When you've configured TLS in Postfix as shown below:
smtpd_tls_key_file = /etc/ssl/private/mail.example.com.key
smtpd_tls_cert_file = /etc/ssl/certs/mail.example.com.crt
smtpd_tls_security_level = encrypt
These settings primarily affect inbound connections (when others send mail to your server). For outbound mail encryption, you need additional configuration.
Add these to your main.cf for enforcing TLS on outgoing mail:
smtp_tls_security_level = may
smtp_tls_loglevel = 1
smtp_tls_note_starttls_offer = yes
The "may" option allows TLS if the receiving server supports it, while still permitting non-TLS delivery when necessary.
1. Checking Postfix Logs
After sending a test email, examine your mail logs (typically /var/log/mail.log):
grep 'TLS' /var/log/mail.log
Look for entries like:
postfix/smtp[12345]: Trusted TLS connection established to gmail-smtp-in.l.google.com[173.194.76.27]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
2. Using Telnet for Manual Verification
Connect to your target mail server manually:
telnet mail.example.com 25
EHLO yourdomain.com
Look for "250-STARTTLS" in the response, indicating TLS support.
3. Packet Capture with tcpdump
For deep inspection, capture SMTP traffic:
tcpdump -i eth0 -w smtp.pcap port 25
Then analyze with Wireshark - encrypted packets will show as "Application Data".
When using PHP's mail() function, the encryption happens at the MTA (Postfix) level. Create a test script:
<?php
mail('test@example.com', 'TLS Test', 'This is a test message');
?>
Then verify the delivery method in your logs as shown above.
In main.cf, you can enforce TLS for certain domains:
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
Then create /etc/postfix/tls_policy with:
gmail.com encrypt
yahoo.com encrypt
Remember to postmap the file:
postmap /etc/postfix/tls_policy
systemctl reload postfix
For continuous monitoring, consider these tools:
- pflogsumm for TLS statistics in log summaries
- Grafana with Postfix exporter for visualization
- Custom scripts parsing TLS handshake success rates
Example monitoring script:
#!/bin/bash
# Count established TLS sessions and failed handshakes in the mail log
TLS_SUCCESS=$(grep -c "TLS connection established" /var/log/mail.log)
TLS_FAILED=$(grep -c "TLS handshake failed" /var/log/mail.log)
TOTAL=$((TLS_SUCCESS+TLS_FAILED))
# Guard against a division-by-zero error when the log holds no TLS entries yet
[ "$TOTAL" -eq 0 ] && { echo "No TLS entries found in /var/log/mail.log"; exit 0; }
echo "TLS Success Rate: $((100*TLS_SUCCESS/TOTAL))%"
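As an added example (not code from the answer above), a small Python audit of Postfix smtp(8) log lines that counts TLS sessions by trust level, flags sessions on deprecated protocol versions, and lists deliveries whose smtp process logged no TLS session for that relay, i.e. mail that went out in the clear under `smtp_tls_security_level = may`. The log lines are constructed samples in the format quoted in this answer; pairing a TLS line with later delivery lines by smtp process id and relay host is an assumption about Postfix log ordering.

```python
import re
from collections import Counter

# Constructed sample lines in the Postfix smtp(8) log format quoted above (not real traffic).
SAMPLE_LOG = """\
Jan 10 12:00:01 mx postfix/smtp[12345]: Trusted TLS connection established to gmail-smtp-in.l.google.com[173.194.76.27]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
Jan 10 12:00:02 mx postfix/smtp[12345]: ABC123: to=<a@gmail.com>, relay=gmail-smtp-in.l.google.com[173.194.76.27]:25, delay=1.2, delays=0.1/0/0.8/0.3, dsn=2.0.0, status=sent (250 2.0.0 OK)
Jan 10 12:00:05 mx postfix/smtp[12346]: Untrusted TLS connection established to mx.example.net[192.0.2.10]:25: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
Jan 10 12:00:06 mx postfix/smtp[12346]: DEF456: to=<b@example.net>, relay=mx.example.net[192.0.2.10]:25, delay=0.9, delays=0.1/0/0.5/0.3, dsn=2.0.0, status=sent (250 OK)
Jan 10 12:00:09 mx postfix/smtp[12347]: GHI789: to=<c@example.org>, relay=mx.example.org[198.51.100.5]:25, delay=0.7, delays=0.1/0/0.4/0.2, dsn=2.0.0, status=sent (250 OK)
"""

# TLS session line: smtp process id, trust level, relay host, protocol version, cipher.
TLS_RE = re.compile(
    r"postfix/smtp\[(\d+)\]: (Trusted|Untrusted|Anonymous|Verified) TLS connection "
    r"established to (\S+?)\[[^\]]+\]:\d+: (TLSv[\d.]+) with cipher (\S+)")
# Successful delivery line: smtp process id, queue id, recipient, relay host.
SENT_RE = re.compile(
    r"postfix/smtp\[(\d+)\]: (\w+): to=<([^>]+)>, relay=(\S+?)\[[^\]]+\]:\d+,.* status=sent")
WEAK_PROTOCOLS = {"TLSv1", "TLSv1.1"}


def audit_tls(log_text):
    """Return (trust-level counts, deliveries with no TLS session, weak-protocol sessions)."""
    # Assumption: the smtp(8) process that logs a TLS session then logs the deliveries made
    # over it, so a status=sent line whose (pid, relay host) saw no TLS line went out in clear.
    sessions = {}
    levels = Counter()
    plaintext, weak = [], []
    for line in log_text.splitlines():
        m = TLS_RE.search(line)
        if m:
            pid, level, host, proto, cipher = m.groups()
            sessions[(pid, host)] = level
            levels[level] += 1
            if proto in WEAK_PROTOCOLS:
                weak.append((host, proto, cipher))
            continue
        m = SENT_RE.search(line)
        if m:
            pid, qid, rcpt, host = m.groups()
            if (pid, host) not in sessions:
                plaintext.append((qid, rcpt, host))
    return levels, plaintext, weak

if __name__ == "__main__":
    levels, plaintext, weak = audit_tls(SAMPLE_LOG)
    print("TLS sessions by trust level:", dict(levels))
    print("Deliveries without TLS:", plaintext)
    print("Sessions on deprecated protocol versions:", weak)
```

Run it against a real log with `audit_tls(open("/var/log/mail.log").read())`; a non-empty plaintext list is the signal that a policy map or `encrypt` level is needed for that destination.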
First, let's verify your Postfix TLS settings are properly configured. Run this command to check your main configuration:
postconf -n | grep tls
You should see output similar to:
smtp_tls_security_level = may
smtpd_tls_security_level = encrypt
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
To verify TLS is actually being used for outgoing mail, there are several methods:
Method 1: Check Postfix Logs
Examine your mail logs after sending a test email:
grep TLS /var/log/mail.log
Look for entries like:
postfix/smtp[12345]: Trusted TLS connection established to gmail-smtp-in.l.google.com[142.250.101.26]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
Method 2: Use Telnet to Test SMTP
Manually test the SMTP connection:
openssl s_client -connect your.mx.server:25 -starttls smtp
You should see the TLS handshake details and server certificate.
When using PHP's mail() function, ensure your php.ini settings match:
[mail function]
; For Win32 only.
SMTP = your.smtp.server
smtp_port = 587
; For Win32 only.
sendmail_from = your@email.com
For complete verification, capture network traffic:
sudo tcpdump -i eth0 -w postfix-tls.pcap port 25
Analyze the capture in Wireshark to confirm encryption.
For optimal security, add these to main.cf:
smtp_tls_security_level = encrypt
smtp_tls_loglevel = 1
smtp_tls_note_starttls_offer = yes
Restart Postfix after changes:
sudo systemctl restart postfix
Use online services like:
- CheckTLS (https://www.checktls.com)
- MXToolbox (https://mxtoolbox.com)
These will verify your TLS configuration from external perspectives.