Help! TLS on Postfix
#1
Help! TLS on Postfix
Hello guys,

I am new to the forum and usually I try to search a lot before asking for help.
Now my problem is basically the red lock icon you see in your Gmail account saying "this message was not encrypted".
I have tried numerous things and maybe some of you guys can help me out.

My Sentora panel is located at cohst81n2b.domain.gr (I don't post my actual Sentora panel URL for obvious reasons).
My domain is thomasfoskolos.gr
I have set up my MX record to cohst81n2b.domain.gr

I have set up /etc/postfix/master.cf and /etc/postfix/main.cf

When I use the checktls.com "email TO:" tool everything seems OK and I get this.

http://imgur.com/xgJN3WK

But when I try the checktls.com "email FROM:" tool I get this reply message.

Code:
FAILED CheckTLS/email/test/From: result

from: <me@thomasfoskolos.gr>
via: [XXXXXXXXXXXX]
on: 2017-04-06 14:26:48 EDT
Subject: hw4kggch2mpr6
Your email was sent, however it was NOT SENT SECURELY using TLS.

(this email intentionally has limited formatting)


The transcript of the eMail SMTP session is below, with:
--> this is a line from your email system to us (~~> when encrypted)
<-- this is a line to your email system from us (<~~ when encrypted)
=== this is a line about the tls negotiation (cypher, cert, etc)
*** this is an error, warning, or info line that the test found

<-- 220 ts4.checktls.com ESMTP TestSender Thu, 06 Apr 2017 14:26:46 -0400
--> EHLO cohst81n2b.domain.gr
<-- 250-ts4.checktls.com Hello  [XXXXXXXXXXXX], pleased to meet you
<-- 250-ENHANCEDSTATUSCODES
<-- 250-8BITMIME
<-- 250-STARTTLS
<-- 250 HELP
--> MAIL FROM:<me@thomasfoskolos.gr>
<-- 250 Ok - mail from me@thomasfoskolos.gr
--> RCPT TO:<test@TestSender.CheckTLS.com>
<-- 250 Ok - recipient test@TestSender.CheckTLS.com
--> DATA
<-- 354 Send data.  End with CRLF.CRLF
--> Received: from webmail.thomasfoskolos.gr (localhost.localdomain [127.0.0.1])
-->     (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits))
-->     (No client certificate requested)
-->     by cohst81n2b.domain.gr (Postfix) with ESMTPSA id 2356D200B8E
-->     for <test@TestSender.CheckTLS.com>; Thu,  6 Apr 2017 21:26:46 +0300 (EEST)
--> MIME-Version: 1.0
--> Content-Type: multipart/alternative;
-->  boundary="=_43a20c16ead6fb7754fd3b7e9cfc7276"
--> Date: Thu, 06 Apr 2017 21:26:46 +0300
--> From: me@thomasfoskolos.gr
--> To: test@TestSender.CheckTLS.com
--> Subject: hw4kggch2mpr6
--> Message-ID: <1879cc67eced0ca16cc191c527652cd9@thomasfoskolos.gr>
--> X-Sender: me@thomasfoskolos.gr
--> User-Agent: Roundcube Webmail/1.0.4
-->
--> --=_43a20c16ead6fb7754fd3b7e9cfc7276
--> Content-Transfer-Encoding: 7bit
--> Content-Type: text/plain; charset=US-ASCII
-->
-->  
-->
--> this is a test
--> --=_43a20c16ead6fb7754fd3b7e9cfc7276
--> Content-Transfer-Encoding: quoted-printable
--> Content-Type: text/html; charset=UTF-8
-->
--> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN">
--> <html><body style=3D'font-size: 10pt; font-family: Verdana,Geneva,sans-seri=
--> f'>
--> <p>this is a test</p>
--> </body></html>
-->
--> --=_43a20c16ead6fb7754fd3b7e9cfc7276--
-->
--> .
<-- 250 Ok
--> QUIT
<-- 221 ts4.checktls.com closing connection
SPF results: code="none", local="thomasfoskolos.gr: No applicable sender policy available"
DKIM verify: "none"

It seems my server does not issue the STARTTLS command.
Below are my main.cf and master.cf files and my OS is CentOS 7.

main.cf
Code:
# postfix config file

# uncomment for debugging if needed
soft_bounce=yes

# postfix main
mail_owner = postfix
setgid_group = postdrop
delay_warning_time = 4

# postfix paths
html_directory = no
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
queue_directory = /var/spool/postfix
sendmail_path = /usr/sbin/sendmail.postfix
newaliases_path = /usr/bin/newaliases.postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/postfix-2.2.2/samples
readme_directory = /usr/share/doc/postfix-2.2.2/README_FILES

# network settings
inet_interfaces = all
mydomain = cohst81n2b.domain.gr
myhostname = cohst81n2b.domain.gr
myorigin = $myhostname
mynetworks = 127.0.0.1, XXXXXXXXXXXX
mydestination = localhost.$mydomain, localhost
relay_domains = proxy:mysql:/etc/sentora/configs/postfix/mysql-relay_domains_maps.cf

# mail delivery
recipient_delimiter = +

# mappings
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
#transport_maps = hash:/etc/postfix/transport
#local_recipient_maps =

# virtual setup
virtual_alias_maps = proxy:mysql:/etc/sentora/configs/postfix/mysql-virtual_alias_maps.cf,
                    regexp:/etc/sentora/configs/postfix/virtual_regexp
virtual_mailbox_base = /var/sentora/vmail
virtual_mailbox_domains = proxy:mysql:/etc/sentora/configs/postfix/mysql-virtual_domains_maps.cf
virtual_mailbox_maps = proxy:mysql:/etc/sentora/configs/postfix/mysql-virtual_mailbox_maps.cf
virtual_mailbox_limit_maps = proxy:mysql:/etc/sentora/configs/postfix/mysql-virtual_mailbox_limit_maps.cf
virtual_minimum_uid = 997
virtual_uid_maps = static:997
virtual_gid_maps = static:997
virtual_transport = dovecot
dovecot_destination_recipient_limit = 1

# debugging
debug_peer_level = 2
debugger_command =
        PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
        xxgdb $daemon_directory/$process_name $process_id & sleep 5

# authentication
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
broken_sasl_auth_clients = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth

# tls config
#smtp_use_tls = no
#smtpd_use_tls = no
#smtp_tls_note_starttls_offer = yes
#smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
smtp_tls_session_cache_database = btree:$data_directory/smtp_tls_session_cache
# Change mail.example.com.* to your host name
#smtpd_tls_key_file = /etc/pki/tls/private/mail.example.com.key
#smtpd_tls_cert_file = /etc/pki/tls/certs/mail.example.com.crt
# smtpd_tls_CAfile = /etc/pki/tls/root.crt


#thomas
# SMTP
#smtp_use_tls = yes
smtp_enforce_tls = yes
smtp_tls_security_level = may
#smtp_tls_note_starttls_offer = yes
#smtp_tls_loglevel = 3



# STMPD
#smtpd_use_tls=yes
smtpd_enforce_tls = yes
smtpd_tls_security_level = may
smtpd_tls_loglevel = 1

#smtpd_tls_received_header = yes
#smtpd_tls_auth_only = yes

### path to certificate and key file
smtpd_tls_cert_file = /etc/letsencrypt/live/cohst81n2b.domain.gr/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/cohst81n2b.domain.gr/privkey.pem
#end
# Thomas

# rules restrictions
smtpd_client_restrictions =
smtpd_helo_restrictions =
smtpd_sender_restrictions =
smtpd_recipient_restrictions = permit_sasl_authenticated,
       permit_mynetworks,
       reject_unauth_destination,
       reject_non_fqdn_sender,
       reject_non_fqdn_recipient,
       reject_unknown_recipient_domain
# uncomment for realtime black list checks. (Warn: will also reject false positive)
#       ,reject_rbl_client zen.spamhaus.org
#       ,reject_rbl_client bl.spamcop.net
#       ,reject_rbl_client dnsbl.sorbs.net

smtpd_helo_required = yes
unknown_local_recipient_reject_code = 550
disable_vrfy_command = yes
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_banner = $myhostname ESMTP

message_size_limit = 20480000

master.cf
Code:
#
# Postfix master process configuration file.  For details on the format
# of the file, see the Postfix master(5) manual page.
#
# ***** Unused items removed *****
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       n       -       -       smtpd
submission   inet  n       -       n       -       -       smtpd


#  -o content_filter=smtp-amavis:127.0.0.1:10024
#  -o receive_override_options=no_address_mappings
pickup    fifo  n       -       n       60      1       pickup
 -o content_filter=
 -o receive_override_options=no_header_body_checks
cleanup   unix  n       -       n       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
#qmgr     fifo  n       -       n       300     1       oqmgr
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
smtp      unix  -       -       n       -       -       smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay     unix  -       -       n       -       -       smtp
       -o fallback_relay=
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
discard   unix  -       -       n       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
scache    unix  -       -       n       -       1       scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
# ====================================================================
maildrop  unix  -       n       n       -       -       pipe
 flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
uucp      unix  -       n       n       -       -       pipe
 flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail    unix  -       n       n       -       -       pipe
 flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
 flags=Fq. user=foo argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient
#
# spam/virus section
#
smtp-amavis  unix  -    -       y       -       2       smtp
 -o smtp_data_done_timeout=1200
 -o disable_dns_lookups=yes
 -o smtp_send_xforward_command=yes
127.0.0.1:10025 inet n  -       y       -       -       smtpd
 -o content_filter=
 -o smtpd_helo_restrictions=
 -o smtpd_sender_restrictions=
 -o smtpd_recipient_restrictions=permit_mynetworks,reject
 -o mynetworks=127.0.0.0/8
 -o smtpd_error_sleep_time=0
 -o smtpd_soft_error_limit=1001
 -o smtpd_hard_error_limit=1000
 -o receive_override_options=no_header_body_checks
 -o smtpd_bind_address=127.0.0.1
 -o smtpd_helo_required=no
 -o smtpd_client_restrictions=
 -o smtpd_restriction_classes=
 -o disable_vrfy_command=no
 -o strict_rfc821_envelopes=yes
#
# Dovecot LDA
dovecot   unix  -       n       n       -       -       pipe
 flags=DRhu user=vmail:mail argv=/usr/libexec/dovecot/deliver -d ${recipient}
#
# Vacation mail
vacation    unix  -       n       n       -       -       pipe
 flags=Rq user=vacation argv=/var/spool/vacation/vacation.pl -f ${sender} -- ${recipient}

Thanks in advance,
Thomas
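The CheckTLS transcript above is readable by hand, but it helps to state precisely what it proves: the receiving side offered STARTTLS (the 250-STARTTLS line), the sending server never issued STARTTLS, and everything after EHLO, message body included, went over the wire in clear text. The script below is an added example, not code from the thread or from CheckTLS; it scores a transcript in the CheckTLS marker format (--> client, <-- server, ~~>/<~~ once encrypted) and also reads the RFC 3848 "with ESMTPS/ESMTPSA" keyword from Received headers, which records whether the earlier hop into the server was encrypted. Both sample transcripts are constructed and abridged from the one posted.

```python
"""Score an SMTP session transcript for STARTTLS offered / used / ignored.

Added example for this thread (not from the original post or from CheckTLS).
The transcripts below are constructed, abridged from the posted output.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: STARTTLS is advertised but the client never issues it,
# so commands and message data cross the wire in clear text (the posted case).
SAMPLE_PLAIN = """\
<-- 220 ts4.checktls.com ESMTP TestSender
--> EHLO cohst81n2b.domain.gr
<-- 250-ts4.checktls.com Hello [XXXXXXXXXXXX], pleased to meet you
<-- 250-8BITMIME
<-- 250-STARTTLS
<-- 250 HELP
--> MAIL FROM:<me@thomasfoskolos.gr>
<-- 250 Ok
--> RCPT TO:<test@TestSender.CheckTLS.com>
<-- 250 Ok
--> DATA
<-- 354 Send data.  End with CRLF.CRLF
--> Received: from webmail.thomasfoskolos.gr (localhost.localdomain [127.0.0.1])
-->     (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits))
-->     by cohst81n2b.domain.gr (Postfix) with ESMTPSA id 2356D200B8E
--> this is a test
--> .
<-- 250 Ok
--> QUIT
<-- 221 ts4.checktls.com closing connection
"""

# Constructed sample of what an opportunistic-TLS client produces instead.
SAMPLE_TLS = """\
<-- 220 ts4.checktls.com ESMTP TestSender
--> EHLO cohst81n2b.domain.gr
<-- 250-ts4.checktls.com Hello
<-- 250-STARTTLS
<-- 250 HELP
--> STARTTLS
<-- 220 Ready to start TLS
=== TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 negotiated
~~> EHLO cohst81n2b.domain.gr
<~~ 250-ts4.checktls.com Hello
<~~ 250 HELP
~~> MAIL FROM:<me@thomasfoskolos.gr>
<~~ 250 Ok
~~> QUIT
<~~ 221 closing connection
"""

LINE_RE = re.compile(r"^(-->|<--|~~>|<~~|===|\*\*\*) ?(.*)$")
STARTTLS_OFFER_RE = re.compile(r"^250[- ]STARTTLS\b", re.IGNORECASE)
# Received header "by <host> ... with <keyword>": the RFC 3848 keywords are
# SMTP/ESMTP (clear), ESMTPS (TLS), ESMTPA (auth) and ESMTPSA (TLS + auth).
RECEIVED_WITH_RE = re.compile(r"\bby (\S+) .*?\bwith (E?SMTPS?A?)\b")
TLS_KEYWORD_RE = re.compile(r"E?SMTPSA?")


@dataclass
class TlsReport:
    starttls_offered: bool = False
    starttls_issued: bool = False
    plaintext_client_lines: int = 0   # commands and message data sent in clear
    encrypted_lines: int = 0          # lines exchanged after TLS was negotiated
    inbound_hops: list = field(default_factory=list)  # (host, keyword, used_tls)


def analyze_transcript(text: str) -> TlsReport:
    """Walk the transcript line by line and collect the TLS-relevant facts."""
    report = TlsReport()
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        marker, body = m.groups()
        if marker == "<--":
            if STARTTLS_OFFER_RE.match(body):
                report.starttls_offered = True
        elif marker == "-->":
            report.plaintext_client_lines += 1
            if body.strip().upper() == "STARTTLS":
                report.starttls_issued = True
            hop = RECEIVED_WITH_RE.search(body)
            if hop:  # the hop *into* the sending server, from its Received header
                host, keyword = hop.groups()
                used_tls = TLS_KEYWORD_RE.fullmatch(keyword) is not None
                report.inbound_hops.append((host, keyword, used_tls))
        elif marker in ("~~>", "<~~"):
            report.encrypted_lines += 1
    return report


def verdict(report: TlsReport) -> str:
    """Summarise the outbound leg the way the CheckTLS result line does."""
    if report.starttls_issued and report.encrypted_lines:
        return "encrypted"
    if report.starttls_offered:
        return "offered-but-unused"   # the posted case: the sending side never upgraded
    return "not-offered"              # the remote gave no STARTTLS capability at all


if __name__ == "__main__":
    for name, sample in (("plain", SAMPLE_PLAIN), ("tls", SAMPLE_TLS)):
        rep = analyze_transcript(sample)
        print(f"{name}: {verdict(rep)}; clear-text client lines={rep.plaintext_client_lines}, "
              f"encrypted lines={rep.encrypted_lines}, inbound hops={rep.inbound_hops}")
```

On the posted transcript this reports "offered-but-unused", with ten clear-text client lines and one inbound hop (webmail to cohst81n2b.domain.gr) that did use TLS and SASL ("ESMTPSA"). That split is the useful diagnostic: the submission leg into Postfix is encrypted, so the certificate and key are loadable, and the problem is confined to Postfix acting as an SMTP client.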
#2
RE: Help! TLS on Postfix
Bump!
Can at least any of you guys help me with how to troubleshoot this?
For some reason I don't see any log file in /var/log/ named mail.log

Thanks in advance,
Thomas
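Two things a troubleshooter needs here are the log location and the TLS level Postfix actually applies. On CentOS 7 Postfix logs through rsyslog's mail facility to /var/log/maillog, not mail.log, and that is where smtp_tls_loglevel output lands. For the configuration side, the script below is an added example (not Postfix's postconf and not from the thread) that parses main.cf syntax and resolves the precedence documented in postconf(5): a non-empty smtp_tls_security_level or smtpd_tls_security_level overrides the obsolete *_use_tls and *_enforce_tls parameters, and when only the obsolete ones are set they map onto a level. The sample excerpt is constructed from the TLS section of the main.cf posted above; the script does not expand $variables or read master.cf -o overrides.

```python
"""Report the TLS security levels Postfix will actually apply from a main.cf.

Added example for this thread (not Postfix code, not from the original poster).
The excerpt below is constructed from the TLS section of the posted main.cf.
"""
import sys

SAMPLE_MAIN_CF = """\
# tls config (constructed excerpt modelled on the posted main.cf)
#smtp_use_tls = no
#smtpd_use_tls = no
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtp_tls_session_cache_database = btree:$data_directory/smtp_tls_session_cache

# SMTP (Postfix as client)
smtp_enforce_tls = yes
smtp_tls_security_level = may
#smtp_tls_loglevel = 3

# SMTPD (Postfix as server)
smtpd_enforce_tls = yes
smtpd_tls_security_level = may
smtpd_tls_loglevel = 1
smtpd_tls_cert_file = /etc/letsencrypt/live/cohst81n2b.domain.gr/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/cohst81n2b.domain.gr/privkey.pem

smtpd_recipient_restrictions = permit_sasl_authenticated,
       permit_mynetworks,
       reject_unauth_destination
"""


def parse_main_cf(text: str) -> dict:
    """Parse main.cf: 'name = value' lines, continuation lines that start with
    whitespace, '#' comment lines. A later definition of the same parameter
    replaces the earlier one, as postconf does."""
    params = {}
    current = None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace():                      # continuation of the previous value
            if current is not None:
                params[current] = (params[current] + " " + line.strip()).strip()
            continue
        name, sep, value = line.partition("=")
        if not sep:                                 # Postfix also rejects such a line
            raise ValueError(f"main.cf line without '=': {line!r}")
        current = name.strip()
        params[current] = value.strip()
    return params


def effective_level(params: dict, side: str) -> tuple:
    """side is 'smtp' (Postfix as client) or 'smtpd' (Postfix as server).
    Returns (level, notes) following the precedence rules in postconf(5)."""
    notes = []
    level = params.get(f"{side}_tls_security_level", "")
    if level:
        for old in (f"{side}_use_tls", f"{side}_enforce_tls"):
            if old in params:
                notes.append(f"{old} is obsolete and ignored because "
                             f"{side}_tls_security_level = {level} is set")
        return level, notes
    # Legacy mapping when only the obsolete parameters are present.
    if params.get(f"{side}_enforce_tls", "no") == "yes":
        if side == "smtp" and params.get("smtp_tls_enforce_peername", "yes") == "yes":
            return "verify", notes     # legacy client default also checks the peer name
        return "encrypt", notes
    if params.get(f"{side}_use_tls", "no") == "yes":
        return "may", notes
    return "none", notes


def tls_report(params: dict) -> dict:
    """Effective levels for both sides plus defender-oriented findings."""
    report = {"findings": []}
    for side in ("smtp", "smtpd"):
        level, notes = effective_level(params, side)
        report[side] = level
        report["findings"].extend(notes)
    if report["smtpd"] != "none":
        for name in ("smtpd_tls_cert_file", "smtpd_tls_key_file"):
            if not params.get(name):
                report["findings"].append(f"{name} is empty; smtpd will not offer STARTTLS")
    if report["smtpd"] == "encrypt":
        report["findings"].append("smtpd_tls_security_level = encrypt on the port-25 MX violates "
                                  "RFC 3207 and loses mail from non-TLS senders; keep 'may' on "
                                  "port 25 and enforce TLS on submission via master.cf -o options")
    if report["smtp"] == "none":
        report["findings"].append("outbound mail is never encrypted (smtp side is 'none')")
    if report["smtp"] == "may" and params.get("smtp_tls_loglevel", "0") == "0":
        report["findings"].append("smtp_tls_loglevel is 0; set it to 1 so the mail log records "
                                  "whether outbound STARTTLS was attempted")
    return report


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MAIN_CF
    rep = tls_report(parse_main_cf(text))
    print(f"effective smtp (client) level:  {rep['smtp']}")
    print(f"effective smtpd (server) level: {rep['smtpd']}")
    for finding in rep["findings"]:
        print(" -", finding)
```

Run it as `python3 postfix_tls_check.py /etc/postfix/main.cf` (without an argument it uses the constructed excerpt). On the posted excerpt it reports "may" for both sides, flags smtp_enforce_tls and smtpd_enforce_tls as ignored, and asks for smtp_tls_loglevel = 1; with the client at "may", Postfix attempts STARTTLS whenever the remote offers it, so the next step is the maillog line for that delivery rather than further main.cf edits.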
#3
RE: Help! TLS on Postfix
Just guessing, maybe your reverse MX records (PTR).
https://intodns.com/thomasfoskolos.gr
Maybe also SPF records?

#4
RE: Help! TLS on Postfix
(04-18-2017, 10:29 PM)Ron-e Wrote: Just guessing, maybe your reverse MX records (PTR).
https://intodns.com/thomasfoskolos.gr
Maybe also SPF records?

Thank you for your quick reply Ron-e.

I use Cloudflare for my nameservers so I doubt I can do anything about that, but also I don't see how this may affect my mail encryption.

SPF records are for telling who is allowed to send email from my domain. I can send and receive mails. The only problem is with their encryption.
#5
RE: Help! TLS on Postfix
This might help.
http://forums.sentora.org/showthread.php...figuration