How to Enforce TLS Encryption for Outbound SMTP in Postfix


When configuring Postfix for encrypted communication, many admins focus on securing incoming mail (smtpd) while overlooking outbound encryption. Your current main.cf shows proper TLS setup for incoming connections but lacks critical directives for enforcing outbound encryption.

Add these to your main.cf to mandate TLS for outgoing mail:

# Outbound TLS enforcement
smtp_tls_security_level = encrypt
smtp_tls_loglevel = 1
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

The key parameter is smtp_tls_security_level; its most common values are:

  • none: No TLS (dangerous)
  • may: Opportunistic TLS (default)
  • encrypt: Mandatory TLS (recommended). Note that encrypt only requires encryption; it does not verify the remote server's certificate, and delivery to any destination that does not offer STARTTLS is deferred.

Verify outbound encryption with:

postconf smtp_tls_security_level
telnet your.mx.server 25
EHLO yourdomain.com

Look for 250-STARTTLS in the response and test message delivery while monitoring /var/log/mail.log.

Create /etc/postfix/tls_policy with entries like:

gmail.com encrypt
yahoo.com encrypt
.co.uk may

Then run postmap /etc/postfix/tls_policy and add to main.cf:

smtp_tls_policy_maps = hash:/etc/postfix/tls_policy

To inspect the certificate chain a remote server presents (for example when it uses a self-signed or private CA), run:

openssl s_client -connect remote.server:25 -starttls smtp -showcerts

Store trusted certificates in /etc/ssl/certs/ and update CA store regularly.

Increase logging temporarily with:

smtp_tls_loglevel = 2
smtpd_tls_loglevel = 2

Common errors include incorrect file permissions (certificate files should be readable, typically 644, while private keys must stay readable only by root) and missing intermediate CA certificates.


Many Postfix administrators successfully configure TLS for incoming mail (smtpd_tls_* parameters) but struggle with enforcing encryption for outbound messages. The subtle difference between smtp_ and smtpd_ parameters often causes confusion.

To mandate TLS for outgoing mail, these are the essential directives in main.cf:

# Outbound TLS enforcement
smtp_tls_security_level = encrypt
smtp_tls_mandatory_ciphers = high
smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_mandatory_protocols = TLSv1.2, TLSv1.3
smtp_tls_loglevel = 1

Here's a production-tested configuration that enforces TLS for outgoing mail while maintaining flexibility for incoming connections:

# TLS configuration for outgoing mail
smtp_tls_security_level = encrypt
smtp_tls_cert_file = /etc/ssl/certs/postfix.pem
smtp_tls_key_file = /etc/ssl/private/postfix.key
smtp_tls_CApath = /etc/ssl/certs
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# Logging of STARTTLS offers and per-destination policy
smtp_tls_note_starttls_offer = yes
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy

For granular control, create /etc/postfix/tls_policy with entries like:

gmail.com     encrypt
yahoo.com     encrypt
example.com   may

Then compile the map:

postmap /etc/postfix/tls_policy

Check encryption status with:

postconf smtp_tls_security_level
telnet your-relay 25
EHLO yourdomain.com

Look for STARTTLS in the server response. Debug using:

tail -f /var/log/mail.log | grep TLS
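The grep above can be turned into a summary of how outbound deliveries actually went. The following is an added example, not from the original post: a POSIX shell function that classifies Postfix smtp(8) client log lines by TLS outcome, run here over constructed sample lines; the function name and the sample log are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Reads Postfix smtp(8) client
# log lines on stdin and prints four counts:
#   encrypted  cleartext  tls_refused  unverified
# A delivery is "encrypted" when the same smtp(8) process logged a
# "TLS connection established to <relay>" line for that relay beforehand.
# "unverified" counts TLS sessions logged as Untrusted/Anonymous, i.e. the
# peer certificate was not verified (security_level=encrypt does not require it).
# Assumes the default syslog line format; on a live host: tls_summary < /var/log/mail.log
tls_summary() {
    awk '
        /postfix\/smtp\[/ {
            match($0, /postfix\/smtp\[[0-9]+\]/)
            pid = substr($0, RSTART, RLENGTH)
        }
        /TLS connection established to/ {
            relay = $0
            sub(/.*established to /, "", relay)
            sub(/: .*/, "", relay)          # keep host[addr]:port only
            tls[pid, relay] = 1
            if ($0 ~ /(Untrusted|Anonymous) TLS connection/) unverified++
            next
        }
        /status=sent/ {
            relay = $0
            sub(/.*relay=/, "", relay)
            sub(/,.*/, "", relay)
            if ((pid, relay) in tls) encrypted++; else cleartext++
        }
        /status=deferred/ && /TLS is required, but was not offered/ { refused++ }
        END { printf "%d %d %d %d\n", encrypted, cleartext, refused, unverified }
    '
}

# Constructed sample log lines (not captured from a real server).
SAMPLE_LOG='Mar  3 10:01:02 mx postfix/smtp[2101]: Trusted TLS connection established to mx1.example.net[192.0.2.10]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
Mar  3 10:01:03 mx postfix/smtp[2101]: 4A1B2C3D4E: to=<user@example.net>, relay=mx1.example.net[192.0.2.10]:25, delay=1.2, delays=0.1/0/0.8/0.3, dsn=2.0.0, status=sent (250 2.0.0 OK)
Mar  3 10:02:10 mx postfix/smtp[2102]: Untrusted TLS connection established to mail.example.org[198.51.100.7]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Mar  3 10:02:11 mx postfix/smtp[2102]: 5B2C3D4E5F: to=<bob@example.org>, relay=mail.example.org[198.51.100.7]:25, delay=0.9, delays=0.1/0/0.5/0.3, dsn=2.0.0, status=sent (250 2.0.0 OK)
Mar  3 10:03:05 mx postfix/smtp[2103]: 6C3D4E5F6A: to=<carol@legacy.example>, relay=none, delay=0.4, delays=0.1/0/0.3/0, dsn=4.7.4, status=deferred (TLS is required, but was not offered by host smtp.legacy.example[203.0.113.5])
Mar  3 10:04:00 mx postfix/smtp[2104]: 7D4E5F6A7B: to=<dave@plain.example>, relay=smtp.plain.example[203.0.113.9]:25, delay=0.6, delays=0.1/0/0.2/0.3, dsn=2.0.0, status=sent (250 OK)'

printf '%s\n' "$SAMPLE_LOG" | tls_summary
```

A non-zero cleartext count means a destination matched a may entry in tls_policy (or the global level is not encrypt); tls_refused deliveries are the ones encrypt holds in the deferred queue until the remote side offers STARTTLS.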