I have started building my first cloud server: Ubuntu 16.04 with Postfix.
The question is, how do I configure Postfix to use TLSv1.2 when I send mail from my web shop?
When my web shop sends mail to my Postfix server it uses TLSv1. Here is the log:
    postfix/submission/smtpd[19111]: Anonymous TLS connection established from domainname.com[xxx.xxx.xxx.xxx]: TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)
In my web shop I have set in the configuration: Use: TLS, Port: 587
Thanks, J
My server info: Ubuntu 16.04 postfix: Installed: 3.1.0-3 openssl: Installed: 1.0.2h-1+deb.sury.org~xenial+1
Here is the Postfix log; you can see the mail coming in with TLSv1 … 🙁
    Sep 19 19:10:56 ubuntu postfix/master[6992]: daemon started -- version 3.1.0, configuration /etc/postfix
    Sep 19 19:11:04 ubuntu postfix/submission/smtpd[7126]: connect from domainname.com[xxx.xxx.xxx.xxx]
    Sep 19 19:11:04 ubuntu postfix/submission/smtpd[7126]: Anonymous TLS connection established from domainname.com[xxx.xxx.xxx.xxx]: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
    Sep 19 19:11:04 ubuntu postfix/submission/smtpd[7126]: 803AB41C0A: client=domainname.com[xxx.xxx.xxx.xxx], sasl_method=LOGIN, sasl_username=raitis
    Sep 19 19:11:04 ubuntu postfix/cleanup[7131]: 803AB41C0A: message-id=<[email protected]>
    Sep 19 19:11:04 ubuntu postfix/qmgr[7010]: 803AB41C0A: from=<[email protected]>, size=694, nrcpt=1 (queue active)
    Sep 19 19:11:04 ubuntu postfix/submission/smtpd[7126]: disconnect from domainname.com[xxx.xxx.xxx.xxx] ehlo=2 starttls=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=8
    Sep 19 19:11:04 ubuntu postfix/smtp[7133]: Trusted TLS connection established to gmail-smtp-in.l.google.com[66.102.1.26]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
    Sep 19 19:11:04 ubuntu postfix/smtp[7133]: 803AB41C0A: to=<[email protected]>, relay=gmail-smtp-in.l.google.com[66.102.1.26]:25, delay=0.43, delays=0.06/0.04/0.2/0.14, dsn=2.0.0, status=sent (250 2.0.0 OK 1474305064 14si1756669wmn.119 - gsmtp)
    Sep 19 19:11:04 ubuntu postfix/qmgr[7010]: 803AB41C0A: removed
master.cf:
    smtp      inet  n       -       -       -       -       smtpd
    smtpd     pass  n       -       -       -       -       smtpd
    submission inet n       -       -       -       -       smtpd
      -o syslog_name=postfix/submission
      -o smtpd_tls_security_level=may
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_sasl_security_options=noanonymous
      -o smtpd_client_restrictions=permit_sasl_authenticated,reject
      -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
      -o milter_macro_daemon_name=ORIGINATING
      -o smtp_tls_mandatory_protocols=TLSv1
    #628       inet  n       -       y       -       -       qmqpd
    pickup    unix  n       -       y       60      1       pickup
    cleanup   unix  n       -       y       -       0       cleanup
    qmgr      unix  n       -       n       300     1       qmgr
    #qmgr     unix  n       -       n       300     1       oqmgr
    tlsmgr    unix  -       -       y       1000?   1       tlsmgr
    rewrite   unix  -       -       y       -       -       trivial-rewrite
    bounce    unix  -       -       y       -       0       bounce
    defer     unix  -       -       y       -       0       bounce
    trace     unix  -       -       y       -       0       bounce
    verify    unix  -       -       y       -       1       verify
    flush     unix  n       -       y       1000?   0       flush
    proxymap  unix  -       -       n       -       -       proxymap
    proxywrite unix -       -       n       -       1       proxymap
    smtp      unix  -       -       y       -       -       smtp
    relay     unix  -       -       y       -       -       smtp
    #       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
    showq     unix  n       -       y       -       -       showq
    error     unix  -       -       y       -       -       error
    retry     unix  -       -       y       -       -       error
    discard   unix  -       -       y       -       -       discard
    local     unix  -       n       n       -       -       local
    virtual   unix  -       n       n       -       -       virtual
    lmtp      unix  -       -       y       -       -       lmtp
    anvil     unix  -       -       y       -       1       anvil
    scache    unix  -       -       y       -       1       scache
    #
    # ====================================================================
    # Interfaces to non-Postfix software. Be sure to examine the manual
    # pages of the non-Postfix software to find out what options it wants.
    #
    # Many of the following services use the Postfix pipe(8) delivery
    # agent.  See the pipe(8) man page for information about ${recipient}
    # and other message envelope options.
    # ====================================================================
    #
    # maildrop. See the Postfix MAILDROP_README file for details.
    # Also specify in main.cf: maildrop_destination_recipient_limit=1
    #
    maildrop  unix  -       n       n       -       -       pipe
      flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
    #
    # ====================================================================
    #
    # Recent Cyrus versions can use the existing "lmtp" master.cf entry.
    #
    # Specify in cyrus.conf:
    #   lmtp    cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
    #
    # Specify in main.cf one or more of the following:
    #  mailbox_transport = lmtp:inet:localhost
    #  virtual_transport = lmtp:inet:localhost
    #
    # ====================================================================
    #
    # Cyrus 2.1.5 (Amos Gouaux)
    # Also specify in main.cf: cyrus_destination_recipient_limit=1
    #
    #cyrus     unix  -       n       n       -       -       pipe
    #  user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
    #
    # ====================================================================
    # Old example of delivery via Cyrus.
    #
    #old-cyrus unix  -       n       n       -       -       pipe
    #  flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
    #
    # ====================================================================
    #
    # See the Postfix UUCP_README file for configuration details.
    #
    uucp      unix  -       n       n       -       -       pipe
      flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
    #
    # Other external delivery methods.
    #
    ifmail    unix  -       n       n       -       -       pipe
      flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
    bsmtp     unix  -       n       n       -       -       pipe
      flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
    scalemail-backend unix  -       n       n       -       2       pipe
      flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
    mailman   unix  -       n       n       -       -       pipe
      flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop} ${user}
TLS version 1.0 is generally considered insecure, which is why you are being asked to turn it off. Two potential bugs affected TLS v1.0: BEAST and POODLE. The TLS 1.0 problem was discovered later and is slightly different from the SSL v3 one (see this discussion), but they are generally treated as the same.
However, to keep Postfix compatible, what I did was to prevent the use of SSL v2/3 and TLS v1.0 with the following in main.cf:
    smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1
    smtp_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1
    smtpd_tls_protocols = !SSLv2,!SSLv3,!TLSv1
    smtp_tls_protocols = !SSLv2,!SSLv3,!TLSv1
I did not change anything in master.cf.
I also blocked the weak ciphers:
    smtpd_tls_exclude_ciphers = RC4, aNULL
As a side note, you also need to enforce some form of encryption with the following two lines:
    smtpd_tls_security_level = encrypt
    smtp_tls_security_level = encrypt
This may have various side effects, so you may want to try any such change before making it permanent. For example, mailman does not seem to support encryption at all.
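Before making the protocol exclusion permanent, a practical check is to find out which clients still negotiate SSLv3 or TLSv1 on the submission service, since those are the ones that will stop working. The following POSIX shell helper is an added example, not code from the thread; it runs over constructed log lines in the format the question shows (on a real host, feed it /var/log/mail.log instead).

```shell
#!/bin/sh
# Audit helper (added example): list inbound TLS handshakes on smtpd that used
# anything older than TLSv1.2, so you know what breaks before excluding TLSv1.

# Constructed sample log lines in the question's format (not real traffic).
SAMPLE_LOG='Sep 19 19:11:04 ubuntu postfix/submission/smtpd[7126]: Anonymous TLS connection established from domainname.com[xxx.xxx.xxx.xxx]: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
Sep 19 19:12:10 ubuntu postfix/submission/smtpd[7140]: Anonymous TLS connection established from shop.example[192.0.2.10]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Sep 19 19:13:33 ubuntu postfix/submission/smtpd[7151]: Anonymous TLS connection established from legacy.example[192.0.2.20]: SSLv3 with cipher RC4-SHA (128/128 bits)
Sep 19 19:11:04 ubuntu postfix/smtp[7133]: Trusted TLS connection established to gmail-smtp-in.l.google.com[66.102.1.26]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)'

# weak_tls_clients: reads log text on stdin and prints "client protocol cipher"
# for each inbound (smtpd, "established from") handshake below TLSv1.2.
# Outbound smtp client lines ("established to") are deliberately ignored.
weak_tls_clients() {
    grep -E 'postfix/[^ ]*smtpd\[[0-9]+\]: .*TLS connection established from' |
    sed -E 's/.* established from ([^ ]+): ([^ ]+) with cipher ([^ ]+).*/\1 \2 \3/' |
    awk '$2 != "TLSv1.2" && $2 != "TLSv1.3"'
}

# count_weak: number of distinct clients that would be cut off by the change.
count_weak() {
    weak_tls_clients | awk '{print $1}' | sort -u | wc -l | tr -d ' '
}

# Stand-alone run against the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | weak_tls_clients
```

On a live server the same pipeline is typically run as `grep 'TLS connection established from' /var/log/mail.log | weak_tls_clients`, and anything it lists is a client that needs updating before the exclusion goes in.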
man 5 postconf:

    smtp_tls_mandatory_protocols (default: !SSLv2)

    List of SSL/TLS protocols that the Postfix SMTP client will use with mandatory TLS encryption. In main.cf the values are separated by whitespace, commas or colons. In the policy table "protocols" attribute (see smtp_tls_policy_maps) the only valid separator is colon. An empty value means allow all protocols. The valid protocol names, (see SSL_get_version(3)), are "SSLv2", "SSLv3" and "TLSv1".

    Note: As of OpenSSL 1.0.1 two new protocols are defined, "TLSv1.1" and "TLSv1.2". If an older Postfix version is linked against OpenSSL 1.0.1 or later, these, or any other new protocol versions, are unconditionally enabled.

    With Postfix >= 2.5 the parameter syntax is expanded to support protocol exclusions. One can now explicitly exclude SSLv2 by setting "smtp_tls_mandatory_protocols = !SSLv2". To exclude both SSLv2 and SSLv3 set "smtp_tls_mandatory_protocols = !SSLv2, !SSLv3". Listing the protocols to include, rather than protocols to exclude, is supported, but not recommended. The exclusion form more closely matches the behaviour when the OpenSSL library is newer than Postfix.

    Since SSL version 2 has known protocol weaknesses and is now deprecated, the default setting excludes "SSLv2". This means that by default, SSL version 2 will not be used at the "encrypt" security level and higher. See the documentation of the smtp_tls_policy_maps parameter and TLS_README for more information about security levels.

    Example:

        # Preferred form with Postfix >= 2.5:
        smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
        # Alternative form.
        smtp_tls_mandatory_protocols = TLSv1

    This feature is available in Postfix 2.3 and later.
First, make sure you have OpenSSL 1.0.1 or newer and at least Postfix 2.3 or newer (because only this combination can support TLSv1.1 and TLSv1.2). Older OpenSSL will not support TLSv1.2, and older Postfix versions have only very basic SSL or TLS support.
If your Postfix is older than 2.5 with OpenSSL 1.0.1 or newer, then the TLSv1.1 and TLSv1.2 protocols are unconditionally enabled, as @rudimeier mentioned. In that case there is nothing for you to do; Postfix will automatically detect the best protocol for your connection. If this does not meet your expectations, then you should consider upgrading your Postfix to a newer version (not only because of this issue, but because Postfix is now at 2.11 and 2.5 is very old).
If you have Postfix 2.5.0 or newer, the following change is needed in /etc/postfix/master.cf:
    submission inet n - - - - smtpd
      -o smtp_tls_mandatory_protocols=TLSv1
Keep in mind: if you have other options defined below the submission line, you should not remove them; just add this new option below them. If the smtp_tls_mandatory_protocols option already exists in the option list, do not add it again, but change its value to TLSv1 as mentioned. Never duplicate your submission line, as that may cause Postfix to refuse to start.