
Thread: TLS disabled in Postfix smtp client after install & upgrade (smtp_tls_security_level)

  1. #1
    nix

    I can't for the life of me understand why ZCS does not ship with the following Postfix configuration option set to "may" and why it is cleared after an upgrade!
    Code:
    zimbra@host:~$ postconf smtp_tls_security_level
    smtp_tls_security_level =
    
    zimbra@host:~$ zmlocalconfig postfix_smtp_tls_security_level
    Warning: null valued key 'postfix_smtp_tls_security_level'

    I'd file a bug report but want to make sure other users experience this as well.
    Or is there a good reason for SENDING ALL OUTGOING EMAIL IN CLEARTEXT even if the receiving smtpd server supports SSL/TLS?
    Is this happening for anyone else?
    Is it like this only in the OSE?

    To enable opportunistic TLS for the Postfix SMTP client (smtp):
    Code:
    zimbra@host:~$ zmlocalconfig -e postfix_smtp_tls_security_level=may
    zimbra@host:~$ postconf -e smtp_tls_CAfile=/opt/zimbra/zimbramon/lib/Mozilla/CA/cacert.pem
    zimbra@host:~$ postconf -e smtp_tls_loglevel=1

    The first line above enables opportunistic TLS, i.e. if the receiving smtpd server supports TLS/SSL, message delivery to that server will be encrypted, otherwise it will be sent in cleartext - hence opportunistic.
    Note: Zimbra's config (re)writer recognises this configuration option and will transpose it into main.cf (after removing the postfix_ prefix) and reload postfix configuration automatically.
    The second line isn't strictly needed but should be executed so that Postfix can 'trust' other smtpd servers' certificates (looks better in logs). If it can't 'trust' them, encryption still occurs but as 'untrusted'.
    The third line is so you can monitor /var/log/zimbra.log to make sure TLS is being used on outgoing emails.
    Note: The latter configuration options are NOT recognised by Zimbra's config (re)writer, hence why you must use postconf rather than zmlocalconfig - which means you'll have to do this all over again after upgrade - until this is fixed!

    You should now see this in your logs when you send an email from ZCS:

    Code:
    May 13 12:11:10 host postfix/smtp[1234]: Trusted TLS connection established to mail.example.com[xx.xx.xx.xx]:25: TLSv1.2 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)

    Am I going mad?
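
Added example (not part of the original post, and not Zimbra or Postfix code): a Python audit of postfix/smtp log lines that reports, for each sent message, whether the same smtp process logged a TLS handshake to that relay first, which is what smtp_tls_loglevel=1 makes visible. The sample log lines, function names and the shape of the delivery lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample of /var/log/zimbra.log lines (hosts, PIDs, queue IDs and
# addresses are made up; 192.0.2.0/24 is a documentation address range).
SAMPLE_LOG = """\
May 13 12:11:10 host postfix/smtp[1234]: Trusted TLS connection established to mail.example.com[192.0.2.10]:25: TLSv1.2 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)
May 13 12:11:11 host postfix/smtp[1234]: 4A1B2C3D4E: to=<bob@example.com>, relay=mail.example.com[192.0.2.10]:25, delay=1.2, status=sent (250 2.0.0 Ok)
May 13 12:12:02 host postfix/smtp[1240]: Untrusted TLS connection established to mx.example.net[192.0.2.20]:25: TLSv1 with cipher AES256-SHA (256/256 bits)
May 13 12:12:03 host postfix/smtp[1240]: 5B2C3D4E5F: to=<carol@example.net>, relay=mx.example.net[192.0.2.20]:25, delay=0.9, status=sent (250 OK)
May 13 12:13:30 host postfix/smtp[1251]: 6C3D4E5F60: to=<dave@example.org>, relay=mail.example.org[192.0.2.30]:25, delay=0.5, status=sent (250 OK)
"""

TLS_RE = re.compile(r"postfix/smtp\[(\d+)\]: (\w+) TLS connection established to (\S+?): ")
SENT_RE = re.compile(r"postfix/smtp\[(\d+)\]: (\w+): to=<([^>]*)>, relay=([^,]+),.*status=sent")

def audit_outbound_tls(lines):
    """Return [(queue_id, recipient, relay, tls_state)] for each sent message.

    tls_state is the trust word Postfix logged ("Trusted", "Untrusted", ...)
    or "cleartext" when the same smtp process logged no TLS handshake to that
    relay before the delivery. Heuristic: assumes smtp_tls_loglevel=1 and that
    a delivery line follows its handshake line from the same PID.
    """
    tls_by_conn = {}  # (pid, relay) -> trust word from the handshake line
    results = []
    for line in lines:
        m = TLS_RE.search(line)
        if m:
            pid, trust, relay = m.groups()
            tls_by_conn[(pid, relay)] = trust
            continue
        m = SENT_RE.search(line)
        if m:
            pid, qid, rcpt, relay = m.groups()
            results.append((qid, rcpt, relay, tls_by_conn.get((pid, relay), "cleartext")))
    return results

def summarize(results):
    """Count deliveries per TLS state."""
    return Counter(state for *_, state in results)

if __name__ == "__main__":
    for qid, rcpt, relay, state in audit_outbound_tls(SAMPLE_LOG.splitlines()):
        print(f"{qid} {rcpt} via {relay}: {state}")
```

With smtp_tls_loglevel left at 0 no handshake lines are written, so every delivery would be reported as "cleartext" regardless of what happened on the wire.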

  2. #2
    quanah (Zimbra Employee)

    You fail to state a ZCS version. postfix_smtp_tls_security_level is a localconfig key in ZCS 8.0.

    --Quanah
    Quanah Gibson-Mount
    Server Architect
    Zimbra, Inc

  3. #3
    nix

    Sorry - have added version to signature. Upgrade was from ZCS OSE 7.2.3.

    "postfix_smtp_tls_security_level is a localconfig key in ZCS 8.0."

    I realise this but one would have thought that opportunistic TLS would be enabled by default.
    The smtp_tls_CAfile config variable is also blank by default which really should contain a CA bundle to verify server certificates.
    I had a hunt around /opt/zimbra and there are a few CA bundles floating around but surprisingly none in the ssl/ directory.

    n.
    Last edited by nix; 05-14-2013 at 04:39 AM.
    Release 8.0.3.GA.5664.UBUNTU12.64 UBUNTU12_64 FOSS edition.
