Document TLS requirements in the readme

CHANGELOG.md

@@ -2,6 +2,9 @@
 
 ## untagged
 
+- Document TLS requirements in the readme
+  ([#514](https://github.com/chatmail/server/pull/514))
+
 - Remove cleanup service from submission ports
   ([#512](https://github.com/chatmail/server/pull/512))
 

README.md

@@ -256,6 +256,32 @@ and rejects incorrectly authenticated emails with [`reject_sender_login_mismatch
 `From:` header must correspond to envelope MAIL FROM,
 this is ensured by `filtermail` proxy.
 
+## TLS requirements
+
+Postfix is configured to require valid TLS
+by setting [`smtp_tls_security_level`](https://www.postfix.org/postconf.5.html#smtp_tls_security_level) to `verify`.
+If emails don't arrive from a chatmail server to your server,
+the problem is likely that your server does not have a valid TLS certificate.
+
+You can test it by resolving `MX` records of your server domain
+and then connecting to MX servers (e.g `mx.example.org`) with
+`openssl s_client -connect mx.example.org:25 -verify_hostname mx.example.org -verify_return_error -starttls smtp`
+from the host that has open port 25 to verify that certificate is valid.
+
+When providing a TLS certificate to your server,
+make sure to provide the full certificate chain
+and not just the last certificate.
+
+If you are running Exim server and don't see incoming connections
+from a chatmail server in the logs,
+make sure `smtp_no_mail` log item is enabled in the config
+with `log_selector = +smtp_no_mail`.
+By default Exim does not log sessions that are closed
+before sending the `MAIL` command.
+This happens if certificate is not recognized as valid by Postfix,
+so you might think that connection is not established
+while actually it is a problem with your TLS certificate.
+
 ## Migrating chatmail server to a new host
 
 If you want to migrate chatmail from an old machine