Postfix Email Server – Configure STARTTLS or TLS Only


I have set up my Postfix to require STARTTLS, or SSL/TLS, as well as the user being authenticated if sending to other domains, or the recipient being known to my host if receiving mail.

I can connect without initial encryption like this:

telnet myserver.com 587
ehlo there
mail from: [email protected]

The server responds with 530 5.7.0 Must issue a STARTTLS command first

I noticed that smtp.gmail.com has the same requirement to use TLS.

I think this is good and what I want. But how many clients/servers who will try to send mail to my domain will fail, because they can't do SSL/TLS? My certificate is signed by letsencrypt, so that shouldn't be a problem.

Asked another way, is it safe to assume that in 2022 all mail senders can do SSL/TLS?

If not, what do I have to change in my postfix configs to allow third parties to deliver mail to my server without TLS (for mails in my domains), but still require my users who want to send mail via my server to login and use STARTTLS or SSL/TLS?

A second question: I noticed that if I send the following, I get the same error, but have I just sent my password to the server effectively unencrypted across the internet, meaning I should change my password? (Note the connection is done with telnet, not openssl!)

telnet myserver.com 587
ehlo there
AUTH PLAIN GFudEBtYaXhdhbnQuY2...doh!

Best Answer

Asked another way, is it safe to assume that in 2022 all mail senders can do SSL/TLS?

No, it is not. Today (March 3rd, 2022) Google delivered only 85% of its outbound mail using encryption:

Graph labeled "Outbound email encryption: 85%"

Likewise, today only 89% of inbound email was encrypted:

Graph labeled "Inbound email encryption: 89%"

If not, what do I have to change in my postfix configs to allow third parties to deliver mail to my server without TLS (for mails in my domains), but still require my users who want to send mail via my server to login and use STARTTLS or SSL/TLS?

# postconf smtpd_tls_security_level=may
# postconf smtpd_tls_auth_only=yes

Docs on smtpd_tls_security_level, smtpd_tls_auth_only.

If you want to also allow outbound emails to be delivered without encryption, you should read about smtp_tls_security_level.

Note that you can pin a list of known-good domains to always use encryption using smtp_tls_policy_maps, and you may want to consider implementing MTA-STS as well as a more scalable alternative. Here's some software that works with Postfix, though I haven't used it myself. Note that the Postfix page talks a little bit about DNSSEC and DANE, but DNSSEC won't save us, and the Chromium team agrees.
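The following is an added example, not code from the question or the answer above: it repeats the asker's telnet probe programmatically and reads the result the way a defender checking the settings above would, covering both questions at once. Before STARTTLS it records whether STARTTLS is offered, whether AUTH is already advertised (the plaintext-credential exposure from the second question, which smtpd_tls_auth_only=yes removes) and whether a plaintext MAIL FROM is answered with 530 or accepted, which is what an unencrypted third-party sender on port 25 would see. Host names and the EHLO replies are constructed for illustration.

```python
import smtplib

def parse_ehlo(ehlo_body: bytes) -> dict:
    """Split an EHLO reply body (as smtplib returns it, lines joined by '\n')
    into {KEYWORD: parameters}. The first line is the server's own name."""
    caps = {}
    for line in ehlo_body.decode("ascii", errors="replace").splitlines()[1:]:
        key, _, params = line.strip().partition(" ")
        if key:
            caps[key.upper()] = params
    return caps

def assess(caps_before_tls: dict, mail_from_code: int) -> dict:
    """Judge a listener from its pre-TLS capabilities and the reply code to a
    plaintext MAIL FROM. auth_exposed means a client could send AUTH PLAIN in
    the clear (fix: smtpd_tls_auth_only=yes); requires_tls_to_send is the
    '530 5.7.0 Must issue a STARTTLS command first' behaviour (security level
    encrypt); accepts_plaintext_delivery is what 'may' should give on port 25."""
    return {
        "offers_starttls": "STARTTLS" in caps_before_tls,
        "auth_exposed": "AUTH" in caps_before_tls,
        "requires_tls_to_send": mail_from_code == 530,
        "accepts_plaintext_delivery": 200 <= mail_from_code < 300,
    }

def probe(host: str, port: int, timeout: float = 10.0) -> dict:
    """Network version of the telnet test: EHLO, inspect, try MAIL FROM, QUIT.
    Nothing is authenticated and no TLS handshake is started."""
    with smtplib.SMTP(host, port, timeout=timeout) as s:
        code, body = s.ehlo("probe.example")  # constructed client name
        if code != 250:
            raise RuntimeError(f"EHLO rejected: {code} {body!r}")
        caps = parse_ehlo(body)
        mf_code, _ = s.docmd("MAIL FROM:<probe@probe.example>")
        s.docmd("RSET")  # abandon the transaction if the 250 path was taken
    return assess(caps, mf_code)

# Constructed EHLO bodies (not captured from a real server): a port-25 listener
# configured as in the answer, and a listener that still offers AUTH before TLS.
EHLO_PORT25_OK = b"myserver.com\nPIPELINING\nSIZE 10240000\nSTARTTLS\n8BITMIME"
EHLO_AUTH_BEFORE_TLS = b"myserver.com\nPIPELINING\nSTARTTLS\nAUTH PLAIN LOGIN\n8BITMIME"

if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "myserver.com"  # placeholder host
    for port in (25, 587):
        print(port, probe(host, port))
```

Run it against your own server on ports 25 and 587 after changing the settings; on 25 you want offers_starttls and accepts_plaintext_delivery true with auth_exposed false.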
