Last updated: 2026-02-11

Postfix TLS/SSL Configuration Guide

This guide provides recommended TLS/SSL settings for Postfix, a widely used SMTP mail server. Postfix has two TLS roles: as a server receiving mail (SMTPD) and as a client sending mail (SMTP). Both need to be configured separately.

Prerequisites

• Postfix 3.4 or later (3.6+ recommended for simplified protocol syntax)
• OpenSSL 1.1.1 or later
• A valid SSL/TLS certificate from a trusted CA

Certificate Configuration

smtpd_tls_cert_file = /etc/postfix/ssl/fullchain.pem
smtpd_tls_key_file = /etc/postfix/ssl/privkey.pem

Server (SMTPD) TLS Configuration

These settings control how Postfix handles incoming SMTP connections.

Enable TLS

smtpd_tls_security_level = may

• may -- Announce STARTTLS and use it if the sending server supports it, but don't require it (recommended for a public MX server)
• encrypt -- Require TLS for all incoming connections (only suitable for submission ports or private relays, not for public MX)

For a public-facing MX server, use may. Requiring encryption will reject mail from servers that don't support TLS, causing legitimate email to bounce.

Protocol Versions

For Postfix 3.6+:

smtpd_tls_mandatory_protocols = >=TLSv1.2
smtpd_tls_protocols = >=TLSv1.2

For Postfix before 3.6 (3.3 through 3.5):

smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1

• smtpd_tls_mandatory_protocols applies when smtpd_tls_security_level = encrypt.
• smtpd_tls_protocols applies when smtpd_tls_security_level = may (opportunistic TLS).

Cipher Settings

smtpd_tls_mandatory_ciphers = medium
tls_medium_cipherlist = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305

Postfix uses cipher grade levels (high, medium, low) which map to configurable cipher lists. Setting smtpd_tls_mandatory_ciphers = medium and defining tls_medium_cipherlist gives you direct control.

Session Cache

smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_tls_session_cache_timeout = 3600s

Logging

smtpd_tls_loglevel = 1

Set to 1 to log TLS connection summaries, or 2 for detailed negotiation information (useful for debugging).

Client (SMTP) TLS Configuration

These settings control how Postfix connects to other mail servers when sending outbound mail.

Enable TLS

smtp_tls_security_level = may

• may -- Use TLS if the receiving server supports it (recommended for general delivery)
• encrypt -- Require TLS for all outbound connections (may cause delivery failures)
• dane -- Use DNS-based Authentication of Named Entities to verify server certificates (recommended if your DNS resolver supports DNSSEC)

Protocol Versions

For Postfix 3.6+:

smtp_tls_mandatory_protocols = >=TLSv1.2
smtp_tls_protocols = >=TLSv1.2

For Postfix before 3.6 (3.3 through 3.5):

smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1

Cipher Settings

smtp_tls_mandatory_ciphers = medium

The tls_medium_cipherlist setting defined above applies to both SMTPD and SMTP.

Session Cache

smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_tls_session_cache_timeout = 3600s

DANE Support

DANE (DNS-Based Authentication of Named Entities) uses TLSA DNS records to verify server certificates without relying on certificate authorities. If your DNS resolver validates DNSSEC:

smtp_tls_security_level = dane
smtp_dns_support_level = dnssec

Submission Port (587)

For authenticated email submission from mail clients, configure a separate submission service in master.cf with mandatory TLS:

submission inet n - n - - smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject

Complete Configuration

In main.cf:

# Certificate files
smtpd_tls_cert_file = /etc/postfix/ssl/fullchain.pem
smtpd_tls_key_file = /etc/postfix/ssl/privkey.pem

# Server TLS (receiving mail)
smtpd_tls_security_level = may
# >=TLSv1.2 syntax requires Postfix 3.6+
# On Postfix before 3.6 (e.g., RHEL 8 ships 3.3, Debian 11 ships 3.5, SLES 15 ships 3.4-3.5), use instead:
#   smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
#   smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_mandatory_protocols = >=TLSv1.2
smtpd_tls_protocols = >=TLSv1.2
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_loglevel = 1

# Client TLS (sending mail)
smtp_tls_security_level = dane
smtp_dns_support_level = dnssec
# >=TLSv1.2 syntax requires Postfix 3.6+
# On Postfix 3.4/3.5, use instead:
#   smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
#   smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_mandatory_protocols = >=TLSv1.2
smtp_tls_protocols = >=TLSv1.2
smtp_tls_mandatory_ciphers = medium
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_tls_session_cache_timeout = 3600s
smtp_tls_loglevel = 1

# Cipher list (applies to both server and client)
tls_medium_cipherlist = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305

# Enforce server cipher preference (all Postfix versions; aliased as tls_server_cipher_preference in 3.6+)
tls_preempt_cipherlist = yes

Verification

Reload Postfix and verify the configuration:

postfix check
systemctl reload postfix

Test inbound TLS by sending a test message and checking the headers. You should see a Received: header with TLS information.

Test outbound TLS:

postfix/smtp[1234]: Trusted TLS connection established to mx.example.com[192.0.2.1]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384

Check the Postfix TLS log:

postlog -t postfix/smtp | grep TLS

Test your MX server's TLS configuration at https://www.checktls.com/ or https://ssl-tools.net/mailservers.