POSTFIX AND STARTTLS

assuming you have Postfix up and running already

CERTS & CIPHERS

inbound - assuming you obtained some certs already (key and full chain)

outbound - assuming you have your trust store (CA bundle) in place

Postfix can handle dual/hybrid certs (e.g. RSA plus ECDSA) since v2.6 (the legacy way: one *_cert_file / *_key_file pair per key type) and since v3.4 (the new way: a single smtpd_tls_chain_files list holding keys and certs). We are using the legacy way here as it is more Let's Encrypt friendly (no need to concatenate privkey.pem and fullchain.pem into one file).

The trick here is to fine-tune the cipher list and define what you actually mean by "high", the cipher grade Postfix expands through tls_high_cipherlist.

https://pub.nethence.com/system/ansible/playbooks/postfix/main.cf ==> down to CERTS & CIPHERS

STARTTLS INBOUND

https://pub.nethence.com/system/ansible/playbooks/postfix/main.cf ==> down to STARTTLS INBOUND

STARTTLS OUTBOUND

https://pub.nethence.com/system/ansible/playbooks/postfix/main.cf ==> down to STARTTLS OUTBOUND

NOTES

these were made obsolete by smtp_tls_security_level in v2.3

smtp_use_tls = yes
smtp_enforce_tls = yes

these were made obsolete by smtpd_tls_security_level in v2.3

smtpd_use_tls = yes
smtpd_enforce_tls = yes
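
As an added example (editor's code, not from this page nor from the Postfix project): a small POSIX shell linter that reads a copy of main.cf and reports the points made in the CERTS & CIPHERS and NOTES sections above, that is, the pre-2.3 smtp(d)_use_tls / smtp(d)_enforce_tls leftovers, the smtp(d)_tls_security_level in effect, whether an inbound certificate is configured (legacy smtpd_tls_cert_file or the 3.4+ smtpd_tls_chain_files list) and whether a trust store is present when outbound is set to verify or secure. It assumes only awk and mktemp; the parameter names are real Postfix ones, the main.cf excerpt it runs against is constructed for the demo, and the paths in it are placeholders.

```shell
#!/bin/sh
# Added example: a main.cf TLS linter (editor's code, not Postfix's own).
# Reads plain "key = value" lines plus continuation lines (leading whitespace),
# without postconf, so it also runs on a copy of main.cf off the mail host.

# pf_get FILE PARAM: print the effective value of PARAM (last assignment wins,
# as with Postfix itself); prints nothing when PARAM is not set in FILE.
pf_get() {
    awk -v key="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }          # comments and blank lines
        /^[ \t]/ && cur != "" {                    # continuation of previous value
            v = $0; gsub(/^[ \t]+|[ \t]+$/, "", v)
            vals[cur] = (vals[cur] == "" ? v : vals[cur] " " v)
            next
        }
        index($0, "=") > 0 {                       # key = value
            cur = substr($0, 1, index($0, "=") - 1)
            gsub(/^[ \t]+|[ \t]+$/, "", cur)
            v = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            vals[cur] = v
        }
        END { if (key in vals) print vals[key] }
    ' "$1"
}

# audit_postfix_tls FILE: one line per check; exit status = number of findings.
audit_postfix_tls() {
    cf="$1"; findings=0

    # obsolete since 2.3, superseded by smtp_tls_security_level / smtpd_tls_security_level
    for old in smtp_use_tls smtp_enforce_tls smtpd_use_tls smtpd_enforce_tls; do
        if [ -n "$(pf_get "$cf" "$old")" ]; then
            echo "OBSOLETE $old is set; use ${old%%_*}_tls_security_level instead"
            findings=$((findings + 1))
        fi
    done

    # security levels: unset or "none" means no STARTTLS on that side at all
    for lvl in smtpd_tls_security_level smtp_tls_security_level; do
        v="$(pf_get "$cf" "$lvl")"
        case "$v" in
            "")   echo "MISSING $lvl (STARTTLS disabled)"; findings=$((findings + 1)) ;;
            none) echo "WEAK $lvl = none (STARTTLS disabled)"; findings=$((findings + 1)) ;;
            *)    echo "OK $lvl = $v" ;;
        esac
    done

    # inbound needs a cert: legacy per-key-type file or the 3.4+ chain-files list
    if [ -z "$(pf_get "$cf" smtpd_tls_cert_file)" ] && [ -z "$(pf_get "$cf" smtpd_tls_chain_files)" ]; then
        echo "MISSING smtpd_tls_cert_file / smtpd_tls_chain_files (no inbound cert)"
        findings=$((findings + 1))
    fi

    # outbound trust store is only required for the verifying levels
    case "$(pf_get "$cf" smtp_tls_security_level)" in
        secure|verify)
            if [ -z "$(pf_get "$cf" smtp_tls_CAfile)" ] && [ -z "$(pf_get "$cf" smtp_tls_CApath)" ]; then
                echo "MISSING smtp_tls_CAfile / smtp_tls_CApath (cannot verify peers)"
                findings=$((findings + 1))
            fi ;;
    esac
    return "$findings"
}

# Demo on a constructed main.cf excerpt (placeholder paths): the old flags
# left in next to the new inbound level, and outbound TLS switched off.
SAMPLE_CF="$(mktemp)"
cat > "$SAMPLE_CF" <<'EOF'
# constructed main.cf excerpt
smtpd_use_tls = yes
smtpd_enforce_tls = yes
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/letsencrypt/live/example.invalid/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/example.invalid/privkey.pem
smtp_tls_security_level = none
EOF
audit_postfix_tls "$SAMPLE_CF" || echo "findings: $?"
rm -f "$SAMPLE_CF"
```

Run it as audit_postfix_tls /etc/postfix/main.cf; the exit status is the number of findings, so it drops into a pre-deploy or config-management check unchanged. It only reads the file, so it does not see Postfix's built-in defaults (postconf -n lists the same explicit settings), and a finding of MISSING smtpd_tls_security_level means STARTTLS is off unless the value comes from somewhere else, such as a master.cf -o override.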

TODO

RESOURCES

Postfix TLS Support http://www.postfix.org/TLS_README.html

Postfix legacy TLS Support http://www.postfix.org/TLS_LEGACY_README.html

TLS Forward Secrecy in Postfix http://www.postfix.org/FORWARD_SECRECY_README.html

Postfix with TLS https://linuxlasse.net/linux/howtos/Postfix_with_TLS

Postfix TLS Error https://serverfault.com/questions/660241/postfix-tls-error

more

StartTLS https://www.ionos.com/digitalguide/e-mail/technical-matters/starttls/

What’s the best way to check if an SMTP server is SSL-enabled or not? https://serverfault.com/questions/64411/whats-the-best-way-to-check-if-an-smtp-server-is-ssl-enabled-or-not

Postfix STARTTLS only on port 25 https://serverfault.com/questions/676742/postfix-starttls-only-on-port-25/677167


Copyright © 2024 Pierre-Philipp Braun