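I recently set up a Postfix mail server. Testing with other domains, everything seemed to work fine.
However, when my server tries to send mail to Gmail, the messages are flagged as spam, with a red padlock and the note "rr.com did not encrypt this message"
(rr.com is not my domain. However, the above is exactly what Gmail says.)
After enforcing TLS, I found that my server could not send messages to Gmail at all. The log shows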
(TLS is required, but was not offered by host alt4.gmail-smtp-in.l.google.com[142.250.96.26])
Wait, what? Gmail definitely offers TLS!
What is going on here?
postconf -n
alias_database = $alias_maps
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
bounce_template_file = /etc/postfix/bounce.cf
broken_sasl_auth_clients = yes
canonical_maps = hash:/etc/postfix/maps/canonical
command_directory = /usr/bin
compatibility_level = 2
daemon_directory = /usr/lib/postfix/bin
data_directory = /var/lib/postfix
default_destination_concurrency_limit = 5
disable_vrfy_command = yes
dovecot_destination_recipient_limit = 1
home_mailbox = Maildir/
inet_interfaces = all
inet_protocols = ipv4
local_destination_concurrency_limit = 2
mail_owner = postfix
mailbox_command = /usr/lib/dovecot/deliver -m "${EXTENSION}"
mailbox_size_limit = 0
message_size_limit = 104857600
mydestination = $myhostname
mydomain = example.com
myhostname = mail.example.com
mynetworks = 127.0.0.0/8, 10.0.0.0/8
myorigin = $myhostname
queue_directory = /var/spool/postfix
readme_directory = no
recipient_delimiter = +
relay_destination_concurrency_limit = 1
smtp_tls_CAfile = /etc/ssl/cert.pem
smtp_tls_note_starttls_offer = yes
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_tls_verify_cert_match = hostname, nexthop, dot-nexthop
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP $mail_name
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, reject_unknown_helo_hostname, permit
smtpd_recipient_restrictions = permit_mynetworks, reject_unknown_client_hostname, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_unauth_pipelining, permit_sasl_authenticated, reject_unauth_destination, reject_invalid_hostname, reject_non_fqdn_sender
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_path = private/dovecot-auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_login_maps = $virtual_mailbox_maps
smtpd_sender_restrictions = permit_mynetworks, reject_unknown_sender_domain, reject_sender_login_mismatch,
smtpd_tls_CAfile = /etc/ssl/cert.pem
smtpd_tls_ask_ccert = yes
smtpd_tls_cert_file = /etc/letsencrypt/live/example.com/fullchain.pem
smtpd_tls_ciphers = high
smtpd_tls_key_file = /etc/letsencrypt/live/example.com/privkey.pem
smtpd_tls_loglevel = 1
smtpd_tls_protocols = !TLSv1 !SSLv2 !SSLv3
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
unknown_address_reject_code = 550
unknown_client_reject_code = 550
unknown_hostname_reject_code = 550
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/etc/postfix/maps/valiases
virtual_mailbox_domains = hash:/etc/postfix/maps/vmailbox-domains
virtual_mailbox_maps = hash:/etc/postfix/maps/vmailbox-users
virtual_transport = dovecot
Answer 1
Steffen was right! As soon as I disabled SMTP inspection on the firewall, everything went through fine.
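The log line "TLS is required, but was not offered" and the fix in the answer both come down to what the EHLO reply contains by the time it reaches the sending server. As an added example (not part of the original question or answer), the Python below classifies an EHLO reply as offering STARTTLS, missing it, or carrying a masked keyword; the function names, the sample replies and the masked-keyword heuristic are assumptions made for illustration.

```python
import re
import socket

# Assumption: some inspecting middleboxes overwrite the keyword with filler
# characters (for example "250-XXXXXXXA") instead of deleting the line.
MASKED = re.compile(r"^[X*]{4,}[A-Z]?$")

def parse_ehlo(reply):
    """Raw multi-line EHLO reply -> {KEYWORD: parameters}."""
    features = {}
    lines = [l.strip() for l in reply.splitlines() if l.strip()]
    for line in lines[1:]:  # the first line is the greeting, not a keyword
        m = re.match(r"^250[- ](\S+)\s*(.*)$", line)
        if m:
            features[m.group(1).upper()] = m.group(2)
    return features

def diagnose(reply):
    """Return 'offered', 'masked' (keyword overwritten in transit) or 'absent'."""
    features = parse_ehlo(reply)
    if "STARTTLS" in features:
        return "offered"
    if any(MASKED.match(k) for k in features):
        return "masked"
    return "absent"

def read_reply(f):
    """Read one SMTP reply; its last line has a space after the code."""
    lines = []
    while True:
        line = f.readline().decode("ascii", "replace").rstrip("\r\n")
        lines.append(line)
        if not line or line[3:4] == " ":
            return "\n".join(lines)

def probe(host, helo_name, port=25, timeout=10.0):
    """Fetch the EHLO reply as seen from this machine's network path."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        f = sock.makefile("rb")
        read_reply(f)  # 220 banner
        sock.sendall(f"EHLO {helo_name}\r\n".encode("ascii"))
        reply = read_reply(f)
        sock.sendall(b"QUIT\r\n")
    return reply

# Constructed sample replies (not captured from any real server).
CLEAN = "250-mx.example.net at your service\n250-SIZE 157286400\n250-STARTTLS\n250 SMTPUTF8"
STRIPPED = "250-mx.example.net at your service\n250-SIZE 157286400\n250 SMTPUTF8"
MASKED_REPLY = "250-mx.example.net at your service\n250-XXXXXXXA\n250 SMTPUTF8"
```

Calling `diagnose(probe(mx_host, "mail.example.com"))` on the mail server and again from a host outside the firewall, then comparing the two results, shows whether the network path is altering the reply.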