LMTPS : TLS over LMTP not working

Stanislas SABATIER s.sabatier at pobox.com
Mon Nov 17 10:24:40 UTC 2014


I set up a service in master.conf like this:

dovecotsandbox unix -       -       n       -       10       lmtp
  -o lmtp_send_xforward_command=yes
  -o lmtp_tls_security_level=encrypt

Then I tried to add the starttls option:
  -o lmtp_tls_note_starttls_offer=yes

But Postfix still can't deliver the email. Postfix log:
(…) status=deferred (TLS is required, but was not offered by host xx.xx.xx.xx[xx.xx.xx.xx])



On 17 Nov 2014 at 11:03, Reindl Harald <h.reindl at thelounge.net> wrote:

> 
> On 17.11.2014 at 10:58, Stanislas SABATIER wrote:
>> Hello,
>> I tried to activate SSL on the LMTP service, to secure connections between Postfix and Dovecot on my LAN, but Dovecot is not negotiating a TLS session with Postfix.
>> If I enforce TLS for LMTP at Postfix's side, communication between Postfix and Dovecot is not working.
>> 
>> I put
>>   ssl = yes
>>   ssl_cert = </dovecot/ssl/ssl-LMTP.pem
>>   ssl_key = </dovecot/ssl/ssl-LMTP.key
>> in section protocol LMTP within 20-lmtp.conf
>> 
>> and
>> service lmtp {
>>   inet_listener lmtp {
>>     name = dovecot_lmtp
>>     address = xx.xx.xx.xx
>>     port = 26
>>     ssl = yes
>>   }
>>   process_min_avail = 5
>> }
>> within 10-master.conf
>> 
>> Did I miss something?
> 
> did you configure postfix?
> postconf -d | grep tls
> 
> not sure if postfix prefers STARTTLS only (likely, since the smtp client also doesn't support wrapper mode and lmtp is more or less the same as smtp)
> 
> lmtp_enforce_tls = no
> lmtp_sasl_tls_security_options = $lmtp_sasl_security_options
> lmtp_sasl_tls_verified_security_options = $lmtp_sasl_tls_security_options
> lmtp_starttls_timeout = 300s
> lmtp_tls_CAfile =
> lmtp_tls_CApath =
> lmtp_tls_block_early_mail_reply = no
> lmtp_tls_cert_file =
> lmtp_tls_ciphers = export
> lmtp_tls_dcert_file =
> lmtp_tls_dkey_file = $lmtp_tls_dcert_file
> lmtp_tls_eccert_file =
> lmtp_tls_eckey_file = $lmtp_tls_eccert_file
> lmtp_tls_enforce_peername = yes
> lmtp_tls_exclude_ciphers =
> lmtp_tls_fingerprint_cert_match =
> lmtp_tls_fingerprint_digest = md5
> lmtp_tls_force_insecure_host_tlsa_lookup = no
> lmtp_tls_key_file = $lmtp_tls_cert_file
> lmtp_tls_loglevel = 0
> lmtp_tls_mandatory_ciphers = medium
> lmtp_tls_mandatory_exclude_ciphers =
> lmtp_tls_mandatory_protocols = !SSLv2
> lmtp_tls_note_starttls_offer = no
> lmtp_tls_per_site =
> lmtp_tls_policy_maps =
> lmtp_tls_protocols = !SSLv2
> lmtp_tls_scert_verifydepth = 9
> lmtp_tls_secure_cert_match = nexthop
> lmtp_tls_security_level =
> lmtp_tls_session_cache_database =
> lmtp_tls_session_cache_timeout = 3600s
> lmtp_tls_trust_anchor_file =
> lmtp_tls_verify_cert_match = hostname
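The "TLS is required, but was not offered" deferral above means the LHLO reply from the Dovecot listener carried no STARTTLS keyword, which is the first thing to verify before touching any Postfix-side TLS parameter. The probe below is an added diagnostic written for this thread, not code from Postfix, Dovecot or either poster; the host, port, cafile argument and the two sample LHLO replies are constructed for illustration.

```python
import socket
import ssl

# Constructed sample LHLO replies (not captured from the poster's servers); the second is what
# Postfix's "TLS is required, but was not offered by host" deferral corresponds to.
LHLO_WITH_STARTTLS = "250-dovecot.example.invalid\r\n250-8BITMIME\r\n250-STARTTLS\r\n250 PIPELINING\r\n"
LHLO_NO_STARTTLS = "250-dovecot.example.invalid\r\n250-8BITMIME\r\n250 PIPELINING\r\n"


def parse_lhlo_reply(reply: str) -> dict:
    """Map advertised keywords (uppercased) to parameters; line 1 is the server name."""
    caps = {}
    for i, line in enumerate(reply.splitlines()):
        if not line.startswith("250"):          # LHLO refused: no capabilities at all
            return {}
        keyword, _, params = line[4:].strip().partition(" ")
        if i > 0 and keyword:
            caps[keyword.upper()] = params
    return caps


def _read_reply(sock) -> str:
    """Read one full reply; its last line has a space, not '-', after the 3-digit code."""
    data = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:                           # peer closed the connection mid-reply
            break
        data += chunk
        if data.endswith(b"\n") and data.rstrip(b"\r\n").split(b"\n")[-1][3:4] != b"-":
            break
    return data.decode("utf-8", "replace")


def check_lmtp_starttls(host: str, port: int, cafile: str = None, timeout: float = 10.0) -> dict:
    """Probe an LMTP listener as Postfix's lmtp client would: LHLO, look for STARTTLS, then try
    the handshake. Without cafile the certificate is NOT validated: tls_ok means handshake only."""
    result = {"starttls_offered": False, "tls_ok": False, "tls_version": None}
    with socket.create_connection((host, port), timeout=timeout) as sock:
        _read_reply(sock)                                   # 220 greeting
        sock.sendall(b"LHLO probe.example.invalid\r\n")
        result["caps"] = parse_lhlo_reply(_read_reply(sock))
        result["starttls_offered"] = "STARTTLS" in result["caps"]
        if not result["starttls_offered"]:
            return result
        sock.sendall(b"STARTTLS\r\n")
        if not _read_reply(sock).startswith("220"):         # server declined STARTTLS
            return result
        ctx = ssl.create_default_context(cafile=cafile)
        if cafile is None:
            ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            result["tls_ok"], result["tls_version"] = True, tls.version()
            tls.sendall(b"QUIT\r\n")
    return result
```

Run check_lmtp_starttls("xx.xx.xx.xx", 26) against the listener from the poster's 10-master.conf: if starttls_offered comes back False, lmtp_tls_security_level=encrypt on the Postfix side will keep deferring whatever the other lmtp_tls_* settings are, and the fix has to happen in the Dovecot listener configuration or version.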