I am having strange problems with my Postfix setup. Everything seems to work fine, other than that I am not able to receive email from google.com: Gmail's servers connect, complete the TLS handshake, and then drop the connection right after STARTTLS, before issuing MAIL FROM:
Aug 29 11:39:38 mx postfix/smtpd[1055]: connect from mail-ed1-f41.google.com[209.85.208.41]
Aug 29 11:39:38 mx postfix/smtpd[1055]: Trusted TLS connection established from mail-ed1-f41.google.com[209.85.208.41]: TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (2048 bits) client-digest SHA256
Aug 29 11:39:38 mx postfix/smtpd[1055]: lost connection after STARTTLS from mail-ed1-f41.google.com[209.85.208.41]
Aug 29 11:39:38 mx postfix/smtpd[1055]: disconnect from mail-ed1-f41.google.com[209.85.208.41] ehlo=1 starttls=1 commands=2
I am able to send email to them, and sending to all other domains is fine. Here is my config (`postconf -n` output, identifying values replaced with `[removed]`):
root@mx# postconf -n
# Postfix main.cf settings as reported by "postconf -n" (non-default values
# only). Comments marked NOTE(review) are reviewer remarks; every other line
# is the poster's configuration unchanged.
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
default_destination_concurrency_limit = 1
default_process_limit = 100
# VRFY is disabled so the server cannot be used to enumerate mailboxes.
disable_vrfy_command = yes
header_checks = regexp:/etc/postfix/header_checks
header_size_limit = 51200
inet_interfaces = [removed]
inet_protocols = ipv4, ipv6
initial_destination_concurrency = 1
mailbox_size_limit = 0
# Roughly 200 MB per message. queue_minfree further down is exactly 1.5x this
# value, which is the minimum postconf(5) asks for (the SMTP server rejects
# MAIL FROM when free queue space drops below queue_minfree).
message_size_limit = 200480000
milter_connect_macros = i b j _ {daemon_name} {if_name} {client_addr}
# NOTE(review): "accept" makes every milter fail-open. If greylisting,
# SpamAssassin or the milter on localhost:12301 is down or misconfigured, mail
# is accepted as if that filter did not exist, and nothing in the SMTP
# transaction shows it. That is a legitimate availability choice, but
# "tempfail" is the fail-closed alternative if the filters are security
# controls rather than conveniences.
milter_default_action = accept
milter_protocol = 2
mime_header_checks = regexp:/etc/postfix/mime_header_checks
mydestination = localhost, mx.[removed]
mydomain = [removed]
myhostname = mx.[removed]
mynetworks = [removed]
myorigin = [removed]
# Same TCP milter as the last entry of smtpd_milters; it also sees locally
# submitted (non-SMTP) mail. Its role is not visible from this listing.
non_smtpd_milters = inet:localhost:12301
queue_minfree = 300720000
readme_directory = no
recipient_delimiter = +
relay_domains = mysql:/etc/postfix/mysql_relay_domains.cf
# All outbound mail is handed to this authenticated relay (no transport_maps
# are shown that would route anything directly).
relayhost = [smtp.mailgun.org]:587
smtp_connect_timeout = 120s
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = static:[removed]
# NOTE(review): "noanonymous" still allows PLAIN and LOGIN, and the client
# TLS level below is only "may" (opportunistic). An on-path attacker who
# strips the STARTTLS capability from the relay's EHLO response would get
# the relay credentials in cleartext. The usual hardening is
# "smtp_sasl_security_options = noanonymous, noplaintext" with
# "smtp_sasl_tls_security_options = noanonymous" (plaintext mechanisms only
# inside TLS); since everything goes to one known relayhost, raising
# smtp_tls_security_level to "encrypt" (or "secure" with an smtp_tls_CAfile,
# which is not set here) costs nothing either.
smtp_sasl_security_options = noanonymous
smtp_tls_ciphers = high
smtp_tls_note_starttls_offer = yes
# Only SSLv2/SSLv3 are excluded; TLS 1.0 and 1.1 remain enabled for client
# sessions. Acceptable for opportunistic TLS, where any encryption beats
# falling back to cleartext.
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
# Legacy setting; smtp_tls_security_level above takes precedence over it.
smtp_use_tls = yes
# NOTE(review): postconf(5) says the banner text MUST start with $myhostname
# (RFC 5321 expects the server's FQDN in the 220 greeting). Some receivers
# and reputation checks penalise a greeting without it.
smtpd_banner = Welcome.
