Open asmaack opened 3 years ago
see #1832
If anybody wants to give a hand, please let me know.
Other than that: please also have a look at my comment.
You have some redundancy in your setup. Your first three lines are ignored whenever the tls_security_level option is used.
From the official Postfix manual:

> smtp_tls_security_level (default: empty)
> The default SMTP TLS security level for the Postfix SMTP client; when a non-empty value is specified, this overrides the obsolete parameters smtp_use_tls, smtp_enforce_tls, and smtp_tls_enforce_peername.
I had already changed my Postfix config to make it more up-to-date. My current config (main.cf) is:
```
# TLS parameters and certificates
# smtp_*  = Postfix SMTP client (outbound mail), smtpd_* = Postfix SMTP server (inbound mail)
# Obsolete per-direction switches, superseded by the *_tls_security_level settings below:
#smtpd_use_tls=yes
#smtpd_enforce_tls=yes
#smtp_enforce_tls=yes
smtp_tls_security_level = encrypt
smtpd_tls_security_level = encrypt
smtpd_tls_cert_file = /etc/letsencrypt/live/mx.maack.me/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/mx.maack.me/privkey.pem
smtpd_tls_CAfile = /etc/letsencrypt/live/mx.maack.me/chain.pem
```
testssl.sh 3.1dev still reports my server with "Grade capped to T. Encryption via STARTTLS is not mandatory (opportunistic)."
I can't speak to why that would be. Your cert file should be /cert.pem instead of /fullchain.pem (fullchain = cert + chain). However, the config you are using in the last three lines is also outdated, although still functional. smtpd_tls_chain_files is preferred now instead:

> **smtpd_tls_cert_file (default: empty)**
> File with the Postfix SMTP server RSA certificate in PEM format. This file may also contain the Postfix SMTP server private RSA key. With Postfix ≥ 3.4 the preferred way to configure server keys and certificates is via the "smtpd_tls_chain_files" parameter.
You could also try sending yourself an email with a client that has tls disabled and see if your server accepts it.
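The plaintext check suggested above (and the manual test mentioned later in the thread) can be scripted. The following is an added example, not code from testssl.sh or from anyone in this thread: it speaks plain SMTP to a host, deliberately never issues STARTTLS, and attempts `MAIL FROM` in the clear. A Postfix smtpd running with `smtpd_tls_security_level = encrypt` rejects that with `530 5.7.0 Must issue a STARTTLS command first`; an opportunistic (`may`) server answers `250`. The `_FakeSmtpd` class and the host/port values are constructed stand-ins so the probe can be exercised offline; point `probe_starttls()` at a real MX to test it.

```python
"""Added example: check whether an SMTP server actually enforces STARTTLS.

The probe skips STARTTLS on purpose and tries MAIL FROM over plaintext.
The fake server below is a constructed stand-in for Postfix smtpd in its
"encrypt" (enforced) and "may" (opportunistic) modes; it is not Postfix.
"""
import socket
import socketserver
import threading


def _read_reply(rfile):
    """Read one SMTP reply, handling "250-..." continuation lines -> (code, lines)."""
    lines = []
    while True:
        raw = rfile.readline()
        if not raw:
            raise ConnectionError("server closed the connection")
        line = raw.decode("utf-8", "replace").rstrip("\r\n")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":   # "250-" continues, "250 " ends
            return line[:3], lines


def probe_starttls(host, port=25, helo="probe.example", timeout=10):
    """Connect, EHLO, then MAIL FROM *without* STARTTLS.

    Returns {"starttls_offered": bool, "mail_from_code": str, "enforced": bool}.
    "enforced" is True only if the server refuses the plaintext transaction
    with a 530 reply (what Postfix sends for smtpd_tls_security_level = encrypt).
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        rfile = sock.makefile("rb")
        code, _ = _read_reply(rfile)
        if code != "220":
            raise RuntimeError(f"unexpected greeting code {code}")
        sock.sendall(f"EHLO {helo}\r\n".encode())
        _, ehlo_lines = _read_reply(rfile)
        offered = any(l[4:].upper().startswith("STARTTLS") for l in ehlo_lines[1:])
        # The real check: start a mail transaction while still in plaintext.
        sock.sendall(b"MAIL FROM:<probe@probe.example>\r\n")
        mail_code, _ = _read_reply(rfile)
        sock.sendall(b"QUIT\r\n")
        return {
            "starttls_offered": offered,
            "mail_from_code": mail_code,
            "enforced": mail_code == "530",
        }


class _FakeSmtpd(socketserver.StreamRequestHandler):
    """Constructed stand-in for Postfix smtpd; `server.enforce` selects the mode."""

    def handle(self):
        self.wfile.write(b"220 fake.example ESMTP\r\n")
        while True:
            raw = self.rfile.readline()
            if not raw:
                return
            cmd = raw.decode("utf-8", "replace").strip().upper()
            if cmd.startswith("EHLO"):
                self.wfile.write(b"250-fake.example\r\n250-STARTTLS\r\n250 8BITMIME\r\n")
            elif cmd == "QUIT":
                self.wfile.write(b"221 2.0.0 Bye\r\n")
                return
            elif self.server.enforce:   # what "encrypt" mode does before STARTTLS
                self.wfile.write(b"530 5.7.0 Must issue a STARTTLS command first\r\n")
            else:                       # opportunistic "may" mode accepts plaintext
                self.wfile.write(b"250 2.1.0 Ok\r\n")


def start_fake_server(enforce):
    """Start the stand-in smtpd on 127.0.0.1 with an ephemeral port -> (server, port)."""
    srv = socketserver.TCPServer(("127.0.0.1", 0), _FakeSmtpd)
    srv.enforce = enforce
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


if __name__ == "__main__":
    for mode in (True, False):
        srv, port = start_fake_server(enforce=mode)
        print("enforce=%s ->" % mode, probe_starttls("127.0.0.1", port))
        srv.shutdown()
        srv.server_close()
```

Postfix only answers 530 for commands that are not allowed before STARTTLS (EHLO, NOOP, RSET, QUIT and STARTTLS itself are still accepted in the clear), so the probe asserts on `MAIL FROM` rather than on the EHLO reply; a server that advertises STARTTLS but still returns 250 here is opportunistic, which is what the testssl.sh message describes.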
My SMTP email server "mx.maack.me" is Postfix on Ubuntu Server 20.04.
My Postfix server is configured with TLS parameters to enforce TLS for both directions (client and server):
When testing by hand, it does indeed seem that STARTTLS is enforced (mandatory):
(don't fret, the username-password string is dummy)
When I execute a testssl.sh scan I get the result that STARTTLS is not mandatory:
My system:
Ubuntu 20.04.1 LTS
Linux 5.4.0-1026-raspi aarch64
testssl.sh 3.1dev from https://testssl.sh/dev/ (b8b23b9 2021-01-05 15:27:40 -- )
/opt/testssl.sh/bin/openssl.Linux.x86_64