En mi servidor Postfix utilizo el puerto 465para envío y el puerto 25para retransmisión ("recepción de relé"y"envío de retransmisión"). Utilizo el puerto 993configurado en Dovecot para la "recuperación" de correo.
Cuando estaba configurando Postfix evité configurar puertos 25y 465el interior /etc/postfix/main.cf, lo cual sigue siendo simple:
smtpd_banner = $myhostname -------> "HELLO!"
biff = no
append_dot_mydomain = no
readme_directory = no
compatibility_level = 2
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = mail.domain.eu
alias_maps = hash:/etc/postfix/aliases
alias_database = hash:/etc/postfix/aliases
myorigin = /etc/mailname
mydestination = $myhostname, tekpi-eu, localhost.localdomain, localhost
relayhost =
mynetworks = 127.0.0.0/8
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
mydomain = domain.eu
mynetworks_style = host
virtual_mailbox_base = /var/mail/
virtual_mailbox_domains = domain.eu
virtual_mailbox_maps = hash:/etc/postfix/virtual_mailboxes
virtual_gid_maps = static:997
virtual_uid_maps = static:997
virtual_alias_maps = hash:/etc/postfix/virtual_aliases
Parece más lógico configurar individualmente los puertos 25& 465en /etc/postfix/master.cf.
smtp inet n - y - - smtpd
-o syslog_name=postfix/smtp
-o smtp_use_tls=yes
-o smtp_tls_loglevel=1
-o smtp_tls_security_level=encrypt
-o smtp_tls_wrappermode=yes
# -o smtp_tls_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1
-o smtp_tls_mandatory_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1
-o smtp_tls_cert_file=/etc/ssl/certs/server-rsa.cert
-o smtp_tls_key_file=/etc/ssl/private/server-rsa.key
-o smtp_tls_eccert_file=/etc/ssl/certs/server-ecdsa.cert
-o smtp_tls_eckey_file=/etc/ssl/private/server-ecdsa.key
#
-o smtpd_use_tls=yes
-o smtpd_tls_security_level=may
-o smtpd_tls_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1
-o smtpd_tls_cert_file=/etc/ssl/certs/server-rsa.cert
-o smtpd_tls_key_file=/etc/ssl/private/server-rsa.key
-o smtpd_tls_eccert_file=/etc/ssl/certs/server-ecdsa.cert
-o smtpd_tls_eckey_file=/etc/ssl/private/server-ecdsa.key
-o smtpd_sasl_auth_enable=yes
-o smtpd_sasl_type=dovecot
-o smtpd_sasl_path=smtpd
-o smtpd_sasl_security_options=noanonymous
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
smtps inet n - y - - smtpd
-o syslog_name=postfix/smtps
-o smtpd_use_tls=yes
-o smtpd_tls_wrappermode=yes
-o smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1
-o smtpd_tls_cert_file=/etc/ssl/certs/server-rsa.cert
-o smtpd_tls_key_file=/etc/ssl/private/server-rsa.key
-o smtpd_tls_eccert_file=/etc/ssl/certs/server-ecdsa.cert
-o smtpd_tls_eckey_file=/etc/ssl/private/server-ecdsa.key
-o smtpd_sasl_auth_enable=yes
-o smtpd_sasl_type=dovecot
-o smtpd_sasl_path=smtpd
-o smtpd_sasl_security_options=noanonymous
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
...
...
...
