Correo saliente no encriptado

0

Tengo un dominio example.com que se sirve desde server.com. Estoy enviando un correo electrónico a gmail.com. El correo electrónico que envío utiliza TLS de example.com a server.com, pero el correo no está cifrado de server.com a gmail.com.

server.com es un VPS en el que configuré los servidores de correo y web.

example.com es uno de los dominios virtuales en el VPS.

Aquí hay un ejemplo de los encabezados de correo electrónico:

    Delivered-To: [email protected]
    Received: by 10.236.191.7 with SMTP id c7csp2141557pjs;
            Tue, 1 May 2018 14:03:37 -0700 (PDT)
    X-Google-Smtp-Source: AB8JxZpwQHXweJ70K6vNAako5gqTtvni9ZUm6LC0Hfl0xAefu7wtGjSsnQHRHMKL/sLpOnicPwFM
    X-Received: by 2002:a63:3584:: with SMTP id c126-v6mr14324018pga.37.1525208616991;
            Tue, 01 May 2018 14:03:36 -0700 (PDT)

...
...

    ARC-Authentication-Results: i=1; mx.google.com;
           spf=pass (google.com: domain of [email protected] designates xxx.xxx.xxx.xxx as permitted sender) [email protected]
    Return-Path: <[email protected]>
    Received: from server.com (server.com. [xxx.xxx.xxx.xxx])
            by mx.google.com with ESMTP id d65si10640010pfd.182.2018.05.01.14.03.36
            for <[email protected]>;
            Tue, 01 May 2018 14:03:36 -0700 (PDT)
    Received-SPF: pass (google.com: domain of [email protected] designates xxx.xxx.xxx.xxx as permitted sender) client-ip=xxx.xxx.xxx.xxx;
    Authentication-Results: mx.google.com;
           spf=pass (google.com: domain of [email protected] designates xxx.xxx.xxx.xxx as permitted sender) [email protected]
    Received: from www.example.com (localhost [127.0.0.1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by server.com (Postfix) with ESMTPSA id 7D74260383 for <[email protected]>; Tue,
      1 May 2018 14:03:36 -0700 (PDT)
    MIME-Version: 1.0
    Content-Type: text/plain; charset=US-ASCII; format=flowed
    Content-Transfer-Encoding: 7bit
    Date: Tue, 01 May 2018 17:03:36 -0400
    From: [email protected]
    To: [email protected]
    Subject: Hello
    Message-ID: <[email protected]>
    X-Sender: [email protected]
    User-Agent: Roundcube Webmail/1.2.3

    Test email body.

¿Alguna idea de por qué se cae el cifrado?

EDITAR:

Mi salida postconf -n es:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
compatibility_level = 2
config_directory = /etc/postfix
html_directory = /usr/share/doc/postfix/html
inet_interfaces = all
inet_protocols = all
mailbox_size_limit = 0
mydestination = $myhostname, server.com, , localhost
myhostname = server.com
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
myorigin = /etc/mailname
readme_directory = /usr/share/doc/postfix
recipient_delimiter = +
relayhost =
smtp_tls_CAfile = /etc/letsencrypt/live/server.com/chain.pem
smtp_tls_cert_file = /etc/letsencrypt/live/server.com/fullchain.pem
smtp_tls_ciphers = high
smtp_tls_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL
smtp_tls_key_file = /etc/letsencrypt/live/server.com/privkey.pem
smtp_tls_loglevel = 2
smtp_tls_mandatory_ciphers = high
smtp_tls_mandatory_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL
smtp_tls_mandatory_protocols = TLSv1.3, TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3
smtp_tls_protocols = TLSv1.3, TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_tls_CAfile = /etc/letsencrypt/live/server.com/chain.pem
smtpd_tls_cert_file = /etc/letsencrypt/live/server.com/fullchain.pem
smtpd_tls_ciphers = high
smtpd_tls_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL
smtpd_tls_key_file = /etc/letsencrypt/live/server.com/privkey.pem
smtpd_tls_loglevel = 2
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL
smtpd_tls_mandatory_protocols = TLSv1.3, TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3
smtpd_tls_protocols = TLSv1.3, TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
tls_preempt_cipherlist = yes
virtual_alias_maps = mysql:/etc/postfix/mysql-valias.cf
virtual_mailbox_domains = mysql:/etc/postfix/mysql-vdomains.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql-vusers.cf
virtual_transport = dovecot

