How do I verify that my Postfix really uses TLS to send outgoing mail?

I successfully installed Postfix on my VPS. I would like to send encrypted email. I installed all certificates and private keys and set my conf file:

smtpd_tls_key_file = <path to my private key>
smtpd_tls_cert_file = <path to my cert file>
smtpd_recipient_restrictions = permit_mynetworks reject_unauth_destination
smtpd_tls_security_level = encrypt

But I do not know what else to do. I mean, how can I check that my emails are being encrypted? I use the PHP mail() function to send outgoing mail.


Solution 1:

When Postfix sends email to another server, it acts as an SMTP client. Therefore you need to refer to the related documentation about the SMTP client and TLS.

To activate the TLS encryption feature for the Postfix SMTP client, you need to put this line in main.cf:

smtp_tls_security_level = may

It will put the Postfix SMTP client into opportunistic TLS mode, i.e. the SMTP transaction is encrypted if the STARTTLS ESMTP feature is supported by the server. Otherwise, messages are sent in the clear.

To find out whether an SMTP transaction is encrypted or not, increase smtp_tls_loglevel to 1:

smtp_tls_loglevel = 1

With this config, Postfix will log a line like this when the SMTP transaction is encrypted:

postfix-2nd/smtp[66563]: Trusted TLS connection established to gmail-smtp-in.l.google.com[74.125.200.27]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)

When you're finished editing the config file, remember to execute:

postfix reload

to make the changes take effect.


Note: Your config above only covers the Postfix SMTP server smtpd, the daemon used to receive email.
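A passive check over the log lines the answer above describes, added here as an example (it is not code from the original answer): it reads mail.log, or the constructed sample embedded in it, pairs each delivery record with the TLS session its smtp(8) process logged, and lists every delivery that went out without one. The log format is Postfix's own; the sample lines, queue IDs and the hosts other than the Gmail MX quoted above are constructed for the example.

```python
"""Classify Postfix outbound deliveries in mail.log as TLS or plaintext.

Added example, not code from the original post. Assumes the settings from the
answer above (smtp_tls_security_level = may, smtp_tls_loglevel = 1), under
which the Postfix SMTP client logs a "... TLS connection established to
host[ip]:port: ..." line before the "status=..." lines of the deliveries it
makes over that session. SAMPLE_LOG is constructed.
"""
import re
import sys
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# smtp(8) client TLS session line. The prefix says how far the peer was checked:
# Anonymous (no certificate), Untrusted (certificate not validated, the normal
# result for "may"), Trusted (chains to a trusted CA), Verified (name matches).
TLS_RE = re.compile(
    r"/smtp\[(?P<pid>\d+)\]: (?P<trust>Anonymous|Untrusted|Trusted|Verified) TLS "
    r"connection established to (?P<relay>\S+): (?P<proto>\S+) with cipher (?P<cipher>\S+)"
)
# Per-recipient delivery record written by the same smtp(8) process.
DELIVERY_RE = re.compile(
    r"/smtp\[(?P<pid>\d+)\]: (?P<qid>[0-9A-Za-z]+): to=<(?P<rcpt>[^>]*)>, "
    r"relay=(?P<relay>[^,]+), .*status=(?P<status>\w+)"
)

# Constructed sample: a Trusted TLS delivery, a delivery with no TLS line at all
# (cleartext fallback), and an Untrusted TLS delivery.
SAMPLE_LOG = """\
Jun  1 10:00:01 vps postfix/smtp[66563]: Trusted TLS connection established to gmail-smtp-in.l.google.com[74.125.200.27]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Jun  1 10:00:02 vps postfix/smtp[66563]: 4F2A1B3C2D: to=<alice@gmail.com>, relay=gmail-smtp-in.l.google.com[74.125.200.27]:25, delay=1.2, delays=0.1/0.01/0.5/0.6, dsn=2.0.0, status=sent (250 2.0.0 OK)
Jun  1 10:05:10 vps postfix/smtp[66580]: 9A8B7C6D5E: to=<bob@example.net>, relay=mail.example.net[192.0.2.10]:25, delay=0.9, delays=0.1/0.01/0.3/0.5, dsn=2.0.0, status=sent (250 OK)
Jun  1 10:06:00 vps postfix/smtp[66590]: Untrusted TLS connection established to mx.example.org[198.51.100.5]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
Jun  1 10:06:01 vps postfix/smtp[66590]: 1122AABB33: to=<carol@example.org>, relay=mx.example.org[198.51.100.5]:25, delay=1.0, delays=0.1/0.01/0.4/0.5, dsn=2.0.0, status=sent (250 OK)
"""


@dataclass
class Delivery:
    queue_id: str
    recipient: str
    relay: str
    status: str
    encrypted: bool
    trust: Optional[str] = None
    protocol: Optional[str] = None
    cipher: Optional[str] = None


def classify_deliveries(lines: Iterable[str]) -> List[Delivery]:
    """Pair each delivery with the TLS session its smtp(8) process last set up.

    Heuristic: the TLS line carries no queue ID, so it is matched to later
    delivery lines by process ID and relay (host[ip]:port). One TLS session
    reused for several messages is handled; a process that later reconnects to
    the same relay in the clear would still be reported as encrypted.
    """
    last_tls: Dict[str, Dict[str, str]] = {}
    deliveries: List[Delivery] = []
    for line in lines:
        m = TLS_RE.search(line)
        if m:
            last_tls[m["pid"]] = m.groupdict()
            continue
        m = DELIVERY_RE.search(line)
        if not m:
            continue
        tls = last_tls.get(m["pid"])
        encrypted = tls is not None and tls["relay"] == m["relay"]
        deliveries.append(Delivery(
            queue_id=m["qid"], recipient=m["rcpt"], relay=m["relay"], status=m["status"],
            encrypted=encrypted,
            trust=tls["trust"] if encrypted else None,
            protocol=tls["proto"] if encrypted else None,
            cipher=tls["cipher"] if encrypted else None,
        ))
    return deliveries


def plaintext_deliveries(deliveries: List[Delivery]) -> List[Delivery]:
    """The deliveries that went out unencrypted: the list you want to be empty."""
    return [d for d in deliveries if not d.encrypted]


def summarize(deliveries: List[Delivery]) -> Dict[str, int]:
    plain = len(plaintext_deliveries(deliveries))
    return {"encrypted": len(deliveries) - plain, "plaintext": plain}


def main(argv: List[str]) -> int:
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8", errors="replace") as fh:
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE_LOG.splitlines()
    deliveries = classify_deliveries(lines)
    for d in deliveries:
        how = f"{d.trust} {d.protocol} {d.cipher}" if d.encrypted else "PLAINTEXT"
        print(f"{d.queue_id} {d.recipient:<24} {d.relay:<46} {d.status:<8} {how}")
    print("summary:", summarize(deliveries))
    return 1 if plaintext_deliveries(deliveries) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as python3 postfix_tls_log.py /var/log/mail.log after sending yourself a test message; a non-zero exit means at least one delivery went out in the clear. Watch the trust column too: with smtp_tls_security_level = may, Postfix encrypts but does not validate the peer certificate, so "Untrusted" is the normal result, which defeats passive eavesdropping but not an active attacker who strips STARTTLS. For destinations where that matters, the client policy can be tightened per destination with smtp_tls_policy_maps (for example a "secure" or "dane" entry).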

Solution 2:

It seems you want to send normal, unencrypted email over a secure, encrypted / authenticated connection.

I mean: how can I check if my SMTP server is really talking to, let's say, Gmail via a TLS channel?

Here you say you want to verify that connections made to your MTA really are using your encrypted means of communication.

That question has been answered here: https://security.stackexchange.com/questions/58857/test-starttls-configuration-of-smtp-server

For example: https://www.checktls.com/tests.html
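A do-it-yourself version of the external STARTTLS test the links above point to, added here as an example (it is not the original answer's code and not how checktls works internally): a Python probe that behaves like a strict SMTP client towards whatever MX you name on the command line. It reports whether STARTTLS is offered, which protocol and cipher were negotiated, and whether the certificate validates, which is exactly what an opportunistic Postfix client silently skips. Point it at your own server from outside to check the inbound smtpd configuration from the question, or at a remote MX to see what your outbound client would get. No host names are hard-wired; the verify=False mode and the verdict strings are this example's own conventions.

```python
"""Probe an SMTP server's STARTTLS support from the outside.

Added example, not code from the original post or from the checktls service
linked above. Connects on port 25, reads the EHLO extension list, upgrades with
STARTTLS under a verifying TLS context, and reports protocol, cipher and
certificate. The target host comes from the command line.
"""
import json
import smtplib
import ssl
import sys
from typing import Any, Dict


def build_tls_context(verify: bool = True) -> ssl.SSLContext:
    """Strict by default (CA validation, hostname check, TLS 1.2 or newer), so a
    bad certificate surfaces as an error instead of passing silently.
    verify=False mirrors Postfix's opportunistic "may" level, which encrypts but
    accepts any certificate; use it only to see what a server offers."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def probe_starttls(host: str, port: int = 25, verify: bool = True,
                   timeout: float = 15.0) -> Dict[str, Any]:
    """Return a report dict; the usual failure modes end up in report["error"]."""
    report: Dict[str, Any] = {"host": host, "port": port, "starttls_offered": False,
                              "tls": None, "error": None}
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.ehlo()
            report["starttls_offered"] = smtp.has_extn("starttls")
            if not report["starttls_offered"]:
                return report  # an opportunistic client would now send in the clear
            smtp.starttls(context=build_tls_context(verify))
            sock = smtp.sock  # now an ssl.SSLSocket
            cipher_name, _proto, bits = sock.cipher()
            cert = sock.getpeercert() or {}  # empty when verify=False
            report["tls"] = {
                "protocol": sock.version(),
                "cipher": cipher_name,
                "bits": bits,
                "subject": {k: v for rdn in cert.get("subject", ()) for k, v in rdn},
                "not_after": cert.get("notAfter"),
            }
    except ssl.SSLCertVerificationError as exc:
        report["error"] = f"certificate verification failed: {exc.verify_message}"
    except (smtplib.SMTPException, OSError) as exc:  # ssl.SSLError is an OSError
        report["error"] = f"{type(exc).__name__}: {exc}"
    return report


def verdict(report: Dict[str, Any]) -> str:
    """One-line interpretation of a probe report."""
    if report["error"]:
        return "FAIL: " + report["error"]
    if not report["starttls_offered"]:
        return "FAIL: STARTTLS not offered; an opportunistic sender would use cleartext"
    t = report["tls"]
    cn = t["subject"].get("commonName", "?")
    return f"OK: {t['protocol']} {t['cipher']} ({t['bits']} bits), certificate CN={cn}"


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit(f"usage: {sys.argv[0]} mx-host [port] [--no-verify]")
    target = sys.argv[1]
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 and sys.argv[2].isdigit() else 25
    result = probe_starttls(target, target_port, verify="--no-verify" not in sys.argv)
    print(json.dumps(result, indent=2))
    print(verdict(result))
    sys.exit(0 if result["error"] is None and result["tls"] else 1)
```

Usage: python3 starttls_probe.py mx.example.org, or add --no-verify to see the cipher a server negotiates even when its certificate would not validate. A FAIL on certificate verification is informative rather than fatal for ordinary mail flow, because a Postfix client at level "may" would still deliver, but it tells you that nothing on the path is protecting against an active attacker.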