Tengo un dominio example.com que se sirve desde server.com. Estoy enviando un correo electrónico a gmail.com. El correo electrónico que envío utiliza TLS de example.com a server.com, pero el correo no está cifrado de server.com a gmail.com.
server.com es un VPS en el que configuré los servidores de correo y web.
example.com es uno de los dominios virtuales en el VPS.
Aquí hay un ejemplo de los encabezados de correo electrónico:
Delivered-To: receiver@gmail.com
Received: by 10.236.191.7 with SMTP id c7csp2141557pjs;
Tue, 1 May 2018 14:03:37 -0700 (PDT)
X-Google-Smtp-Source: AB8JxZpwQHXweJ70K6vNAako5gqTtvni9ZUm6LC0Hfl0xAefu7wtGjSsnQHRHMKL/sLpOnicPwFM
X-Received: by 2002:a63:3584:: with SMTP id c126-v6mr14324018pga.37.1525208616991;
Tue, 01 May 2018 14:03:36 -0700 (PDT)
...
...
ARC-Authentication-Results: i=1; mx.google.com;
spf=pass (google.com: domain of sender@example.com designates xxx.xxx.xxx.xxx as permitted sender) smtp.mailfrom=sender@example.com
Return-Path: <sender@example.com>
Received: from server.com (server.com. [xxx.xxx.xxx.xxx])
by mx.google.com with ESMTP id d65si10640010pfd.182.2018.05.01.14.03.36
for <receiver@gmail.com>;
Tue, 01 May 2018 14:03:36 -0700 (PDT)
Received-SPF: pass (google.com: domain of sender@example.com designates xxx.xxx.xxx.xxx as permitted sender) client-ip=xxx.xxx.xxx.xxx;
Authentication-Results: mx.google.com;
spf=pass (google.com: domain of sender@example.com designates xxx.xxx.xxx.xxx as permitted sender) smtp.mailfrom=sender@example.com
Received: from www.example.com (localhost [127.0.0.1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by server.com (Postfix) with ESMTPSA id 7D74260383 for <receiver@gmail.com>; Tue,
1 May 2018 14:03:36 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII; format=flowed
Content-Transfer-Encoding: 7bit
Date: Tue, 01 May 2018 17:03:36 -0400
From: sender@example.com
To: receiver@gmail.com
Subject: Hello
Message-ID: <93768232f2ddc3a08237397@example.com>
X-Sender: sender@example.com
User-Agent: Roundcube Webmail/1.2.3
Test email body.
¿Alguna idea de por qué se cae el cifrado?
EDITAR:
Mi salida postconf -n es:
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
compatibility_level = 2
config_directory = /etc/postfix
html_directory = /usr/share/doc/postfix/html
inet_interfaces = all
inet_protocols = all
mailbox_size_limit = 0
mydestination = $myhostname, server.com, , localhost
myhostname = server.com
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
myorigin = /etc/mailname
readme_directory = /usr/share/doc/postfix
recipient_delimiter = +
relayhost =
smtp_tls_CAfile = /etc/letsencrypt/live/server.com/chain.pem
smtp_tls_cert_file = /etc/letsencrypt/live/server.com/fullchain.pem
smtp_tls_ciphers = high
smtp_tls_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL
smtp_tls_key_file = /etc/letsencrypt/live/server.com/privkey.pem
smtp_tls_loglevel = 2
smtp_tls_mandatory_ciphers = high
smtp_tls_mandatory_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL
smtp_tls_mandatory_protocols = TLSv1.3, TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3
smtp_tls_protocols = TLSv1.3, TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_tls_CAfile = /etc/letsencrypt/live/server.com/chain.pem
smtpd_tls_cert_file = /etc/letsencrypt/live/server.com/fullchain.pem
smtpd_tls_ciphers = high
smtpd_tls_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL
smtpd_tls_key_file = /etc/letsencrypt/live/server.com/privkey.pem
smtpd_tls_loglevel = 2
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL
smtpd_tls_mandatory_protocols = TLSv1.3, TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3
smtpd_tls_protocols = TLSv1.3, TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
tls_preempt_cipherlist = yes
virtual_alias_maps = mysql:/etc/postfix/mysql-valias.cf
virtual_mailbox_domains = mysql:/etc/postfix/mysql-vdomains.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql-vusers.cf
virtual_transport = dovecot
Y esta es mi salida postconf -M:
smtp inet n - y - - smtpd
submission inet n - n - - smtpd -o syslog_name=postfix/submission -o smtpd_tls_security_level=may -o smtpd_sasl_auth_enable=yes -o smtpd_client_restrictions=permit_sasl_authenticated,reject -o smtpd_reject_unlisted_recipient=no -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject -o milter_macro_daemon_name=ORIGINATING
smtps inet n - y - - smtpd -o syslog_name=postfix/smtps -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes -o smtpd_client_restrictions=permit_sasl_authenticated,reject