Que yo sepa en /etc/postfix/master.cf:
- comandos que comienzan con
-o smtpd_configurarentranteconexiones - comandos que comienzan con
-o smtp_configurarsalienteconexiones
Además, los parámetros que comienzan con -oaplicado después de la línea siguiente solo modifican el puerto 25:
smtp inet n - y - - smtpd
De manera similar, los parámetros que comienzan con -oaplicado después de la línea siguiente solo modifican el puerto 465:
smtps inet n - y - - smtpd
Como puede ver, he configurado un TLS obligatorio en el puerto25 salienteconexiones, pero cuando envío un correo electrónico a Gmail, el mensaje aparece etiquetado con una advertencia que dice:"Este mensaje no fue cifrado":
Si inspecciono el encabezado del correo electrónico, no hay signos de cifrado en el primer Receivedcampo:
Delivered-To: [email protected]
Received: by 2002:a50:a414:0:0:0:0:0 with SMTP id u20csp5876423edb;
Wed, 23 Dec 2020 10:04:30 -0800 (PST)
X-Google-Smtp-Source: ABdhPJz/H6LVTTELjEg4kyxfY5WvBpShW3zeBpEASR/dmz8FHcT8QBpRbaNbCdGaTON4PTFMXVds
X-Received: by 2002:a05:6402:366:: with SMTP id s6mr25548681edw.44.1608746670340;
Wed, 23 Dec 2020 10:04:30 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1608746670; cv=none;
d=google.com; s=arc-20160816;
b=0GELxkiim2MQGGCIrMsuVfXIiuzCbPnx6q6q7Sxuhssnb6XxCc1dtmsdUCVaGorqL/
NWMA9sBfBZkz2ZCb90AoAk4Tyi1YzYw3WVLblw2+xQkbq+JwuYwdAjEQj2i2EJlBI3Zk
KyYC2zfZqMkWMNRL27bI6pYwNtRYM7FifUeKmxaGuGuXv+7KY9wkrv9LTGI3a/UN634r
Mqhog1Em8L8uLys0tDlj9GB08ZO52pPw01vJNU1AXqwOeRVznF9FPwfzP6Pn1drc4cOM
x2vA5NJ+TgguOhqhgTSMW1hQrhNpyku3bYRW9PKQChZdHMowtSotpldYy1sJCf/VYeuA
6fGg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
h=content-language:content-transfer-encoding:mime-version:user-agent
:date:message-id:subject:from:to;
bh=ZnLGQleFTlvpbWbWBAKrwartxhkzwpbLw0l/ILVPQLo=;
b=Lt/88Ansftfa790xIUJbRfnuHWadZtBq5QHPDlDjJeGLBlmrLiyfIlzG5xwZTkqZmY
XPImCgNHC+JfBDOhTFbiyahI7OMMAJGJAZDrr8K60TCztYqKE4Gkr6SZ7h3nAZVjLE8Y
QBr0NOHZSQkMac/3WKOU86NtPEJwIu53Is71ucdpvNvwj8U5XHDDK9zUw8rcO9XF9JL+
VUXTOhHmpEqhFgZDq+ldLANLkML+Ix/qvAnyb6JSss+rfsJO0h3Q2nh/LSQzbTFeWBbq
oGksWfsCX7L0cfSij1GLWwYJ+1RrT/UBdb9p6OIK7sV2IpzAFmLgdRHoV2XHuB3XYSDy
8gyw==
ARC-Authentication-Results: i=1; mx.google.com;
spf=pass (google.com: domain of [email protected] designates 2a01:4f8:211:2a4::2 as permitted sender) [email protected];
dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=domain.eu
Return-Path: <[email protected]>
Received: from mail.domain.eu ([2a01:4f8:211:2a4::2])
by mx.google.com with ESMTP id j10si12321635ejf.404.2020.12.23.10.04.30
for <[email protected]>;
Wed, 23 Dec 2020 10:04:30 -0800 (PST)
Received-SPF: pass (google.com: domain of [email protected] designates 2a01:4f8:211:2a4::2 as permitted sender) client-ip=2a01:4f8:211:2a4::2;
Authentication-Results: mx.google.com;
spf=pass (google.com: domain of [email protected] designates 2a01:4f8:211:2a4::2 as permitted sender) [email protected];
dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=domain.eu
Received: from [192.168.64.100] (188-230-147-194.dynamic.t-2.net [188.230.147.194])
by mail.domain.eu (Postfix) with ESMTPSA id B486F15A1315
for <[email protected]>; Wed, 23 Dec 2020 19:04:29 +0100 (CET)
To: [email protected]
From: Z L <[email protected]>
Subject: TEST (mandatory TLS): domain --> gmail
Message-ID: <[email protected]>
Date: Wed, 23 Dec 2020 19:04:29 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101
Thunderbird/78.6.0
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Content-Language: en-US
CONTENT TEXT
Tampoco hay señales de cifrado cuando me envío un correo electrónico a mí mismo. Aquí hay un ejemplo de fuente de correo electrónico:
Return-Path: <[email protected]>
X-Original-To: [email protected]
Delivered-To: [email protected]
Received: from [192.168.64.100] (unknown [188.230.147.194])
by mail.domain.eu (Postfix) with ESMTPSA id 3BE6015A132B
for <[email protected]>; Wed, 23 Dec 2020 23:03:15 +0100 (CET)
To: [email protected]
From: Z L <[email protected]>
Subject: TEST (mandatory TLS): domain --> domain
Message-ID: <[email protected]>
Date: Wed, 23 Dec 2020 23:03:14 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101
Thunderbird/78.6.0
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Content-Language: en-US
CONTENT TEXT
TLS obligatorio funciona en el puerto 465. ¿Qué me equivoqué al configurar para que no funcione en el puerto 25? ¿Cómo puedo solucionar este problema para tener un TLS obligatorio o un TLS oportunista activado?25 salienteconexiones?
Respuesta1
Las smtp_directivas que configuran las conexiones salientes deben estar en main.cf, no en master.cf. Este último se ocupa exclusivamente de la conectividad entrante.