Thread: TLS disabled in Postfix smtp client after install & upgrade (smtp_tls_security_level)

  1. #1
    Join Date
    May 2010
    TLS disabled in Postfix smtp client after install & upgrade (smtp_tls_security_level)

    I can't for the life of me understand why ZCS does not ship with the following Postfix configuration option set to "may" and why it is cleared after an upgrade!
    zimbra@host:~$ postconf smtp_tls_security_level
    smtp_tls_security_level =
    zimbra@host:~$ zmlocalconfig postfix_smtp_tls_security_level
    Warning: null valued key 'postfix_smtp_tls_security_level'
    I'd file a bug report but want to make sure other users experience this as well.
    Or is there a good reason for SENDING ALL OUTGOING EMAIL IN CLEARTEXT even if the receiving smtpd server supports SSL / TLS?
    Is this happening for anyone else?
    Is it like this only in the OSE?

    To enable opportunistic TLS for the Postfix SMTP client (smtp):
    zimbra@host:~$ zmlocalconfig -e postfix_smtp_tls_security_level=may
    zimbra@host:~$ postconf -e smtp_tls_CAfile=/opt/zimbra/zimbramon/lib/Mozilla/CA/cacert.pem
    zimbra@host:~$ postconf -e smtp_tls_loglevel=1
    The first line above enables opportunistic TLS, i.e. if the receiving smtpd server supports TLS/SSL, message delivery to that server will be encrypted, otherwise it will be sent in cleartext - hence opportunistic.
    Note: Zimbra's config (re)writer recognises this configuration option and will transpose it in to (after removing the postfix_ prefix) and reload postfix configuration automatically.
    The second line isn't strictly needed but should be executed so that Postfix can 'trust' other smtpd server's certificates (looks better in logs). If it can't 'trust' them, encryption still occurs but as 'untrusted'.
    The third line, so you can monitor /var/log/zimbra.log to make sure TLS is being used on outgoing emails.
    Note: The latter configuration options are NOT recognised by Zimbra's config (re)writer hence why you must use postconf rather than zmlocalconfig - which means you'll have to do this all over again after upgrade - until this is fixed!

    You should now see this in your logs when you send an email from ZCS:

    May 13 12:11:10 host postfix/smtp[1234]: Trusted TLS connection established to[xx.xx.xx.xx]:25: TLSv1.2 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)
    Am I going mad?
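
One way to catch the reset described in the post above after an upgrade, as an added example (not part of the original thread and not Zimbra's own tooling): a shell function that reads `postconf` output for the three parameters the post sets and fails when `smtp_tls_security_level` is empty. The names `audit_smtp_tls` and `sample_after_upgrade` and the sample input are assumptions made for illustration; the legacy `smtp_use_tls` parameter is not considered.

```shell
#!/bin/sh
# Added example: audit the three Postfix SMTP client settings from this thread.
# Input : "name = value" lines on stdin, as printed by
#         postconf smtp_tls_security_level smtp_tls_CAfile smtp_tls_loglevel
# Output: one finding per line (OK / FAIL / WARN).
# Status: 0 if a TLS security level is set, 1 if it is empty or "none".
# Assumption: an empty level is treated as "TLS off", as in the post.

audit_smtp_tls() {
    awk '
    {
        # Split on the first "=" only; values may contain "=" themselves.
        eq = index($0, "=")
        if (eq == 0) next
        name  = substr($0, 1, eq - 1)
        value = substr($0, eq + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", name)
        gsub(/^[ \t]+|[ \t]+$/, "", value)
        conf[name] = value
    }
    END {
        rc = 0
        level = conf["smtp_tls_security_level"]
        if (level == "" || level == "none") {
            print "FAIL smtp_tls_security_level is empty or none"
            rc = 1
        } else {
            print "OK   smtp_tls_security_level = " level
        }
        # No CA bundle: the post notes sessions are then logged as untrusted.
        if (conf["smtp_tls_CAfile"] == "")
            print "WARN smtp_tls_CAfile is empty"
        # Log level 0 (or unset): TLS use is not recorded in the mail log.
        if (conf["smtp_tls_loglevel"] == "" || conf["smtp_tls_loglevel"] == "0")
            print "WARN smtp_tls_loglevel is 0"
        exit rc
    }'
}

# Constructed sample input: the cleared state described after an upgrade.
sample_after_upgrade() {
    printf "%s\n" "smtp_tls_security_level =" \
                  "smtp_tls_CAfile =" \
                  "smtp_tls_loglevel = 0"
}
```

Run as the zimbra user after each upgrade, piping the `postconf` command from the header comment into `audit_smtp_tls`; a non-zero exit status means the setting has been cleared again.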

  2. #2
    Join Date
    May 2007

    You fail to state a ZCS version. postfix_smtp_tls_security_level is a localconfig key in ZCS 8.0.

    Quanah Gibson-Mount
    Server Architect
    Zimbra, Inc
    Zimbra :: the leader in open source messaging and collaboration

  3. #3
    Join Date
    May 2010

    Sorry - have added version to signature. Upgrade was from ZCS OSE 7.2.3.

    postfix_smtp_tls_security_level is a localconfig key in ZCS 8.0.
    I realise this but one would have thought that opportunistic TLS would be enabled by default.
    The smtp_tls_CAfile config variable is also blank by default which really should contain a CA bundle to verify server certificates.
    I had a hunt around /opt/zimbra and there are a few CA bundles floating around but surprisingly none in the ssl/ directory.

    Last edited by nix; 05-14-2013 at 04:39 AM.
    Release 8.0.3.GA.5664.UBUNTU12.64 UBUNTU12_64 FOSS edition.
