    Postfix TLS connection


    I am trying to use TLS for inbound email relay. It works for unencrypted emails, but when using TLS, I get errors:

    AutomatedQITReport.sendFailureNotificationEmail: System.Net.Mail.SmtpException: Client does not have permission to submit mail to this server. The server response was: 4.7.0 TLS not available due to local problem

    when I tried:

    openssl s_client -starttls smtp -connect server-test.domain:587
    Connecting to 10.10.10.8
    CONNECTED(00000003)

    00EE19CBE87F0000:error:0A00010B:SSL routines:tls_validate_record_header:wrong version number:ssl/record/methods/tlsany_meth.c:80:

    no peer certificate available

    No client certificate CA names sent

    SSL handshake has read 274 bytes and written 314 bytes

    Verification: OK

    New, (NONE), Cipher is (NONE)
    This TLS version forbids renegotiation.
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    Early data was not sent

    Verify return code: 0 (ok)

    In the log:

    [root@server-test log]# cat /var/log/maillog

    Jan 31 15:51:25 server-test postfix/smtpd[100729]: warning: Both smtpd_tls_chain_files and one or more of the legacy smtpd_tls_cert_file, smtpd_tls_eccert_file or smtpd_tls_dcert_file are non-empty; the legacy parameters will be ignored
    Jan 31 15:51:25 server-test postfix/smtpd[100729]: warning: error loading chain from /etc/pki/tls/certs/server-test.pem: key not first
    Jan 31 15:51:25 server-test postfix/smtpd[100729]: warning: error loading private keys and certificates from: /etc/pki/tls/certs/server-test.pem: disabling TLS support
    Jan 31 15:51:25 server-test postfix/smtpd[100729]: connect from server-test.nj.core.him[192.60.36.80]
    Jan 31 15:51:25 server-test postfix/smtpd[100729]: lost connection after STARTTLS from server-test.domain
    Jan 31 15:51:25 server-test postfix/cleanup[100731]: CEDB518137254: message-id=20250131205125.CEDB518137254@gdomain.com
    Jan 31 15:51:25 server-test postfix/qmgr[93370]: CEDB518137254: from=double-bounce@domain.com, size=1049, nrcpt=1 (queue active)
    Jan 31 15:51:25 server-test postfix/smtpd[100729]: disconnect from server-test.domain[10.10.10.8] ehlo=1 starttls=0/1 commands=1/2
    Jan 31 15:51:26 server-test postfix/smtp[100733]: Trusted TLS connection established to outbound.mailhop.org[54.200.129.228]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256
    Jan 31 15:51:27 server-test postfix/smtp[100733]: CEDB518137254: to=postmaster@domain.com, orig_to=, relay=outbound.mailhop.org[54.200.129.228]:25, delay=1.7, delays=0.01/0.02/0.78/0.87, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 231b54e1-e015-11ef-a3e8-031ca0eac13f)
    Jan 31 15:51:27 server-test postfix/qmgr[93370]: CEDB518137254: removed

    The main.cf:

    compatibility_level = 2

    queue_directory = /var/spool/postfix

    command_directory = /usr/sbin

    daemon_directory = /usr/libexec/postfix

    data_directory = /var/lib/postfix

    mail_owner = postfix

    myhostname = gainwelltechnologies.com

    inet_protocols = all

    mydestination =

    alias_maps = hash:/etc/aliases

    alias_database = hash:/etc/aliases

    debugger_command =
    PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
    ddd $daemon_directory/$process_name $process_id & sleep 5

    sendmail_path = /usr/sbin/sendmail.postfix
    newaliases_path = /usr/bin/newaliases.postfix
    mailq_path = /usr/bin/mailq.postfix

    setgid_group = postdrop

    html_directory = no

    manpage_directory = /usr/share/man

    sample_directory = /usr/share/doc/postfix/samples

    readme_directory = /usr/share/doc/postfix/README_FILES

    smtpd_tls_cert_file = /etc/pki/tls/certs/server-test.pem

    smtpd_tls_key_file = /etc/pki/tls/private/server-test.key

    smtpd_tls_chain_files = /etc/pki/tls/certs/server-test.pem

    smtp_tls_CApath = /etc/pki/tls/certs

    smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt

    meta_directory = /etc/postfix
    shlib_directory = /usr/lib64/postfix

    meta_directory = /etc/postfix
    mydomain = nowhere.com
    local_transport = error: this is a null client
    myorigin = $mydomain
    mynetworks = 10.10.10.0/24

    relayhost = [mail.nowhere.org]
    disable_dns_lookups = yes

    SASL authentication

    smtp_sasl_auth_enable = yes
    smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
    smtp_sasl_security_options =
    smtp_tls_security_level = encrypt
    smtpd_tls_security_level = may
    smtpd_use_tls=yes
    smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
    smtpd_tls_protocols = !SSLv2, !SSLv3
    smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
    smtp_tls_protocols = !SSLv2, !SSLv3
    smtp_tls_loglevel = 1

    smtp_tls_security_level = none

    I generated the SSL certificate using openssl and had our PKI server sign it.
    Can anyone help me out? Much appreciated. Thank you.
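The "key not first" and "disabling TLS support" lines in the maillog are Postfix rejecting the file named in smtpd_tls_chain_files: that parameter expects the private key as the first PEM block, followed by the certificate and any intermediates, and once it is set the legacy smtpd_tls_cert_file and smtpd_tls_key_file are ignored, as the first warning says. The following shell check is an added example, not part of the original post; it builds placeholder PEM files inline (constructed, not real key or certificate material), rejects a cert-only file like the one in the poster's config, and accepts a combined file built key-first:

```shell
#!/bin/sh
# Added example: verify the block order Postfix requires for a file listed
# in smtpd_tls_chain_files (private key first, then the certificate chain).
# A file whose first block is a certificate is what produces the
# "error loading chain ... key not first" warning in the poster's maillog.

# check_chain_order FILE: return 0 if the PEM layout is key-then-certs.
check_chain_order() {
    file="$1"
    # Collect the BEGIN headers in file order, e.g. "PRIVATE KEY", "CERTIFICATE".
    headers=$(grep -E '^-----BEGIN ' "$file" 2>/dev/null | sed 's/^-----BEGIN //; s/-----$//' || true)
    [ -n "$headers" ] || return 1                    # no PEM blocks at all
    first=$(printf '%s\n' "$headers" | head -n 1)
    case "$first" in
        "PRIVATE KEY"|"RSA PRIVATE KEY"|"EC PRIVATE KEY") ;;
        *) return 1 ;;                               # "key not first"
    esac
    rest=$(printf '%s\n' "$headers" | tail -n +2)
    [ -n "$rest" ] || return 1                       # key with no certificate
    # Every block after the key must be a certificate (a second key is wrong).
    if printf '%s\n' "$rest" | grep -qvx 'CERTIFICATE'; then return 1; fi
    return 0
}

# build_chain_file OUT KEY CERT [INTERMEDIATE...]: concatenate in the order
# Postfix expects; the file is created 0600 because it now holds the key.
build_chain_file() {
    out="$1"; shift
    ( umask 077; cat "$@" > "$out" )
}

# Constructed placeholder files standing in for the poster's .pem and .key.
tmp=$(mktemp -d)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER' '-----END CERTIFICATE-----' > "$tmp/server-test.pem"
printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'PLACEHOLDER' '-----END PRIVATE KEY-----' > "$tmp/server-test.key"

# The poster's layout: smtpd_tls_chain_files pointing at the cert-only .pem.
check_chain_order "$tmp/server-test.pem" && echo "cert-only file: ok" || echo "cert-only file: rejected (key not first)"

# Corrected layout: one combined file, key first, then the certificate.
build_chain_file "$tmp/chain.pem" "$tmp/server-test.key" "$tmp/server-test.pem"
check_chain_order "$tmp/chain.pem" && echo "combined chain file: ok" || echo "combined chain file: rejected"
```

Point smtpd_tls_chain_files at the combined file (or remove it and keep only the legacy smtpd_tls_cert_file/smtpd_tls_key_file pair), then reload Postfix and confirm the "disabling TLS support" warning is gone from the maillog.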
