aksiksi / vaulty

A service that allows users to send email directly to a cloud storage service.
https://vaulty.net

Setup Postfix to send out email #22

Closed aksiksi closed 4 years ago

aksiksi commented 4 years ago

For example, we may want to set up a mailing list and send out emails. This requires some tuning on the Postfix side to limit concurrent emails to the same domain.

In addition:

  1. DKIM
  2. SPF
  3. Proper TLS

aksiksi commented 4 years ago

Also, needs SASL enabled to allow external clients to authenticate with the mail server. See: http://www.postfix.org/SASL_README.html

aksiksi commented 4 years ago

Useful links to configure SASL (Cyrus):

Useful Postfix links:

aksiksi commented 4 years ago

Example of using openssl to verify Postfix TLS config:

$ openssl s_client -connect mail.example.net:587 -starttls smtp
AUTH PLAIN [base64 user/pass]
235 2.7.0 Authentication successful
MAIL FROM: <support@example.net>
250 2.1.0 Ok
rcpt to: <check@ssl-tools.net>
250 2.1.5 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
From: <support@example.net>
To: <check@ssl-tools.net>
Subject: Test!
.
250 2.0.0 Ok: queued as D0FF821522
QUIT
DONE

If you hit an error right after RCPT TO, just change it to lowercase:

139842432055104:error:1420410A:SSL routines:SSL_renegotiate:wrong ssl version:ssl/ssl_lib.c:2118:

Postfix log

Here is the Postfix log.

Terminal

Sep 25 00:34:34 localhost postfix/smtps/smtpd[31066]: connect from localhost[127.0.0.1]
Sep 25 00:34:34 localhost postfix/smtps/smtpd[31066]: Anonymous TLS connection established from localhost[127.0.0.1]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
Sep 25 00:34:43 localhost postfix/smtps/smtpd[31066]: lost connection after MAIL from localhost[127.0.0.1]
Sep 25 00:34:43 localhost postfix/smtps/smtpd[31066]: disconnect from localhost[127.0.0.1] ehlo=1 mail=1 commands=2

Solution

The cause is on the OpenSSL side. Add the -quiet option to the openssl command.

When connecting with OpenSSL in a terminal, OpenSSL treats the input as a TLS renegotiation request if the first character of standard input is "R".

Terminal

openssl s_client -connect localhost:465 -quiet

Enter RCPT command in lowercase

Terminal

// RCPT TO:info@localhost
rcpt to:info@localhost

Verify your domain here: https://ssl-tools.net/mailservers/
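Added example (not part of the thread or of the vaulty code base): a small audit over Postfix smtpd log lines of the kind quoted above, reporting the negotiated TLS protocol and cipher per session and flagging old protocol versions and sessions dropped mid-transaction, such as the "lost connection after MAIL" case. It assumes smtpd_tls_loglevel = 1 so that the "TLS connection established" line is logged; the pid 31070 session and the WEAK set are constructed for illustration.

```python
import re

# Lines for pid 31066 are the ones quoted in the thread; pid 31070 is a
# constructed session added to exercise the weak-protocol check.
SAMPLE_LOG = """\
Sep 25 00:34:34 localhost postfix/smtps/smtpd[31066]: connect from localhost[127.0.0.1]
Sep 25 00:34:34 localhost postfix/smtps/smtpd[31066]: Anonymous TLS connection established from localhost[127.0.0.1]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
Sep 25 00:34:43 localhost postfix/smtps/smtpd[31066]: lost connection after MAIL from localhost[127.0.0.1]
Sep 25 00:34:43 localhost postfix/smtps/smtpd[31066]: disconnect from localhost[127.0.0.1] ehlo=1 mail=1 commands=2
Sep 25 00:40:01 localhost postfix/submission/smtpd[31070]: connect from client.example.net[192.0.2.10]
Sep 25 00:40:01 localhost postfix/submission/smtpd[31070]: Anonymous TLS connection established from client.example.net[192.0.2.10]: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
Sep 25 00:40:05 localhost postfix/submission/smtpd[31070]: disconnect from client.example.net[192.0.2.10] ehlo=2 starttls=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=8
"""

SMTPD = re.compile(r"postfix/(?:[\w-]+/)?smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
TLS = re.compile(r"TLS connection established from (?P<client>\S+): (?P<proto>\S+) with cipher (?P<cipher>\S+)")
LOST = re.compile(r"lost connection after (?P<stage>\S+) from")
WEAK = {"SSLv3", "TLSv1", "TLSv1.1"}  # assumption: versions this audit treats as too old


def audit(log_text):
    """Return one dict per finished smtpd session, each with a list of findings."""
    open_sessions, done = {}, []
    for line in log_text.splitlines():
        if not (m := SMTPD.search(line)):
            continue
        pid, msg = m["pid"], m["msg"]
        if msg.startswith("connect from "):
            # smtpd reuses one process for successive clients: start a fresh session
            open_sessions[pid] = dict(pid=pid, client=msg.split()[2], proto=None, cipher=None, findings=[])
        elif (s := open_sessions.get(pid)) is None:
            continue  # line belongs to a session whose connect we never saw
        elif (t := TLS.search(msg)):
            s["proto"], s["cipher"] = t["proto"], t["cipher"]
            if t["proto"] in WEAK:
                s["findings"].append(f"weak protocol {t['proto']}")
        elif (lost := LOST.search(msg)):
            s["findings"].append(f"dropped after {lost['stage']}")
        elif msg.startswith("disconnect from "):
            if s["proto"] is None:
                s["findings"].append("no TLS line logged")
            done.append(open_sessions.pop(pid))
    return done


if __name__ == "__main__":
    for s in audit(SAMPLE_LOG):
        print(s["pid"], s["client"], s["proto"], s["cipher"], s["findings"] or "ok")
```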