From f188aef11e7046fe1645ae8cc3b52d498005285c Mon Sep 17 00:00:00 2001 From: link2xt Date: Sun, 9 Mar 2025 15:41:02 +0000 Subject: [PATCH] Document TLS requirements in the readme --- CHANGELOG.md | 3 +++ README.md | 26 ++++++++++++++++++++++++++ 2 files changed, 29 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index d0073e86..eb84e4b5 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,9 @@ ## untagged +- Document TLS requirements in the readme + ([#514](https://github.com/chatmail/server/pull/514)) + - Remove cleanup service from submission ports ([#512](https://github.com/chatmail/server/pull/512)) diff --git a/README.md b/README.md index a1d40074..89389ee1 100644 --- a/README.md +++ b/README.md 
@@ -256,6 +256,32 @@ and rejects incorrectly authenticated emails with [`reject_sender_login_mismatch `From:` header must correspond to envelope MAIL FROM, this is ensured by `filtermail` proxy. +## TLS requirements + +Postfix is configured to require valid TLS +by setting [`smtp_tls_security_level`](https://www.postfix.org/postconf.5.html#smtp_tls_security_level) to `verify`. +If emails don't arrive from a chatmail server to your server, +the problem is likely that your server does not have a valid TLS certificate. + +You can test it by resolving `MX` records of your server domain +and then connecting to MX servers (e.g `mx.example.org`) with +`openssl s_client -connect mx.example.org:25 -verify_hostname mx.example.org -verify_return_error -starttls smtp` +from the host that has open port 25 to verify that certificate is valid. + +When providing a TLS certificate to your server, +make sure to provide the full certificate chain +and not just the last certificate. + +If you are running Exim server and don't see incoming connections +from a chatmail server in the logs, +make sure `smtp_no_mail` log item is enabled in the config +with `log_selector = +smtp_no_mail`. +By default Exim does not log sessions that are closed +before sending the `MAIL` command. +This happens if certificate is not recognized as valid by Postfix, +so you might think that connection is not established +while actually it is a problem with your TLS certificate. + ## Migrating chatmail server to a new host If you want to migrate chatmail from an old machine
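Review bot: In the README hunk, the `openssl s_client` test tells the reader to run it but not what result counts as success; since `-verify_return_error` makes the handshake fail on a verification error, say that the expected output ends with `Verify return code: 0 (ok)` and that any other return code (for example an incomplete chain, as mentioned in the following paragraph, or a self-signed certificate) means the sending Postfix at `smtp_tls_security_level = verify` will refuse to deliver. It would also help to spell out what "valid TLS certificate" means for this check: the chain must lead to a CA trusted by the sending host and the certificate must carry the MX hostname (`mx.example.org` in the example), which is why `-verify_hostname` is given the MX name rather than the mail domain. Two wording points: "from the host that has open port 25" describes an outbound connection, so "from a host that is allowed to make outbound connections to port 25" is clearer (many cloud and residential networks block it), and "e.g" should be "e.g." in `(e.g `mx.example.org`)`.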