Postfix - TLS (SSL) configuration


Transport Layer Security (TLS, formerly called SSL) with Postfix

It provides an encrypted session that protects the information transmitted between the SMTP client and the SMTP server from being read or altered on the path.

Postfix's TLS support is based on OpenSSL.


Certificate and private key


In order to use TLS, the Postfix SMTP server needs a certificate and a private key.

  • Both must be in PEM format.
  • The private key must not be encrypted: the key must be accessible without a passphrase, because the Postfix daemons cannot prompt for one.
  • Postfix loads the key before it drops root privileges, so root-only permissions are enough. If the key is stored:
    • in the same file as the certificate, that file should be owned by root and not be readable by any other user.
    • in a separate file:
      • the private key file should be owned by root and not be readable by any other user.
      • the certificate file may be world-readable.

You can create them with certbot.

For instance, if OVH is your DNS provider, you can request a certificate through the DNS challenge like this:

certbot certonly \
      --dns-ovh \
      --dns-ovh-credentials /root/.secrets/certbot/ovh.ini \
      --dns-ovh-propagation-seconds 60 \
      -n \
      --agree-tos \
      -m  your_email \
      -d # for instance


The Postfix SMTP server certificate must be usable as an SSL server certificate and hence pass the verify test for the sslserver purpose. The check below trusts the system CA store and offers the intermediate certificates in chain.pem as untrusted links:

# example
cd /etc/letsencrypt/live/<your.server>/
openssl verify -untrusted  chain.pem -verbose -purpose sslserver fullchain.pem
fullchain.pem: OK

To know more about this command, see Check a certificate and its intermediate certificate chain.


Then point the Postfix SMTP server at them in main.cf. Use fullchain.pem rather than cert.pem: the server must send the intermediate certificates to clients, and Postfix reads them from the certificate file.

smtpd_tls_cert_file = /etc/letsencrypt/live/<your.server>/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/<your.server>/privkey.pem
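As an added example (not from the original page and not part of Postfix), the script below runs the checks this section asks for against a certificate/key pair before you point the two parameters at it: the key loads without a passphrase, it is not readable by group or others, it matches the certificate, and the certificate verifies for the sslserver purpose. It generates a self-signed pair as constructed test data; the file names, the mail.example.test subject and the trust-anchor argument are assumptions. With a Let's Encrypt pair you would pass fullchain.pem and privkey.pem and omit the third argument so the system CA store is used.

```shell
#!/bin/sh
# Added example, not part of the original page or of Postfix: sanity-check a
# certificate/key pair before using it as smtpd_tls_cert_file/smtpd_tls_key_file.
set -eu

# check_postfix_tls_pair CERT KEY [TRUST_ANCHOR_FILE]
# Returns 0 if Postfix can use the pair, 1 (printing the reason) otherwise.
check_postfix_tls_pair() {
  cert=$1; key=$2; trust=${3:-}

  # (a) Postfix cannot prompt for a passphrase: the key must load with none.
  if ! openssl pkey -in "$key" -noout -passin pass: >/dev/null 2>&1; then
    echo "FAIL: $key is passphrase-protected or not a PEM private key"; return 1
  fi

  # (b) Group/other bits must all be off (mode 0600 or 0400). Columns 5-10 of
  #     ls -l hold the group and other permission characters on any POSIX system.
  if [ "$(ls -l "$key" | cut -c5-10)" != "------" ]; then
    echo "FAIL: $key is readable by group or others"; return 1
  fi

  # (c) The certificate must carry this key's public half. Comparing the
  #     SubjectPublicKeyInfo works for RSA and EC keys alike.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
  if [ "$cert_pub" != "$key_pub" ]; then
    echo "FAIL: $cert does not belong to $key"; return 1
  fi

  # (d) The chain must verify for the sslserver purpose, as the page requires.
  #     Extra certificates in the file (fullchain.pem) are offered as untrusted
  #     links; the trust anchor comes from the system store unless one is given.
  if [ -n "$trust" ]; then
    verified=$(openssl verify -CAfile "$trust" -untrusted "$cert" -purpose sslserver "$cert" 2>&1) || true
  else
    verified=$(openssl verify -untrusted "$cert" -purpose sslserver "$cert" 2>&1) || true
  fi
  case $verified in
    *": OK") ;;
    *) echo "FAIL: $cert does not verify as an SSL server certificate: $verified"; return 1 ;;
  esac
  return 0
}

# Constructed test data (assumption: not real server files): a self-signed
# pair plus three deliberately unusable keys. Prints the directory it created.
make_fixtures() {
  dir=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=mail.example.test" \
    -keyout "$dir/key.pem" -out "$dir/cert.pem" >/dev/null 2>&1
  chmod 600 "$dir/key.pem"
  # same key, but world-readable
  cp "$dir/key.pem" "$dir/key-loose.pem" && chmod 644 "$dir/key-loose.pem"
  # same key, but wrapped in a passphrase (PKCS#8 encryption)
  openssl pkcs8 -topk8 -in "$dir/key.pem" -passout pass:secret -out "$dir/key-enc.pem"
  chmod 600 "$dir/key-enc.pem"
  # an unrelated key, to exercise the certificate/key mismatch check
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$dir/key-other.pem" 2>/dev/null
  chmod 600 "$dir/key-other.pem"
  echo "$dir"
}

report() {
  if check_postfix_tls_pair "$@"; then echo "OK: $1 with $2"; fi
}

FIXTURES=$(make_fixtures)
report "$FIXTURES/cert.pem" "$FIXTURES/key.pem"       "$FIXTURES/cert.pem"
report "$FIXTURES/cert.pem" "$FIXTURES/key-loose.pem" "$FIXTURES/cert.pem"
report "$FIXTURES/cert.pem" "$FIXTURES/key-enc.pem"   "$FIXTURES/cert.pem"
report "$FIXTURES/cert.pem" "$FIXTURES/key-other.pem" "$FIXTURES/cert.pem"
```

Only the openssl command line and POSIX tools are used; the permission test parses ls -l because stat's flags differ between GNU and BSD. Checking the verify output for ": OK" rather than the exit status matters on old OpenSSL releases, where openssl verify exits 0 even when verification fails.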

Trusted CA

To verify a remote SMTP client certificate, the Postfix SMTP server needs to trust the certificates of the issuing Certification Authorities (CAs).

This is optional: the operating system normally ships a CA bundle already, and the Postfix SMTP server only needs one when it verifies client certificates, which it only requests when smtpd_tls_ask_ccert = yes.


You can check that a CA bundle is installed in the certs directory:

 ls /etc/ssl/certs/*.crt
/etc/ssl/certs/ca-bundle.crt  /etc/ssl/certs/

On CentOS, the ca-certificates package installs and updates it:

yum info ca-certificates
Installed Packages
Name        : ca-certificates
Arch        : noarch
Version     : 2019.2.32
Release     : 76.el7_7
Size        : 968 k
Repo        : installed
From repo   : updates
Summary     : The Mozilla CA root certificate bundle
URL         :
License     : Public Domain
Description : This package contains the set of CA certificates chosen by the
            : Mozilla Foundation for use with the Internet PKI.

To use a specific set of CAs, point the Postfix SMTP server at them (in PEM format) with one of the following parameters:

  • smtpd_tls_CAfile: a single file containing all CA certificates in PEM format. It is read before the daemon enters its chroot jail, so it may live outside it.
  • smtpd_tls_CApath: a directory with one CA certificate per file. It is accessed at run time, so with a chrooted smtpd the directory must be inside the jail. Don't forget to create the necessary "hash" links with c_rehash (or openssl rehash on OpenSSL 1.1 and later):
$OPENSSL_HOME/bin/c_rehash /path/to/directory 


Smtp Server

The smtpd_tls_* parameters configure the receiving side (the Postfix SMTP server). Set them in main.cf:

  • smtpd_tls_security_level: TLS security level of the Postfix SMTP server. Use may (opportunistic TLS) on port 25: RFC 2487 (superseded by RFC 3207) says that a publicly-referenced SMTP server MUST NOT require STARTTLS, so encrypt is not an option there. Warning: on the submission port (587), override this value to encrypt in the master.cf entry of the submission service.
smtpd_tls_security_level = may
smtpd_tls_loglevel = 1
  • smtpd_tls_received_header: request that the Postfix SMTP server produces Received: message headers that include information about the protocol and cipher used.
smtpd_tls_received_header = yes

Smtp Client

The smtp_tls_* parameters configure the sending side (the Postfix SMTP client):

  • smtp_tls_security_level: encrypt requires TLS for every delivery, so mail to a destination that does not offer STARTTLS is deferred and stays in the queue. That is appropriate when all outgoing mail goes to a relayhost known to support TLS; for direct delivery to arbitrary Internet servers, may (opportunistic TLS) is the usual choice.
smtp_tls_security_level = encrypt
  • smtp_tls_note_starttls_offer: log the hostname of a remote SMTP server that offers STARTTLS when TLS is not already enabled for that server. It therefore only produces output for destinations where TLS is disabled (security level none).
smtp_tls_note_starttls_offer = yes
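As an added example, not taken from the page or from the Postfix distribution, here is how the two sides fit together, with the submission override from the warning above done in master.cf. Paths and the service line layout are assumptions; adapt them to your installation.

```ini
# main.cf, receiving side: opportunistic TLS on port 25 (a public MX must not
# require STARTTLS), logged and recorded in Received: headers.
smtpd_tls_cert_file = /etc/letsencrypt/live/<your.server>/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/<your.server>/privkey.pem
smtpd_tls_security_level = may
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes

# main.cf, sending side: "encrypt" only when every destination (a relayhost)
# is known to support STARTTLS; otherwise use "may".
smtp_tls_security_level = encrypt
smtp_tls_note_starttls_offer = yes

# master.cf: the submission service on port 587 overrides the server-side
# level so that clients on that port cannot continue in plaintext.
submission inet n       -       n       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
```

The weak configuration is the one this fragment avoids: leaving submission at the main.cf value may, which lets a client on port 587 skip STARTTLS.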



Send an email

echo "Body: This is a test mail. Hallo Charlie" | mail -s "Subject: A big test" [email protected]
  • Check that the receiving mail client shows the message as encrypted in transit (the grey key icon) and that the Received: header added by the receiving server records ESMTPS together with the TLS version and cipher:


Received: from ( [])
        by with ESMTPS id k12si12202871wrq.512.2020.
        for <[email protected]>
        (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128);
        Sun, 14 Jun 2020 08:49:36 -0700 (PDT)

Connection to the SMTP server

  • A connection to the SMTP server should advertise STARTTLS; openssl s_client negotiates it for you:
openssl s_client -connect localhost:25 -starttls smtp
  • In the log (with smtpd_tls_loglevel = 1):
Jun 14 18:39:27 vps748761 postfix/smtpd[31959]: Anonymous TLS connection established from localhost[]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)

"Anonymous" means that the client presented no certificate: the session is encrypted, but the client is not authenticated by TLS. Whether you can send an email over such a connection therefore depends on the server's relay restrictions, not on TLS itself.
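As an added example that is not part of the page, the function below grades the TLS parameters from the two kinds of record shown above: the Received: header line with version= and cipher=, and the smtpd log line with "TLS connection established". It flags anything below TLS 1.2, any cipher without forward secrecy (no ECDHE/DHE key exchange) and legacy algorithms. The sample records are constructed, with placeholder hosts and addresses.

```shell
#!/bin/sh
# Added example, not from the original page: grade the TLS protocol and cipher
# that Postfix writes to smtpd log lines and that receiving servers write to
# Received: headers.
set -eu

# grade_tls_record RECORD  ->  prints "PROTOCOL CIPHER VERDICT"
# VERDICT is OK, WEAK, or PLAINTEXT when the record carries no TLS information.
grade_tls_record() {
  rec=$1
  case $rec in
    *"TLS connection established"*)
      # Postfix log: "...from host[addr]: TLSv1.2 with cipher NAME (256/256 bits)"
      pair=$(printf '%s\n' "$rec" |
        sed -n 's/.*: \([A-Za-z0-9.]*\) with cipher \([A-Za-z0-9_-]*\).*/\1 \2/p') ;;
    *"version="*"cipher="*)
      # Received: header: "(version=TLS1_2 cipher=NAME bits=128/128)"
      pair=$(printf '%s\n' "$rec" |
        sed -n 's/.*version=\([A-Za-z0-9_.]*\) cipher=\([A-Za-z0-9_-]*\).*/\1 \2/p') ;;
    *) pair="" ;;
  esac
  if [ -z "$pair" ]; then
    echo "none none PLAINTEXT"; return 0
  fi
  set -- $pair
  # Received: headers spell the version TLS1_2; Postfix logs spell it TLSv1.2.
  proto=$(printf '%s\n' "$1" | sed 's/^TLS\([0-9]\)_\([0-9]\)$/TLSv\1.\2/; s/^TLS1$/TLSv1/')
  cipher=$2
  verdict=OK
  case $proto in
    TLSv1.2|TLSv1.3) ;;
    *) verdict=WEAK ;;          # SSLv3, TLS 1.0 and TLS 1.1 are deprecated
  esac
  case $cipher in
    TLS_*) ;;                   # TLS 1.3 suites always use (EC)DHE
    ECDHE-*|DHE-*) ;;           # forward secrecy
    *) verdict=WEAK ;;          # static RSA key exchange, anonymous DH, ...
  esac
  case $cipher in
    *RC4*|*DES*|*NULL*|*MD5*|*EXP*) verdict=WEAK ;;   # legacy algorithms
  esac
  echo "$proto $cipher $verdict"
}

# Constructed sample records (hosts and addresses are placeholders).
SAMPLE_LOG='Jun 14 18:39:27 vps postfix/smtpd[31959]: Anonymous TLS connection established from localhost[127.0.0.1]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)'
SAMPLE_HDR='(version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128);'
SAMPLE_OLD='Jun 14 18:40:01 vps postfix/smtpd[31960]: Untrusted TLS connection established from mx.example.test[198.51.100.7]: TLSv1 with cipher AES256-SHA (256/256 bits)'
SAMPLE_NEW='Jun 14 18:41:13 vps postfix/smtpd[31961]: Anonymous TLS connection established from client.example.test[203.0.113.9]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)'
SAMPLE_PLAIN='Jun 14 18:42:00 vps postfix/smtpd[31962]: connect from unknown[203.0.113.5]'

for r in "$SAMPLE_LOG" "$SAMPLE_HDR" "$SAMPLE_OLD" "$SAMPLE_NEW" "$SAMPLE_PLAIN"; do
  grade_tls_record "$r"
done
```

To run it over a real mail log, pipe the lines through a while-read loop and keep only the WEAK verdicts; a PLAINTEXT verdict for a "connect from" line is expected, since the TLS summary is logged on a separate line.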


The STARTTLS keyword tells the SMTP client that the SMTP server allows the use of TLS. It takes no parameters and is listed in the 250 response to EHLO:

nc localhost 25
220 ESMTP Postfix
  • STARTTLS is advertised (output abbreviated)
250-SIZE 10240000
250 DSN

If you issue STARTTLS from nc or telnet and then keep typing plaintext commands, the server expects a TLS handshake instead and logs:

warning: TLS library problem: 31735:error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:640

You cannot go further with telnet or nc because they do not speak TLS; use openssl s_client -starttls smtp instead.

Documentation / Reference
