MBF Knowledge Base

How do I restrict the TLS protocols used for incoming and outgoing connections in Postfix?

This feature is available in Postfix 2.3 and later, but should only be used if deemed necessary.

With "smtpd_tls_security_level = may" and "smtp_tls_security_level = may" set in /etc/postfix/main.cf, Postfix announces TLS support to remote SMTP clients (and uses TLS when sending, if the remote server offers it) but does not require TLS in either direction. The available TLS protocols are specified in the "smtpd_tls_mandatory_protocols" and "smtp_tls_mandatory_protocols" configuration parameters (the example below also sets the matching "smtpd_tls_protocols" and "smtp_tls_protocols"). These parameters control the SSL/TLS protocols used with opportunistic TLS.

You can enforce the use of TLS such that no mail will be sent or received without TLS encryption by setting "smtpd_tls_security_level = encrypt" and "smtp_tls_security_level = encrypt".
However, according to RFC 2487, "A publicly-referenced SMTP server MUST NOT require use of the STARTTLS extension in order to deliver mail locally."

Because RFC-compliant mail servers should not enforce the use of TLS, mail will usually be received and sent with opportunistic TLS. Therefore, restricting the protocols available for use can create interoperability problems, or result in mail being sent in cleartext without any form of TLS.

The following can be used to restrict which TLS protocols are used, assuming the circumstances require it. The recommended syntax is to exclude unwanted protocols rather than to list allowed ones. Below is an example of doing so in /etc/postfix/main.cf (note that the settings must start in the first column, because main.cf treats a line beginning with whitespace as a continuation of the previous line):

# Outgoing connections (Postfix as SMTP client):
smtp_tls_security_level = may
smtp_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtp_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1

# Incoming connections (Postfix as SMTP server):
smtpd_tls_security_level = may
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtpd_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
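An added example, not from this knowledge base page or from Postfix itself: a small pre-deployment check that reads a main.cf text and reports, for each of the four protocol parameters above, which legacy versions are still allowed, catching the common slip of excluding versions in the mandatory parameter but not its opportunistic counterpart (or leaving one unset). The main.cf reader is a simplified one written for this example; on a live host, feed it the output of `postconf -n` instead of the file.

```python
"""Audit a Postfix main.cf text for the TLS protocol exclusions shown above."""
import re

LEGACY = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1")  # versions the example excludes
PARAMS = ("smtp_tls_protocols", "smtp_tls_mandatory_protocols",
          "smtpd_tls_protocols", "smtpd_tls_mandatory_protocols")


def parse_main_cf(text):
    """Simplified main.cf reader (example code, not Postfix's own parser):
    'name = value' lines, '#' comment lines, and continuation lines
    (a line starting with whitespace extends the previous parameter's value)."""
    params, last = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and last is not None:
            params[last] += " " + raw.strip()
            continue
        m = re.match(r"([A-Za-z0-9_]+)\s*=\s*(.*)", raw)
        if m:
            last = m.group(1)
            params[last] = m.group(2).strip()
    return params


def excluded_versions(value):
    """Versions excluded by a '!SSLv2,!SSLv3,...' style value (comma or space separated)."""
    return {tok[1:] for tok in re.split(r"[\s,]+", value) if tok.startswith("!")}


def check_tls_protocols(text):
    """Map each parameter to the legacy versions it still permits (empty list = all
    excluded), or None when the parameter is absent and the Postfix default applies."""
    params = parse_main_cf(text)
    report = {}
    for name in PARAMS:
        if name not in params:
            report[name] = None
        else:
            allowed = excluded_versions(params[name])
            report[name] = [v for v in LEGACY if v not in allowed]
    return report


# Constructed sample: outgoing side complete (with a continuation line), incoming
# side only partly restricted and missing smtpd_tls_protocols altogether.
SAMPLE = """\
# Outgoing connections:
smtp_tls_security_level = may
smtp_tls_mandatory_protocols = !SSLv2,!SSLv3,
    !TLSv1,!TLSv1.1
smtp_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
# Incoming connections:
smtpd_tls_security_level = may
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3
"""

if __name__ == "__main__":
    for name, still_allowed in check_tls_protocols(SAMPLE).items():
        print(f"{name}: {'not set' if still_allowed is None else still_allowed or 'ok'}")
```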