{"id":110,"date":"2017-03-06T09:35:03","date_gmt":"2017-03-06T09:35:03","guid":{"rendered":"http:\/\/www.hestben.se\/HestbenTechnical\/?p=110"},"modified":"2017-03-06T09:35:03","modified_gmt":"2017-03-06T09:35:03","slug":"find-out-if-tls-is-used-when-sending-mail","status":"publish","type":"post","link":"https:\/\/www.hestben.se\/HestbenTechnical\/?p=110","title":{"rendered":"Find out if TLS is used when sending mail"},"content":{"rendered":"

So, I have an old installation of Debian, with postfix, and I don’t remember how I set it up. I should check that it is using sane settings and really using encryption for the transport of mails. This is on my Debian Jessie 8.7 server.
\nFirst, I wanted to see what version of postfix I am using.
\nIssuing postcond -d | grep mail_version<\/code> yields the version 2.11.3.<\/code>.
\nSo, according to the answers in this question<\/a>, I should use the newer configuration options smtp_tls_security_level<\/code>.
\nIn the configuration that existed on the server, I didn’t have anything about smtp, only for smtpd (incoming mail). From logs obtained when running smtp<\/code> with the options -v -v<\/code> (Change the settings in \/etc\/postfix\/master.cf<\/code> and restart postfix):
\nMar 2 16:30:17 galerkin postfix\/smtp[15196]: > mail.tele2.se[212.247.156.1]:587: EHLO galerkin.hestben.dyndns-ip.com
\nMar 2 16:30:17 galerkin postfix\/smtp[15196]: < mail.tele2.se[212.247.156.1]:587: 250-mailfe09.swip.net host name is unknown galerkin.hestben.dyndns-ip.com\nMar 2 16:30:17 galerkin postfix\/smtp[15196]: < mail.tele2.se[212.247.156.1]:587: 250-DSN\nMar 2 16:30:17 galerkin postfix\/smtp[15196]: < mail.tele2.se[212.247.156.1]:587: 250-SIZE 314572800\nMar 2 16:30:17 galerkin postfix\/smtp[15196]: < mail.tele2.se[212.247.156.1]:587: 250-STARTTLS\nMar 2 16:30:17 galerkin postfix\/smtp[15196]: < mail.tele2.se[212.247.156.1]:587: 250-AUTH LOGIN PLAIN\nMar 2 16:30:17 galerkin postfix\/smtp[15196]: < mail.tele2.se[212.247.156.1]:587: 250-ETRN\nMar 2 16:30:17 galerkin postfix\/smtp[15196]: < mail.tele2.se[212.247.156.1]:587: 250-TURN\nMar 2 16:30:17 galerkin postfix\/smtp[15196]: < mail.tele2.se[212.247.156.1]:587: 250-ATRN\nMar 2 16:30:17 galerkin postfix\/smtp[15196]: < mail.tele2.se[212.247.156.1]:587: 250-NO-SOLICITING\nMar 2 16:30:17 galerkin postfix\/smtp[15196]: < mail.tele2.se[212.247.156.1]:587: 250-8BITMIME\nMar 2 16:30:17 galerkin postfix\/smtp[15196]: < mail.tele2.se[212.247.156.1]:587: 250-HELP\nMar 2 16:30:17 galerkin postfix\/smtp[15196]: < mail.tele2.se[212.247.156.1]:587: 250-PIPELINING\nMar 2 16:30:17 galerkin postfix\/smtp[15196]: < mail.tele2.se[212.247.156.1]:587: 250 EHLO<\/code>
\nThen, it looks like it creates a TCP buffer with the login credentials, and then issues AUTH LOGIN:
\nMar 2 16:30:17 galerkin postfix\/smtp[15196]: smtp_sasl_authenticate: mail.tele2.se[212.247.156.1]:587: SASL mechanisms LOGIN PLAIN
\nMar 2 16:30:17 galerkin postfix\/smtp[15196]: > mail.tele2.se[212.247.156.1]:587: AUTH LOGIN<\/code>
\nI.e. no encryption used, so I added smtp_tls_security_level=may<\/code> to main.cf (you can also use postconf -e \"smtp_tls_security_level=may\"<\/code>)
\nThen reloaded postfix with
\npostfix reload<\/code>
\nYou can then verify that the setting is set with
\npostconf | grep smtp_tls_security_level<\/code>.
\nNow the mail.log looks like:
\nMar 3 15:11:41 galerkin postfix\/pickup[22696]: 98D91232032: uid=0 from=
\nMar 3 15:11:41 galerkin postfix\/cleanup[22702]: 98D91232032: message-id=<20170303141141.98D91232032@galerkin.hestben.dyndns-ip.com>
\nMar 3 15:11:41 galerkin postfix\/qmgr[22697]: 98D91232032: from=, size=359, nrcpt=1 (queue active)
\nMar 3 15:11:42 galerkin postfix\/smtp[22704]: Untrusted TLS connection established to mail.tele2.se[212.247.156.1]:587: TLSv1 with cipher AES256-SHA (256\/256 bits)
\nMar 3 15:11:43 galerkin postfix\/smtp[22704]: 98D91232032: to=, relay=mail.tele2.se[212.247.156.1]:587, delay=2.2, delays=0.31\/0.3\/0.5\/1.1, dsn=2.0.0, status=sent (250 549908680 mailfe03 Message accepted for delivery)
\nMar 3 15:11:43 galerkin postfix\/qmgr[22697]: 98D91232032: removed<\/code>
\nSo, now you could hope tele2 would change to a better cipher with perfect forward secrecy (such as ECDHE-RSA-AES256-GCM-SHA384). Reading through the reference below about postfix forward secrecy<\/a>, it also looks like the server does not support anonymous cipher suites =(.<\/p>\n

