I configured postfix to force the use of TLS. When an external client tries to send an email using this server there are no problems. But using webmail (127.0.0.1), postfix wants TLS:
delivery temporarily suspended: TLS is required, but was not offered by host 127.0.0.1[127.0.0.1])
Which changes do I need to make to master.cf?
smtp_use_tls = yes
smtp_tls_security_level = encrypt
smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/postfix/ssl/xxx.key
smtpd_tls_cert_file = /etc/postfix/ssl/xxx.crt
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
You could:
1. smtp_tls_security_level = may
   This will allow your server to deliver mail to hosts that don't offer TLS or hosts with bad certificates (as it would otherwise retry unencrypted).
2. smtpd_tls_security_level = may
   This will cause your server to offer TLS encryption to clients on any listening port.
3. smtpd_tls_security_level = encrypt
   This will cause your server to require TLS encryption from all clients on any listening port.
For internet hosts it's common to do both 1 and 2, but you know your requirements better than I do.
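An added configuration example (not from the question or any of the answers) showing how to keep `encrypt` as the default for outbound delivery while relaxing only the loopback next-hop through a per-destination TLS policy table, plus a loopback-only smtpd service in master.cf for the webmail. The policy file path, the port 10025 and the exact next-hop key are assumptions; the key must match the destination as it is written in your transport table or relayhost setting.

```ini
# /etc/postfix/main.cf  (added example; paths and ports are assumptions)
# Keep mandatory TLS as the default for mail the server sends out ...
smtp_tls_security_level = encrypt
# ... but let a per-destination policy table override it for specific next-hops.
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy

# Inbound: offer TLS on every listening port, and on the public port only
# accept SASL AUTH once the session is encrypted.
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes

# /etc/postfix/tls_policy  (run "postmap /etc/postfix/tls_policy" after editing)
# Lookup key is the next-hop destination exactly as written in transport/relayhost
# (assumed here to be [127.0.0.1]); opportunistic TLS for the loopback hop only,
# every other destination still falls back to the global "encrypt".
[127.0.0.1]     may

# /etc/postfix/master.cf
# Loopback-only service for the webmail (assumed port 10025). This is a second
# smtpd service inside the same Postfix instance, not a second instance.
# Plaintext AUTH is tolerated here because the socket never leaves the host,
# and the client restriction keeps it closed to anything outside mynetworks.
# service         type  private unpriv  chroot  wakeup  maxproc command + args
127.0.0.1:10025   inet  n       -       n       -       -       smtpd
  -o smtpd_tls_security_level=none
  -o smtpd_tls_auth_only=no
  -o smtpd_client_restrictions=permit_mynetworks,reject
```

Point the webmail at 127.0.0.1:10025 and reload Postfix; the public port keeps its mandatory-TLS settings unchanged.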
I doubt you can do that without running a second instance of postfix with smtpd_tls_auth_only set to no and then changing the webmail software to send mail to that instance instead.
You might consider reconfiguring the webmail to use TLS instead if possible or to deliver mail directly locally instead of using a TCP connection.
stunnel will fix this. It creates an SSL(TLS) connection to postfix:
http://www.stunnel.org/examples/