Postfix helper for mandatory TLS
Switch branches/tags
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.


Build Status

Postfix helper script that does the following:

  • make TLS mandatory for outgoing mail wherever possible and
  • optionally alert postmasters of domains that don't support STARTTLS

In case of bugs, ideas, enhancements, feel free to open an issue or pull request on Github.


  • Set Postfix SMTP client logging (configuration option smtp_tls_loglevel) to '1' or higher.
  • Ensure that Python (2.7) is installed.
  • Copy the script to your mail system (e.g. to /usr/local/bin/) and make executable.
  • Make sure that the script can write to Postfix TLS policy map and notls SQLite DB and that the directories exist.

Postfix TLS policy map Configuration

  • Configure the Postfix TLS policy map in

smtp_tls_policy_maps = hash:/etc/postfix/tls_policy

Running the script

  • Run -h and learn about the commandline options.
  • Optionally configure logrotate to run the script automatically against the mail log file just after rotation. This can be done by configuring a post-script in the corresponding logrotate configure include (e.g. /etc/logrotate.d/rsyslog):
		/usr/local/bin/ -d


  • munin: see the documentation header of munin-plugin


  • 2018-07-18: version 0.9.0
    • added monitoring of mails sent over Tor
    • added reporting of blocked domains, because of missing TLS
    • added munin plugin
    • added tests
    • improved file handling
    • improved Python 3 compatibility
  • 2017-11-11: version 0.8.1
    • fix version number and update todo list in the script
  • 2017-11-11: version 0.8.0
    • restructured code, swap out all postfix related code into separate functions.
    • added new data structure 'relayDict' which can be filled by any mta specific functions
    • simplified the logic for parsing postfix logs
    • added IPv6 localhost address ::1 to relay whitlist
    • TLS domains are deleted from SQLite DB now
    • fixed calculated numbers of unencrypted mails
  • 2017-06-04: version 0.7.3
    • add support for a relay whitelist
  • 2017-06-04: version 0.7.2
    • set envelope sender address to op['from'] when using sendmail.
  • 2017-05-18: version 0.7.1
    • don't send alert mails by default (Fixes #6)
    • consequently replace commandline options '-A'/'--no-alerts' by '-a'/'--alerts'.
  • 2017-02-19: version 0.7
    • renamed to mail-tls-helper
    • complete rewrite in Python
    • fixed logfile parsing logic, much more robust now
    • added support for commandline arguments
    • added support to create a Postfix TLS policy map
  • 2017-01-22: version 0.5
    • initial release