Postfix TLS

by Wolfram Saringer  (2016-08-09)
last change: 2016-08-09


/etc/postfix/main.cf:
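# TLS parameters
# Mandatory TLS in both directions. NOTE: "encrypt" on an internet-facing
# MX (port 25) rejects mail from senders that do not offer STARTTLS, and
# outbound "encrypt" defers mail to destinations without TLS. Use "may" on
# public hosts unless every peer is known to support TLS.
smtp_tls_security_level = encrypt
smtpd_tls_security_level = encrypt
# Permit SASL AUTH on unencrypted sessions too (moot while smtpd level is "encrypt").
smtpd_tls_auth_only = no
# Log remote servers that offer STARTTLS when TLS was not used with them.
smtp_tls_note_starttls_offer = yes
# Server key and certificate; keep the private key readable by root only.
smtpd_tls_key_file = /etc/ssl/private/smtpd.key
smtpd_tls_cert_file = /etc/ssl/certs/smtpd.crt
smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem
# 0 = no TLS logging, 1 = one summary line per handshake; higher values are debugging output.
smtpd_tls_loglevel = 1
# Record protocol and cipher in the Received: header.
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_exclude_ciphers = aNULL, MD5
# Exclusion form (Postfix >= 2.5): every protocol version is allowed except
# the listed ones, so newer TLS versions are picked up automatically.
# Listing a protocol by name ("TLSv1") would instead allow ONLY that single
# version and lock out clients that require TLS 1.1 or 1.2.
# Postfix < 2.5 only understands the list form.
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3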


Test (both connections are expected to fail, since SSLv2 and SSLv3 are disabled):
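# Negative tests: both handshakes must FAIL, because SSLv2 and SSLv3 are
# excluded by smtpd_tls_mandatory_protocols. A successful handshake here
# means the protocol restriction is not in effect.
# -CAfile takes a certificate file; -CApath expects a directory of hashed
# certificates, so it silently ignores cacert.pem.
# Newer OpenSSL builds omit SSLv2/SSLv3 support; the client then rejects
# the -ssl2/-ssl3 option itself rather than the server refusing the protocol.
openssl s_client -starttls smtp -CAfile /etc/ssl/certs/cacert.pem -connect localhost:25 -ssl3
openssl s_client -starttls smtp -CAfile /etc/ssl/certs/cacert.pem -connect localhost:25 -ssl2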



all articles represent the sole opinion of their respective author. all content comes without any warranty for correctness, despite due diligence.