Find out if TLS is used when sending mail

So, I have an old installation of Debian, with postfix, and I don’t remember how I set it up. I should check that it is using sane settings and really using encryption for the transport of mail. This is on my Debian Jessie 8.7 server.
First, I wanted to see what version of postfix I am using.
Issuing postconf -d | grep mail_version yields the version 2.11.3.
So, according to the answers in this question, I should use the newer configuration option smtp_tls_security_level.
The configuration that existed on the server had nothing about smtp, only settings for smtpd (incoming mail). Logs obtained when running smtp with the options -v -v (change the settings in /etc/postfix/master.cf and restart postfix):
Mar 2 16:30:17 galerkin postfix/smtp[15196]: > mail.tele2.se[212.247.156.1]:587: EHLO galerkin.hestben.dyndns-ip.com
Mar 2 16:30:17 galerkin postfix/smtp[15196]: < mail.tele2.se[212.247.156.1]:587: 250-mailfe09.swip.net host name is unknown galerkin.hestben.dyndns-ip.com
Mar 2 16:30:17 galerkin postfix/smtp[15196]: < mail.tele2.se[212.247.156.1]:587: 250-DSN
Mar 2 16:30:17 galerkin postfix/smtp[15196]: < mail.tele2.se[212.247.156.1]:587: 250-SIZE 314572800
Mar 2 16:30:17 galerkin postfix/smtp[15196]: < mail.tele2.se[212.247.156.1]:587: 250-STARTTLS
Mar 2 16:30:17 galerkin postfix/smtp[15196]: < mail.tele2.se[212.247.156.1]:587: 250-AUTH LOGIN PLAIN
Mar 2 16:30:17 galerkin postfix/smtp[15196]: < mail.tele2.se[212.247.156.1]:587: 250-ETRN
Mar 2 16:30:17 galerkin postfix/smtp[15196]: < mail.tele2.se[212.247.156.1]:587: 250-TURN
Mar 2 16:30:17 galerkin postfix/smtp[15196]: < mail.tele2.se[212.247.156.1]:587: 250-ATRN
Mar 2 16:30:17 galerkin postfix/smtp[15196]: < mail.tele2.se[212.247.156.1]:587: 250-NO-SOLICITING
Mar 2 16:30:17 galerkin postfix/smtp[15196]: < mail.tele2.se[212.247.156.1]:587: 250-8BITMIME
Mar 2 16:30:17 galerkin postfix/smtp[15196]: < mail.tele2.se[212.247.156.1]:587: 250-HELP
Mar 2 16:30:17 galerkin postfix/smtp[15196]: < mail.tele2.se[212.247.156.1]:587: 250-PIPELINING
Mar 2 16:30:17 galerkin postfix/smtp[15196]: < mail.tele2.se[212.247.156.1]:587: 250 EHLO

Then, it looks like it creates a TCP buffer with the login credentials, and then issues AUTH LOGIN:
Mar 2 16:30:17 galerkin postfix/smtp[15196]: smtp_sasl_authenticate: mail.tele2.se[212.247.156.1]:587: SASL mechanisms LOGIN PLAIN
Mar 2 16:30:17 galerkin postfix/smtp[15196]: > mail.tele2.se[212.247.156.1]:587: AUTH LOGIN

In other words, no encryption is used, so I added smtp_tls_security_level=may to main.cf (you can also use postconf -e "smtp_tls_security_level=may").
Then I reloaded postfix with
postfix reload
You can then verify that the setting is set with
postconf | grep smtp_tls_security_level
Now the mail.log looks like:
Mar 3 15:11:41 galerkin postfix/pickup[22696]: 98D91232032: uid=0 from=
Mar 3 15:11:41 galerkin postfix/cleanup[22702]: 98D91232032: message-id=<20170303141141.98D91232032@galerkin.hestben.dyndns-ip.com>
Mar 3 15:11:41 galerkin postfix/qmgr[22697]: 98D91232032: from=, size=359, nrcpt=1 (queue active)
Mar 3 15:11:42 galerkin postfix/smtp[22704]: Untrusted TLS connection established to mail.tele2.se[212.247.156.1]:587: TLSv1 with cipher AES256-SHA (256/256 bits)
Mar 3 15:11:43 galerkin postfix/smtp[22704]: 98D91232032: to=, relay=mail.tele2.se[212.247.156.1]:587, delay=2.2, delays=0.31/0.3/0.5/1.1, dsn=2.0.0, status=sent (250 549908680 mailfe03 Message accepted for delivery)
Mar 3 15:11:43 galerkin postfix/qmgr[22697]: 98D91232032: removed

So, now you could hope tele2 would change to a better cipher with perfect forward secrecy (such as ECDHE-RSA-AES256-GCM-SHA384). Reading through the reference below about postfix forward secrecy, it also looks like the server does not support anonymous cipher suites =(.
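
An added example, not from the original post: a small Python check that pairs every outbound delivery in mail.log with the TLS summary line logged by the same postfix/smtp process, and leaves the TLS field empty when there is none. The sample lines, hostnames and addresses are constructed, and it assumes the TLS summary line is being logged as in the excerpt above (smtp_tls_loglevel of 1 or higher).

```python
import re

# Outbound client lines only: matches postfix/smtp[PID], never postfix/smtpd[PID].
SMTP = re.compile(r"postfix/smtp\[(?P<pid>\d+)\]: (?P<msg>.*)")
TLS = re.compile(r"(?P<trust>\w+) TLS connection established to (?P<relay>\S+): "
                 r"(?P<proto>\S+) with cipher (?P<cipher>\S+)")
SENT = re.compile(r"(?P<qid>[0-9A-Za-z]+): to=.*?relay=(?P<relay>[^,]+),"
                  r".*status=(?P<status>\w+)")

# Constructed sample in the same shape as the mail.log excerpts (not real traffic).
SAMPLE = """\
Mar 3 15:11:42 mx1 postfix/smtp[22704]: Untrusted TLS connection established to relay.example.net[192.0.2.10]:587: TLSv1 with cipher AES256-SHA (256/256 bits)
Mar 3 15:11:43 mx1 postfix/smtp[22704]: A1B2C3D4E5F: to=<a@example.org>, relay=relay.example.net[192.0.2.10]:587, delay=2.2, dsn=2.0.0, status=sent (250 ok)
Mar 3 15:12:01 mx1 postfix/smtp[22710]: 1A2B3C4D5E6: to=<b@example.org>, relay=plain.example.net[192.0.2.20]:25, delay=1.0, dsn=2.0.0, status=sent (250 ok)
Mar 3 15:12:05 mx1 postfix/smtpd[22788]: Anonymous TLS connection established from mx.example.com[192.0.2.30]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
""".splitlines()

def audit(lines):
    """Pair each outbound delivery with the TLS session of the same smtp process."""
    sessions, report = {}, []          # sessions: pid -> last TLS summary seen
    for line in lines:
        m = SMTP.search(line)
        if not m:
            continue
        pid, msg = m["pid"], m["msg"]
        t = TLS.match(msg)
        if t:
            sessions[pid] = dict(t.groupdict(), qid=None)
            continue
        d = SENT.match(msg)
        if not d:
            continue
        s = sessions.get(pid)
        # Assumption: one handshake per message, so a session is credited only
        # to the first queue ID delivered after it, and only for the same relay.
        if s and s["relay"] == d["relay"] and s["qid"] in (None, d["qid"]):
            s["qid"] = d["qid"]
            tls = {k: s[k] for k in ("trust", "proto", "cipher")}
        else:
            tls = None
        report.append({"qid": d["qid"], "relay": d["relay"],
                       "status": d["status"], "tls": tls})
    return report

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(row["qid"], row["relay"], row["status"], row["tls"] or "NO TLS SEEN")
```

Pass it the lines of the real log, for example audit(open("/var/log/mail.log")), and review every row whose tls field is None or whose protocol or cipher is weaker than expected.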

Now, check incoming mail. The setting for incoming mail is called smtpd_tls_security_level. I had previously used smtpd_use_tls=yes, so I changed to the newer setting. I sent a mail to my server (there is only a dyndns-ip configured for it; I use an external email provider for my hestben.se domain).
The log from that looks like this:
Mar 3 15:29:33 galerkin postfix/smtpd[22788]: connect from mx.kolabnow.com[95.128.36.1]
Mar 3 15:29:33 galerkin postfix/smtpd[22788]: Anonymous TLS connection established from mx.kolabnow.com[95.128.36.1]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Mar 3 15:29:33 galerkin postfix/smtpd[22788]: A0EC523202F: client=mx.kolabnow.com[95.128.36.1]
Mar 3 15:29:33 galerkin postfix/cleanup[22793]: A0EC523202F: message-id=<20170303142924.GB4898@debian.hestben.dyndns-ip.com>

Super, it is even using a good cipher.

References: postfix forward secrecy, postfix tls readme, postfix main.cf format.
