We've had a customer call us to say they couldn't send us email and that they suspected it was related to our server not responding to allowing TLS on the inbound connection. I checked our server with the mxtoolbox.com tests and this does indicate that SMTP TLS is not supported. Our firewall has port 587 configured along with port 25 and 993 to port-forward (inbound) to our Zimbra server.
I have tried to find more information, including within the Zimbra wiki and forum posts, on the correct commands to check and configure this, but have not found very much that matches precisely.
So far, the closest match I found has been https://wiki.zimbra.com/wiki/Outgoing_S ... Enable_TLS. Though it is confusing that the Zimbra wiki titles this only for Outgoing connections rather than Incoming (or possibly both directions). (The command is corroborated by an independent blogger: https://dilliganesh.wordpress.com/2015/ ... in-zimbra/)
I have run the command
zmprov ms zimbra1.copeohs.com zimbraMtaSmtpTlsSecurityLevel may
Telnetting to the server and running ehlo against it (to same server) responds with 250-STARTTLS among the other 250 responses.
However, running mxtoolbox.com test again still indicates SMTP TLS is not available.
What am I doing wrong?
Version info: Release 8.6.0.GA.1153.UBUNTU14.64 UBUNTU14_64 FOSS edition, Patch 8.6.0_P7.
UPDATE: We have just a single server deployment. (Sorry this is a fairly long post, but I'm clearly not getting/understanding something correctly, so any help/pointers are greatly appreciated.)
I used telnet from an external connection against our server, first testing port 25 (as that's what mxtoolbox.com or similar services use) and then also when connecting to port 587 (outputs below). I don't know why Zimbra doesn't offer STARTTLS when doing the test over port 25.
Output of test via port 25, which doesn't show the STARTTLS option:
[alec@quietmonster ~]$ telnet zimbra1.copeohs.com 25
Trying 91.151.8.53...
Connected to zimbra1.copeohs.com.
Escape character is '^]'.
220 zimbra1.copeohs.com ESMTP Postfix
ehlo PWS3.mxtoolbox.com
250-zimbra1.copeohs.com
250-SIZE 47185920
250-VRFY
250 DSN
quit
221 2.0.0 Bye
Connection closed by foreign host.
[alec@quietmonster ~]$ telnet zimbra1.copeohs.com 587
Trying 91.151.8.53...
Connected to zimbra1.copeohs.com.
Escape character is '^]'.
220 zimbra1.copeohs.com ESMTP Postfix
ehlo PWS3.mxtoolbox.com
250-zimbra1.copeohs.com
250-PIPELINING
250-SIZE 47185920
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
quit
221 2.0.0 Bye
Connection closed by foreign host.
220 zimbra1.copeohs.com ESMTP Postfix
EHLO PWS3.mxtoolbox.com
250-zimbra1.copeohs.com
250-PIPELINING
250-SIZE 47185920
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
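The EHLO captures above show the same host answering with different extension lists depending on the port and where the connection comes from. As an added example that is not part of the original post, the Python below parses such captures, lists which extensions one reply has that another lacks, and can repeat the same EHLO live against a host and port. The function names (parse_ehlo, stripped_extensions, probe) and the EHLO name probe.example.invalid are my own; the sample inputs are the two external telnet sessions from the post. One thing worth knowing when reading the result: unless Postfix's smtpd_discard_ehlo_keyword_address_maps is in use (it does not appear in the configuration listed in this thread), a given smtpd service returns the same extension list to every client, so if one port advertises STARTTLS when tested from the LAN but not from the Internet, the reply was altered somewhere between the external client and Postfix (a firewall or proxy doing SMTP inspection is the usual culprit), and that path, not zmprov, is where to look.

```python
import smtplib
import sys

# Constructed sample input: the EHLO exchanges copied from the two external
# telnet sessions in the post (port 25 and port 587 of the same host).
EHLO_PORT25 = """\
220 zimbra1.copeohs.com ESMTP Postfix
ehlo PWS3.mxtoolbox.com
250-zimbra1.copeohs.com
250-SIZE 47185920
250-VRFY
250 DSN
"""

EHLO_PORT587 = """\
220 zimbra1.copeohs.com ESMTP Postfix
ehlo PWS3.mxtoolbox.com
250-zimbra1.copeohs.com
250-PIPELINING
250-SIZE 47185920
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
"""


def parse_ehlo(transcript):
    """Return the ESMTP extension keywords advertised in a captured EHLO reply.

    Only lines starting with '250' count; the first of them carries the
    server's hostname rather than an extension, so it is skipped. Keywords
    are upper-cased and parameters (e.g. the SIZE limit) are dropped."""
    extensions = set()
    seen_greeting = False
    for raw in transcript.splitlines():
        line = raw.strip()
        if not line.startswith("250"):
            continue
        if not seen_greeting:
            seen_greeting = True
            continue
        body = line[3:].lstrip("- ").strip()  # drop "250-" / "250 "
        if body:
            extensions.add(body.split()[0].upper())
    return extensions


def offers_starttls(transcript):
    """True when the captured reply advertises STARTTLS."""
    return "STARTTLS" in parse_ehlo(transcript)


def stripped_extensions(reference, observed):
    """Extensions present in the reference reply but missing from the observed one.
    A non-empty result for two probes of the same service means the reply
    was changed somewhere on the path between client and server."""
    return sorted(parse_ehlo(reference) - parse_ehlo(observed))


def probe(host, port=25, helo="probe.example.invalid", timeout=15):
    """Live check (needs network access to the host): send EHLO and report the
    extensions the server returned to this client. smtplib lower-cases the
    keywords in esmtp_features, so has_extn() is queried with 'starttls'."""
    with smtplib.SMTP(host, port, timeout=timeout) as conn:
        code, _ = conn.ehlo(helo)
        return {
            "code": code,
            "starttls": conn.has_extn("starttls"),
            "extensions": sorted(k.upper() for k in conn.esmtp_features),
        }


if __name__ == "__main__":
    print("port 25  advertises:", sorted(parse_ehlo(EHLO_PORT25)))
    print("port 587 advertises:", sorted(parse_ehlo(EHLO_PORT587)))
    print("missing on 25 vs 587:", stripped_extensions(EHLO_PORT587, EHLO_PORT25))
    # Optional live probe: python3 ehlo_check.py <host> [port]
    if len(sys.argv) >= 2:
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 25
        print("live probe:", probe(sys.argv[1], port))
```

Run it once from inside the LAN and once from an external host against the same port; if the two extension lists differ, the difference is being introduced on the network path rather than by Postfix.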
Within the Zimbra admin web console (Configure -> Global -> MTA) we have both "Enable authentication" and "TLS authentication only" ticked. These are also ticked under the individual (only) server config (Configure -> Servers -> [our Zimbra server] -> MTA).
Taking diagnostic steps from https://wiki.zimbra.com/wiki/SMTP_Auth_Problems, our Authorisation settings are:
...@zimbra1:~$ sudo su - zimbra -c "zmprov getServer zimbra1.copeohs.com | grep Auth"
zimbraAuthTokenNotificationInterval: 60000
zimbraLowestSupportedAuthVersion: 2
zimbraMtaAuthEnabled: TRUE
zimbraMtaAuthTarget: TRUE
zimbraMtaBrokenSaslAuthClients: yes
zimbraMtaSaslAuthEnable: yes
zimbraMtaSmtpSaslAuthEnable: no
zimbraMtaSmtpdSaslAuthenticatedHeader: no
zimbraMtaTlsAuthOnly: TRUE
zimbraShareNotificationMtaAuthRequired: FALSE
...@zimbra1:~$ sudo su - zimbra -c "zmprov getServer zimbra1.copeohs.com | grep Mode"
zimbraBackupMode: Standard
zimbraCBPolicydBypassMode: tempfail
zimbraIPMode: ipv4
zimbraMailMode: redirect
zimbraMailReferMode: reverse-proxied
zimbraMailSSLClientCertMode: Disabled
zimbraOpenidConsumerStatelessModeEnabled: TRUE
zimbraReverseProxyClientCertMode: off
zimbraReverseProxyImapStartTlsMode: only
zimbraReverseProxyMailMode: https
zimbraReverseProxyPop3StartTlsMode: on
UPDATE #2 Friday 27th Oct '17.
smtpd_helo_required = yes
in_flow_delay = 1s
transport_maps = proxy:ldap:/opt/zimbra/conf/ldap-transport.cf
smtpd_sasl_security_options = noanonymous
address_verify_positive_refresh_time = 12h
default_process_limit = 100
smtpd_tls_ask_ccert = no
virtual_mailbox_maps = proxy:ldap:/opt/zimbra/conf/ldap-vmm.cf
smtpd_error_sleep_time = 1s
smtpd_tls_ccert_verifydepth = 9
lmtp_tls_security_level = may
smtp_tls_CApath =
smtpd_tls_loglevel = 1
smtpd_reject_unlisted_sender = yes
smtpd_data_restrictions = reject_unauth_pipelining
address_verify_poll_delay = 3s
lmtp_host_lookup = native
lmtp_tls_loglevel = 0
smtpd_banner = $myhostname ESMTP $mail_name
lmtp_tls_ciphers = export
smtpd_tls_cert_file = /opt/zimbra/conf/smtpd.crt
smtp_sasl_security_options = noplaintext,noanonymous
mail_owner = postfix
smtp_tls_ciphers = export
delay_warning_time = 0h
bounce_queue_lifetime = 5d
smtpd_tls_auth_only = yes
local_header_rewrite_clients = permit_mynetworks,permit_sasl_authenticated
mailbox_size_limit = 0
notify_classes = resource, software
bounce_notice_recipient = postmaster
smtp_sasl_auth_enable = no
lmtp_tls_protocols = !SSLv2, !SSLv3
mynetworks = 127.0.0.0/8 10.0.0.0/24 [::1]/128 [fe80::]/64
message_size_limit = 47185920
smtpd_relay_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
newaliases_path = /opt/zimbra/postfix/sbin/newaliases
smtp_helo_name = $myhostname
mailq_path = /opt/zimbra/postfix/sbin/mailq
address_verify_poll_count = ${stress?3}${stress:5}
smtp_tls_loglevel = 0
myhostname = zimbra1.copeohs.com
smtpd_sasl_auth_enable = yes
virtual_alias_expansion_limit = 10000
mydestination = localhost
smtpd_client_port_logging = no
relayhost =
header_checks =
smtp_sasl_password_maps =
smtpd_tls_CAfile =
smtpd_tls_security_level = may
inet_protocols = ipv4
import_environment =
smtpd_recipient_restrictions = reject_non_fqdn_recipient, permit_sasl_authenticated, permit_mynetworks, reject_unlisted_reci$
max_use = 100
broken_sasl_auth_clients = yes
milter_content_timeout = 300s
disable_dns_lookups = no
minimal_backoff_time = 300s
recipient_delimiter =
unverified_recipient_defer_code = 250
command_directory = /opt/zimbra/postfix/sbin
queue_directory = /opt/zimbra/data/postfix/spool
smtp_tls_mandatory_ciphers = medium
smtpd_sender_login_maps = proxy:ldap:/opt/zimbra/conf/ldap-slm.cf
lmtp_connection_cache_destinations =
content_filter = smtp-amavis:[127.0.0.1]:10024
queue_run_delay = 300s
lmtp_tls_mandatory_ciphers = medium
smtp_generic_maps =
smtpd_tls_key_file = /opt/zimbra/conf/smtpd.key
milter_connect_timeout = 30s
milter_default_action = tempfail
address_verify_negative_refresh_time = 10m
lmtp_tls_exclude_ciphers =
smtpd_end_of_data_restrictions =
sendmail_path = /opt/zimbra/postfix/sbin/sendmail
virtual_alias_domains = proxy:ldap:/opt/zimbra/conf/ldap-vad.cf
smtp_tls_security_level = may
smtpd_tls_mandatory_ciphers = medium
lmtp_tls_CAfile =
manpage_directory = /opt/zimbra/postfix/man
smtpd_milters =
smtpd_sender_restrictions = reject_authenticated_sender_login_mismatch, check_sender_access regexp:/opt/zimbra/postfix/conf/$
smtp_tls_protocols = !SSLv2, !SSLv3
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
smtpd_tls_CApath =
virtual_mailbox_domains = proxy:ldap:/opt/zimbra/conf/ldap-vmd.cf
smtpd_soft_error_limit = 10
setgid_group = postdrop
smtp_fallback_relay =
lmtp_tls_CApath =
virtual_alias_maps = proxy:ldap:/opt/zimbra/conf/ldap-vam.cf
smtp_cname_overrides_servername = no
smtpd_proxy_timeout = 100s
alias_maps = lmdb:/etc/aliases
propagate_unmatched_extensions = canonical
smtp_sasl_mechanism_filter =
milter_command_timeout = 30s
non_smtpd_milters =
daemon_directory = /opt/zimbra/postfix/libexec
smtpd_tls_ciphers = export
smtpd_client_restrictions = reject_unauth_pipelining
lmdb_map_size = 16777216
smtpd_sasl_authenticated_header = no
smtpd_hard_error_limit = 20
maximal_backoff_time = 4000s
smtp_tls_CAfile =
smtpd_reject_unlisted_recipient = yes
smtpd_tls_protocols = !SSLv2, !SSLv3
tls_append_default_CA = no
virtual_transport = error
sender_canonical_maps = proxy:ldap:/opt/zimbra/conf/ldap-scm.cf
always_add_missing_headers = yes
lmtp_connection_cache_time_limit = 4s
smtpd_tls_exclude_ciphers =
Ok, so I've continued researching this. I have determined that for postfix, smtp_tls_* control properties relate to outbound connections and smtpd_tls_* relate to inbound.
Sources:
Initially spotted comment about it here: https://bugzilla.mozilla.org/show_bug.cgi?id=956714#c4
and then confirmed here: http://www.postfix.org/TLS_README.html#how.
Within that same postfix TLS Readme page are references to the settings we see Zimbra controlling for us via the admin console (seems only some are controllable through this) and zmprov and similar CLI commands.
In particular to my original question, the property described at http://www.postfix.org/TLS_README.html#server_enable shows that the setting "smtpd_tls_security_level = may" is the one that controls advertising Opportunistic TLS, aka STARTTLS.
Re-examining my main.cf file, this property is definitely set with the "may" option (now highlighted with bold above).
Can anyone suggest why our public inbound port 25 connection (telnet zimbra1.copeohs.com 25 -> ehlo blah) currently will NOT advertise the STARTTLS option?
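As an added example that is not part of the original post, the Python below puts the smtp_tls_* (outbound client) versus smtpd_tls_* (inbound server) distinction from the Postfix TLS README into a small checker over postconf-style output: it separates the two namespaces, decides from main.cf alone whether the port-25 smtpd should advertise STARTTLS, and lists a few defender-side observations about the inbound settings. The function names are my own, and the sample input is a constructed subset of the main.cf lines quoted in UPDATE #2. Note the limitation stated in the code: per-service "-o" overrides in master.cf (how the submission service on 587 commonly gets its own TLS level) are not visible in main.cf, so a clean result here only says what port 25 should do, not what an external client is seeing.

```python
# Constructed sample input: the TLS-related lines from the post's main.cf
# listing (values copied from the post; unrelated parameters omitted).
MAIN_CF_SAMPLE = """\
smtpd_tls_security_level = may
smtpd_tls_cert_file = /opt/zimbra/conf/smtpd.crt
smtpd_tls_key_file = /opt/zimbra/conf/smtpd.key
smtpd_tls_auth_only = yes
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_ciphers = export
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_loglevel = 1
smtp_tls_security_level = may
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_ciphers = export
lmtp_tls_security_level = may
"""


def parse_postconf(text):
    """Parse 'name = value' lines as printed by postconf -n into a dict."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, _, value = line.partition("=")
        params[name.strip()] = value.strip()
    return params


def split_tls_params(params):
    """Separate the two Postfix TLS namespaces:
    smtpd_tls_* -> the SMTP server (inbound connections, what smtpd advertises),
    smtp_tls_*  -> the SMTP client (outbound delivery to other MTAs).
    lmtp_tls_* (Postfix to the mailbox store) belongs to neither."""
    inbound = {k: v for k, v in params.items() if k.startswith("smtpd_tls_")}
    outbound = {k: v for k, v in params.items() if k.startswith("smtp_tls_")}
    return inbound, outbound


def inbound_starttls_expected(params):
    """Whether this main.cf should make the port-25 smtpd advertise STARTTLS:
    a security level of 'may' (opportunistic) or 'encrypt' (mandatory) plus a
    certificate and key. Per-service '-o' overrides in master.cf are not
    visible from main.cf alone."""
    level = params.get("smtpd_tls_security_level", "none")
    has_cert = bool(params.get("smtpd_tls_cert_file")) and bool(params.get("smtpd_tls_key_file"))
    return level in ("may", "encrypt") and has_cert


def inbound_findings(params):
    """Short checklist over the inbound (smtpd_tls_*) settings."""
    notes = []
    if not inbound_starttls_expected(params):
        notes.append("smtpd will not advertise STARTTLS: needs smtpd_tls_security_level=may|encrypt plus cert and key")
    protocols = params.get("smtpd_tls_protocols", "")
    if "!SSLv2" not in protocols or "!SSLv3" not in protocols:
        notes.append("smtpd_tls_protocols does not exclude SSLv2/SSLv3")
    if params.get("smtpd_tls_ciphers") == "export":
        notes.append("smtpd_tls_ciphers=export permits export-grade ciphers on opportunistic TLS sessions")
    if params.get("smtpd_tls_auth_only") == "yes":
        notes.append("smtpd_tls_auth_only=yes: AUTH is offered only after STARTTLS, so a client that never sees STARTTLS never sees AUTH either")
    return notes


if __name__ == "__main__":
    cfg = parse_postconf(MAIN_CF_SAMPLE)
    inbound, outbound = split_tls_params(cfg)
    print("inbound  (smtpd_tls_*):", inbound)
    print("outbound (smtp_tls_*): ", outbound)
    print("port 25 should advertise STARTTLS:", inbound_starttls_expected(cfg))
    for note in inbound_findings(cfg):
        print(" -", note)
```

The smtpd_tls_auth_only observation matters for the original complaint: with that setting, a client whose EHLO reply has had STARTTLS removed will not be offered AUTH on that port either.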