smtpd_client_connection_count_limit = 10
smtpd_client_connection_rate_limit = 30
smtpd_helo_required = yes
# Only a permit here; HELO checks otherwise fall through to the recipient
# restrictions below.
smtpd_helo_restrictions = permit_mynetworks
# Inbound milters in order: greylisting, SpamAssassin, and the TCP milter on
# 12301 shared with non_smtpd_milters.
smtpd_milters = unix:/milter-greylist/milter-greylist.sock, unix:/spamass/spamass.sock, inet:localhost:12301
smtpd_recipient_limit = 100
# reject_unauth_destination (here and in smtpd_relay_restrictions) is what
# stops open relaying; keep it ahead of any permit_* that unknown clients
# could match.
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_hostname, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unauth_destination, reject_unauth_pipelining, reject_invalid_hostname
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_unauth_pipelining
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
# NOTE(review): same remark as for the client side: without "noplaintext"
# here, PLAIN/LOGIN are offered to submitting users on cleartext sessions
# as well, since smtpd_tls_security_level is "may". The usual split is
# "noanonymous, noplaintext" here and "noanonymous" in
# smtpd_sasl_tls_security_options, so passwords are only accepted over TLS.
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
# Trust store used to verify client certificates (see smtpd_tls_ask_ccert).
smtpd_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
# NOTE(review): asking every SMTP client for a certificate is unusual for a
# public MX. It explains the "Trusted TLS connection established" line in
# the log (Google presented a client cert that chained to the CAfile), but
# nothing in the restrictions above uses permit_tls_clientcerts or similar,
# so the certificate buys nothing here. postconf(5) notes some clients react
# badly to an unexpected CertificateRequest; "no" is the default for that
# reason and is the safer choice unless certificate-based relaying is planned.
smtpd_tls_ask_ccert = yes
smtpd_tls_cert_file = /etc/letsencrypt/live/[removed]/fullchain.pem
smtpd_tls_ciphers = high
# The parameter name dates from when 1024-bit DH was the default; the size of
# the group actually stored in dhparams.pem is not visible here. Confirm it
# is at least 2048 bits.
smtpd_tls_dh1024_param_file = /etc/postfix/certs/dhparams.pem
smtpd_tls_key_file = /etc/letsencrypt/live/[removed]/privkey.pem
smtpd_tls_loglevel = 1
# NOTE(review): per postconf(5) this list is only consulted at mandatory TLS
# levels ("encrypt" or stricter). With smtpd_tls_security_level = may below it
# has no effect on inbound sessions at all; smtpd_tls_exclude_ciphers is the
# setting that applies at every level. Two entries also look like typos
# carried over from a widely copied list ("EDH-RSA-DES-CDC3-SHA" for
# "EDH-RSA-DES-CBC3-SHA", "KRB5-DE5" for "KRB5-DES") and would match nothing
# even where the list is used.
smtpd_tls_mandatory_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDC3-SHA, KRB5-DE5, CBC3-SHA
# Same protocol set as the client side: SSLv2/v3 off, TLS 1.0/1.1 still on.
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_received_header = yes
# Opportunistic TLS on the MX: clients that do not negotiate STARTTLS can
# still deliver in cleartext, which is the expected posture for a public
# receiver. Submission (port 587) policy would be set in master.cf, which is
# not shown.
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
# Legacy setting; smtpd_tls_security_level above takes precedence over it.
smtpd_use_tls = yes
spamassassin_destination_recipient_limit = 1
virtual_alias_maps = mysql:/etc/postfix/mysql_virtual_alias_maps.cf
virtual_gid_maps = static:3000
virtual_mailbox_base = /home/vmail
virtual_mailbox_domains = mysql:/etc/postfix/mysql_virtual_mailbox_domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
virtual_transport = lmtp:unix:private/dovecot-lmtp
virtual_uid_maps = static:3000
Any ideas?
Never mind — I have found the problem: the MTA-STS policy I publish for the domain was to blame. A sender that enforces MTA-STS (as Google does) checks after STARTTLS that the server's certificate matches an MX host allowed by the policy, and abandons the session without sending any mail if it does not, which is exactly the "lost connection after STARTTLS" pattern in the log above. Fixing the policy's `mx:` entries to match the MX hostname and certificate, rather than dropping the policy to `testing` mode, is the right repair.