Last updated: 2026-02-11
Postfix TLS/SSL Configuration Guide
This guide provides recommended TLS/SSL settings for Postfix, a widely used SMTP mail server. Postfix has two TLS roles: as a server receiving mail (SMTPD) and as a client sending mail (SMTP). Both need to be configured separately.
Prerequisites
- Postfix 3.4 or later (3.6+ recommended for simplified protocol syntax)
- OpenSSL 1.1.1 or later
- A valid SSL/TLS certificate from a trusted CA
Certificate Configuration
smtpd_tls_cert_file = /etc/postfix/ssl/fullchain.pem
smtpd_tls_key_file = /etc/postfix/ssl/privkey.pem
Server (SMTPD) TLS Configuration
These settings control how Postfix handles incoming SMTP connections.
Enable TLS
smtpd_tls_security_level = may
- may -- Announce STARTTLS and use it if the sending server supports it, but don't require it (recommended for a public MX server)
- encrypt -- Require TLS for all incoming connections (only suitable for submission ports or private relays, not for public MX)
For a public-facing MX server, use
may. Requiring encryption will reject mail from servers that don't support TLS, causing legitimate email to bounce.
Protocol Versions
For Postfix 3.6+:
smtpd_tls_mandatory_protocols = >=TLSv1.2
smtpd_tls_protocols = >=TLSv1.2
For Postfix before 3.6 (3.3 through 3.5):
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
- smtpd_tls_mandatory_protocols applies when
smtpd_tls_security_level = encrypt. - smtpd_tls_protocols applies when
smtpd_tls_security_level = may(opportunistic TLS).
Cipher Settings
smtpd_tls_mandatory_ciphers = medium
tls_medium_cipherlist = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
Postfix uses cipher grade levels (high, medium, low) which map to configurable cipher lists. Setting smtpd_tls_mandatory_ciphers = medium and defining tls_medium_cipherlist gives you direct control.
Session Cache
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_tls_session_cache_timeout = 3600s
Logging
smtpd_tls_loglevel = 1
Set to 1 to log TLS connection summaries, or 2 for detailed negotiation information (useful for debugging).
Client (SMTP) TLS Configuration
These settings control how Postfix connects to other mail servers when sending outbound mail.
Enable TLS
smtp_tls_security_level = may
- may -- Use TLS if the receiving server supports it (recommended for general delivery)
- encrypt -- Require TLS for all outbound connections (may cause delivery failures)
- dane -- Use DNS-based Authentication of Named Entities to verify server certificates (recommended if your DNS resolver supports DNSSEC)
Protocol Versions
For Postfix 3.6+:
smtp_tls_mandatory_protocols = >=TLSv1.2
smtp_tls_protocols = >=TLSv1.2
For Postfix before 3.6 (3.3 through 3.5):
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
Cipher Settings
smtp_tls_mandatory_ciphers = medium
The tls_medium_cipherlist setting defined above applies to both SMTPD and SMTP.
Session Cache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_tls_session_cache_timeout = 3600s
DANE Support
DANE (DNS-Based Authentication of Named Entities) uses TLSA DNS records to verify server certificates without relying on certificate authorities. If your DNS resolver validates DNSSEC:
smtp_tls_security_level = dane
smtp_dns_support_level = dnssec
Submission Port (587)
For authenticated email submission from mail clients, configure a separate submission service in master.cf with mandatory TLS:
submission inet n - n - - smtpd
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_relay_restrictions=permit_sasl_authenticated,reject
Complete Configuration
In main.cf:
# Certificate files
smtpd_tls_cert_file = /etc/postfix/ssl/fullchain.pem
smtpd_tls_key_file = /etc/postfix/ssl/privkey.pem
# Server TLS (receiving mail)
smtpd_tls_security_level = may
# >=TLSv1.2 syntax requires Postfix 3.6+
# On Postfix before 3.6 (e.g., RHEL 8 ships 3.3, Debian 11 ships 3.5, SLES 15 ships 3.4-3.5), use instead:
# smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
# smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_mandatory_protocols = >=TLSv1.2
smtpd_tls_protocols = >=TLSv1.2
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_loglevel = 1
# Client TLS (sending mail)
smtp_tls_security_level = dane
smtp_dns_support_level = dnssec
# >=TLSv1.2 syntax requires Postfix 3.6+
# On Postfix 3.4/3.5, use instead:
# smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
# smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_mandatory_protocols = >=TLSv1.2
smtp_tls_protocols = >=TLSv1.2
smtp_tls_mandatory_ciphers = medium
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_tls_session_cache_timeout = 3600s
smtp_tls_loglevel = 1
# Cipher list (applies to both server and client)
tls_medium_cipherlist = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
# Enforce server cipher preference (all Postfix versions; aliased as tls_server_cipher_preference in 3.6+)
tls_preempt_cipherlist = yes
Verification
Reload Postfix and verify the configuration:
postfix check
systemctl reload postfix
Test inbound TLS by sending a test message and checking the headers. You should see a Received: header with TLS information.
Test outbound TLS:
postfix/smtp[1234]: Trusted TLS connection established to mx.example.com[192.0.2.1]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384
Check the Postfix TLS log:
postlog -t postfix/smtp | grep TLS
Test your MX server's TLS configuration with the Mr.DNS SSL/TLS Certificate Check (port 25 for STARTTLS, 465 for implicit TLS).
Verify SPF, DKIM, and DMARC alignment for the sending domain with the Mr.DNS Email Authentication Health Check.