[postfix-es] Problems verifying a TLS connection

sralbiz en gmail.com sralbiz en gmail.com
Tue Jun 18 21:41:45 CEST 2019


Hello,


For work reasons I need to verify a TLS connection. Until now we have 
always used "may" and have never had problems. After reading a lot of 
documentation I have generated an smtp_tls_policy_maps file where I have 
included the

dominiocliente    verify

.dominiocliente    verify

I have done some testing and, according to the logs, I get Trusted, 
Anonymous for the rest and Verified for this client, but even so the 
messages do not get into their server, showing me:

Verified TLS connection established to MXhost[xxx.xxx.xxx.xxx]:25: 
TLSv1.1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)

postfix/smtp[]: : to=<email en domain.com>, 
relay=MXhost[xxx.xxx.xxx.xxx]:25, delay=2190, delays=2186/0.03/3.9/0.13, 
dsn=4.7.0, status=deferred (host MXdomain[xxx.xxx.xxx.xxx] said: 403 
4.7.0 not authenticated (in reply to MAIL FROM command))

and staying in the queue with the same error:

(host dominioexterno[xxx.xxx.xxx.xxx] said: 403 4.7.0 not authenticated 
(in reply to MAIL FROM command))

As a curiosity, I would point out that they stay as deferred, and according 
to the manual * that happens when using encrypt instead of verify. Be that 
as it may, I would appreciate any light you can shed. Regards and thanks,


* http://www.postfix.org/TLS_README.html#client_tls_verify


**postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
bounce_queue_lifetime = 48h
compatibility_level = 2
delay_warning_time = 2h
inet_interfaces = all
inet_protocols = ipv4
mailbox_size_limit = 0
mailman_destination_recipient_limit = 1
maximal_queue_lifetime = 48h
message_size_limit = 25000000
milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}
milter_protocol = 6
mydestination = $myhostname, <fqdn>, localhost.<domain>, , localhost
myhostname = <fqdn>
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
myorigin = /etc/mailname
non_smtpd_milters = inet:127.0.0.1:11332
readme_directory = no
recipient_delimiter = +
relay_domains = <subdominio>
relayhost =
smtp_tls_CApath = /etc/ssl/certs
smtp_tls_loglevel = 2
smtp_tls_mandatory_ciphers = high
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, TLSv1.1
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
smtp_tls_protocols = !SSLv2,!SSLv3, !TLSv1, !TLSv1.1
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_client_restrictions = permit_mynetworks permit_sasl_authenticated 
check_client_access hash:/etc/postfix/whitelist
smtpd_milters = inet:127.0.0.1:11332
smtpd_recipient_limit = 4000
smtpd_recipient_restrictions = permit_mynetworks, 
permit_sasl_authenticated, reject_rbl_client zen.spamhaus.org, 
reject_rhsbl_reverse_client dbl.spamhaus.org, reject_rhsbl_helo 
dbl.spamhaus.org, reject_rhsbl_sender dbl.spamhaus.org, 
reject_rbl_client b.barracudacentral.org, reject_rbl_client 
bl.spamcop.net, reject_rbl_client cbl.abuseat.org,
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, 
reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_sender_login_maps = mysql:/etc/postfix/mysql4.cf
smtpd_sender_restrictions = permit_mynetworks permit_sasl_authenticated 
reject_authenticated_sender_login_mismatch check_sender_access 
hash:/etc/postfix/emailWL
smtpd_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtpd_tls_CApath = /etc/ssl/certs
smtpd_tls_ask_ccert = yes
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/ssl/certs/<mxhost>.pem
smtpd_tls_ciphers = high
smtpd_tls_key_file = /etc/ssl/certs/<mxhost>.key
smtpd_tls_loglevel = 2
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_protocols = TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3
smtpd_tls_protocols = TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
soft_bounce = no
tls_high_cipherlist = 
EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
tls_preempt_cipherlist = yes
transport_maps = hash:/etc/postfix/transport
virtual_alias_maps = 
mysql:/etc/postfix/alias.cf,mysql:/etc/postfix/mysql2.cf
virtual_mailbox_domains = mysql:/etc/postfix/mysql1.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql3.cf
virtual_transport = lmtp:unix:private/dovecot-lmtp



More information about the postfix-es mailing list
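Added example (editorial, not part of the message above and not Postfix code). Two different layers are visible in the log lines quoted in the post: Postfix writes "Verified TLS connection established ..." only after the server certificate has satisfied the policy level for that destination, whereas "403 4.7.0 ... (in reply to MAIL FROM command)" is the remote server's own answer at the SMTP layer, sent after the handshake has already completed. Note also that the client-side policy levels (encrypt, verify, secure) govern verification of the server certificate; the Postfix SMTP client only presents a certificate of its own when smtp_tls_cert_file and smtp_tls_key_file are set. The script below correlates the two kinds of smtp(8) log lines by process id so that each delivery record carries the TLS level, protocol and cipher of its session next to which layer stopped it. The sample log lines are constructed for the example (host names, queue ids, addresses and RFC 5737 IPs are invented); the third session, an untrusted certificate deferred locally, goes beyond the post to show the contrasting case.

```python
"""Correlate Postfix smtp(8) client log lines: TLS-policy outcome
(Anonymous/Untrusted/Trusted/Verified) next to the delivery status of
the same session.  Example code, not Postfix's own; sample lines are
constructed, modelled on the ones quoted in the mailing-list post."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample log (invented hosts, queue ids, pids, RFC 5737 addresses).
SAMPLE_LOG = """\
Jun 18 21:30:01 mx postfix/smtp[1234]: Verified TLS connection established to MXhost[192.0.2.10]:25: TLSv1.1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
Jun 18 21:30:02 mx postfix/smtp[1234]: 3A1B2C3D4E: to=<user@example.com>, relay=MXhost[192.0.2.10]:25, delay=2190, delays=2186/0.03/3.9/0.13, dsn=4.7.0, status=deferred (host MXhost[192.0.2.10] said: 403 4.7.0 not authenticated (in reply to MAIL FROM command))
Jun 18 21:31:05 mx postfix/smtp[1235]: Anonymous TLS connection established to other[198.51.100.7]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jun 18 21:31:05 mx postfix/smtp[1235]: 5F6E7D8C9B: to=<a@other.example>, relay=other[198.51.100.7]:25, delay=0.5, delays=0.1/0.02/0.2/0.18, dsn=2.0.0, status=sent (250 2.0.0 OK)
Jun 18 21:32:10 mx postfix/smtp[1236]: Untrusted TLS connection established to third[203.0.113.5]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Jun 18 21:32:10 mx postfix/smtp[1236]: 9A8B7C6D5E: to=<b@third.example>, relay=third[203.0.113.5]:25, delay=1.2, delays=0.1/0.02/1.0/0.08, dsn=4.7.5, status=deferred (Server certificate not verified)
"""

TLS_RE = re.compile(
    r"postfix/smtp\[(?P<pid>\d+)\]: "
    r"(?P<level>Untrusted|Trusted|Verified|Anonymous) TLS connection established to "
    r"(?P<relay>\S+?):(?P<port>\d+): (?P<proto>\S+) with cipher (?P<cipher>\S+)"
)
DELIVERY_RE = re.compile(
    r"postfix/smtp\[(?P<pid>\d+)\]: (?P<queue_id>\w+): to=<(?P<rcpt>[^>]*)>, "
    r"relay=(?P<relay>[^,]+), .*dsn=(?P<dsn>[\d.]+), status=(?P<status>\w+) "
    r"\((?P<detail>.*)\)$"
)
# "... (in reply to MAIL FROM command)" only appears when the remote server answered.
STAGE_RE = re.compile(r"in reply to (?P<stage>[A-Za-z ]+?) command")
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


@dataclass
class Delivery:
    queue_id: str
    rcpt: str
    relay: str          # host[ip]:port as logged on the delivery line
    dsn: str
    status: str
    detail: str
    tls_level: Optional[str]   # None when no TLS line preceded this delivery
    proto: Optional[str]
    cipher: Optional[str]

    @property
    def smtp_stage(self) -> Optional[str]:
        """SMTP command the remote server rejected, if the detail names one."""
        m = STAGE_RE.search(self.detail)
        return m.group("stage") if m else None

    @property
    def failure_layer(self) -> str:
        """'none' (sent), 'smtp' (remote answered a command with an error),
        or 'local' (Postfix itself gave up: TLS policy, connection, ...)."""
        if self.status == "sent":
            return "none"
        return "smtp" if self.smtp_stage else "local"


def correlate(log: str) -> List[Delivery]:
    """Pair each delivery line with the most recent TLS line of the same
    smtp(8) process, provided it refers to the same relay host."""
    last_tls: Dict[str, "re.Match"] = {}
    out: List[Delivery] = []
    for line in log.splitlines():
        m = TLS_RE.search(line)
        if m:
            last_tls[m.group("pid")] = m
            continue
        m = DELIVERY_RE.search(line)
        if not m:
            continue
        tls = last_tls.get(m.group("pid"))
        if tls and tls.group("relay") != m.group("relay").rsplit(":", 1)[0]:
            tls = None  # same process, but its last TLS line was for another host
        out.append(Delivery(
            queue_id=m.group("queue_id"), rcpt=m.group("rcpt"), relay=m.group("relay"),
            dsn=m.group("dsn"), status=m.group("status"), detail=m.group("detail"),
            tls_level=tls.group("level") if tls else None,
            proto=tls.group("proto") if tls else None,
            cipher=tls.group("cipher") if tls else None,
        ))
    return out


def legacy_protocol(d: Delivery) -> bool:
    """True when the session negotiated a protocol older than TLS 1.2."""
    return d.proto in LEGACY_PROTOCOLS


def summarize(deliveries: List[Delivery]) -> Dict[str, int]:
    """Count deliveries by '<tls level>/<failure layer>', e.g. 'Verified/smtp'."""
    counts: Dict[str, int] = {}
    for d in deliveries:
        key = f"{d.tls_level or 'plaintext'}/{d.failure_layer}"
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    records = correlate(SAMPLE_LOG)
    for d in records:
        print(f"{d.queue_id} -> {d.relay}: tls={d.tls_level}/{d.proto}/{d.cipher} "
              f"status={d.status} dsn={d.dsn} layer={d.failure_layer} "
              f"stage={d.smtp_stage} legacy={legacy_protocol(d)}")
    print(summarize(records))
```

Run it against a real mail log by replacing SAMPLE_LOG with the file contents. A "Verified/smtp" record means the destination's certificate passed the policy and the remote MTA then refused the transaction at the SMTP layer, which a client-side TLS policy entry cannot change; "Untrusted/local" or "Anonymous/local" with a 4.7.x DSN is the shape a failed verify or secure policy takes. The pid correlation assumes the TLS line of a session precedes its delivery lines, which is how smtp(8) logs them.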