Author Topic: Outgoing mail isn't being sent with TLS, causing gmail to flag it...  (Read 1407 times)

thegeekmeister

  • Zen Apprentice
  • *
  • Posts: 4
  • Karma: +0/-0
See screenshot for the issue.  This isn't an issue per se, but it is for us since we are a billing processing company, and the execs see it as extremely important.  So since Google started flagging unencrypted emails I have everyone here freaking out and wanting it fixed asap.

How can I force my outgoing email to be TLS encrypted?

/etc/postfix/main.cf includes

Quote
smtpd_use_tls = yes

/etc/postfix/master.cf includes

Quote
smtp      inet  n       -       -       -       -       smtpd
submission inet n       -       n       -       -       smtpd -o smtpd_recipient_restrictions=submission_recipient_restrictions
tlsmgr    unix  -       -       -       1000?   1       tlsmgr
smtps     inet  n       -       -       -       -       smtpd
  -o smtpd_enforce_tls=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject

Please let me know if you want to see any of my configs.
« Last Edit: March 30, 2016, 12:34:09 pm by thegeekmeister »

albert4565

  • Zen Apprentice
  • *
  • Posts: 4
  • Karma: +0/-0
I've this problem too .....   >:( >:(

TQx

  • Zen Apprentice
  • *
  • Posts: 3
  • Karma: +0/-0
We can also reproduce this problem.  :-\

igp

  • Zen Apprentice
  • *
  • Posts: 6
  • Karma: +0/-0
Re: Outgoing mail isn't being sent with TLS, causing gmail to flag it...
« Reply #3 on: June 15, 2016, 01:13:54 am »
I had the same issue last night.  I followed this post and created hooks to modify the main.cf file.

http://blog.snapdragon.cc/2013/07/07/setting-postfix-to-encrypt-all-traffic-when-talking-to-other-mailservers/

In general the default Zentyal postfix and dovecot settings could go through a security hardening review.   I have had to create quite a few hooks to handle optimizing security, getting signed SSL to work, improved multi-domain support, enabling dmarc, dkim, spf, limiting outbound mail header leakage, etc. 

FYI, I prefer to use hooks over stubs since the stub files get updated by Zentyal and if you don't re-merge your changes periodically other things may not work.  Any modifications represent a risk on updates but I've had much fewer problems using hooks.  It has forced me to get very familiar with sed and regex but well worth it.  [Off soapbox but maybe it will save some others some pain].

igp

  • Zen Apprentice
  • *
  • Posts: 6
  • Karma: +0/-0
Re: Outgoing mail isn't being sent with TLS, causing gmail to flag it...
« Reply #4 on: June 15, 2016, 03:17:20 am »
One other thing I forgot to add.  While the above technically solves the issue, you will see in the logs that Google's certs can't be verified.  You need to also add these to your main.cf if you don't want the errors.
smtpd_tls_CApath = /etc/ssl/certs
smtp_tls_CApath = /etc/ssl/certs
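The two replies above (encrypting outbound traffic via a main.cf hook, and adding the CApath lines so remote certificates verify) can be combined into one idempotent hook helper. This is an added example, not code from the thread, the linked blog post or Zentyal itself; the setting values and the /etc/ssl/certs path are assumptions for illustration.

```shell
#!/bin/sh
# Added example: an idempotent "set KEY = VALUE in main.cf" helper of the
# kind a Zentyal post-service hook would call, applying the outbound-TLS
# settings discussed above. The values used here are assumptions.

# set_cf FILE KEY VALUE: replace an existing "KEY = ..." line or append one.
set_cf() {
    file="$1"; key="$2"; value="$3"
    if grep -q "^[[:space:]]*${key}[[:space:]]*=" "$file"; then
        # Rewrite the existing assignment in place via a temp file.
        sed "s|^[[:space:]]*${key}[[:space:]]*=.*|${key} = ${value}|" "$file" > "$file.tmp" \
            && mv "$file.tmp" "$file"
    else
        printf '%s = %s\n' "$key" "$value" >> "$file"
    fi
}

# harden_outbound_tls FILE: outbound (smtp_*) TLS settings, as opposed to the
# inbound smtpd_* settings the original poster already had.
harden_outbound_tls() {
    cf="$1"
    # Opportunistic TLS: use STARTTLS whenever the remote MTA offers it and
    # fall back to plaintext otherwise. "encrypt" would instead refuse to
    # deliver to servers without TLS, which loses mail to such domains.
    set_cf "$cf" smtp_tls_security_level may
    # Trust store so that remote certificates (e.g. Google's) verify cleanly.
    set_cf "$cf" smtp_tls_CApath /etc/ssl/certs
    set_cf "$cf" smtpd_tls_CApath /etc/ssl/certs
    # Log protocol and cipher per delivery so the change is visible in mail.log.
    set_cf "$cf" smtp_tls_loglevel 1
}

# get_cf FILE KEY: print the value currently set for KEY (empty if absent).
get_cf() {
    sed -n "s|^[[:space:]]*$2[[:space:]]*=[[:space:]]*||p" "$1" | tail -n 1
}
```

After running the hook, `postconf smtp_tls_security_level` should report the new value and the per-delivery log lines will show whether each outbound session used TLS.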

trysomething

  • Zen Warrior
  • ***
  • Posts: 119
  • Karma: +5/-0
  • Founder of The Tiki Lab
Re: Outgoing mail isn't being sent with TLS, causing gmail to flag it...
« Reply #5 on: June 15, 2016, 11:51:40 pm »
Using hooks to edit main.cf is going to stop working relatively quickly in the life span of an email server.  So there is a proper and pretty solid solution that is update and upgrade proof.
Issue the following commands:
1. sudo mkdir -p /etc/Zentyal/stubs
2. sudo mkdir -p /etc/Zentyal/stubs/openchange
3. sudo mkdir -p /etc/Zentyal/stubs/mail
4. cp /usr/share/Zentyal/stubs/openchange/apache-ocsmanager.conf.mas /etc/Zentyal/stubs/openchange
5. cp /usr/share/Zentyal/stubs/mail/main.cf.mas /etc/Zentyal/stubs/mail

Now you have the 2 stub files necessary to make this all happen.  These are Zentyal generated files and making copies in the /etc/Zentyal/stubs directory and subdirectories ensures they won't ever be overwritten by the system, but the system will use them over the ones under /usr/share/Zentyal/stubs.
Zentyal itself just makes a self signed certificate, that won't cut it in the real world, so you'll need a trusted 3rd party SSL that covers the following names for Zentyal Mail Servers:
yourdomain.com
hostname.yourname.com
autodiscover.yourdomain.com
Obviously replace hostname with your servers hostname and yourdomain.com with your actual TLD but leave autodiscover as is.  You can get a Comodo Positive SAN SSL for around $50/year and it's done in a few minutes.  You'll need your certificate file, your key file and your ca-bundle, put those in a secure directory on your server like /etc/apache2/ssl/cert.crt - cert.key & cert.ca-bundle
Then edit the 2 files you just copied:
1. sudo nano /etc/Zentyal/stubs/openchange/apache-ocsmanager.conf.mas
2. sudo nano /etc/Zentyal/stubs/mail/main.cf.mas

In each of them you will find a certificate reference and it points to <% certfile %> (or something really similar to that); you'll edit it as follows (add the 2nd line and 3rd line):
certificatefile = <path to your .crt>
CertificatKeyFile <path to your .key>
CertificateCAFile <path to your ca-bundle file>

I'm not sure if the main.cf.mas works exactly the same way but it's something VERY similar.  Now restart OpenChange and Mail Modules:
1. sudo service Zentyal mail restart
2. sudo service Zentyal openchange restart

Now you've got a proper certificate file in place and your email server will work like a champion from here on out.
You may also want to find the line in main.cf.mas that sets up your SMTP banner it's something like smtpd_banner = <% destination %> ESMTP
Whatever the <% - - - %> says you can just change that to your FQDN.  So if your hostname is "mail" and your TLD is "example.com" then you'd change it to "mail.example.com"
As long as you have your PTR setup properly and your SMTP banner matches then you're golden.
Hope this helps you get things properly fixed.
You will have to excuse my posts not having actual links in them.  I'm blind and can never find that insert hyperlink button LoL.  If you, or someone you know has vision problems check out The Tiki Lab.

compuit

  • Zen Apprentice
  • *
  • Posts: 7
  • Karma: +0/-0
Re: Outgoing mail isn't being sent with TLS, causing gmail to flag it...
« Reply #6 on: November 14, 2018, 04:39:15 am »
I have just installed Zentyal 6.0. What are the considerations, or how do I get this working, please? There is no openchange service. I have installed the Certificates with matching common names etc. Mail Server Diagnostics proves 100% and all in order, but GMail still marks as SPAM because the message is not encrypted.

Test                        Result
SMTP Reverse DNS Mismatch   OK - 101.98.76.xyz resolves to mail.xyz.co.nz
SMTP Valid Hostname         OK - Reverse DNS is a valid Hostname
SMTP Banner Check           OK - Reverse DNS matches SMTP Banner
SMTP TLS                    OK - Supports TLS.
SMTP Connection Time        1.346 seconds - Good on Connection time
SMTP Open Relay             OK - Not an open relay.
SMTP Transaction Time       4.303 seconds - Good on Transaction Time
« Last Edit: November 14, 2018, 04:42:19 am by compuit »

Neustradamus

  • Zen Monk
  • **
  • Posts: 63
  • Karma: +0/-2
Re: Outgoing mail isn't being sent with TLS, causing gmail to flag it...
« Reply #7 on: November 15, 2018, 01:19:26 am »
Please create an issue here: https://github.com/zentyal/zentyal/issues/

half_life

  • Bug Hunter
  • Zen Hero
  • *****
  • Posts: 860
  • Karma: +57/-0
Re: Outgoing mail isn't being sent with TLS, causing gmail to flag it...
« Reply #8 on: November 26, 2018, 01:14:58 am »
While not really solving your problem with this answer, I can suggest a work-around if you don't have a high email volume.  https://www.mailgun.com/ has a free tier up to 10k emails per month.  I found it easy to configure with Zentyal.