Y esta es mi salida postconf -M:

smtp       inet  n       -       y       -       -       smtpd
submission inet  n       -       n       -       -       smtpd -o syslog_name=postfix/submission -o smtpd_tls_security_level=may -o smtpd_sasl_auth_enable=yes -o smtpd_client_restrictions=permit_sasl_authenticated,reject -o smtpd_reject_unlisted_recipient=no -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject -o milter_macro_daemon_name=ORIGINATING
smtps      inet  n       -       y       -       -       smtpd -o syslog_name=postfix/smtps -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes -o smtpd_client_restrictions=permit_sasl_authenticated,reject
pickup     unix  n       -       n       60      1       pickup
cleanup    unix  n       -       n       -       0       cleanup
qmgr       unix  n       -       n       300     1       qmgr
tlsmgr     unix  -       -       n       1000?   1       tlsmgr
rewrite    unix  -       -       n       -       -       trivial-rewrite
bounce     unix  -       -       n       -       0       bounce
defer      unix  -       -       n       -       0       bounce
trace      unix  -       -       n       -       0       bounce
verify     unix  -       -       n       -       1       verify
flush      unix  n       -       n       1000?   0       flush
proxymap   unix  -       -       n       -       -       proxymap
proxywrite unix  -       -       n       -       1       proxymap
smtp       unix  -       -       n       -       -       smtp
relay      unix  -       -       n       -       -       smtp
showq      unix  n       -       n       -       -       showq
error      unix  -       -       n       -       -       error
retry      unix  -       -       n       -       -       error
discard    unix  -       -       n       -       -       discard
local      unix  -       n       n       -       -       local
lmtp       unix  -       -       n       -       -       lmtp
anvil      unix  -       -       n       -       1       anvil
scache     unix  -       -       n       -       1       scache
maildrop   unix  -       n       n       -       -       pipe flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
uucp       unix  -       n       n       -       -       pipe flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail     unix  -       n       n       -       -       pipe flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp      unix  -       n       n       -       -       pipe flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix - n       n       -       2       pipe flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman    unix  -       n       n       -       -       pipe flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop} ${user}
dovecot    unix  -       n       n       -       -       pipe flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -f ${sender} -d ${recipient}

Y este es mi mail.log:

