Forcing encryption for outgoing SMTP with Postfix

postfix smtp

smtp_tls_security_level = encrypt or smtp_enforce_tls=yes

For specific destinations you could use smtp_tls_policy_maps

smtp_use_tls = yes and smtp_enforce_tls=yes are deprecated. With Postfix 2.3 and later use smtp_tls_security_level instead.

Remember: Enforcing TLS encryption could cause mail delivery problems for SMTP host, that doesn't have TLS configured. If server is used to deliver mails to only your internal server with configured TLS, it's not a problem in that case. But if server is used to deliver mail to public servers, you cannot assume, that all servers has TLS support. In that case use smtp_tls_security_level = may


The idea is to force users to configure their email clients with encrypted outgoing smtp server. With the current conf, Thunderbird leave them the option to communicate with the smtp server in plain text...

You cannot disable option in Thunderbird without recompiling source code, but you can configure postfix stmpd daemon (which receives mail from your clients) to enforce encryption. To do that, use smtpd_tls_security_level=encrypt, which is equivalent of obsolete options smtpd_use_tls=yes and smtp_enforce_tls=yes. smtpd_tls_security_level=encrypt and smtp_enforce_tls=yes implies smtpd_tls_auth_only=yes

From postfix documentation about smtpd_tls_security_level=encrypt

Mandatory TLS encryption: announce STARTTLS support to SMTP clients, and require that clients use TLS encryption. According to RFC 2487 this MUST NOT be applied in case of a publicly-referenced SMTP server. Instead, this option should be used only on dedicated servers.

If you use public server, you cannot enforce email encryption on port 25/tcp. Better solution is disable mail delivery on by postfix smtpd daemon port 25/tcp from your clients and enable postfix submission daemon (which is special postfix smtpd daemon used only for receiving mail from your local clients described in RFC 4409 running on port 587/tcp). To do that, set smtpd_tls_security_level=may and remove permit_sasl_authenticated from smtpd_recipient_restrictions. In master.cf uncomment line about submission daemon:

submission inet n       -       n       -       -   submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_recipient_resrictions=permit_sasl_authenticated,reject

Just curious, how are you telling that it isn't using TLS? The default value for smtp_tls_loglevel (which is different from smtpd_tls_loglevel) is 0, so by default you won't see anything about TLS negotiation for outbound mail in Postfix's logs.

If you set smtp_tls_loglevel = 1 or higher, you should see a line like this in the log when a message is sent:

Mar 7 22:28:10 rack postfix/smtp[27400]: initializing the client-side TLS engine

I admit I'm being lazy, but aside from that (and ms' notes above) the config looks fine to me at a glance.

Related

Selecting Interface for SSH Port Forwarding
Changing the Sudo warning
Don't see Failed Request Tracing in IIS Manager
nginx catch all other locations than given
Nice rsync on remote machine
Things every SQL Server DBA should know
Testing whether jumbo frames are actually working
AWS can not change DB Subnet Group for AWS RDS
Where are the default ulimits specified on OS X (10.5)?
SASL LOGIN authentication failed: UGFzc3dvcmQ6 - Find the username
How do I restart a single website in IIS7+ using commandline?
Speed up SFTP uploads on high latency network?