Configure Postfix with TLS

Configuration

To use TLS, the Postfix SMTP server needs a certificate and a private key; see Create a self-signed Certificate for how to generate them. Certificate and private key must be in PEM format (the default OpenSSL output). If your certificate was issued by a CA, include the intermediate CA certificates after the server certificate in the certificate file so that clients receive the complete chain; smtpd_tls_CAfile can supply them as well, but its main purpose is the set of CAs Postfix trusts when verifying remote SMTP client certificates.

TLS for incoming connections – smtpd

TLS for outgoing connections – smtp

Postfix submission process on port 587

Additionally, you can enable the Postfix submission service, which listens on port 587 and is intended for your own mail clients, which authenticate before sending. Configure your mail clients to use the submission service on port 587 (with authentication) rather than port 25, so that port 25 stays reserved for server-to-server mail.

smtpd_tls_security_level=encrypt
Allow only TLS connections on the submission service (port 587): the server refuses MAIL FROM (and does not announce AUTH) until the client has issued STARTTLS.

smtpd_sasl_auth_enable=yes
Enable SASL authentication in the Postfix SMTP server.

smtpd_client_restrictions=permit_sasl_authenticated,reject
Reject mail from clients that have not authenticated via SASL, so that the submission service cannot be used as an open relay.

Don’t forget to reload Postfix to apply the new settings.
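As an added check (example code, not part of this page), the following Python script audits the output of postconf -n for the settings above and reports anything that would leave STARTTLS switched off or unlogged. The two sample dumps are constructed; smtpd_tls_auth_only and the *_tls_loglevel entries are this example's own recommendations, not settings quoted from the page.

```python
"""Audit a `postconf -n` dump for the TLS settings configured above.

Added example, not part of the original page. It parses `postconf -n` output
(the non-default main.cf settings) and reports anything that would leave
STARTTLS off or unlogged. The sample dumps at the bottom are constructed;
smtpd_tls_auth_only and the *_tls_loglevel entries are this example's own
recommendations, not settings quoted from the page.
"""
import sys
from typing import Dict, List, Optional, Set

# Accepted values per setting. None means "must be set to something non-empty".
EXPECTED: Dict[str, Optional[Set[str]]] = {
    "smtpd_tls_cert_file": None,
    "smtpd_tls_key_file": None,
    # 'may' offers STARTTLS on port 25. 'encrypt' there would refuse mail from
    # the many MTAs that still lack TLS, so only 'none' is treated as a finding.
    "smtpd_tls_security_level": {"may", "encrypt"},
    "smtp_tls_security_level": {"may", "encrypt", "dane", "dane-only",
                                "fingerprint", "verify", "secure"},
    # Level 1 writes the "TLS connection established" summary lines that the
    # test steps rely on; the default level 0 logs nothing about TLS at all.
    "smtpd_tls_loglevel": {"1", "2", "3", "4"},
    "smtp_tls_loglevel": {"1", "2", "3", "4"},
    # Never announce or accept SASL AUTH on a plaintext session.
    "smtpd_tls_auth_only": {"yes"},
}


def parse_postconf(text: str) -> Dict[str, str]:
    """Parse `postconf -n` output. Continuation lines start with whitespace."""
    conf: Dict[str, str] = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and current is not None:
            conf[current] += " " + raw.strip()      # continuation of previous value
            continue
        name, _, value = raw.partition("=")
        current = name.strip()
        conf[current] = value.strip()
    return conf


def audit(conf: Dict[str, str]) -> List[str]:
    """Return one human-readable finding per setting that misses EXPECTED."""
    findings: List[str] = []
    for name, allowed in EXPECTED.items():
        value = conf.get(name, "")
        if allowed is None:
            if not value:
                findings.append(f"{name} is not set")
        elif value not in allowed:
            shown = value or "<unset>"
            findings.append(f"{name} = {shown} (expected one of {sorted(allowed)})")
    # Simple heuristic on explicit protocol lists: SSLv3 must be excluded either
    # with the '!SSLv3' exclusion syntax or with the '>=TLSv1.x' minimum syntax.
    for name in ("smtpd_tls_mandatory_protocols", "smtp_tls_mandatory_protocols",
                 "smtpd_tls_protocols", "smtp_tls_protocols"):
        value = conf.get(name)
        if value and "!SSLv3" not in value and not value.startswith(">="):
            findings.append(f"{name} = {value} does not exclude SSLv3")
    return findings


# Constructed dumps: a box with TLS switched off, and one with the settings
# from this page plus the extra recommendations noted above.
WEAK_DUMP = """\
myhostname = mail.example.com
smtpd_tls_security_level = none
smtpd_sasl_auth_enable = yes
"""

HARDENED_DUMP = """\
myhostname = mail.example.com
smtpd_tls_cert_file = /etc/ssl/certs/mail.example.com.pem
smtpd_tls_key_file = /etc/ssl/private/mail.example.com.key
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_security_level = may
smtp_tls_loglevel = 1
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
"""

if __name__ == "__main__":
    # Usage: postconf -n | python3 audit_tls.py
    source = sys.stdin.read() if not sys.stdin.isatty() else HARDENED_DUMP
    for finding in audit(parse_postconf(source)) or ["no findings"]:
        print(finding)
```

Note that postconf -n only shows main.cf. The per-service overrides for the submission service (the -o smtpd_tls_security_level=encrypt and SASL settings above) live in master.cf and can be listed with postconf -P; they are not covered by this audit.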

Test

Check TLS support

Check TLS restriction on submission service

Check TLS for outgoing mails

Send a mail to an MTA with TLS support (for example gmail.com), then look at mail.log; you should find a line like: Untrusted TLS connection established to gmail-smtp-in.l.google.com[74.125.136.27]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits). This line only appears if smtp_tls_loglevel is at least 1; the default 0 logs nothing about TLS. “Untrusted” means the session is encrypted but the remote certificate was not verified against a trusted CA, which is the normal outcome with opportunistic TLS (smtp_tls_security_level = may): it protects against passive eavesdropping, but not against an active attacker who presents their own certificate.
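For the “Check TLS support” and “Check TLS restriction on submission service” steps, here is an added Python probe (example code, not from the original page). It performs the SMTP exchange you would otherwise type into telnet or openssl s_client: EHLO, look for STARTTLS in the extension list, then attempt MAIL FROM without STARTTLS, which a Postfix submission service configured with smtpd_tls_security_level=encrypt must refuse with 530. ScriptedServer is a constructed transcript of such a service; host names and addresses are placeholders.

```python
"""Probe an SMTP service for STARTTLS support and for mandatory TLS on 587.

Added example, not part of the original page. probe() talks SMTP through any
pair of objects offering readline()/write(), so the same logic runs against a
live socket (live_probe) or against ScriptedServer, a constructed transcript
of a Postfix submission service with smtpd_tls_security_level=encrypt. Host
names and addresses below are placeholders.
"""
import socket
from typing import Dict, List, Tuple


def read_reply(rfile) -> Tuple[int, List[str]]:
    """Read one SMTP reply: 'NNN-text' continuation lines, then 'NNN text'."""
    lines: List[str] = []
    while True:
        line = rfile.readline().decode("ascii", "replace").rstrip("\r\n")
        if len(line) < 4 or not line[:3].isdigit():
            raise ValueError(f"malformed SMTP reply: {line!r}")
        lines.append(line[4:])
        if line[3] == " ":
            return int(line[:3]), lines


def probe(rfile, wfile, helo: str = "probe.example.net") -> Dict[str, object]:
    """EHLO, record the advertised extensions, then try MAIL FROM in plaintext."""
    result: Dict[str, object] = {}
    result["banner"], _ = read_reply(rfile)
    wfile.write(f"EHLO {helo}\r\n".encode("ascii"))
    code, lines = read_reply(rfile)
    exts = {l.split()[0].upper() for l in lines[1:] if l.strip()}
    result["ehlo_code"] = code
    result["starttls"] = "STARTTLS" in exts
    # AUTH advertised before STARTTLS would let clients send credentials in clear.
    result["auth_in_plaintext"] = "AUTH" in exts
    wfile.write(b"MAIL FROM:<probe@example.net>\r\n")
    code, _ = read_reply(rfile)
    result["mail_from_code"] = code
    # Postfix with smtpd_tls_security_level=encrypt answers
    # "530 5.7.0 Must issue a STARTTLS command first" here.
    result["tls_required"] = code == 530
    wfile.write(b"QUIT\r\n")
    read_reply(rfile)
    return result


def live_probe(host: str, port: int = 587, timeout: float = 10.0) -> Dict[str, object]:
    """Run probe() against a real server (needs network access)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with sock.makefile("rb") as rfile, sock.makefile("wb", buffering=0) as wfile:
            return probe(rfile, wfile)


class ScriptedServer:
    """Constructed transcript: answers each command verb with a canned reply."""

    SUBMISSION = {   # port 587 with smtpd_tls_security_level=encrypt
        "EHLO": (b"250-mail.example.com\r\n250-PIPELINING\r\n250-SIZE 10240000\r\n"
                 b"250-STARTTLS\r\n250-ENHANCEDSTATUSCODES\r\n250 8BITMIME\r\n"),
        "MAIL": b"530 5.7.0 Must issue a STARTTLS command first\r\n",
        "QUIT": b"221 2.0.0 Bye\r\n",
    }
    PORT25 = dict(SUBMISSION, MAIL=b"250 2.1.0 Ok\r\n")   # opportunistic TLS only

    def __init__(self, replies=None):
        self.replies = replies if replies is not None else self.SUBMISSION
        self.pending = b"220 mail.example.com ESMTP Postfix\r\n"

    def write(self, data: bytes) -> None:
        verb = data.split()[0].decode("ascii").upper()
        self.pending += self.replies.get(verb, b"502 5.5.2 Error: command not recognized\r\n")

    def readline(self) -> bytes:
        line, _, self.pending = self.pending.partition(b"\r\n")
        return line + b"\r\n"


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:                       # python3 smtp_probe.py host port
        print(live_probe(sys.argv[1], int(sys.argv[2])))
    else:
        srv = ScriptedServer()
        print(probe(srv, srv))
```

The probe only verifies what the server announces and enforces before the handshake. To see the negotiated protocol version and cipher of the handshake itself, openssl s_client -starttls smtp -connect mail.example.com:587 remains the quickest tool.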

SMTP outgoing TLS security policy

If you want to force TLS encryption towards certain remote domains, use the smtp_tls_policy_maps option and define a hash table keyed by the next-hop destination (normally the recipient domain) with the TLS level that destination must reach:

Reload Postfix to apply the changes:

Create the hash table:

All mail to must-be-tls.com or must-be-tls-but-it-cant.com is now delivered only over a TLS connection.

To test it, send an e-mail to a recipient at must-be-tls-but-it-cant.com (an MTA without TLS support) and look at mail.log; the result should be status=deferred (TLS is required, but was not offered by host mx.must-be-tls-but-it-cant.com[10.0.0.1]). The message stays in the deferred queue and is retried until maximal_queue_lifetime (5 days by default) expires, after which it bounces; it is never sent in plaintext.

SMTP incoming TLS security policy

We can also require TLS for incoming sessions from particular senders. For this, use the smtpd_sender_restrictions option with a check_sender_access hash table like the one above, mapping sender domains to the reject_plaintext_session action.

Reload Postfix to apply the settings:

Create the hash table:

If you receive an e-mail from sender-must-be-tls-but-it-cant.com (an MTA without TLS support), the request is rejected with 450 4.7.1 Session encryption is required; look at the mail log. The reply code comes from plaintext_reject_code (450 by default), a temporary failure, so a compliant sender keeps retrying and eventually bounces the message rather than it being dropped silently.
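The three log outcomes described on this page (the “TLS connection established” lines from the outgoing test, the status=deferred result of the outgoing TLS policy, and the 450 4.7.1 rejection of the incoming policy) can be pulled out of mail.log with the added Python script below. It is example code, not part of the original page; SAMPLE_LOG is constructed, and host names, queue IDs and addresses are placeholders.

```python
"""Summarize Postfix TLS outcomes from mail.log.

Added example, not part of the original page. It scans syslog lines written by
postfix/smtp and postfix/smtpd with smtp_tls_loglevel/smtpd_tls_loglevel >= 1
and reports: outbound and inbound TLS sessions with their trust level and
protocol, deliveries deferred because smtp_tls_policy_maps demanded TLS, and
inbound requests rejected by reject_plaintext_session. SAMPLE_LOG is
constructed; host names, queue IDs and addresses are placeholders.
"""
import re
from collections import Counter
from typing import Dict, Iterable

LEGACY_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}

# e.g. "Untrusted TLS connection established to host[ip]:25: TLSv1.2 with cipher X (128/128 bits)"
TLS_RE = re.compile(
    r"postfix/(?P<daemon>smtpd?)\[\d+\]: "
    r"(?P<trust>Anonymous|Untrusted|Trusted|Verified) TLS connection established "
    r"(?:to|from) (?P<peer>\S+?)(?::\d+)?: (?P<proto>SSLv3|TLSv[\d.]+) "
    r"with cipher (?P<cipher>\S+) \((?P<bits>\d+)/\d+ bits\)"
)
DEFER_RE = re.compile(
    r"status=deferred \(TLS is required, but was not offered by host (?P<peer>[^)]+)\)"
)
REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from (?P<peer>\S+): "
    r"450 4\.7\.1 .*?Session encryption is required"
)


def analyze(lines: Iterable[str]) -> Dict[str, list]:
    """Classify each log line into one of the TLS outcomes, ignoring the rest."""
    summary: Dict[str, list] = {
        "outbound_tls": [], "inbound_tls": [], "legacy_protocol": [],
        "deferred_tls_required": [], "rejected_plaintext": [],
    }
    for line in lines:
        m = TLS_RE.search(line)
        if m:
            rec = m.groupdict()
            summary["outbound_tls" if rec["daemon"] == "smtp" else "inbound_tls"].append(rec)
            if rec["proto"] in LEGACY_PROTOCOLS:      # worth a policy review
                summary["legacy_protocol"].append(rec)
            continue
        m = DEFER_RE.search(line)
        if m:
            summary["deferred_tls_required"].append(m.group("peer"))
            continue
        m = REJECT_RE.search(line)
        if m:
            summary["rejected_plaintext"].append(m.group("peer"))
    return summary


def report(summary: Dict[str, list]) -> str:
    """Render the summary; Untrusted/Anonymous counts show unauthenticated peers."""
    out_trust = Counter(r["trust"] for r in summary["outbound_tls"])
    in_trust = Counter(r["trust"] for r in summary["inbound_tls"])
    lines = [
        f"outbound TLS sessions: {len(summary['outbound_tls'])} {dict(out_trust)}",
        f"inbound TLS sessions:  {len(summary['inbound_tls'])} {dict(in_trust)}",
    ]
    for r in summary["legacy_protocol"]:
        lines.append(f"  legacy protocol {r['proto']} with {r['peer']}")
    for peer in summary["deferred_tls_required"]:
        lines.append(f"deferred, TLS required but not offered: {peer}")
    for peer in summary["rejected_plaintext"]:
        lines.append(f"rejected plaintext sender: {peer}")
    return "\n".join(lines)


SAMPLE_LOG = """\
Mar  3 10:00:01 mx postfix/smtp[1201]: Untrusted TLS connection established to gmail-smtp-in.l.google.com[74.125.136.27]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Mar  3 10:00:05 mx postfix/smtpd[1302]: Anonymous TLS connection established from client.example.org[192.0.2.10]: TLSv1 with cipher AES256-SHA (256/256 bits)
Mar  3 10:00:09 mx postfix/smtp[1203]: 4CD34EF0123: to=<bob@must-be-tls-but-it-cant.com>, relay=mx.must-be-tls-but-it-cant.com[10.0.0.1]:25, delay=0.4, delays=0.1/0/0.3/0, dsn=4.7.4, status=deferred (TLS is required, but was not offered by host mx.must-be-tls-but-it-cant.com[10.0.0.1])
Mar  3 10:00:12 mx postfix/smtpd[1304]: NOQUEUE: reject: RCPT from mx.sender-must-be-tls-but-it-cant.com[10.0.0.2]: 450 4.7.1 Session encryption is required; from=<alice@sender-must-be-tls-but-it-cant.com> to=<bob@example.com> proto=ESMTP helo=<mx.sender-must-be-tls-but-it-cant.com>
Mar  3 10:00:20 mx postfix/smtp[1205]: Verified TLS connection established to mx.partner.example[203.0.113.5]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
"""

if __name__ == "__main__":
    # Usage: python3 tls_log_summary.py < /var/log/mail.log
    import sys
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_LOG.splitlines()
    print(report(analyze(source)))
```

A high share of Untrusted or Anonymous outbound sessions is expected with opportunistic TLS; the entries to act on are legacy protocol versions, destinations that keep being deferred because they never offer TLS, and senders repeatedly rejected for plaintext sessions.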