Postfix Encryption

I am running latest version of VM (16 June 2016) in CentOS 7. I got DKIM, SPF & DMARC to work, however, outgoing emails are not getting encrypted.

I tried all the suggestions recommended on other posts for this issue… but couldn’t crack it.

I have enabled self signed SSL certificates for Postfix, Dovecot & ProFTP (Also tried Lets Crypt certs with same results).

I have uncommented these from /etc/postfix/

submission inet n - n - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes

-o smtpd_reject_unlisted_recipient=no

-o smtpd_client_restrictions=$mua_client_restrictions
-o smtpd_helo_restrictions=$mua_helo_restrictions
-o smtpd_sender_restrictions=$mua_sender_restrictions
-o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING

smtps is uncommented by default

smtps inet n - n - - smtpd -o syslog_name=postfix/smtps -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes -o smtpd_reject_unlisted_recipient=no -o smtpd_clien…

I have added smtpd_tls_security_level = encrypt to /etc/postfix/

/etc/postfix/ config looks like this:

virtual_alias_maps = hash:/etc/postfix/virtual
sender_bcc_maps = hash:/etc/postfix/bcc
mailbox_command = /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME
home_mailbox = Maildir/
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination
mailbox_size_limit = 0
allow_percent_hack = no
smtpd_tls_cert_file = /etc/postfix/postfix.cert.pem
smtpd_tls_key_file = /etc/postfix/postfix.key.pem
#smtpd_use_tls = yes
smtpd_tls_security_level = encrypt
smtpd_tls_mandatory_protocols = SSLv3, TLSv1
smtpd_tls_mandatory_ciphers = high
milter_default_action = accept
milter_protocol = 2
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891

Also added this according to instructions here:

sender_dependent_default_transport_maps = hash:/etc/postfix/dependent

I am testing encryption by sending emails to gmail account. My emails look like this
mailed-by: domain.tld
signed-by: domain.tld
encryption: domain.tld did not encrypt this message Learn more

Am I missing something?

Howdy – it sounds like you’re asking how to enable opportunistic encryption in outgoing emails, is that correct?

What you may want to do is edit the file, and in there, set this parameter:

smtp_tls_security_level = may

Then, restart Postfix after that. Once you do that, it should then encrypt emails when communicating with any server that supports it.

Wow it worked!

Do I still need smtpd_tls_security_level = encrypt or smtpd_use_tls = yes


Parameters beginning with “smtpd” refer to incoming requests from other servers… requests beginning with “smtp” refer to outgoing.

So all those parameters may be useful to your needs, though they’d be used in different circumstances.


Thanks for the explanation. It helped in configuring postfix!