Postfix client submission using TLS

Question

I recently set up a Postfix mail server on Ubuntu to relay emails from my apps to Office365. Postfix to O365 works without problem but I also want my apps to connect to Postfix using TLS where possible.

I enabled port 465 under master.cf and added the following to my main.cf file:

# Server to Server
smtp_tls_security_level = encrypt
smtp_use_tls = yes
smtp_tls_note_starttls_offer=yes
smtp_tls_loglevel = 2
smtp_tls_key_file = /etc/ssl/private.key
smtp_tls_cert_file = /etc/ssl/relay_cert.cer
smtp_tls_CAfile = /etc/ssl/inter_cert.cer

relayhost = [domain-com.mail.protection.outlook.com]:25


# Client to Server
smtpd_tls_key_file = /etc/ssl/private.key
smtpd_tls_cert_file = /etc/ssl/relay_cert.cer
smtpd_tls_CAfile = /etc/ssl/inter_cert.cer
smtpd_use_tls=yes
smtpd_tls_security_level=may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache

But when I try to send a test mail using SSL I get:

Send-MailMessage : The remote certificate is invalid according to the validation procedure.

In the Postfix logs, I don't get anything that would help:

lost connection after STARTTLS from server.domain.local[192.168.1.1]

The cert and intermediate cert seem fine, they work for the O365 communication, so I don't know what's going wrong.

Edit: connecting locally with openssl I was able to relay using ESMTPS, so possibly it's an issue with my Windows server.

openssl s_client -connect mailserver.domain.local:465 -starttls smtp

Answer 1

Finally worked out that it was just PowerShell being fussy about the SMTP server not matching the certificate.

So this won't work

Send-MailMessage -To [email protected] -from [email protected] -Subject 'test' -SmtpServer server.mydomain.local -UseSsl -Port 465

but this will:

Send-MailMessage -To [email protected] -from [email protected] -Subject 'test' -SmtpServer relay.domain.com -UseSsl -Port 465

Other apps don't seem to be as particular as PowerShell.