Configure Postfix with TLS


In order to use TLS, the Postfix SMTP server needs a certificate and a private key, read Create a self-signed Certificate for more information. Certificate und private key must be in “PEM” format (default OpenSSL output). If you have a CA certificate , you must also configure the smtpd_tls_CAfile option with your CA certificate.

TLS for incoming connections – smtpd

TLS for outgoing connections – smtp

Postfix submission process on port 587

Additional, you can configure the postfix submission process, it will listen on port 587, this process is for your mail clients with authentification for sending mails. It is recommended that your mail client with authentification uses the submission service on port 587 on their mail clients.

allow only TLS connection on the submission service (port 587)

Enable SASL authentication in the Postfix SMTP server.

reject all SMTP connections from unauthenticated clients

Don’t forget to reload postfix to apply the new settings


Check TLS support

Check TLS restriction on submission service

Check TLS for outgoing mails

Send a mail to a MTA with TLS support (as example Now look at the mail.log file, you will find something like this Untrusted TLS connection established to[]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)

SMTP outgoing TLS security policy

If you want to force TLS encryption for some remote mail host, you can use the smtp_tls_policy_maps option and define a hash table with recipients that you want to force the TLS connection:

Reload postfix to apply the changes:

Create hash table:

All mails that goes to or is now forced to transfer with TLS connection.

To test it send a e-mail to (MTA without TLS support), look at the mail.log, the result should be status=deferred (TLS is required, but was not offered by host[]

SMTP incoming TLS security policy

We can force the TLS connection for incoming sessions. For this we can use the smtpd_sender_restrictions option and define hash table like above.

Reload postfix to apply settings:

Create hash table:

If you recive an e-mail from (MTA wihtout TLS support), the connection will be rejected with 450 4.7.1 Session encryption is required, look at the mail log

Create Postfix Mail Stats with AWStats




Configure Amavis with Postfix


Read first Create Postfix Relay Server, this documentation here required a running postfix configuration on a Debian Wheezy system.


First install amavis, clamav and required archive tools to scan archive file content:


Discard bad header, virus and banned mail content, so set the three variables to undef, you can also configure other option like an e-mail address or folder.

Enable antivirus check on content filter:

Set $final_banned_destiny to D_REJECT Set $virus_admin to your postmaster mail address Set $X_HEADER_LINE to emtpy, to disable the X-Header TAG

Configure Amavis with Postfix

Add amavis group to clamav user

Restart services

Create Postfix Relay Server

Postfix Relay Server


  • postfix.dmz.local ⇒ Postfix Server, located in DMZ
  • myexchange.lan.local ⇒ Internal Exchange Server, located in LAN



Configure transport_maps to relay all mails for domain to the internal mail server myexchange.lan.local

Create Postfix lookup table for transport_maps

Rebuild also the data base for the mail aliases file, to avoid error messages from Postfix

Start Postfix

Custom Accesslist

Add check_sender_access to smtpd_recipient_restrictions parameter

Active Directory LDAP Check

To reject unknow users directly in postfix we need to query the active directory for valid mail addresses. You can do it with the ldap support of postfix, but I prefere to do the lookups on local site with a perl script and cronjob.

I add some code to create the postmap file with the perl script: