685108185
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK

Snawoot commented 1 year ago

@GNU-Plus-Windows-User Thanks! No, nothing rings a bell. Probably some issue between the Postfix and ProtonMail servers.

bllfr0g commented 1 year ago

For funsies I just tried on my server and it worked fine:

2023-05-26T07:04:15.389071-07:00 rana postfix/smtp[3409983]: Verified TLS connection established to mail.protonmail.ch[176.119.200.128]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256

I'm guessing there is something in your Postfix config that is preventing it from validating Let's Encrypt certificates. See if you can find another email server out there using Let's Encrypt and try sending mail there as a test.

GNU-Plus-Windows-User commented 1 year ago

@bllfr0g My main.cf is this; everything looks good to me, but maybe you'll find something. I'll look for other email providers that use Let's Encrypt certificates that I can send emails to in the meantime.

# --------------------
# INSTALL-TIME CONFIGURATION INFORMATION
#
# location of the Postfix queue. Default is /var/spool/postfix.
queue_directory = /var/spool/postfix

# location of all postXXX commands. Default is /usr/sbin.
command_directory = /usr/sbin

# location of all Postfix daemon programs (i.e. programs listed in the
# master.cf file). This directory must be owned by root.
# Default is /usr/libexec/postfix
daemon_directory = /usr/lib/postfix/sbin

# location of Postfix-writable data files (caches, random numbers).
# This directory must be owned by the mail_owner account (see below).
# Default is /var/lib/postfix.
data_directory = /var/lib/postfix

# owner of the Postfix queue and of most Postfix daemon processes.
# Specify the name of a user account THAT DOES NOT SHARE ITS USER OR GROUP ID
# WITH OTHER ACCOUNTS AND THAT OWNS NO OTHER FILES OR PROCESSES ON THE SYSTEM.
# In particular, don't specify nobody or daemon. PLEASE USE A DEDICATED USER.
# Default is postfix.
mail_owner = postfix

# The following parameters are used when installing a new Postfix version.
#
# sendmail_path: The full pathname of the Postfix sendmail command.
# This is the Sendmail-compatible mail posting interface.
#
sendmail_path = /usr/sbin/sendmail

# newaliases_path: The full pathname of the Postfix newaliases command.
# This is the Sendmail-compatible command to build alias databases.
#
newaliases_path = /usr/bin/newaliases

# full pathname of the Postfix mailq command.  This is the Sendmail-compatible
# mail queue listing command.
mailq_path = /usr/bin/mailq

# group for mail submission and queue management commands.
# This must be a group name with a numerical group ID that is not shared with
# other accounts, not even with the Postfix account.
setgid_group = postdrop

# external command that is executed when a Postfix daemon program is run with
# the -D option.
#
# Use "command .. & sleep 5" so that the debugger can attach before
# the process marches on. If you use an X-based debugger, be sure to
# set up your XAUTHORITY environment variable before starting Postfix.
#
debugger_command =
    PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
    ddd $daemon_directory/$process_name $process_id & sleep 5

debug_peer_level = 2

# --------------------
# CUSTOM SETTINGS
#

# SMTP server response code when recipient or domain not found.
unknown_local_recipient_reject_code = 550

# Do not notify local user.
biff = no

# Disable the rewriting of "site!user" into "user@site".
swap_bangpath = no

# Disable the rewriting of the form "user%domain" to "user@domain".
allow_percent_hack = no

# Allow recipient address start with '-'.
allow_min_user = no

# Disable the SMTP VRFY command. This stops some techniques used to
# harvest email addresses.
disable_vrfy_command = yes

# Enable both IPv4 and/or IPv6: ipv4, ipv6, all.
inet_protocols = all

# Enable all network interfaces.
inet_interfaces = all

#
# TLS settings.
#
# SSL key, certificate, CA
#
smtpd_tls_key_file = /etc/ssl/private/iRedMail.key
smtpd_tls_cert_file = /etc/ssl/certs/iRedMail.crt
smtpd_tls_CAfile = /etc/ssl/certs/iRedMail.crt
smtpd_tls_CApath = /etc/ssl/certs/

#
# Disable SSLv2, SSLv3, TLSv1.0, TLSv1.1
#

smtpd_tls_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1
smtpd_tls_mandatory_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1

smtp_tls_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1
smtp_tls_mandatory_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1

lmtp_tls_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1
lmtp_tls_mandatory_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1

#
# Fix 'The Logjam Attack'.
#
smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDC3-SHA, KRB5-DE5, CBC3-SHA, ADH, 3DES, SRP, PSD, CAMELLIA, SEED
smtpd_tls_dh512_param_file = /etc/ssl/dhparms-4096.pem
smtpd_tls_dh1024_param_file = /etc/ssl/dhparms-4096.pem

tls_preempt_cipherlist = yes

smtpd_tls_ciphers = low
smtp_tls_ciphers = low
smtpd_tls_mandatory_ciphers = high
smtp_tls_mandatory_ciphers = high

tls_low_cipherlist = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-ARIA256-GCM-SHA384:ECDHE-ARIA256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-ARIA128-GCM-SHA256:ECDHE-ARIA128-GCM-SHA256:TLS_AES_128_CCM_SHA256:DHE-RSA-AES128-CCM8:DHE-RSA-AES128-CCM:DHE-RSA-ARIA128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305-SHA256:DHE-RSA-AES256-CCM8:DHE-RSA-AES256-CCM:DHE-RSA-ARIA256-GCM-SHA384:DHE-RSA-AES-128GCM-SHA256:ECDHE-ECDSA-AES256-CCM8:ECDHE-ECDSA-AES256-CCM:DHE-RSA-AES256-CBC-SHA256:DHE-RSA-AES256-CBC-SHA:ECDHE-ECDSA-AES128-GCM-SHA256:DHE-RSA-AES128-CBC-SHA256:DHE-RSA-AES128-CBC-SHA:ECDHE-ECDSA-AES128-CCM8:ECDHE-ECDSA-AES128-CCM:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:AES256-CCM8:AES256-CCM:ARIA256-GCM-SHA384:AES128-CCM8:AES128-CCM:ARIA128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA
tls_high_cipherlist = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256

smtpd_tls_eecdh_grade = auto
tls_eecdh_auto_curves = X25519 X448 prime256v1 secp384r1 secp521r1

tls_ssl_options = NO_COMPRESSION NO_RENEGOTIATION

tls_random_source = dev:/dev/urandom

# Log only a summary message on TLS handshake completion — no logging of client
# certificate trust-chain verification errors if client certificate
# verification is not required. With Postfix 2.8 and earlier, log the summary
# message, peer certificate summary information and unconditionally log
# trust-chain verification errors.
smtp_tls_loglevel = 1
smtpd_tls_loglevel = 1

# Opportunistic TLS: announce STARTTLS support to remote SMTP clients, but do
# not require that clients use TLS encryption.
smtpd_tls_security_level = may

# Produce `Received:` message headers that include information about the
# protocol and cipher used, as well as the remote SMTP client CommonName and
# client certificate issuer CommonName.
# This is disabled by default, as the information may be modified in transit
# through other mail servers. Only information that was recorded by the final
# destination can be trusted.
#smtpd_tls_received_header = yes

# Opportunistic TLS, used when Postfix sends email to remote SMTP server.
# Use TLS if this is supported by the remote SMTP server, otherwise use
# plaintext.
# References:
#   - http://www.postfix.org/TLS_README.html#client_tls_may
#   - http://www.postfix.org/postconf.5.html#smtp_tls_security_level
smtp_tls_security_level = dane

smtp_dns_support_level = dnssec

# Use the same CA file as smtpd.
smtp_tls_CApath = /etc/ssl/certs/
smtp_tls_CAfile = $smtpd_tls_CAfile
smtp_tls_note_starttls_offer = yes

# Enable long, non-repeating, queue IDs (queue file names).
# The benefit of non-repeating names is simpler logfile analysis and easier
# queue migration (there is no need to run "postsuper" to change queue file
# names that don't match their message file inode number).
enable_long_queue_ids = yes

# Reject unlisted sender and recipient
smtpd_reject_unlisted_recipient = yes
smtpd_reject_unlisted_sender = yes

# Header and body checks with PCRE table
header_checks = pcre:/etc/postfix/header_checks
body_checks = pcre:/etc/postfix/body_checks.pcre

# A mechanism to transform commands from remote SMTP clients.
# This is a last-resort tool to work around client commands that break
# interoperability with the Postfix SMTP server. Other uses involve fault
# injection to test Postfix's handling of invalid commands.
# Requires Postfix-2.7+.
smtpd_command_filter = pcre:/etc/postfix/command_filter.pcre

# HELO restriction
smtpd_helo_required = yes
smtpd_helo_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    check_helo_access pcre:/etc/postfix/helo_access.pcre
    reject_invalid_helo_hostname
    reject_non_fqdn_helo_hostname
    reject_unknown_helo_hostname

# Sender restrictions
smtpd_sender_restrictions =
    reject_non_fqdn_sender
    reject_unlisted_sender
    permit_mynetworks
    permit_sasl_authenticated
    check_sender_access pcre:/etc/postfix/sender_access.pcre
    reject_unknown_reverse_client_hostname
    reject_unknown_client_hostname
    reject_unknown_sender_domain

# Recipient restrictions
smtpd_recipient_restrictions =
    reject_non_fqdn_recipient
    reject_unlisted_recipient
    check_sender_access hash:/etc/postfix/sender_access.pcre
    check_policy_service inet:127.0.0.1:7777
    permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_destination
    check_policy_service inet:127.0.0.1:12340

# END-OF-MESSAGE restrictions
smtpd_end_of_data_restrictions =
    check_policy_service inet:127.0.0.1:7777

# Data restrictions
smtpd_data_restrictions = reject_unauth_pipelining

# SRS (Sender Rewriting Scheme) support
#sender_canonical_maps = tcp:127.0.0.1:7778
#sender_canonical_classes = envelope_sender
#recipient_canonical_maps = tcp:127.0.0.1:7779
#recipient_canonical_classes= envelope_recipient,header_recipient

proxy_read_maps = $canonical_maps $lmtp_generic_maps $local_recipient_maps $mydestination $mynetworks $recipient_bcc_maps $recipient_canonical_maps $relay_domains $relay_recipient_maps $relocated_maps $sender_bcc_maps $sender_canonical_maps $smtp_generic_maps $smtpd_sender_login_maps $transport_maps $virtual_alias_domains $virtual_alias_maps $virtual_mailbox_domains $virtual_mailbox_maps $smtpd_sender_restrictions $sender_dependent_relayhost_maps

# Avoid duplicate recipient messages. Default is 'yes'.
enable_original_recipient = no

# Virtual support.
virtual_minimum_uid = 2000
virtual_uid_maps = static:2000
virtual_gid_maps = static:2000
virtual_mailbox_base = /var/vmail

# Do not set virtual_alias_domains.
virtual_alias_domains =

#
# Enable SASL authentication on port 25 and force TLS-encrypted SASL authentication.
# WARNING: NOT RECOMMENDED to enable smtp auth on port 25, all end users should
#          be forced to submit email through port 587 instead.
#
#smtpd_sasl_auth_enable = yes
#smtpd_sasl_security_options = noanonymous
#smtpd_tls_auth_only = yes

# hostname
myhostname = mail.example.com
myorigin = mail.example.com
mydomain = mail.example.com

# trusted SMTP clients which are allowed to relay mail through Postfix.
#
# Note: additional IP addresses/networks listed in mynetworks should be listed
#       in iRedAPD setting 'MYNETWORKS' (in `/opt/iredapd/settings.py`) too.
#       for example:
#
#       MYNETWORKS = ['xx.xx.xx.xx', 'xx.xx.xx.0/24', ...]
#
mynetworks = 127.0.0.1 [::1]

# Accepted local emails
mydestination = $myhostname, localhost, localhost.localdomain

alias_maps = hash:/etc/postfix/aliases
alias_database = hash:/etc/postfix/aliases

# Default message_size_limit.
message_size_limit = 15728640

# The set of characters that can separate a user name from its extension
# (example: user+foo), or a .forward file name from its extension (example:
# .forward+foo).
# Postfix 2.11 and later supports multiple characters.
recipient_delimiter = +

# The time after which the sender receives a copy of the message headers of
# mail that is still queued. Default setting is disabled (0h) by Postfix.
#delay_warning_time = 1h

# Do not display the name of the recipient table in the "User unknown" responses.
# The extra detail makes trouble shooting easier but also reveals information
# that is nobody elses business.
show_user_unknown_table_name = no
compatibility_level = 2
#
# Lookup virtual mail accounts
#
transport_maps =
    proxy:mysql:/etc/postfix/mysql/transport_maps_user.cf
    proxy:mysql:/etc/postfix/mysql/transport_maps_maillist.cf
    proxy:mysql:/etc/postfix/mysql/transport_maps_domain.cf

sender_dependent_relayhost_maps =
    proxy:mysql:/etc/postfix/mysql/sender_dependent_relayhost_maps.cf

# Lookup table with the SASL login names that own the sender (MAIL FROM) addresses.
smtpd_sender_login_maps =
    proxy:mysql:/etc/postfix/mysql/sender_login_maps.cf

virtual_mailbox_domains =
    proxy:mysql:/etc/postfix/mysql/virtual_mailbox_domains.cf

relay_domains =
    $mydestination
    proxy:mysql:/etc/postfix/mysql/relay_domains.cf

virtual_mailbox_maps =
    proxy:mysql:/etc/postfix/mysql/virtual_mailbox_maps.cf

virtual_alias_maps =
    proxy:mysql:/etc/postfix/mysql/virtual_alias_maps.cf
    proxy:mysql:/etc/postfix/mysql/domain_alias_maps.cf
    proxy:mysql:/etc/postfix/mysql/catchall_maps.cf
    proxy:mysql:/etc/postfix/mysql/domain_alias_catchall_maps.cf

sender_bcc_maps =
    proxy:mysql:/etc/postfix/mysql/sender_bcc_maps_user.cf
    proxy:mysql:/etc/postfix/mysql/sender_bcc_maps_domain.cf

recipient_bcc_maps =
    proxy:mysql:/etc/postfix/mysql/recipient_bcc_maps_user.cf
    proxy:mysql:/etc/postfix/mysql/recipient_bcc_maps_domain.cf

#
# Postscreen
#
postscreen_greet_action = drop
postscreen_blacklist_action = drop
postscreen_dnsbl_action = drop
postscreen_dnsbl_threshold = 3
postscreen_greet_banner = $smtpd_banner

# Attention:
#   - zen.spamhaus.org free tire has 3 limits
#     (https://www.spamhaus.org/organization/dnsblusage/):
#
#     1) Your use of the Spamhaus DNSBLs is non-commercial*, and
#     2) Your email traffic is less than 100,000 SMTP connections per day, and
#     3) Your DNSBL query volume is less than 300,000 queries per day.
#
#   - FAQ: "Your DNSBL blocks nothing at all!"
#     https://www.spamhaus.org/faq/section/DNSBL%20Usage#261
#
# It's strongly recommended to use a local DNS server for cache.

postscreen_dnsbl_sites =
    zen.spamhaus.org=127.0.0.[2..11]*3

postscreen_dnsbl_reply_map = texthash:/etc/postfix/postscreen_dnsbl_reply
postscreen_access_list = permit_mynetworks cidr:/etc/postfix/postscreen_access.cidr

# Require Postfix-2.11+
postscreen_dnsbl_whitelist_threshold = -2

#
# Dovecot SASL support.
#
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/dovecot-auth
virtual_transport = dovecot
dovecot_destination_recipient_limit = 1

#
# mlmmj - mailing list manager
#
mlmmj_destination_recipient_limit = 1

#
# Amavisd + SpamAssassin + ClamAV
#
content_filter = smtp-amavis:[127.0.0.1]:10024

# Concurrency per recipient limit.
smtp-amavis_destination_recipient_limit = 1

smtp_tls_policy_maps = socketmap:inet:127.0.0.1:8461:postfix

I've checked the certificate for ISRG_ROOT_X1 and it's correct.

GNU-Plus-Windows-User commented 1 year ago

Another question: are you on Ubuntu 22.04?

GNU-Plus-Windows-User commented 1 year ago

Ok, by sheer dumb luck I found the issue: changing smtp_tls_CAfile = $smtpd_tls_CAfile to smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt fixed the issue. I will open an issue in iRedMail to get this fixed for other users. Thank you for all of your help guys!
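The misconfiguration that closes this thread, as an added example check that is not part of postfix-mta-sts-resolver or iRedMail: a small main.cf parser that resolves $variable references the way postconf -x does and flags an smtp_tls_CAfile that ends up pointing at the server's own certificate, which is what makes a strict MTA-STS chain check fail. The main.cf excerpt is constructed from the config posted above, and the chroot remark follows postconf(5)'s description of CAfile (loaded before chroot) versus CApath (read per session).

```python
"""Check a Postfix main.cf for the client-side trust-anchor mistake found in
this thread: smtp_tls_CAfile inheriting the server's own certificate through
$smtpd_tls_CAfile.  Added example, not part of postfix-mta-sts-resolver."""
import re

# Constructed excerpt modelled on the main.cf posted in the thread (trimmed).
BROKEN_MAIN_CF = """\
# TLS settings.
smtpd_tls_key_file = /etc/ssl/private/iRedMail.key
smtpd_tls_cert_file = /etc/ssl/certs/iRedMail.crt
smtpd_tls_CAfile = /etc/ssl/certs/iRedMail.crt
smtpd_tls_CApath = /etc/ssl/certs/

smtp_tls_security_level = dane
# Use the same CA file as smtpd.
smtp_tls_CApath = /etc/ssl/certs/
smtp_tls_CAfile = $smtpd_tls_CAfile
smtp_tls_policy_maps =
    socketmap:inet:127.0.0.1:8461:postfix
"""
# The fix the reporter arrived at: point the client at the system CA bundle.
FIXED_MAIN_CF = BROKEN_MAIN_CF.replace(
    "smtp_tls_CAfile = $smtpd_tls_CAfile",
    "smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt")

def parse_main_cf(text):
    """main.cf parser: 'name = value', '#' comments, and continuation lines
    (a line starting with whitespace extends the previous parameter)."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and current is not None:
            params[current] = (params[current] + " " + raw.strip()).strip()
            continue
        name, sep, value = raw.partition("=")
        if not sep:
            continue
        current = name.strip()
        params[current] = value.strip()
    return params

_REF = re.compile(r"\$\{?(\w+)\}?")

def expand(params, name, depth=0):
    """Resolve $name / ${name} references like 'postconf -x' (depth-limited)."""
    if depth > 10:
        raise ValueError("reference loop while expanding $" + name)
    return _REF.sub(lambda m: expand(params, m.group(1), depth + 1),
                    params.get(name, ""))

def check_smtp_tls_trust(params):
    """Return findings about the SMTP *client's* trust anchors, i.e. the
    settings Postfix uses when an MTA-STS policy demands a verified chain."""
    findings = []
    cafile = expand(params, "smtp_tls_CAfile")
    capath = expand(params, "smtp_tls_CApath")
    own_cert = expand(params, "smtpd_tls_cert_file")
    if cafile and cafile == own_cert:
        findings.append("smtp_tls_CAfile resolves to %s, this server's own "
                        "certificate; public CA chains cannot verify against "
                        "it" % cafile)
    if not cafile and not capath:
        findings.append("neither smtp_tls_CAfile nor smtp_tls_CApath is set; "
                        "no remote certificate can verify")
    elif not cafile:
        # postconf(5): CAfile is loaded before chroot, CApath is read per
        # session, so CApath alone silently fails for a chrooted smtp(8).
        findings.append("only smtp_tls_CApath is set; it must exist inside "
                        "the chroot if smtp(8) runs chrooted")
    if "socketmap:" not in expand(params, "smtp_tls_policy_maps"):
        findings.append("smtp_tls_policy_maps has no socketmap entry; the "
                        "MTA-STS resolver is not consulted")
    return findings

if __name__ == "__main__":
    for label, text in (("broken", BROKEN_MAIN_CF), ("fixed", FIXED_MAIN_CF)):
        print(label, check_smtp_tls_trust(parse_main_cf(text)) or ["OK"])
```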