I have set up postfix and dovecot following several guides online and consistently have the problem that emails I send will not be encrypted. I have been testing the settings by sending an email to my @gmail.com account as I am sure the google servers will support TLS encryption, and email in the gmail webmail clearly shows the red crossed out padlock to show that they are not encrypted.
If I set
smtpd_tls_security_level = encrypt
smtp_tls_security_level = encrypt
I get this error
TLS is required, but was not offered by host gmail-smtp-in.l.google.com[64.233.167.27]
And if I set it to may it sends the email, without encrypting it.
This is the output of postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
home_mailbox = Maildir/
inet_interfaces = all
inet_protocols = all
mailbox_command =
mailbox_size_limit = 0
mydestination = $myhostname, localdomain, localhost, localhost.localdomain, localhost, mail.example.com, example.com
myhostname = mail.example.com
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mynetworks_style = subnet
myorigin = /etc/mailname
readme_directory = no
recipient_delimiter = +
smtp_tls_CAfile = /routeto/my.ca-bundle
smtp_tls_cert_file = /routeto/my.crt
smtp_tls_key_file = /routeto/my.key
smtp_tls_loglevel = 1
smtp_tls_note_starttls_offer = yes
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unknown_client_hostname
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = example.com
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_tls_CAfile = /routeto/my.ca-bundle
smtpd_tls_cert_file = /routeto/my.crt
smtpd_tls_key_file = /routeto/my.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
and this is the output of a telnet on port 25 followed by ehlo test
250-mail.example.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
and the same thing on port 587
250-mail.example.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
TLS is required, but was not offered by host gmail-smtp-in.l.google.com[64.233.167.27]
This clearly shows, that the host does not offer STARTTLS to your server. But, it is known that gmail offers STARTTLS and your test with telnet confirms it. My guess is that you did the telnet from a different system and that your mail server is behind some (transparent) firewall which intercepts traffic to analyze it. In order to not deal with encrypted SMTP traffic this is often done by simply stripping the STARTTLS command from the servers response to EHLO so that the mail server assumes that TLS is not supported.