TLS not found on PMTA configuration

robust

Member
Jun 16, 2020
63
0
6
Hi,
After building the PMTA from mumara, we do not see the TLS on the configuration.
Do we need to add manually? or we have missed something while building the pmta server.
Please suggest.

Thank you
 

wasif

Administrator
Staff member
Apr 9, 2019
594
114
43
You have to add it manually in the pmta config using Mumara interface.
 

robust

Member
Jun 16, 2020
63
0
6
We are adding it manually but the next day we are finding it removed. What may be the issue?
 

wasif

Administrator
Staff member
Apr 9, 2019
594
114
43
are you adding directly to pmta or via Mumara UI?
 

rehan

Member
Staff member
May 24, 2019
57
19
8
You need to add it via Mumara UI then it will not get removed as in ESP it rewrites the PMTA config after specific intervals so anything you change in PMTA config will get overwritten so it would be better if you can update it using Mumara UI.
 
  • Like
Reactions: robust

robust

Member
Jun 16, 2020
63
0
6
Hi,
I have added the TLS via Mumara UI. Now when I am activating the TLS on Mumara settings (screenshot attached) the test emails are not going out. I am getting a connection error message.
79
 

wasif

Administrator
Staff member
Apr 9, 2019
594
114
43
By selecting TLS on Mumara's SMTP add/edit page, it doesn't mean that it will enable TLS on your MTA server. Mumara carries just the information of the SMTP here. If your MTA server has TLS enabled/installed then you'll need to set Mumara to use TLS encryption. If you are using PowerMTA, you need to look into PMTA guide on how to enable TLS. Or alternatively, you can look into the following article

Outbound Opportunistic Encryption
To use outbound opportunistic encryption in PowerMTA, simply add the following to your configuration file:

<domain *>
use-starttls yes
require-starttls no
</domain>
With this, PowerMTA will check to see if the remote mail server supports encryption. If it does, an attempt will be made to create an encrypted channel over which to send mail. If the encryption fails, or if no encryption is offered, then the mail is sent using no encryption.

To verify if the mail was sent over an encrypted channel, it is necessary to add additional fields to the CSV accounting file. This can be done with the following configuration:

<acct-file logacct.csv>
records d, b
record-fields d *, dlvTlsProtocol, dlvTlsCipher
record-fields b *, dlvTlsProtocol, dlvTlsCipher
</acct-file>
If encryption is used, the above configuration will record the protocol and cipher used to deliver the message over an encrypted channel.

Outbound Client Certificate

While the vast majority of outbound connections do not require a local certificate, there may be some B2B cases in which the remote mail server requires PowerMTA to use a given certificate for encrypting the channel between the two servers. This can be facilitated in PowerMTA with a setup similar to the following:

<domain super-secure-server.com>
smtp-client-certificate /path/to/certificate.pem password
use-starttls yes
require-starttls yes
</domain>
In the above example, any messages sent to super-secure-server.com will sent over an encrypted channel using the certificate /path/to/certificate.pem (in most cases supplied by the administrator of the remote mail server). If the encryption fails, the messages will not be sent.
Source: circleid.com
 

zohaib

Beginner
Sep 18, 2024
1
1
3
<domain *>
use-starttls yes
require-starttls no
</domain>

Worked for us. Thank you. However, you must have the TLS encryption configured on your server as well.

Please refer to the following post for additional TLS configuration.
 
  • Like
Reactions: wasif