Now, check incoming mail. The setting for the incoming mail which is called smtpd_tls_security_level<\/code>. I had previously used smtpd_use_tls=yes<\/code> so I changed to the newer setting. I sent a mail to my server (there is only a dyndns-ip configured for it, I use an external email provider for my hestben.se-domain).
\nThe log from that looks like this:
\nMar 3 15:29:33 galerkin postfix\/smtpd[22788]: connect from mx.kolabnow.com[95.128.36.1]
\nMar 3 15:29:33 galerkin postfix\/smtpd[22788]: Anonymous TLS connection established from mx.kolabnow.com[95.128.36.1]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256\/256 bits)
\nMar 3 15:29:33 galerkin postfix\/smtpd[22788]: A0EC523202F: client=mx.kolabnow.com[95.128.36.1]
\nMar 3 15:29:33 galerkin postfix\/cleanup[22793]: A0EC523202F: message-id=<20170303142924.GB4898@debian.hestben.dyndns-ip.com><\/code>
\nSuper, it is even using a good cipher.<\/p>\n

References : postfix forward secrecy<\/a>, postfix tls readme<\/a>, postfix main.cf format<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"

So, I have an old installation of Debian, with postfix, and I don’t remember how I set it up. I should check that it is using sane settings and really using encryption for the transport of mails. This is on my Debian Jessie 8.7 server. First, I wanted to see what version of postfix I … Continue reading “Find out if TLS is used when sending mail”<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hestben.se\/HestbenTechnical\/index.php?rest_route=\/wp\/v2\/posts\/110"}],"collection":[{"href":"https:\/\/www.hestben.se\/HestbenTechnical\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hestben.se\/HestbenTechnical\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hestben.se\/HestbenTechnical\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hestben.se\/HestbenTechnical\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=110"}],"version-history":[{"count":7,"href":"https:\/\/www.hestben.se\/HestbenTechnical\/index.php?rest_route=\/wp\/v2\/posts\/110\/revisions"}],"predecessor-version":[{"id":117,"href":"https:\/\/www.hestben.se\/HestbenTechnical\/index.php?rest_route=\/wp\/v2\/posts\/110\/revisions\/117"}],"wp:attachment":[{"href":"https:\/\/www.hestben.se\/HestbenTechnical\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=110"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hestben.se\/HestbenTechnical\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=110"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hestben.se\/HestbenTechnical\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=110"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}