0

I recently set up a Postfix mail server on Ubuntu to relay emails from my apps to Office365. Postfix to O365 works without problem but I also want my apps to connect to Postfix using TLS where possible.

I enabled port 465 under master.cf and added the following to my main.cf file:

# Server to Server
smtp_tls_security_level = encrypt
smtp_use_tls = yes
smtp_tls_note_starttls_offer=yes
smtp_tls_loglevel = 2
smtp_tls_key_file = /etc/ssl/private.key
smtp_tls_cert_file = /etc/ssl/relay_cert.cer
smtp_tls_CAfile = /etc/ssl/inter_cert.cer

relayhost = [domain-com.mail.protection.outlook.com]:25


# Client to Server
smtpd_tls_key_file = /etc/ssl/private.key
smtpd_tls_cert_file = /etc/ssl/relay_cert.cer
smtpd_tls_CAfile = /etc/ssl/inter_cert.cer
smtpd_use_tls=yes
smtpd_tls_security_level=may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache

But when I try to send a test mail using SSL I get:

Send-MailMessage : The remote certificate is invalid according to the validation procedure.

In the Postfix logs, I don't get anything that would help:

lost connection after STARTTLS from server.domain.local[192.168.1.1]

The cert and intermediate cert seem fine, they work for the O365 communication, so I don't know what's going wrong.

Edit: connecting locally with openssl I was able to relay using ESMTPS, so possibly it's an issue with my Windows server.

openssl s_client -connect mailserver.domain.local:465 -starttls smtp
2
  • Why does the validation procedure find the remote certificate invalid?
    – Paul
    Commented Jun 13 at 11:34
  • That's what I'm trying to find out but increased logging on both sides doesn't give me anything other than what's written in my question.
    – smwk
    Commented Jun 13 at 11:36

1 Answer 1

1

Finally worked out that it was just PowerShell being fussy about the SMTP server not matching the certificate.

So this won't work

Send-MailMessage -To [email protected] -from [email protected] -Subject 'test' -SmtpServer server.mydomain.local -UseSsl -Port 465

but this will:

Send-MailMessage -To [email protected] -from [email protected] -Subject 'test' -SmtpServer relay.domain.com -UseSsl -Port 465

Other apps don't seem to be as particular as PowerShell.

2
  • What if any "other apps" besides openssl commandline? That doesn't verify name in server cert by default; you need to specify an option per the man page. But RFC 3207 4.1 says an SMTP client "would probably want" the correct domain name. Commented Jun 13 at 23:05
  • Tree Size Pro to name the first app I tried. If an app doesn't bother with client submission on port 587 they probably aren't too bothered about RFCs either.
    – smwk
    Commented Jun 13 at 23:21

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged .