Home / server / Questions / 757664
Accepted
gavanon
Asked: 2016-02-17 14:40:49 +0800 CST

Gmail flagging Dovecot email as insecure

  • 772

I thought I successfully secured my Postfix/Dovecot email server. I have a signed certificate from LetsEncrypt, which is valid for my domain.

Sending & receiving works fine, but since Gmail started flagging insecure emails, all mail sent from my server are flagged as unencrypted.

Gmail users see "This message wasn't encrypted", like this:

enter image description here

In Postfix's main.cf, among other settings, I have:

# SASL, for SMTP authentication
smtpd_sasl_type = dovecot
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_path = private/auth

# TLS, for encryption
smtpd_tls_security_level = may
smtpd_tls_auth_only = no
smtpd_tls_CAfile = /etc/letsencrypt/live/mydomain.com/chain.pem
smtpd_tls_cert_file = /etc/letsencrypt/live/mydomain.com/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/mydomain.com/privkey.pem
tls_random_source = dev:/dev/urandom
smtpd_client_new_tls_session_rate_limit = 10
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_tls_exclude_ciphers =
    EXP
    EDH-RSA-DES-CBC-SHA
    ADH-DES-CBC-SHA
    DES-CBC-SHA
    SEED-SHA
smtpd_tls_dh512_param_file = ${config_directory}/certs/dh_512.pem
smtpd_tls_dh1024_param_file = ${config_directory}/certs/dh_1024.pem
disable_vrfy_command = yes
smtpd_helo_required = yes
smtpd_delay_reject = yes

In Postfix's master.cf, among other settings, I have:

smtp      inet  n       -       -       -       -       smtpd
  -o smtpd_enforce_tls=yes
  -o smtpd_use_tls=yes
  -o smtpd_tls_security_level=encrypt

submission inet n       -       -       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o broken_sasl_auth_clients=yes

In Dovecot's 10-ssl.conf, among other settings, I have:

ssl = required
ssl_ca = </etc/letsencrypt/live/mydomain.com/chain.pem
ssl_cert = </etc/letsencrypt/live/mydomain.com/fullchain.pem
ssl_key = </etc/letsencrypt/live/mydomain.com/privkey.pem

Is Gmail falsely flagging LetsEncrypt certificates because it doesn't trust them, or is my email really being sent unencrypted?

ubuntu

3 Answers

  1. Best Answer

    I solved this by adding both these lines to Postfix's main.cf:

    smtp_tls_security_level = may
smtpd_tls_security_level = may

    (I had only set smtpd_tls_security_level because of a misleading article that said all smtp_ values were depreciated in favour of smtpd_.)

    • 11

  2. Your email is sent unencrypted. If you just want to try your best add the following to your main.cf

    smtp_tls_security_level = may

    To enforce TLS encryption for email sent to google add this to your main.cf

    # Force TLS for outgoing server connection
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
smtp_tls_CApath = /etc/postfix/rootcas/

    replace /etc/postfix/rootcas/ with the location of your trusted Root CAs and in the file /etc/postfix/tls_policy add

    #/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
gmail.com       secure ciphers=high
google.com      secure ciphers=high
googlemail.com  secure ciphers=high

    this will enforce that email sent to gmail.com., google.com and googlemail.com are sent encrypted and authenticating the SMTP server

    If you don´t want to authenticate and just encrypt (this is is necessary for sites with bogus certificates) use

    gmail.com       encrypt ciphers=high
google.com      encrypt ciphers=high
googlemail.com  encrypt ciphers=high

    before restarting postfix execute

    postmap /etc/postfix/tls_policy
    • 7

  3. Consider the client/server relationship with regards to SMTP and the settings make sense:

    2.1. Basic Structure

    The SMTP design can be pictured as:

                  +----------+                +----------+
  +------+    |          |                |          |
  | User |<-->|          |      SMTP      |          |
  +------+    |  Client- |Commands/Replies| Server-  |
  +------+    |   SMTP   |<-------------->|    SMTP  |    +------+
  | File |<-->|          |    and Mail    |          |<-->| File |
  |System|    |          |                |          |    |System|
  +------+    +----------+                +----------+    +------+
               SMTP client                SMTP server

    (Src: rfc5321.txt)

    Thus:

    "smtp_tls_security_level" is for the Postfix SMTP client. See: http://www.postfix.org/postconf.5.html#smtp_tls_security_level

    "smtpd_tls_security_level" is for the Postfix SMTP server See: http://www.postfix.org/postconf.5.html#smtpd_tls_security_level

    When postfix is transferring mail to gmail, the smtp_tls_security_level setting is the associated setting.

    When postfix is receiving mail over smtp, the smtpd_tls_security_level setting is relevant.

    • 5