Tuesday, June 11, 2013

Enabling TLS in the Postfix SMTP server?


By default, TLS is disabled in the Postfix SMTP server, so an out-of-the-box installation behaves exactly like a Postfix build without TLS support. Explicitly switch it on with “smtpd_tls_security_level = may”.

Example:

/etc/postfix/main.cf:

    smtpd_tls_security_level = may

With this, the Postfix SMTP server announces STARTTLS support to remote SMTP clients, but does not require that clients use TLS encryption.

Note: when an unprivileged user invokes “sendmail -bs”, STARTTLS is never offered due to insufficient privileges to access the Postfix SMTP server private key. This is intended behavior.

You can ENFORCE the use of TLS, so that the Postfix SMTP server announces STARTTLS and accepts no mail without TLS encryption, by setting “smtpd_tls_security_level = encrypt”. According to RFC 2487 this MUST NOT be applied to a publicly-referenced Postfix SMTP server (an MX that other sites deliver to), since senders that cannot negotiate TLS would then be unable to deliver mail at all. This option is off by default and is rarely appropriate.

Example:

/etc/postfix/main.cf:

    smtpd_tls_security_level = encrypt
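The three settings above differ only in one main.cf parameter, but they produce three very different postures for remote clients. The following script is an added example (not part of the original post or of the Postfix documentation) that reads a main.cf, works out the effective smtpd_tls_security_level under Postfix's own parsing rules (comment lines ignored, whitespace around “=” allowed, last assignment wins, default “none” when the parameter is absent), and describes what a remote SMTP client will see. The helper names tls_level and tls_posture and the three sample configurations are constructed for this example; on a real system the authoritative answer is `postconf smtpd_tls_security_level`.

```shell
#!/bin/sh
# Added example, not from the Postfix documentation or the original post:
# report the STARTTLS posture that a given main.cf implies for the Postfix
# SMTP server. On a live system the authoritative answer comes from
# `postconf smtpd_tls_security_level`; this script only reads the file.

# Effective smtpd_tls_security_level from a main.cf.
# main.cf rules modelled here: '#' lines and blank lines are ignored,
# whitespace around '=' is allowed, and when a parameter is set twice the
# last one wins. When the parameter is absent, the Postfix default is
# "none", i.e. TLS disabled.
tls_level() {
    awk -F= '
        /^[ \t]*#/ { next }
        $1 ~ /^[ \t]*smtpd_tls_security_level[ \t]*$/ {
            v = $2
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            last = v
        }
        END { print (last == "" ? "none" : last) }
    ' "$1"
}

# What a remote SMTP client experiences for the configured level.
tls_posture() {
    case "$(tls_level "$1")" in
        none)    echo "STARTTLS not offered" ;;
        may)     echo "STARTTLS offered, plaintext accepted" ;;
        encrypt) echo "STARTTLS offered, plaintext refused" ;;
        *)       echo "unrecognised level: $(tls_level "$1")" ;;
    esac
}

# Constructed sample configurations (temporary files, not real systems).
CF_DEFAULT=$(mktemp)
cat >"$CF_DEFAULT" <<'EOF'
# main.cf with TLS left at its default
myhostname = mx.example.test
EOF

CF_MAY=$(mktemp)
cat >"$CF_MAY" <<'EOF'
myhostname = mx.example.test
smtpd_tls_security_level = may
EOF

CF_ENCRYPT=$(mktemp)
cat >"$CF_ENCRYPT" <<'EOF'
myhostname = mx.example.test
# the earlier value is overridden by the later one, as Postfix does
smtpd_tls_security_level = may
smtpd_tls_security_level   =   encrypt
EOF
trap 'rm -f "$CF_DEFAULT" "$CF_MAY" "$CF_ENCRYPT"' EXIT

for cf in "$CF_DEFAULT" "$CF_MAY" "$CF_ENCRYPT"; do
    printf '%s: level=%s -> %s\n' "$cf" "$(tls_level "$cf")" "$(tls_posture "$cf")"
done
```

After changing main.cf on a real server, run `postfix reload` and confirm the result from the outside with `openssl s_client -starttls smtp -connect mx.example.test:25`: with “may” or “encrypt” the EHLO response lists STARTTLS and the handshake completes, with “none” it does not. The script deliberately reports “encrypt” without judging it; whether that is acceptable depends on whether the host is a publicly-referenced MX, which the file alone cannot tell you.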
 
Source: http://www.postfix.org/TLS_README.html