I successfully installed Postfix on my VPS. I would like to send encrypted email. I installed all certificates and private keys and set my conf file:

smtpd_tls_key_file = <path to my private key>
smtpd_tls_cert_file = <path to my cert file>
smtpd_recipient_restrictions = permit_mynetworks reject_unauth_destination
smtpd_tls_security_level = encrypt

But I do not know what else to do. I mean, how can I check that my emails are being encrypted? I use the php mail() function to send outgoing mails.

peterh
gdm
  • Do you want to encrypt the connection to your mailserver (which you have set up) and/or encrypt the actual body of the emails? It seems you have done the former, but that's only half the job if you want to encrypt the actual emails. Look into S/Mime and PGP/GPG for that part. See this useful blog post too: https://blogs.fsfe.org/jens.lechtenboerger/2013/12/23/openpgp-and-smime/ – JayMcTee Jun 18 '15 at 10:17
  • Uhm.. I means: how can check if my smtp server is really talking to let say gmail via TLS channel? – gdm Jun 18 '15 at 12:27
  • @JayMcTee He is using probably a local postfix install to send outgoing mails, although he had to mention that. – peterh Jun 23 '15 at 22:06

2 Answers

When Postfix sends email to another server, Postfix acts as an SMTP client. Therefore you need to refer to the related documentation about the SMTP client and TLS.

To activate the TLS encryption feature for the Postfix SMTP client, you need to put this line in main.cf:

smtp_tls_security_level = may

This puts the Postfix SMTP client into opportunistic TLS mode, i.e. the SMTP transaction is encrypted if the STARTTLS ESMTP feature is supported by the server. Otherwise, messages are sent in the clear.

To find out whether an SMTP transaction is encrypted or not, increase smtp_tls_loglevel to 1:

smtp_tls_loglevel = 1

With this config, Postfix will log a line like this when an SMTP transaction is encrypted:

postfix-2nd/smtp[66563]: Trusted TLS connection established to gmail-smtp-in.l.google.com[74.125.200.27]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)

When you're finished editing the config file, remember to execute:

postfix reload

to make the changes take effect.


Note: Your config above only covers the Postfix SMTP server smtpd, the daemon used to receive email.

vallentin
masegaloeh
It seems you want to send normal, unencrypted email over a secure, encrypted / authenticated connection.

I means: how can check if my smtp server is really talking to let say gmail via TLS channel?

Here you say you want to verify that connections made to your MTA really are using your encrypted means of communication.

That question has been answered here: https://security.stackexchange.com/questions/58857/test-starttls-configuration-of-smtp-server

For example: https://www.checktls.com/tests.html

JayMcTee