StartTLS for Opportunistic Email Encryption with Postfix
Out of dateThis document was written in 2002. Since then, the features it discusses have moved into Postfix, including important improvements to forward secrecy. You should look to TLS Forward Secrecy in Postfix at postfix.org for up to date advice.
Archived contentLots and lots of sites use StartTLS for encrypting local email, usually so that they can hide passwords when SMTP auth is used. But, StartTLS also gives you the ability to opportunisticly encrypt mail as it heads across the Internet. This document builds on Patrick Koetter's STMTP/StartTLS docs, and starts at the end of #15, where he says "That's it. Your done. Have fun." Speaking of having fun, this page has now been translated into a number of languages:
Pre-conditions: Have postfix installed and running. Have StartTLS
going when postfix is a server.
Now, this is really easy. Let me simply offer up the relevant
bits of my postfix main.cf:
The second two are the same values as my
If everything has worked as planned, your mail recieved headers will get better, looking something like this:
Received: from Alice (using TLSv1 with cipher EDH-RSA-DES-CBC3-SHA (168/168 bits)) (No client certificate requested) by Bob (Postfix) with ESMTP id CC7593008F for <email@example.com>; Wed, 2 Oct 2002 15:20:39 -0400 (EDT)
If everything is not working as planned, turn up your log levels. Odds are good you're already trading mail with people using starttls.
And that's it. You're done. Have fun.
I also want to draw attention to The Postfix/TLS site and documentation for the config file, which I had trouble finding.