POSTFIX AND STARTTLS

assuming you have Postfix up and running already

CERTS & CIPHERS

inbound - assuming you have obtained some certs already

outbound - assuming you have your trust store in place

Postfix has handled dual/hybrid certs since v2.6 (the legacy way, with separate cert/key and eccert/eckey parameters) and since v3.4 (the new way with smtp_tls_cert_file). We use the legacy way here because it is more Let's Encrypt (LE) friendly: no need to concatenate privkey and fullchain into one file.

The trick is to fine-tune tls_high_cipherlist, i.e. to define what you mean by "high" (the ciphers = high settings below all refer to it)

tls_append_default_CA = no
tls_preempt_cipherlist = no
tls_high_cipherlist = ECDHE:DHE:kGOST:!aNULL:!eNULL:!RC4:!MD5:!3DES:!AES128:!CAMELLIA128

#smtpd_tls_CApath = /etc/ssl/certs
# no CA directory: the parameter takes a directory name and is empty by default,
# so leave it empty (a literal "no" would be read as a directory name)
smtpd_tls_CApath =
smtpd_tls_CAfile = /etc/ssl/cacert.pem
smtpd_tls_cert_file = /etc/dehydrated/certs/xc.os3.su/fullchain.pem
smtpd_tls_key_file = /etc/dehydrated/certs/xc.os3.su/privkey.pem
smtpd_tls_eccert_file = /etc/dehydrated/certs/xc.os3.su.ECC/fullchain.pem
smtpd_tls_eckey_file = /etc/dehydrated/certs/xc.os3.su.ECC/privkey.pem
smtpd_tls_received_header = yes
smtpd_tls_auth_only = yes

ENFORCE STARTTLS INBOUND

note: "encrypt" on smtpd makes TLS mandatory for every client; the Postfix TLS_README says this is only appropriate for dedicated servers or the submission port, since a publicly-referenced MX on port 25 must still accept plaintext (RFC 2487 / RFC 3207)
#smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_tls_loglevel = 1
smtpd_tls_security_level = encrypt
smtpd_tls_ciphers = high
smtpd_tls_mandatory_ciphers = high
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
# !TLSv1, !TLSv1.1
#smtpd_tls_exclude_ciphers = aNULL, eNULL, RC4, MD5, 3DES
#smtpd_tls_mandatory_exclude_ciphers = aNULL, eNULL, RC4, MD5, 3DES
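A check for the inbound policy above, added here as an example (not from the page or the Postfix project; the host passed to probe() is a placeholder and the EHLO samples are constructed): it uses Python's smtplib to confirm that STARTTLS is advertised, that AUTH is withheld until after STARTTLS (smtpd_tls_auth_only = yes) and that MAIL FROM is refused on the plaintext channel (security level encrypt).

```python
"""Probe a live Postfix MX for the inbound STARTTLS policy set above.
Added example, not from the page or the Postfix project: checks STARTTLS is
advertised, AUTH is withheld until after STARTTLS (smtpd_tls_auth_only = yes),
MAIL FROM is refused before STARTTLS (encrypt level answers 530), and reports
the negotiated protocol and cipher."""
import smtplib
import ssl

# Constructed sample EHLO replies in smtplib's format (server name on the
# first line, then one extension per line), before and after STARTTLS.
SAMPLE_EHLO_PRE = "mx.example.test\nPIPELINING\nSIZE 10240000\nSTARTTLS\n8BITMIME"
SAMPLE_EHLO_POST = "mx.example.test\nPIPELINING\nSIZE 10240000\nAUTH PLAIN LOGIN\n8BITMIME"

def parse_ehlo(ehlo_text: str) -> set:
    """Return the set of extension keywords, skipping the server-name line."""
    lines = ehlo_text.splitlines()[1:]
    return {line.split()[0].upper() for line in lines if line.strip()}

def evaluate_ehlo(pre_tls_ehlo: str, post_tls_ehlo: str) -> dict:
    """Compare the EHLO replies captured before and after STARTTLS."""
    pre, post = parse_ehlo(pre_tls_ehlo), parse_ehlo(post_tls_ehlo)
    starttls, auth_before = "STARTTLS" in pre, "AUTH" in pre
    return {
        "starttls_offered": starttls,
        "auth_before_tls": auth_before,  # must be False with smtpd_tls_auth_only = yes
        "auth_after_tls": "AUTH" in post,
        "starttls_readvertised": "STARTTLS" in post,  # must be False once upgraded
        "policy_ok": starttls and not auth_before,
    }

def probe(host: str, port: int = 25, timeout: float = 10.0) -> dict:
    """Run the checks against a real server; host is a placeholder you supply."""
    with smtplib.SMTP(host, port, timeout=timeout) as s:
        pre = s.ehlo()[1].decode(errors="replace")
        # With smtpd_tls_security_level = encrypt Postfix answers
        # 530 5.7.0 Must issue a STARTTLS command first
        mail_code = s.docmd("MAIL FROM:<>")[0]
        # default context verifies the chain against the OS trust store
        s.starttls(context=ssl.create_default_context())
        post = s.ehlo()[1].decode(errors="replace")
        result = evaluate_ehlo(pre, post)
        result["mail_refused_before_tls"] = mail_code == 530
        result["tls_version"] = s.sock.version()
        result["cipher"] = s.sock.cipher()[0]
    return result

if __name__ == "__main__":
    print(evaluate_ehlo(SAMPLE_EHLO_PRE, SAMPLE_EHLO_POST))
    # print(probe("mx.example.invalid"))  # placeholder: replace with your own MX
```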

ENFORCE STARTTLS OUTBOUND

#smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_tls_loglevel = 1
smtp_tls_security_level = encrypt
smtp_tls_ciphers = high
smtp_tls_mandatory_ciphers = high
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
# !TLSv1, !TLSv1.1
#smtp_tls_exclude_ciphers = aNULL, eNULL, RC4, MD5, 3DES
#smtp_tls_mandatory_exclude_ciphers = aNULL, eNULL, RC4, MD5, 3DES

VERIFY CLIENT CERTIFICATE

#smtpd_tls_CApath = /etc/ssl/certs
#smtpd_tls_req_ccert = yes
#smtpd_tls_ask_ccert = yes

VERIFY MX CERTIFICATE

#smtp_tls_CApath = /etc/ssl/certs
# no CA directory: leave the parameter empty (its default) rather than "no",
# which would be read as a directory name
smtp_tls_CApath =
smtp_tls_CAfile = /etc/ssl/cacert.pem

# the default, and valid in both directions
smtp_tls_enforce_peername = yes

#smtp_tls_security_level = verify
#smtp_tls_security_level = secure
# hostname is the default
#smtp_tls_verify_cert_match = hostname
#smtp_tls_verify_cert_match = hostname, nexthop, dot-nexthop
#smtp_tls_policy_maps = hash:/etc/postfix/tls_policy

NOTES

these have been obsolete since v2.3, superseded by smtp_tls_security_level

smtp_use_tls = yes
smtp_enforce_tls = yes

these have been obsolete since v2.3, superseded by smtpd_tls_security_level

smtpd_use_tls = yes
smtpd_enforce_tls = yes

TODO

RESOURCES

Postfix TLS Support http://www.postfix.org/TLS_README.html

Postfix legacy TLS Support http://www.postfix.org/TLS_LEGACY_README.html

TLS Forward Secrecy in Postfix http://www.postfix.org/FORWARD_SECRECY_README.html

Postfix with TLS https://linuxlasse.net/linux/howtos/Postfix_with_TLS

Postfix TLS Error https://serverfault.com/questions/660241/postfix-tls-error

more

StartTLS https://www.ionos.com/digitalguide/e-mail/technical-matters/starttls/

What’s the best way to check if an SMTP server is SSL-enabled or not? https://serverfault.com/questions/64411/whats-the-best-way-to-check-if-an-smtp-server-is-ssl-enabled-or-not

Postfix STARTTLS only on port 25 https://serverfault.com/questions/676742/postfix-starttls-only-on-port-25/677167
