min_tls_level ignored (required_tls_level: encrypted) #717

Open
lukastribus opened this issue Jul 15, 2024 · 0 comments
@lukastribus
Describe the bug

Despite commenting out dane and mtasts, setting protocols tls1.0 tls1.3 in tls_client and setting local_policy to:

local_policy {
    min_tls_level none
    min_mx_level none
}

I cannot figure out a way to send emails to:

[email protected] (TLSv1.0, self signed cert)
[email protected] (no TLS support)

I keep hitting TLS errors:

Jul 15 15:58:48 htznr2 maddy[923]: remote: cannot use MX        {"domain":"lists.denog.de","msg_id":"e693452d-66952b17","reason":"TLS it not available or unauthenticated but required","remote_server":"mail1.cluenet.de.","required_tls_level":"encrypted","smtp_code":451,"smtp_enchcode":"4.7.1","smtp_msg":"TLS it not available or unauthenticated but required","tls_err":"tls: server selected unsupported protocol version 301","tls_level":"none"}

Jul 15 15:59:04 htznr2 maddy[923]: remote: cannot use MX        {"domain":"1wt.eu","msg_id":"5fe3eac8-66952b14","reason":"TLS it not available or unauthenticated but required","remote_server":"mail.1wt.eu.","required_tls_level":"encrypted","smtp_code":451,"smtp_enchcode":"4.7.1","smtp_msg":"TLS it not available or unauthenticated but required","tls_err":null,"tls_level":"none"}

Log says "required_tls_level":"encrypted" despite all my attempts at configuring maddy to ignore it, including min_tls_level and min_mx_level.

Is this a bug or am I doing something wrong in the configuration file?

Steps to reproduce

Send email through maddy to:

[email protected] (TLSv1.0, self signed cert)
[email protected] (no TLS support)

Log files

See above.

Configuration file

## Maddy Mail Server - default configuration file (2022-06-18)
# Suitable for small-scale deployments. Uses its own format for local users DB,
# should be managed via maddy subcommands.
#
# See tutorials at https://maddy.email for guidance on typical
# configuration changes.

# ----------------------------------------------------------------------------
# Base variables

$(hostname) = server2.example.eu
$(primary_domain) = example.eu
$(local_domains) = example.eu sand.example.eu
#debug yes

tls file /etc/maddy/certs/$(hostname)/fullchain.pem /etc/maddy/certs/$(hostname)/privkey.pem

# ----------------------------------------------------------------------------
# Local storage & authentication

# pass_table provides local hashed passwords storage for authentication of
# users. It can be configured to use any "table" module, in default
# configuration a table in SQLite DB is used.
# Table can be replaced to use e.g. a file for passwords. Or pass_table module
# can be replaced altogether to use some external source of credentials (e.g.
# PAM, /etc/shadow file).
#
# If table module supports it (sql_table does) - credentials can be managed
# using 'maddy creds' command.

auth.pass_table local_authdb {
    table sql_table {
        driver sqlite3
        dsn credentials.db
        table_name passwords
    }
}

# imapsql module stores all indexes and metadata necessary for IMAP using a
# relational database. It is used by IMAP endpoint for mailbox access and
# also by SMTP & Submission endpoints for delivery of local messages.
#
# IMAP accounts, mailboxes and all message metadata can be inspected using
# imap-* subcommands of maddy.

storage.imapsql local_mailboxes {
    driver sqlite3
    dsn imapsql.db
}

# ----------------------------------------------------------------------------
# SMTP endpoints + message routing

hostname $(hostname)

table.chain local_rewrites {
    optional_step regexp "(.+)\+(.+)@(.+)" "$1@$3"
    optional_step static {
        entry postmaster postmaster@$(primary_domain)
    }
    optional_step file /etc/maddy/aliases
}

msgpipeline local_routing {
    # Insert handling for special-purpose local domains here.
    # e.g.
    # destination lists.example.org {
    #     deliver_to lmtp tcp://127.0.0.1:8024
    # }

    destination postmaster $(local_domains) {
        modify {
            replace_rcpt &local_rewrites
        }

        deliver_to &local_mailboxes
    }

    default_destination {
        reject 550 5.1.1 "User doesn't exist"
    }
}

smtp tcp://127.0.0.1:25 {
    limits {
        # Up to 20 msgs/sec across max. 10 SMTP connections.
        all rate 20 1s
        all concurrency 10
    }

    dmarc yes
    check {
        require_mx_record
        dkim
        spf
    }
    source $(local_domains) {
        reject 501 5.1.8 "Use Submission for outgoing SMTP"
    }
    default_source {
        destination postmaster $(local_domains) {
            deliver_to &local_routing
        }
        default_destination {
            reject 550 5.1.1 "User doesn't exist"
        }
    }
}

submission tls://0.0.0.0:465 tcp://0.0.0.0:587 {
    limits {
        # Up to 50 msgs/sec across any amount of SMTP connections.
        all rate 50 1s
    }

    auth &local_authdb

    source $(local_domains) {
        check {
            authorize_sender {
                prepare_email &local_rewrites
                user_to_email static { entry [email protected] * }
                #user_to_email identity
            }
        }

        destination postmaster $(local_domains) {
            deliver_to &local_routing
        }
        default_destination {
            modify {
                dkim $(primary_domain) $(local_domains) server2A
            }
            deliver_to &remote_queue
        }
    }
    default_source {
        reject 501 5.1.8 "Non-local sender domain"
    }
}

target.remote outbound_delivery {
    debug yes
    limits {
        # Up to 20 msgs/sec across max. 10 SMTP connections
        # for each recipient domain.
        destination rate 20 1s
        destination concurrency 10
    }
    mx_auth {
        #dane
        #mtasts {
        #    cache fs
        #    fs_dir mtasts_cache/
        #}
        local_policy {
            min_tls_level none
            min_mx_level none
        }
    }
    tls_client {
        protocols tls1.0 tls1.3
    }
}

target.queue remote_queue {
    max_tries 3
    target &outbound_delivery

    autogenerated_msg_domain $(primary_domain)
    bounce {
        modify {
            replace_sender static { entry "" "[email protected]" }
        }
        destination $(local_domains) {
            modify {
                dkim $(primary_domain) $(local_domains) server2A
            }

            deliver_to &remote_queue

        }
        default_destination {
            reject 550 5.0.0 "Refusing to send DSNs to non-local addresses"
        }
    }
}

# ----------------------------------------------------------------------------
# IMAP endpoints

imap tls://127.0.0.1:993 tcp://127.0.0.1:143 {
    auth &local_authdb
    storage &local_mailboxes
}

Environment information

  • maddy version: 0.7.1+cee5777 linux/amd64 go1.21.1
@lukastribus lukastribus added the bug Something isn't working. label Jul 15, 2024
@foxcpp foxcpp self-assigned this Jul 23, 2024
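Added example (not code from maddy or from this report): a small triage script that parses the "remote: cannot use MX" records quoted above, separates "the MX offers no STARTTLS at all" from "the handshake failed because the MX picked a protocol version the client would not accept", and flags records whose logged required_tls_level is stricter than the min_tls_level the operator configured, which is exactly the discrepancy this report describes. It assumes maddy's level names are "none", "encrypted" and "authenticated" in that order of strictness, and decodes the version number in Go's crypto/tls error text using the standard TLS record-layer version numbers (0x0301 = TLS 1.0).

```python
import json
import re

# The two "cannot use MX" records from the report above, used as sample input.
SAMPLE_LOG = """\
Jul 15 15:58:48 htznr2 maddy[923]: remote: cannot use MX        {"domain":"lists.denog.de","msg_id":"e693452d-66952b17","reason":"TLS it not available or unauthenticated but required","remote_server":"mail1.cluenet.de.","required_tls_level":"encrypted","smtp_code":451,"smtp_enchcode":"4.7.1","smtp_msg":"TLS it not available or unauthenticated but required","tls_err":"tls: server selected unsupported protocol version 301","tls_level":"none"}
Jul 15 15:59:04 htznr2 maddy[923]: remote: cannot use MX        {"domain":"1wt.eu","msg_id":"5fe3eac8-66952b14","reason":"TLS it not available or unauthenticated but required","remote_server":"mail.1wt.eu.","required_tls_level":"encrypted","smtp_code":451,"smtp_enchcode":"4.7.1","smtp_msg":"TLS it not available or unauthenticated but required","tls_err":null,"tls_level":"none"}
"""

# Standard TLS record-layer version numbers; Go's crypto/tls prints them in hex
# in "server selected unsupported protocol version NNN".
TLS_VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
                0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}

# Assumed ordering of maddy's TLS levels, weakest to strongest.
LEVEL_RANK = {"none": 0, "encrypted": 1, "authenticated": 2}

MARKER = "remote: cannot use MX"
VERSION_RE = re.compile(r"unsupported protocol version ([0-9a-fA-F]+)")


def parse_mx_failures(log_text):
    """Return the JSON payload of every 'cannot use MX' line as a dict."""
    records = []
    for line in log_text.splitlines():
        idx = line.find(MARKER)
        if idx < 0:
            continue  # not a delivery failure record
        records.append(json.loads(line[idx + len(MARKER):].strip()))
    return records


def classify(rec, configured_min_tls_level="none"):
    """Return (category, detail, policy_mismatch) for one record.

    policy_mismatch is True when the level maddy logged as required is stricter
    than the min_tls_level the operator believes is configured.
    """
    tls_err = rec.get("tls_err")
    if tls_err:
        m = VERSION_RE.search(tls_err)
        if m:
            ver = int(m.group(1), 16)
            name = TLS_VERSIONS.get(ver, f"unknown (0x{ver:04x})")
            category, detail = "handshake_version", f"MX negotiated {name}, which the client rejected"
        else:
            category, detail = "handshake_error", tls_err
    elif rec.get("tls_level") == "none":
        category, detail = "no_tls", "MX offered no usable STARTTLS"
    else:
        category, detail = "other", rec.get("reason", "")
    required = rec.get("required_tls_level", "none")
    mismatch = LEVEL_RANK.get(required, 0) > LEVEL_RANK.get(configured_min_tls_level, 0)
    return category, detail, mismatch


def triage(log_text, configured_min_tls_level="none"):
    """Summarise every rejected MX in log_text as a list of dicts."""
    rows = []
    for rec in parse_mx_failures(log_text):
        category, detail, mismatch = classify(rec, configured_min_tls_level)
        rows.append({
            "domain": rec.get("domain"),
            "mx": rec.get("remote_server"),
            "category": category,
            "detail": detail,
            "required_tls_level": rec.get("required_tls_level"),
            "policy_mismatch": mismatch,
        })
    return rows


if __name__ == "__main__":
    # Operator's intended policy from the config above: min_tls_level none.
    for row in triage(SAMPLE_LOG, configured_min_tls_level="none"):
        flag = "logged requirement stricter than configured policy" if row["policy_mismatch"] else "ok"
        print(f'{row["domain"]:<16} {row["mx"]:<18} {row["category"]:<18} {row["detail"]} [{flag}]')
```

Run against the two records above with configured_min_tls_level="none", both rows come back flagged: the log's required_tls_level is "encrypted" while the configured local_policy says "none", which is the evidence that the policy block is not being applied. The first row additionally decodes version 301 as TLS 1.0, so it was a version-negotiation failure rather than an MX with no TLS at all; the second row has no tls_err and tls_level "none", i.e. the MX offered no STARTTLS.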