How to FORCE secure authentication (over SSL or TLS) with Postfix

Discussion in 'Server Operation' started by cbj4074, Apr 10, 2012.

  1. cbj4074

    cbj4074 Member


    I am interested in forcing encrypted authentication with Postfix.

    I am aware that in some countries, public ISPs and the like are forbidden from requiring encryption where email systems are concerned. I am also aware that this practice is discouraged in certain circles.

    According to the Postfix documentation ( ), it may be useful to employ the following combination of directives. The idea is that authentication mechanisms will still be announced to older clients, and even though they won't be able to authenticate, they will receive some kind of error message. (The helpfulness of that error message is another issue altogether, as will become apparent.)

    smtpd_tls_security_level = may
    smtpd_tls_auth_only = yes
    With this configuration, attempts to send mail are rejected, with a message like the following:

    An error occurred while sending mail. The mail server responded:  5.7.1 <[XXX.XXX.XXX.XXX]>: Client host rejected: Access denied. Please check the message recipient [email protected] and try again.
    Additionally, my email client (Thunderbird) displays something like this:

    Sending of message failed.
    The message could not be sent because the connection to SMTP server was lost in the middle of the transaction. Try again or contact your network administrator.
    If I enable STARTTLS for the SMTP connection, I am able to send mail without issue.

    So far, all is well, and these are the expected results.

    If I change the security level to "encrypt", the results when attempting to connect over an unencrypted connection are slightly different:

    smtpd_tls_security_level = encrypt
    smtpd_tls_auth_only = yes
    An error occurred while sending mail. The mail server responded:  5.7.0 Must issue a STARTTLS command first.  Please verify that your email address is correct in your Mail preferences and try again.
    This message is much more useful to clients that understand how to receive it, which I appreciate.

    However, when I enable STARTTLS for the SMTP connection, mail is sent without issue, but it is always returned with the following message attached:

    <[email protected]>: host[] said: 530 5.7.0 Failed,
        id=01520-12, from MTA([]:10025): 530 5.7.0 Must issue a STARTTLS
        command first (in reply to end of DATA command)
    Is this because the local, internal connection between Postfix and Amavis is also requiring encryption, given these directives? If so, is there a simple means by which to exempt local connections from this requirement?

    The fact that the first method works without issue seems to indicate that the "smtpd_tls_auth_only = yes" directive is ignored for local connections.

    I am okay with using the first set of directives, but I would like to understand why the second does not work.

    Thanks for any help!
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    You have to set:

    smtpd_tls_security_level = encrypt
    smtpd_tls_auth_only = yes

    as options for the outgoing connections in only and not the internal connections to the spam scanner by adding it to
    paka likes this.
  3. cbj4074

    cbj4074 Member

    Thanks, Till. That makes sense.

    However, when I try to add those directives to, Postfix complains about a syntax error:

    fatal: /etc/postfix/ line 136: bad transport type: =
    in response to this line:

    smtpd_tls_security_level = encrypt
    It seems that requires a different syntax than

    Any thoughts on this?

    Thanks again!
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    There should be a line like this:

    smtp      inet  n       -       -       -       -       smtpd
    add the setting right below that line, so it looks like this:

    smtp      inet  n       -       -       -       -       smtpd
      -o smtpd_enforce_tls=yes
    and then restart postfix.
    WildcatLeeds likes this.
  5. cbj4074

    cbj4074 Member

    Beautiful; works as expected. Thanks, Till! :D

    While I'm thinking of it, do you know of any way to specify these types of directives as "user-level" configuration options for Postfix?

    The reason I ask is . I am trying to move my custom configuration options outside of ISPConfig's reach, so that reconfiguring services during upgrades poses no risk.

    Thanks again.
  6. Jugo

    Jugo New Member

    How to setup mandatory TLS but only with specific domain, all the other communication should not be encrypted. I'am using Centos 6.6, and postfix version is 2.6.6
  7. cbj4074

    cbj4074 Member


    That's an excellent question, and probably better-suited for the Postfix Mailing List. Please let us know what you discover! :)

Share This Page