POSTFIX AND STARTTLS

This assumes you already have Postfix up and running.

REQUIREMENTS

Either get real certificates or self-sign one. Self-signed certs used to be common practice for SMTP, but Gmail, Yandex and Mail.ru now show certificate validation warnings to their users when the peer's certificate does not verify.

You also need a CA store so that Postfix can verify remote certificates. If you use a hashed directory, rehash it after changes (on OpenSSL 1.1.0 and later "openssl rehash" does the same job). This assumes no chroot: a CApath directory is read lazily, so a chrooted smtp/smtpd needs it inside the chroot, whereas a CAfile is loaded before the daemon enters the chroot.

$OPENSSL_HOME/bin/c_rehash /etc/ssl/certs

Or just fetch the Mozilla root bundle that the curl project publishes, and compare its SHA-256 with the published checksum:

cd /etc/ssl/
wget https://curl.haxx.se/ca/cacert.pem
wget https://curl.haxx.se/ca/cacert.pem.sha256
#wget https://curl.haxx.se/ca/cacert-2020-12-08.pem
#wget https://curl.haxx.se/ca/cacert-2020-12-08.pem.sha256
shasum -a 256 cacert.pem
cat cacert.pem.sha256

As of January 2021 (the 2020-12-08 bundle) both commands should print the same digest:

313d562594ebd07846ad6b840dd18993f22e0f8b3f275d9aacfae118f4f00fb7  cacert.pem
313d562594ebd07846ad6b840dd18993f22e0f8b3f275d9aacfae118f4f00fb7  cacert-2020-12-08.pem
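The two commands above leave the comparison to the eye. The script below is an added example, not part of the original page: it downloads the bundle and its .sha256 file, refuses to install unless the digest matches and the file contains a plausible number of PEM certificates, and only then copies it to /etc/ssl/cacert.pem. It assumes curl is installed; the URL and the target path are the ones used on this page, and the certificate-count floor of 100 is an assumption of this example.

```shell
#!/bin/sh
# Added example (not from the original page): fetch the curl/Mozilla CA bundle
# and install it only after the published SHA-256 has been checked.
# Assumptions: curl is available; the .sha256 file has the "<hex>  <name>" format
# shown on the page; /etc/ssl/cacert.pem is the path used in main.cf.
set -u

BUNDLE_URL="https://curl.haxx.se/ca/cacert.pem"

# Print the SHA-256 of a file using whichever tool is installed.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{print $1}'
    else
        openssl dgst -sha256 -r "$1" | awk '{print $1}'
    fi
}

# verify_sha256 FILE SUMFILE: succeed only if the first field of SUMFILE is a
# 64-digit hex string equal to FILE's digest (case-insensitive).
verify_sha256() {
    file="$1"; sumfile="$2"
    expected=$(awk 'NR==1 {print tolower($1)}' "$sumfile" 2>/dev/null)
    case "$expected" in
        ""|*[!0-9a-f]*) return 2 ;;    # missing or not hex at all
    esac
    [ "${#expected}" -eq 64 ] || return 2
    actual=$(sha256_of "$file" | tr 'A-F' 'a-f')
    [ "$expected" = "$actual" ]
}

# count_certs FILE: number of PEM certificates in the bundle (0 if none/missing).
count_certs() {
    n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null) || true
    echo "${n:-0}"
}

# install_bundle [DEST]: download, verify, sanity-check, then install.
install_bundle() {
    dest="${1:-/etc/ssl/cacert.pem}"
    tmp=$(mktemp -d) || return 1
    if ! curl -fsS -o "$tmp/cacert.pem" "$BUNDLE_URL" ||
       ! curl -fsS -o "$tmp/cacert.pem.sha256" "$BUNDLE_URL.sha256"; then
        echo "download failed" >&2; rm -rf "$tmp"; return 1
    fi
    if ! verify_sha256 "$tmp/cacert.pem" "$tmp/cacert.pem.sha256"; then
        echo "checksum mismatch, not installing" >&2; rm -rf "$tmp"; return 1
    fi
    n=$(count_certs "$tmp/cacert.pem")
    if [ "$n" -lt 100 ]; then   # sanity floor (assumption: the Mozilla bundle carries well over 100 roots)
        echo "bundle has only $n certificates, not installing" >&2; rm -rf "$tmp"; return 1
    fi
    install -m 0644 "$tmp/cacert.pem" "$dest" && rm -rf "$tmp"
}

# Usage: sh fetch_ca.sh --install [/etc/ssl/cacert.pem]
if [ "${1:-}" = "--install" ]; then
    install_bundle "${2:-/etc/ssl/cacert.pem}"
fi
```

After a successful install, reload Postfix so smtpd/smtp pick up the new CAfile; a checksum mismatch leaves the existing bundle untouched.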

CERTS & CIPHERS

Postfix can serve dual/hybrid (RSA plus ECDSA) certificates since v2.6 through the separate smtpd_tls_cert_file/smtpd_tls_eccert_file pairs (the legacy way) and since v3.4 through smtpd_tls_chain_files (the new way, where each private key is listed immediately before its certificate chain). We use the legacy way here because it maps directly onto the separate privkey.pem and fullchain.pem files that dehydrated writes out for Let's Encrypt, so nothing has to be concatenated.

The trick is to define what "high" means: smtpd_tls_ciphers = high and smtp_tls_ciphers = high only refer to tls_high_cipherlist, so that is where the real policy lives. Postfix's own documentation strongly encourages leaving tls_high_cipherlist alone; if you override it anyway, keep in mind that an OpenSSL cipherlist only governs TLS 1.2 and earlier (TLS 1.3 suites are negotiated separately), and that kGOST matches nothing unless the GOST engine is loaded.

# do not add the system default CAs on top of the CAfile/CApath set below
tls_append_default_CA = no
# no = the client's cipher order wins; yes = the server's (this list's) order wins
tls_preempt_cipherlist = no
# what "high" expands to; applies to TLS 1.2 and earlier only
tls_high_cipherlist = ECDHE:DHE:kGOST:!aNULL:!eNULL:!RC4:!MD5:!3DES:!AES128:!CAMELLIA128

#smtpd_tls_CApath = /etc/ssl/certs
# an empty value disables the directory lookup ("no" would be taken as a directory name)
smtpd_tls_CApath =
# only consulted when client certificates are requested (smtpd_tls_ask_ccert/smtpd_tls_req_ccert)
smtpd_tls_CAfile = /etc/ssl/cacert.pem
# RSA pair and ECDSA pair; OpenSSL picks whichever the client can use
smtpd_tls_cert_file = /etc/dehydrated/certs/xc.os3.su/fullchain.pem
smtpd_tls_key_file = /etc/dehydrated/certs/xc.os3.su/privkey.pem
smtpd_tls_eccert_file = /etc/dehydrated/certs/xc.os3.su.ECC/fullchain.pem
smtpd_tls_eckey_file = /etc/dehydrated/certs/xc.os3.su.ECC/privkey.pem
# record protocol and cipher in the Received: header
smtpd_tls_received_header = yes
# never offer AUTH on a plaintext session
smtpd_tls_auth_only = yes

ENFORCE STARTTLS INBOUND

This makes TLS mandatory globally, port 25 included. RFC 3207 says a publicly referenced SMTP server must not require STARTTLS in order to deliver mail locally, and any sender that cannot do TLS will simply fail to deliver to you. The common compromise is "may" on port 25 and "encrypt" only on the submission service, by overriding smtpd_tls_security_level with an -o option on that service in master.cf.

#smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_tls_loglevel = 1
# with security_level = encrypt the *_mandatory_* cipher/protocol settings apply;
# the non-mandatory ones are used only for opportunistic ("may") TLS
smtpd_tls_security_level = encrypt
smtpd_tls_ciphers = high
smtpd_tls_mandatory_ciphers = high
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
# add "!TLSv1, !TLSv1.1" to both lists to drop TLS 1.0 and 1.1 as well
#smtpd_tls_exclude_ciphers = aNULL, eNULL, RC4, MD5, 3DES
#smtpd_tls_mandatory_exclude_ciphers = aNULL, eNULL, RC4, MD5, 3DES

ENFORCE STARTTLS OUTBOUND

Mandatory TLS for all outbound mail means that delivery to any MX that does not offer STARTTLS (or whose handshake fails) is deferred and eventually bounced. The usual alternative is "may" (or "dane", which needs a DNSSEC-validating resolver) globally, with stronger levels for chosen destinations through smtp_tls_policy_maps.

#smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_tls_loglevel = 1
# as on the server side: with encrypt the *_mandatory_* settings are the ones in effect
smtp_tls_security_level = encrypt
smtp_tls_ciphers = high
smtp_tls_mandatory_ciphers = high
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
# add "!TLSv1, !TLSv1.1" to both lists to drop TLS 1.0 and 1.1 as well
#smtp_tls_exclude_ciphers = aNULL, eNULL, RC4, MD5, 3DES
#smtp_tls_mandatory_exclude_ciphers = aNULL, eNULL, RC4, MD5, 3DES

VERIFY CLIENT CERTIFICATE

#smtpd_tls_CApath = /etc/ssl/certs
# req_ccert rejects clients without a certificate that chains to smtpd_tls_CAfile/CApath;
# ask_ccert merely requests one and logs the result. Neither belongs on a public MX.
#smtpd_tls_req_ccert = yes
#smtpd_tls_ask_ccert = yes

VERIFY MX CERTIFICATE

Note that with smtp_tls_security_level = encrypt (as set above) the remote certificate is not verified at all; the CA store below only takes effect once the level is verify or secure, either globally or per destination through smtp_tls_policy_maps.

#smtp_tls_CApath = /etc/ssl/certs
# an empty value disables the directory lookup ("no" would be taken as a directory name)
smtp_tls_CApath =
smtp_tls_CAfile = /etc/ssl/cacert.pem

# legacy parameter (default yes): only meaningful together with smtp_enforce_tls,
# and ignored once smtp_tls_security_level is set
smtp_tls_enforce_peername = yes

# verify: the chain must lead to CAfile and a name must match smtp_tls_verify_cert_match
# (default: hostname, i.e. the MX name learned from DNS, which is unauthenticated without DNSSEC)
#smtp_tls_security_level = verify
# secure: same, but matched against smtp_tls_secure_cert_match
# (default: nexthop, dot-nexthop, i.e. the recipient domain, which does not depend on possibly spoofed MX records)
#smtp_tls_security_level = secure
#smtp_tls_verify_cert_match = hostname
#smtp_tls_verify_cert_match = hostname, nexthop, dot-nexthop
# per-destination levels, one line per domain such as "example.com secure match=.example.com", then postmap the file
#smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
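To confirm from the outside that the inbound settings above took effect (STARTTLS advertised, no AUTH on the plaintext session, a current protocol, and a certificate that verifies against the same CA bundle and matches the MX name, which is what a remote Postfix at level "verify" would check), here is an added example, not part of the original page. It assumes openssl and nc are available on the probing host and that the bundle lives at /etc/ssl/cacert.pem as in main.cf; the name probe.example.invalid sent in EHLO is a placeholder.

```shell
#!/bin/sh
# Added example (not from the original page): probe a Postfix MX from outside.
#  parse_ehlo / check_ehlo_plain : read a plaintext EHLO response and require
#        STARTTLS without AUTH (what smtpd_tls_auth_only = yes should give);
#  parse_s_client / assess_tls   : pull protocol, cipher and verify result out of
#        'openssl s_client -starttls smtp' output and judge them;
#  probe_mx HOST [PORT]          : run both against a live server.
# Assumptions: openssl and nc on the probing host; CA bundle path as in main.cf.

CAFILE="${CAFILE:-/etc/ssl/cacert.pem}"

# parse_ehlo: stdin = SMTP dialogue; prints one EHLO keyword per line, upper-cased.
# The first 250 line is the server's name, not a keyword, so it is skipped.
parse_ehlo() {
    tr -d '\r' | awk '
        /^250[- ]/ && !seen { seen = 1; next }
        /^250[- ]/ { split(substr($0, 5), f, " "); if (f[1] != "") print toupper(f[1]) }
    '
}

# check_ehlo_plain: succeed only if STARTTLS is offered and AUTH is not.
check_ehlo_plain() {
    kws=$(parse_ehlo)
    echo "$kws" | grep -qx 'STARTTLS' || { echo "no STARTTLS advertised" >&2; return 1; }
    if echo "$kws" | grep -qx 'AUTH'; then
        echo "AUTH offered on a plaintext session (set smtpd_tls_auth_only = yes)" >&2
        return 1
    fi
    return 0
}

# parse_s_client: stdin = s_client output; prints "PROTO CIPHER VERIFY_CODE".
# "Verify return code: 0 (ok)" means the chain verified and the name matched.
parse_s_client() {
    awk '
        /^ *Protocol *:/         { proto = $NF }
        /^ *Cipher *:/           { cipher = $NF }
        /^ *Verify return code:/ { code = $4 }
        END { printf "%s %s %s\n", proto, cipher, code }
    '
}

# assess_tls: stdin = parse_s_client line; require verification and TLS 1.2 or 1.3.
assess_tls() {
    read -r proto cipher code
    [ "$code" = "0" ] || { echo "certificate did not verify (code $code)" >&2; return 1; }
    case "$proto" in
        TLSv1.2|TLSv1.3) ;;
        *) echo "weak or unknown protocol: $proto" >&2; return 1 ;;
    esac
    echo "ok: $proto $cipher"
}

# probe_mx HOST [PORT]: live probe (not exercised by the offline checks).
probe_mx() {
    host="$1"; port="${2:-25}"
    # plaintext EHLO first; the sleeps avoid sending before the 220 banner
    { sleep 1; printf 'EHLO probe.example.invalid\r\n'; sleep 1; printf 'QUIT\r\n'; } |
        nc -w 5 "$host" "$port" | check_ehlo_plain || return 1
    # then the real handshake, verifying against our bundle and the MX name
    openssl s_client -starttls smtp -connect "$host:$port" -CAfile "$CAFILE" \
        -verify_hostname "$host" </dev/null 2>/dev/null | parse_s_client | assess_tls
}

# Usage: sh starttls_probe.sh mx.example.com [25]
if [ $# -ge 1 ]; then
    probe_mx "$@"
fi
```

A non-zero exit from probe_mx pinpoints which of the page's settings is not in effect: a missing STARTTLS keyword means smtpd_tls_security_level is not reaching that service, AUTH on the plaintext session means smtpd_tls_auth_only is off, and a non-zero verify code means the chain in smtpd_tls_cert_file is incomplete or does not match the MX name.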

NOTES

These were made obsolete by smtp_tls_security_level in Postfix 2.3, which overrides them whenever it is set:

smtp_use_tls = yes
smtp_enforce_tls = yes

Likewise these were made obsolete by smtpd_tls_security_level in Postfix 2.3:

smtpd_use_tls = yes
smtpd_enforce_tls = yes

TODO

RESOURCES

Postfix TLS Support http://www.postfix.org/TLS_README.html

Postfix legacy TLS Support http://www.postfix.org/TLS_LEGACY_README.html

TLS Forward Secrecy in Postfix http://www.postfix.org/FORWARD_SECRECY_README.html

Postfix with TLS https://linuxlasse.net/linux/howtos/Postfix_with_TLS

Postfix TLS Error https://serverfault.com/questions/660241/postfix-tls-error

more

StartTLS https://www.ionos.com/digitalguide/e-mail/technical-matters/starttls/

What’s the best way to check if an SMTP server is SSL-enabled or not? https://serverfault.com/questions/64411/whats-the-best-way-to-check-if-an-smtp-server-is-ssl-enabled-or-not

Postfix STARTTLS only on port 25 https://serverfault.com/questions/676742/postfix-starttls-only-on-port-25/677167