pickup unix n - n 60 1 pickup
cleanup unix n - n - 0 cleanup
qmgr unix n - n 300 1 qmgr
tlsmgr unix - - n 1000? 1 tlsmgr
rewrite unix - - n - - trivial-rewrite
bounce unix - - n - 0 bounce
defer unix - - n - 0 bounce
trace unix - - n - 0 bounce
verify unix - - n - 1 verify
flush unix n - n 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - n - - smtp
relay unix - - n - - smtp
showq unix n - n - - showq
error unix - - n - - error
retry unix - - n - - error
discard unix - - n - - discard
local unix - n n - - local
lmtp unix - - n - - lmtp
anvil unix - - n - 1 anvil
scache unix - - n - 1 scache
maildrop unix - n n - - pipe flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
uucp unix - n n - - pipe flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail unix - n n - - pipe flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix - n n - - pipe flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix - n n - 2 pipe flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman unix - n n - - pipe flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop} ${user}
dovecot unix - n n - - pipe flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -f ${sender} -d ${recipient}
Y este es mi mail.log:
May 1 16:50:46 hwsrv-230549 postfix/submission/smtpd[29147]: initializing the server-side TLS engine
May 1 16:50:46 hwsrv-230549 postfix/submission/smtpd[29147]: connect from localhost[127.0.0.1]
May 1 16:50:46 hwsrv-230549 postfix/submission/smtpd[29147]: setting up TLS connection from localhost[127.0.0.1]
May 1 16:50:46 hwsrv-230549 postfix/submission/smtpd[29147]: localhost[127.0.0.1]: TLS cipher list "aNULL:-aNULL:HIGH:@STRENGTH:!MD5:!DES:!ADH:!RC4:!PSD:!SRP:!3DES:!eNULL:!aNULL"
May 1 16:50:46 hwsrv-230549 postfix/submission/smtpd[29147]: SSL_accept:before SSL initialization
May 1 16:50:46 hwsrv-230549 postfix/submission/smtpd[29147]: SSL_accept:before SSL initialization
May 1 16:50:46 hwsrv-230549 postfix/submission/smtpd[29147]: SSL_accept:SSLv3/TLS read client hello
May 1 16:50:46 hwsrv-230549 postfix/submission/smtpd[29147]: SSL_accept:SSLv3/TLS write server hello
May 1 16:50:46 hwsrv-230549 postfix/submission/smtpd[29147]: SSL_accept:SSLv3/TLS write certificate
May 1 16:50:46 hwsrv-230549 postfix/submission/smtpd[29147]: SSL_accept:SSLv3/TLS write key exchange
May 1 16:50:46 hwsrv-230549 postfix/submission/smtpd[29147]: SSL_accept:SSLv3/TLS write server done
May 1 16:50:46 hwsrv-230549 postfix/submission/smtpd[29147]: SSL_accept:SSLv3/TLS write server done
May 1 16:50:46 hwsrv-230549 postfix/submission/smtpd[29147]: SSL_accept:SSLv3/TLS read client key exchange
May 1 16:50:46 hwsrv-230549 postfix/submission/smtpd[29147]: SSL_accept:SSLv3/TLS read change cipher spec
May 1 16:50:46 hwsrv-230549 postfix/submission/smtpd[29147]: SSL_accept:SSLv3/TLS read finished
May 1 16:50:46 hwsrv-230549 postfix/submission/smtpd[29147]: localhost[127.0.0.1]: Issuing session ticket, key expiration: 1525220445
May 1 16:50:46 hwsrv-230549 postfix/submission/smtpd[29147]: SSL_accept:SSLv3/TLS write session ticket
May 1 16:50:46 hwsrv-230549 postfix/submission/smtpd[29147]: SSL_accept:SSLv3/TLS write change cipher spec
May 1 16:50:46 hwsrv-230549 postfix/submission/smtpd[29147]: SSL_accept:SSLv3/TLS write finished
May 1 16:50:46 hwsrv-230549 postfix/submission/smtpd[29147]: Anonymous TLS connection established from localhost[127.0.0.1]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
May 1 16:50:46 hwsrv-230549 postfix/submission/smtpd[29147]: BAB6360383: client=localhost[127.0.0.1], sasl_method=LOGIN, sasl_username=sender@example.com
May 1 16:50:46 hwsrv-230549 postfix/cleanup[29153]: BAB6360383: message-id=<484bdbb907f3858ba851028998@example.com>
May 1 16:50:46 hwsrv-230549 postfix/qmgr[29077]: BAB6360383: from=<sender@example.com>, size=745, nrcpt=1 (queue active)
May 1 16:50:46 hwsrv-230549 postfix/smtp[29154]: initializing the client-side TLS engine
May 1 16:50:46 hwsrv-230549 postfix/submission/smtpd[29147]: disconnect from localhost[127.0.0.1] ehlo=2 starttls=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=8
May 1 16:50:47 hwsrv-230549 postfix/smtp[29154]: BAB6360383: to=<receiver@gmail.com>, relay=gmail-smtp-in.l.google.com[74.125.197.26]:25, delay=0.65, delays=0.06/0.03/0.04/0.53, dsn=2.0.0, status=sent (250 2.0.0 OK 1525218647 p84si10342745pfa.180 - gsmtp)
May 1 16:50:47 hwsrv-230549 postfix/qmgr[29077]: BAB6360383: removed
¿Algunas ideas?
EDIT 2: intenté aumentar el nivel de registro a 4 y no proporcionó ninguna información adicional útil.