Zentyal Forum, Linux Small Business Server
Zentyal Server => Email and Groupware => Topic started by: thegeekmeister on March 30, 2016, 12:28:18 pm
-
See screenshot for the issue. This isn't an issue per se, but it is for us since we are a billing processing company, and the execs see it as extremely important. So since Google started flagging unencrypted emails, I have everyone here freaking out and wanting it fixed ASAP.
How can I force my outgoing email to be TLS encrypted?
/etc/postfix/main.cf includes
smtpd_use_tls = yes
/etc/postfix/master.cf includes
smtp inet n - - - - smtpd
submission inet n - n - - smtpd -o smtpd_recipient_restrictions=submission_recipient_restrictions
tlsmgr unix - - - 1000? 1 tlsmgr
smtps inet n - - - - smtpd
  -o smtpd_enforce_tls=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
Please let me know if you want to see any of my configs.
-
I have this problem too ..... >:( >:(
-
We can also reproduce this problem. :-\
-
I had the same issue last night. I followed this post and created hooks to modify the main.cf file.
http://blog.snapdragon.cc/2013/07/07/setting-postfix-to-encrypt-all-traffic-when-talking-to-other-mailservers/
In general, the default Zentyal postfix and dovecot settings could go through a security hardening review. I have had to create quite a few hooks to handle optimizing security, getting signed SSL to work, improved multi-domain support, enabling DMARC, DKIM, SPF, limiting outbound mail header leakage, etc.
FYI, I prefer to use hooks over stubs since the stub files get updated by Zentyal, and if you don't re-merge your changes periodically other things may not work. Any modifications represent a risk on updates, but I've had much fewer problems using hooks. It has forced me to get very familiar with sed and regex, but well worth it. [Off soapbox, but maybe it will save some others some pain].
-
One other thing I forgot to add. While the above technically solves the issue, you will see in the logs that Google's certs can't be verified. You need to also add these to your main.cf if you don't want the errors.
smtpd_tls_CApath = /etc/ssl/certs
smtp_tls_CApath = /etc/ssl/certs
-
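The post above says the fix shows up in the logs as certificate verification errors, and a later post turns on smtp_tls_loglevel = 1; the lines that setting produces are what tell you whether outbound mail actually went out encrypted and whether the peer certificate was verified. The following is an added example, not code from the thread or from Zentyal: it classifies each outbound Postfix handshake as Trusted/Verified (chain verified against smtp_tls_CApath), Untrusted (TLS used, chain not verified) or Anonymous (TLS without a certificate), and lists the peers whose certificates failed verification. The log excerpt, hostnames and IP addresses are constructed for the demo.

```shell
#!/bin/sh
# Added example: summarise outbound TLS results from Postfix logs written
# with smtp_tls_loglevel = 1.  The log excerpt below is constructed; peer
# names and addresses are not from any real server.

# Write a small constructed mail.log excerpt and print its path.
make_sample_log() {
    f="${TMPDIR:-/tmp}/postfix-tls-sample.$$.log"
    cat > "$f" <<'EOF'
Apr  1 10:00:01 mail postfix/smtp[2101]: Trusted TLS connection established to mx.example.net[192.0.2.10]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Apr  1 10:00:02 mail postfix/smtp[2102]: certificate verification failed for mx.example.org[192.0.2.20]:25: untrusted issuer /CN=Example CA
Apr  1 10:00:02 mail postfix/smtp[2102]: Untrusted TLS connection established to mx.example.org[192.0.2.20]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Apr  1 10:00:03 mail postfix/smtp[2103]: Anonymous TLS connection established to mx.example.com[192.0.2.30]:25: TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)
Apr  1 10:00:04 mail postfix/smtp[2104]: 1A2B3C4D5E: to=<user@example.edu>, relay=mx.example.edu[192.0.2.40]:25, delay=0.5, status=sent (250 2.0.0 OK)
Apr  1 10:00:05 mail postfix/smtpd[2105]: Anonymous TLS connection established from client.example.net[198.51.100.5]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
EOF
    printf '%s\n' "$f"
}

# Print "<trust-level> <peer-host>" for each outbound (postfix/smtp) handshake.
# Inbound postfix/smtpd lines describe clients connecting to us and are skipped.
tls_sessions() {
    awk '/ postfix\/smtp\[[0-9]+\]: (Trusted|Untrusted|Anonymous|Verified) TLS connection established to / {
        level = $0
        sub(/^.* postfix\/smtp\[[0-9]+\]: /, "", level)
        sub(/ TLS connection.*$/, "", level)
        peer = $0
        sub(/^.*established to /, "", peer)
        sub(/\[.*$/, "", peer)
        print level, peer
    }' "$1"
}

# Number of outbound sessions that were encrypted but whose peer certificate
# was not verified (Untrusted) or absent (Anonymous).  With
# smtp_tls_security_level = may these still deliver; they just are not
# protected against an active attacker impersonating the peer.
count_unverified() {
    tls_sessions "$1" | awk '$1 == "Untrusted" || $1 == "Anonymous" { n++ } END { print n + 0 }'
}

# Distinct peers for which Postfix logged a certificate verification failure;
# an empty smtp_tls_CApath is the usual cause of seeing every peer here.
unverified_peers() {
    awk '/ postfix\/smtp\[[0-9]+\]: certificate verification failed for / {
        peer = $0
        sub(/^.*verification failed for /, "", peer)
        sub(/\[.*$/, "", peer)
        print peer
    }' "$1" | sort -u
}

LOG=$(make_sample_log)
tls_sessions "$LOG"
echo "unverified outbound sessions: $(count_unverified "$LOG")"
echo "peers failing verification: $(unverified_peers "$LOG" | tr '\n' ' ')"
rm -f "$LOG"
```

Run it against /var/log/mail.log instead of the constructed file to see the real picture. Note that a delivery logged only as status=sent with no handshake line from the same smtp process went out in plaintext, which "may" permits; the script does not attempt that per-delivery correlation because one smtp process serves many deliveries.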
Using hooks to edit main.cf is going to stop working relatively quickly in the lifespan of an email server, so here is a proper and pretty solid solution that is update- and upgrade-proof.
Issue the following commands:
1. sudo mkdir -p /etc/zentyal/stubs
2. sudo mkdir -p /etc/zentyal/stubs/openchange
3. sudo mkdir -p /etc/zentyal/stubs/mail
4. sudo cp /usr/share/zentyal/stubs/openchange/apache-ocsmanager.conf.mas /etc/zentyal/stubs/openchange
5. sudo cp /usr/share/zentyal/stubs/mail/main.cf.mas /etc/zentyal/stubs/mail
Now you have the 2 stub files necessary to make this all happen. These are Zentyal-generated files, and making copies in the /etc/zentyal/stubs directory and its subdirectories ensures they won't ever be overwritten by the system, but the system will use them over the ones under /usr/share/zentyal/stubs.
Zentyal itself just makes a self-signed certificate, which won't cut it in the real world, so you'll need a trusted third-party SSL certificate that covers the following names for Zentyal mail servers:
yourdomain.com
hostname.yourdomain.com
autodiscover.yourdomain.com
Obviously replace hostname with your server's hostname and yourdomain.com with your actual TLD, but leave autodiscover as is. You can get a Comodo Positive SAN SSL for around $50/year and it's done in a few minutes. You'll need your certificate file, your key file and your ca-bundle; put those in a secure directory on your server, like /etc/apache2/ssl/, as cert.crt, cert.key and cert.ca-bundle.
Then edit the 2 files you just copied:
1. sudo nano /etc/zentyal/stubs/openchange/apache-ocsmanager.conf.mas
2. sudo nano /etc/zentyal/stubs/mail/main.cf.mas
In each of them you will find a certificate reference that points to <% certfile %> (or something really similar to that). Edit it as follows (add the 2nd and 3rd lines):
certificatefile = <path to your .crt>
CertificateKeyFile <path to your .key>
CertificateCAFile <path to your ca-bundle file>
I'm not sure if main.cf.mas works exactly the same way, but it's something VERY similar. Now restart the OpenChange and Mail modules:
1. sudo service zentyal mail restart
2. sudo service zentyal openchange restart
Now you've got a proper certificate file in place and your email server will work like a champion from here on out.
You may also want to find the line in main.cf.mas that sets up your SMTP banner it's something like smtpd_banner = <% destination %> ESMTP
Whatever the <% - - - %> says you can just change that to your FQDN. So if your hostname is "mail" and your TLD is "example.com" then you'd change it to "mail.example.com"
As long as you have your PTR setup properly and your SMTP banner matches then you're golden.
Hope this helps you get things properly fixed.
-
I have just installed Zentyal 6.0. What are the considerations, or how do I get this working, please? There is no openchange service. I have installed the certificates with matching common names etc. Mail Server Diagnostics proves 100% and all in order, but Gmail still marks messages as SPAM because the message is not encrypted.
Test Result
SMTP Reverse DNS Mismatch OK - 101.98.76.xyz resolves to mail.xyz.co.nz
SMTP Valid Hostname OK - Reverse DNS is a valid Hostname
SMTP Banner Check OK - Reverse DNS matches SMTP Banner
SMTP TLS OK - Supports TLS.
SMTP Connection Time 1.346 seconds - Good on Connection time
SMTP Open Relay OK - Not an open relay.
SMTP Transaction Time 4.303 seconds - Good on Transaction Time
-
Please create an issue here: https://github.com/zentyal/zentyal/issues/
-
While not really solving your problem with this answer, I can suggest a work-around if you don't have a high email volume. https://www.mailgun.com/ has a free tier up to 10k emails per month. I found it easy to configure with Zentyal.
-
Hi halflife, can you use Mailgun as a smarthost for the Zentyal mail server?
-
Hello all,
This solution is OK for me:
http://blog.snapdragon.cc/2013/07/07/setting-postfix-to-encrypt-all-traffic-when-talking-to-other-mailservers/
but I edited
/etc/postfix/main.cf
and added
smtpd_tls_security_level = may
smtp_tls_security_level = may
smtp_tls_loglevel = 1
smtpd_tls_loglevel = 1
then
postfix reload
Everything is working, but after a restart, update, or something else I see that main.cf is as before, without the
smtpd_tls_security_level = may
smtp_tls_security_level = may
smtp_tls_loglevel = 1
smtpd_tls_loglevel = 1
What am I doing wrong?
-
Same as before in this thread (Zentyal 6.01):
sudo mkdir -p /etc/zentyal/stubs/mail
sudo cp /usr/share/zentyal/stubs/mail/main.cf.mas /etc/zentyal/stubs/mail
then just edit and add what you want:
sudo nano /etc/zentyal/stubs/mail/main.cf.mas
After a restart the config is loaded with your parameters.
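Both approaches in this thread, a hook that re-applies settings to /etc/postfix/main.cf after Zentyal regenerates it, and a copied stub main.cf.mas that is edited once, need the same edit: set a handful of Postfix parameters without duplicating keys that are already there, and leave everything else (including the Mason tags in a stub) alone. The following is an added example rather than Zentyal's or any poster's code. The sample file is constructed, the temp paths are assumptions, and /etc/zentyal/hooks/mail.postsetconf is named here as the Zentyal post-setconf hook location, which the thread itself does not spell out.

```shell
#!/bin/sh
# Added example: idempotently set Postfix parameters in a main.cf-style
# file (a regenerated /etc/postfix/main.cf from a hook, or a copied
# /etc/zentyal/stubs/mail/main.cf.mas).  Not Zentyal code; sample file
# and paths are assumptions.

# set_param FILE KEY VALUE: rewrite an existing "KEY = ..." line or append
# one.  Only a key starting in column 1 counts, as Postfix requires, so
# continuation lines, comments and Mason tags are never touched.
set_param() {
    file=$1 key=$2 value=$3
    tmp="$file.tmp.$$"
    awk -v k="$key" -v v="$value" '
        $0 ~ ("^" k "[ \t]*=") {          # existing definition
            if (!seen) print k " = " v    # rewrite the first, drop duplicates
            seen = 1
            next
        }
        { print }
        END { if (!seen) print k " = " v }  # absent: append
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# get_param FILE KEY: print the current value, empty if unset.
get_param() {
    awk -v k="$2" '
        $0 ~ ("^" k "[ \t]*=") { sub("^" k "[ \t]*=[ \t]*", ""); val = $0 }
        END { print val }
    ' "$1"
}

# apply_tls_policy FILE: the settings the thread converged on.  "may" is
# opportunistic: TLS when the peer offers STARTTLS, plaintext otherwise.
# Raise smtp_tls_security_level to "encrypt" only if it is acceptable that
# mail to peers without TLS is deferred and eventually bounced.
apply_tls_policy() {
    set_param "$1" smtpd_tls_security_level may
    set_param "$1" smtp_tls_security_level may
    set_param "$1" smtp_tls_CApath /etc/ssl/certs
    set_param "$1" smtpd_tls_CApath /etc/ssl/certs
    set_param "$1" smtp_tls_loglevel 1
    set_param "$1" smtpd_tls_loglevel 1
}

# make_sample_cf: a constructed main.cf fragment with a Mason-style tag,
# standing in for a real stub; prints its path.
make_sample_cf() {
    f="${TMPDIR:-/tmp}/main.cf.sample.$$"
    cat > "$f" <<'EOF'
# constructed sample, not a real Zentyal stub
smtpd_banner = <% $destination %> ESMTP
smtpd_use_tls = yes
smtp_tls_security_level = none
smtpd_tls_cert_file = <% $certfile %>
EOF
    printf '%s\n' "$f"
}

CF=$(make_sample_cf)
apply_tls_policy "$CF"
cat "$CF"
rm -f "$CF"
```

In the hook flow, an executable /etc/zentyal/hooks/mail.postsetconf would source these functions, call apply_tls_policy /etc/postfix/main.cf and then run postfix reload; in the stub flow, run apply_tls_policy once against the copied main.cf.mas and restart the mail module. Because set_param matches a key only at column 1 and rewrites rather than appends when it already exists, running it on every regeneration changes nothing after the first time, and postconf -n can be used afterwards to confirm the values Postfix actually loaded.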