TLS authentication issues with Outlook + Dovecot + Postfix + CentOS

Posts: 1
Joined: 2022/04/18 20:21:50

TLS authentication issues with Outlook + Dovecot + Postfix + CentOS

Post by axxis_inf » 2022/04/18 20:30:57

I hope you are well! I'm new to unmanaged VPS and I'm running a Contabo server with CentOS 8 and aaPanel. My problem is with the SMTP connection from Outlook: my server is only accepting SMTP connections with STARTTLS or without any kind of encryption, but I would like to accept connections with TLS. I'm using Postfix and Dovecot for email management. I'm attaching my configuration files; thank you all in advance.

NOTE: POP3 and IMAP are working perfectly; SMTP also, but on port 587 without encryption. I had to remove some commented lines to be able to post the question here.

The problem is that I can't connect with TLS. I would like to send email through Outlook, for example, using port 587 with TLS. I would also like to send and receive using Outlook's forwarding service, but it doesn't work or doesn't finish the wizard setup. In the links below you have the screenshots of most of the information that I managed to collect. If you can take a look I would appreciate it.

Error log screenshots:

Code:

protocols = imap pop3 lmtp

#listen = *, ::

#base_dir = /var/run/dovecot/

#instance_name = dovecot

# Greeting message for clients.
#login_greeting = Dovecot ready.

#login_trusted_networks =

# Space separated list of login access check sockets (e.g. tcpwrap)
#login_access_sockets = 

#auth_proxy_self =

#verbose_proctitle = no

#shutdown_clients = yes

#doveadm_socket_path = doveadm-server

#import_environment = TZ

dict {
  #quota = mysql:/etc/dovecot/dovecot-dict-sql.conf.ext
  #expire = sqlite:/etc/dovecot/dovecot-dict-sql.conf.ext
}

namespace inbox {
  inbox = yes

  mailbox Trash {
    auto = subscribe # autocreate and autosubscribe the Trash mailbox
    special_use = \Trash
  }
  mailbox Sent {
    auto = subscribe # autocreate and autosubscribe the Sent mailbox
    special_use = \Sent
  }
  mailbox Junk {
    auto = subscribe # autocreate and autosubscribe the Junk mailbox
    special_use = \Junk
  }
  mailbox Drafts {
    auto = subscribe
    special_use = \Drafts
  }
}

!include conf.d/*.conf

!include_try local.conf

Code:

compatibility_level = 2

#soft_bounce = no

queue_directory = /var/spool/postfix

command_directory = /usr/sbin

daemon_directory = /usr/libexec/postfix

data_directory = /var/lib/postfix

mail_owner = postfix

#default_privs = nobody

#myhostname = host.domain.tld
#myhostname = virtual.domain.tld

#mydomain = domain.tld

#myorigin = $myhostname
#myorigin = $mydomain


#inet_interfaces = all
#inet_interfaces = $myhostname
#inet_interfaces = $myhostname, localhost
inet_interfaces = all

# Enable IPv4, and IPv6 if supported
#inet_protocols = ipv4

#proxy_interfaces =
#proxy_interfaces =

mydestination = 
#mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
#mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain,
#   mail.$mydomain, www.$mydomain, ftp.$mydomain

#local_recipient_maps = unix:passwd.byname $alias_maps
#local_recipient_maps = proxy:unix:passwd.byname $alias_maps
#local_recipient_maps =

unknown_local_recipient_reject_code = 550

#mynetworks_style = class
#mynetworks_style = subnet
#mynetworks_style = host

#mynetworks =,
#mynetworks = $config_directory/mynetworks
#mynetworks = hash:/etc/postfix/network_table

#relay_domains = $mydestination


#relayhost = $mydomain
#relayhost = []
#relayhost = [mailserver.isp.tld]
#relayhost = uucphost
#relayhost = [an.ip.add.ress]

#relay_recipient_maps = hash:/etc/postfix/relay_recipients

#in_flow_delay = 1s

#alias_maps = dbm:/etc/aliases
alias_maps = hash:/etc/aliases
#alias_maps = hash:/etc/aliases, nis:mail.aliases
#alias_maps = netinfo:/aliases

#alias_database = dbm:/etc/aliases
#alias_database = dbm:/etc/mail/aliases
alias_database = hash:/etc/aliases
#alias_database = hash:/etc/aliases, hash:/opt/majordomo/aliases

#recipient_delimiter = +

#home_mailbox = Mailbox
#home_mailbox = Maildir/

#mail_spool_directory = /var/mail
#mail_spool_directory = /var/spool/mail

#mailbox_command = /some/where/procmail
#mailbox_command = /some/where/procmail -a "$EXTENSION"

#mailbox_transport = cyrus

#fallback_transport = lmtp:unix:/var/lib/imap/socket/lmtp
#fallback_transport =

#luser_relay = $
#luser_relay = $
#luser_relay = admin+$local

#header_checks = regexp:/etc/postfix/header_checks

#fast_flush_domains = $relay_domains

#smtpd_banner = $myhostname ESMTP $mail_name
#smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)

#local_destination_concurrency_limit = 2
#default_destination_concurrency_limit = 20

debug_peer_level = 2

#debug_peer_list =
#debug_peer_list = some.domain

debugger_command =
     ddd $daemon_directory/$process_name $process_id & sleep 5

sendmail_path = /usr/sbin/sendmail.postfix

newaliases_path = /usr/bin/newaliases.postfix

mailq_path = /usr/bin/mailq.postfix

setgid_group = postdrop

html_directory = no

manpage_directory = /usr/share/man

# sample_directory: The location of the Postfix sample configuration files.
# This parameter is obsolete as of Postfix 2.1.
sample_directory = /usr/share/doc/postfix3-3.4.9/samples

# readme_directory: The location of the Postfix README files.
readme_directory = /usr/share/doc/postfix3-3.4.9/README_FILES
meta_directory = /etc/postfix
shlib_directory = /usr/lib/postfix
myhostname =
virtual_mailbox_domains = sqlite:/etc/postfix/
virtual_alias_maps= sqlite:/etc/postfix/
virtual_mailbox_maps = sqlite:/etc/postfix/, sqlite:/etc/postfix/
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
smtpd_use_tls = yes
smtp_tls_security_level = may
smtpd_tls_security_level = may
virtual_transport = lmtp:unix:private/dovecot-lmtp
smtpd_milters = inet:
non_smtpd_milters = inet:
# The next 2 lines were added
milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}
milter_protocol = 6
milter_default_action = accept
message_size_limit = 102400000

smtp_tls_CAfile = /root/rootCACert.pem
smtpd_tls_CAfile = /root/rootCACert.pem
smtpd_tls_key_file = /www/server/panel/plugin/mail_sys/cert/
smtpd_tls_cert_file = /www/server/panel/plugin/mail_sys/cert/
#smtpd_tls_key_file = /etc/pki/tls/private/postfix.key
#smtpd_tls_cert_file = /etc/pki/tls/certs/postfix.pem
smtpd_tls_dh1024_param_file = /etc/pki/tls/private/postfix.dh.param

#ssl_cert = < /www/server/panel/plugin/mail_sys/cert/
#ssl_key = < /www/server/panel/plugin/mail_sys/cert/

#smtpd_tls_chain_files = /etc/pki/dovecot/private/dovecot.pem,/etc/pki/dovecot/certs#/dovecot.pem
#tls_server_sni_maps = hash:/etc/postfix/

Code:

smtp      inet  n       -       n       -       -       smtpd
#smtp      inet  n       -       n       -       1       postscreen
#smtpd     pass  -       -       n       -       -       smtpd
#dnsblog   unix  -       -       n       -       0       dnsblog
#tlsproxy  unix  -       -       n       -       0       tlsproxy
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
# We commented out -o smtpd_tls_security_level=may
# When I change the line below, Outlook stops.
  -o smtpd_enforce_tls=no
  -o smtpd_tls_security_level=
  -o smtpd_tls_auth_only=no
# -o smtpd_sasl_auth_enable=yes
# We commented out -o smtpd_tls_auth_only=yes
#  -o smtpd_reject_unlisted_recipient=no
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  Original: -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
  -o smtpd_recipient_restrictions=permit_sasl_authenticated
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
# Original, commented out: -o milter_macro_daemon_name=ORIGINATING
smtps     inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
#628       inet  n       -       n       -       -       qmqpd
pickup    unix  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      unix  n       -       n       300     1       qmgr
#qmgr     unix  n       -       n       300     1       oqmgr
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       n       -       -       smtp
relay     unix  -       -       n       -       -       smtp
        -o syslog_name=postfix/$service_name
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
retry     unix  -       -       n       -       -       error
discard   unix  -       -       n       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
scache    unix  -       -       n       -       1       scache

Posts: 1361
Joined: 2013/09/06 03:12:10

Re: TLS authentication issues with Outlook + Dovecot + Postfix + CentOS

Post by Whoever » 2022/04/18 23:40:24

What does Postfix's log say about the failed connection?

If connecting to port 587, you probably need to use "-starttls smtp" in your openssl command:

Code:

openssl s_client -connect -starttls smtp
140037073183936:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:ssl/record/ssl3_record.c:331:
no peer certificate available
No client certificate CA names sent
SSL handshake has read 287 bytes and written 359 bytes
Verification: OK
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)

Also, this is problematic:

Code:

smtp_tls_CAfile = /root/rootCACert.pem
smtpd_tls_CAfile = /root/rootCACert.pem

The webserver process should not be able to access anything in /root. You need to move these files somewhere that the webserver process can access them.
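As an added example (not code from either post in this thread), a POSIX sh helper that picks the openssl s_client flags the reply describes for each port and classifies the s_client output, so a "wrong version number" result on 587 is recognised as implicit TLS being attempted against a STARTTLS listener. The host name and the sample output are constructed.

```shell
# Port 587 (submission) starts in plaintext and upgrades with STARTTLS, so
# s_client needs "-starttls smtp"; port 465 (the "smtps" service with
# smtpd_tls_wrappermode=yes) is TLS from the first byte and needs no flag.
# Outlook's "STARTTLS" setting corresponds to 587, its "SSL/TLS" setting to 465.

# Print the extra s_client arguments for a port; return 2 for other ports.
s_client_args() {
  case "$1" in
    587) printf '%s\n' "-starttls smtp" ;;
    465) printf '%s\n' "" ;;
    *)   return 2 ;;
  esac
}

# Read s_client output on stdin and print a one-word verdict.
classify_s_client() {
  out=$(cat)
  case "$out" in
    *"wrong version number"*)
      # The listener answered in plaintext: a TLS ClientHello was sent to a
      # STARTTLS port (missing -starttls smtp, or a client set to SSL/TLS on 587).
      printf 'plaintext-listener\n' ;;
    *"Cipher is (NONE)"*)
      printf 'no-tls\n' ;;
    *"Verify return code: 0 (ok)"*)
      printf 'ok\n' ;;
    *"Verify return code:"*)
      printf 'cert-verify-failed\n' ;;
    *)
      printf 'unknown\n' ;;
  esac
}

# Probe a live server, e.g.: probe_tls mail.example.invalid 587
probe_tls() {
  args=$(s_client_args "$2") || { echo "unsupported port $2" >&2; return 2; }
  # $args is intentionally left unquoted so "-starttls smtp" splits into two words.
  openssl s_client -connect "$1:$2" -servername "$1" $args </dev/null 2>&1 \
    | classify_s_client
}

# Constructed sample modelled on the failed handshake quoted in the thread.
SAMPLE_FAILED='140037073183936:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:ssl/record/ssl3_record.c:331:
New, (NONE), Cipher is (NONE)
Verify return code: 0 (ok)'
```

Running `probe_tls` against a real host needs the openssl binary and network access; the classifier itself works on any captured s_client output.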
