postfix opportunistic TLS encryption for outgoing server mail

enable by default on initial installs postfix opportunistic TLS encryption for outgoing server emails as per http://www.postfix.org/TLS_README.html#client_tls_may for existing users they can implement this via SSH command line using the following commands where first command checks current default postfix values which usually is empty and the last command checks the customised postfix config settings after postconf -d smtp_tls_CAfile smtp_tls_security_level smtp_tls_loglevel smtp_tls_session_cache_database postconf -e 'smtp_tls_CAfile=/etc/pki/tls/certs/ca-bundle.crt' postconf -e 'smtp_tls_security_level = may' postconf -e 'smtp_tls_loglevel = 1' postconf -e 'smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_scache' service postfix reload postconf -n smtp_tls_CAfile smtp_tls_security_level smtp_tls_loglevel smtp_tls_session_cache_database
centminmod · Sep 14, 2015 · e3ef1e5 · e3ef1e5
1 parent 3aebc52
commit e3ef1e5
Showing 1 changed file with 14 additions and 0 deletions.
diff --git a/inc/postfix.inc b/inc/postfix.inc
@@ -67,6 +67,20 @@ postconf -n | grep '^smtpd_tls_mandatory_exclude_ciphers'
 # postconf -e 'smtpd_tls_dh1024_param_file = /path/to/dhparams.pem'
 # postconf -n | grep '^smtpd_tls_dh1024_param_file'
 
+# setup Postfix Opportunistic TLS connections for outgoing emails from server
+# http://www.postfix.org/TLS_README.html#client_tls_may
+# With opportunistic TLS, mail delivery continues even if the server certificate is untrusted or bears the wrong name. 
+# When the TLS handshake fails for an opportunistic TLS session, rather than give up on mail delivery, the Postfix 
+# SMTP client retries the transaction with TLS disabled. Trying an unencrypted connection makes it possible to 
+# deliver mail to sites with non-interoperable server TLS implementations.
+postconf -d smtp_tls_CAfile smtp_tls_security_level smtp_tls_loglevel smtp_tls_session_cache_database
+postconf -e 'smtp_tls_CAfile=/etc/pki/tls/certs/ca-bundle.crt'
+postconf -e 'smtp_tls_security_level = may'
+postconf -e 'smtp_tls_loglevel = 1'
+postconf -e 'smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_scache'
+service postfix reload
+postconf -n smtp_tls_CAfile smtp_tls_security_level smtp_tls_loglevel smtp_tls_session_cache_database
+
 cmservice postfix restart
 postconf -n | grep mailbox_size_limit | head -n1 | awk '{print $3}'