foxcpp / maddy

✉️ Composable all-in-one mail server.
https://maddy.email
GNU General Public License v3.0
5.07k stars 244 forks source link

min_tls_level ignored (required_tls_level: encrypted) #717

Open lukastribus opened 3 months ago

lukastribus commented 3 months ago

Describe the bug

Despite commenting dane and mtasts, setting protocols tls1.0 tls1.3 in tls_client and setting local_policy to:

local_policy {
    min_tls_level none
    min_mx_level none
}

I cannot figure out a way to send emails to:

please-ignore@lists.denog.de (TLSv1.0, self signed cert)
please-ignore@1wt.eu (no TLS support)

I keep hitting TLS errors:

Jul 15 15:58:48 htznr2 maddy[923]: remote: cannot use MX        {"domain":"lists.denog.de","msg_id":"e693452d-66952b17","reason":"TLS it not available or unauthenticated but required","remote_server":"mail1.cluenet.de.","required_tls_level":"encrypted","smtp_code":451,"smtp_enchcode":"4.7.1","smtp_msg":"TLS it not available or unauthenticated but required","tls_err":"tls: server selected unsupported protocol version 301","tls_level":"none"}

Jul 15 15:59:04 htznr2 maddy[923]: remote: cannot use MX        {"domain":"1wt.eu","msg_id":"5fe3eac8-66952b14","reason":"TLS it not available or unauthenticated but required","remote_server":"mail.1wt.eu.","required_tls_level":"encrypted","smtp_code":451,"smtp_enchcode":"4.7.1","smtp_msg":"TLS it not available or unauthenticated but required","tls_err":null,"tls_level":"none"}

Log says "required_tls_level":"encrypted" despite all my attempts at configuring maddy to ignore it, including min_tls_level and min_mx_level.

Is this a bug or am I doing something wrong in the configuration file?

Steps to reproduce

Send email through maddy To:

please-ignore@lists.denog.de (TLSv1.0, self signed cert)
please-ignore@1wt.eu (no TLS support)

Log files

See above.

Configuration file

## Maddy Mail Server - default configuration file (2022-06-18)
# Suitable for small-scale deployments. Uses its own format for local users DB,
# should be managed via maddy subcommands.
#
# See tutorials at https://maddy.email for guidance on typical
# configuration changes.

# ----------------------------------------------------------------------------
# Base variables

$(hostname) = server2.example.eu
$(primary_domain) = example.eu
$(local_domains) = example.eu sand.example.eu
#debug yes

tls file /etc/maddy/certs/$(hostname)/fullchain.pem /etc/maddy/certs/$(hostname)/privkey.pem

# ----------------------------------------------------------------------------
# Local storage & authentication

# pass_table provides local hashed passwords storage for authentication of
# users. It can be configured to use any "table" module, in default
# configuration a table in SQLite DB is used.
# Table can be replaced to use e.g. a file for passwords. Or pass_table module
# can be replaced altogether to use some external source of credentials (e.g.
# PAM, /etc/shadow file).
#
# If table module supports it (sql_table does) - credentials can be managed
# using 'maddy creds' command.

auth.pass_table local_authdb {
    table sql_table {
        driver sqlite3
        dsn credentials.db
        table_name passwords
    }
}

# imapsql module stores all indexes and metadata necessary for IMAP using a
# relational database. It is used by IMAP endpoint for mailbox access and
# also by SMTP & Submission endpoints for delivery of local messages.
#
# IMAP accounts, mailboxes and all message metadata can be inspected using
# imap-* subcommands of maddy.

storage.imapsql local_mailboxes {
    driver sqlite3
    dsn imapsql.db
}

# ----------------------------------------------------------------------------
# SMTP endpoints + message routing

hostname $(hostname)

table.chain local_rewrites {
    optional_step regexp "(.+)\+(.+)@(.+)" "$1@$3"
    optional_step static {
        entry postmaster postmaster@$(primary_domain)
    }
    optional_step file /etc/maddy/aliases
}

msgpipeline local_routing {
    # Insert handling for special-purpose local domains here.
    # e.g.
    # destination lists.example.org {
    #     deliver_to lmtp tcp://127.0.0.1:8024
    # }

    destination postmaster $(local_domains) {
        modify {
            replace_rcpt &local_rewrites
        }

        deliver_to &local_mailboxes
    }

    default_destination {
        reject 550 5.1.1 "User doesn't exist"
    }
}

smtp tcp://127.0.0.1:25 {
    limits {
        # Up to 20 msgs/sec across max. 10 SMTP connections.
        all rate 20 1s
        all concurrency 10
    }

    dmarc yes
    check {
        require_mx_record
        dkim
        spf
    }
    source $(local_domains) {
        reject 501 5.1.8 "Use Submission for outgoing SMTP"
    }
    default_source {
        destination postmaster $(local_domains) {
            deliver_to &local_routing
        }
        default_destination {
            reject 550 5.1.1 "User doesn't exist"
        }
    }
}

submission tls://0.0.0.0:465 tcp://0.0.0.0:587 {
    limits {
        # Up to 50 msgs/sec across any amount of SMTP connections.
        all rate 50 1s
    }

    auth &local_authdb

    source $(local_domains) {
        check {
            authorize_sender {
                prepare_email &local_rewrites
                user_to_email static { entry lukas@example.eu * }
                #user_to_email identity
            }
        }

        destination postmaster $(local_domains) {
            deliver_to &local_routing
        }
        default_destination {
            modify {
                dkim $(primary_domain) $(local_domains) server2A
            }
            deliver_to &remote_queue
        }
    }
    default_source {
        reject 501 5.1.8 "Non-local sender domain"
    }
}

target.remote outbound_delivery {
    debug yes
    limits {
        # Up to 20 msgs/sec across max. 10 SMTP connections
        # for each recipient domain.
        destination rate 20 1s
        destination concurrency 10
    }
    mx_auth {
        #dane
        #mtasts {
        #    cache fs
        #    fs_dir mtasts_cache/
        #}
        local_policy {
            min_tls_level none
            min_mx_level none
        }
    }
    tls_client {
        protocols tls1.0 tls1.3
    }
}

target.queue remote_queue {
    max_tries 3
    target &outbound_delivery

    autogenerated_msg_domain $(primary_domain)
    bounce {
        modify {
                replace_sender static { entry "" "MAILER-DAEMON@example.eu" }
        }
        destination $(local_domains) {
            modify {
                dkim $(primary_domain) $(local_domains) server2A
            }

            deliver_to &remote_queue

        }
        default_destination {
            reject 550 5.0.0 "Refusing to send DSNs to non-local addresses"
        }
    }
}

# ----------------------------------------------------------------------------
# IMAP endpoints

imap tls://127.0.0.1:993 tcp://127.0.0.1:143 {
    auth &local_authdb
    storage &local_mailboxes
}

Environment information