May  1 16:50:46 hwsrv-230549 postfix/submission/smtpd[29147]: initializing the server-side TLS engine
May  1 16:50:46 hwsrv-230549 postfix/submission/smtpd[29147]: connect from localhost[127.0.0.1]
May  1 16:50:46 hwsrv-230549 postfix/submission/smtpd[29147]: setting up TLS connection from localhost[127.0.0.1]
May  1 16:50:46 hwsrv-230549 postfix/submission/smtpd[29147]: localhost[127.0.0.1]: TLS cipher list "aNULL:-aNULL:HIGH:@STRENGTH:!MD5:!DES:!ADH:!RC4:!PSD:!SRP:!3DES:!eNULL:!aNULL"
May  1 16:50:46 hwsrv-230549 postfix/submission/smtpd[29147]: SSL_accept:before SSL initialization
May  1 16:50:46 hwsrv-230549 postfix/submission/smtpd[29147]: SSL_accept:before SSL initialization
May  1 16:50:46 hwsrv-230549 postfix/submission/smtpd[29147]: SSL_accept:SSLv3/TLS read client hello
May  1 16:50:46 hwsrv-230549 postfix/submission/smtpd[29147]: SSL_accept:SSLv3/TLS write server hello
May  1 16:50:46 hwsrv-230549 postfix/submission/smtpd[29147]: SSL_accept:SSLv3/TLS write certificate
May  1 16:50:46 hwsrv-230549 postfix/submission/smtpd[29147]: SSL_accept:SSLv3/TLS write key exchange
May  1 16:50:46 hwsrv-230549 postfix/submission/smtpd[29147]: SSL_accept:SSLv3/TLS write server done
May  1 16:50:46 hwsrv-230549 postfix/submission/smtpd[29147]: SSL_accept:SSLv3/TLS write server done
May  1 16:50:46 hwsrv-230549 postfix/submission/smtpd[29147]: SSL_accept:SSLv3/TLS read client key exchange
May  1 16:50:46 hwsrv-230549 postfix/submission/smtpd[29147]: SSL_accept:SSLv3/TLS read change cipher spec
May  1 16:50:46 hwsrv-230549 postfix/submission/smtpd[29147]: SSL_accept:SSLv3/TLS read finished
May  1 16:50:46 hwsrv-230549 postfix/submission/smtpd[29147]: localhost[127.0.0.1]: Issuing session ticket, key expiration: 1525220445
May  1 16:50:46 hwsrv-230549 postfix/submission/smtpd[29147]: SSL_accept:SSLv3/TLS write session ticket
May  1 16:50:46 hwsrv-230549 postfix/submission/smtpd[29147]: SSL_accept:SSLv3/TLS write change cipher spec
May  1 16:50:46 hwsrv-230549 postfix/submission/smtpd[29147]: SSL_accept:SSLv3/TLS write finished
May  1 16:50:46 hwsrv-230549 postfix/submission/smtpd[29147]: Anonymous TLS connection established from localhost[127.0.0.1]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
May  1 16:50:46 hwsrv-230549 postfix/submission/smtpd[29147]: BAB6360383: client=localhost[127.0.0.1], sasl_method=LOGIN, [email protected]
May  1 16:50:46 hwsrv-230549 postfix/cleanup[29153]: BAB6360383: message-id=<[email protected]>
May  1 16:50:46 hwsrv-230549 postfix/qmgr[29077]: BAB6360383: from=<[email protected]>, size=745, nrcpt=1 (queue active)
May  1 16:50:46 hwsrv-230549 postfix/smtp[29154]: initializing the client-side TLS engine
May  1 16:50:46 hwsrv-230549 postfix/submission/smtpd[29147]: disconnect from localhost[127.0.0.1] ehlo=2 starttls=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=8
May  1 16:50:47 hwsrv-230549 postfix/smtp[29154]: BAB6360383: to=<[email protected]>, relay=gmail-smtp-in.l.google.com[74.125.197.26]:25, delay=0.65, delays=0.06/0.03/0.04/0.53, dsn=2.0.0, status=sent (250 2.0.0 OK 1525218647 p84si10342745pfa.180 - gsmtp)
May  1 16:50:47 hwsrv-230549 postfix/qmgr[29077]: BAB6360383: removed

¿Algunas ideas?

EDIT 2: intenté aumentar el nivel de registro a 4 y no proporcionó ninguna información adicional útil.

email postfix Dan
fuente

Respuestas:

1

La configuración de postfix anterior funciona. El problema era el host VPS. Me puse en contacto con el soporte técnico para ver si su firewall estaba bloqueando el puerto 587. Ellos respondieron con:

Tenga en cuenta que dado que todos los correos electrónicos que se envían desde nuestros servidores compartidos / VPS se descifran debido al filtrado SMTP saliente, esos correos electrónicos salen de nuestra red en forma descifrada.

En realidad, utilizamos MailChannels como nuestro filtro SMTP saliente. Esto evita que los mensajes que se considerarían como SPAM abandonen nuestra red.

Para resolver el problema, tuve que pagar $ 0.50 por mes para ser incluido en la lista blanca de MailChannels, y tuve que firmar un acuerdo anti-spam.

Dan
fuente