It always makes sense to encrypt e-mail communication, especially when you are on the move and reading or writing e-mails in WLAN environments. There is usually an unknown person lurking there who records communication that is sent in plain text.
With simple settings in the e-mail program or on the smartphone you can activate the encrypted connection. The connection from the e-mail program to the e-mail server is then encrypted and secure.
However, the connections between the mail servers of the sender and the recipient are then the problem. Mail is usually transmitted between them unencrypted, since the servers are considered to be in a secure environment. It is then of course possible to copy and eavesdrop on the e-mail traffic.
You should at least give your Postfix mail servers the ability to transmit the data encrypted where possible.
If you find entries in your maillog like:
certificate verification failed for gmail-smtp-in.l.google.com
then your Postfix is not able to verify the certificate in order to encrypt the data.
With a small change in the main.cf file you can activate this.
For this purpose, the CA certificates must be installed on the server. For Red Hat and CentOS they come in the ca-certificates package.
On CentOS 7 the bundled file can be found here: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
You should have your own certificate and save it in /etc/postfix/postfix_default.pem together with the key and root crt.
Now enter these commands:
postconf -e smtp_tls_security_level=may
postconf -e smtp_tls_cert_file=/etc/postfix/postfix_default.pem
postconf -e smtp_tls_key_file=/etc/postfix/postfix_default.pem
postconf -e smtp_tls_CAfile=/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
postconf -e smtp_tls_mandatory_exclude_ciphers='aNULL, DES, RC4, MD5'
postconf -e smtpd_tls_security_level=may
postconf -e smtpd_tls_key_file=/etc/postfix/postfix_default.pem
postconf -e smtpd_tls_cert_file=/etc/postfix/postfix_default.pem
postconf -e smtpd_tls_mandatory_protocols='!SSLv2, !SSLv3'
postconf -e smtpd_tls_protocols='!SSLv2, !SSLv3'
postconf -e smtpd_tls_mandatory_ciphers=high
postconf -e smtpd_tls_mandatory_exclude_ciphers='aNULL, DES, RC4, MD5'
postconf -e tls_high_cipherlist='EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA'
From now on, Postfix encrypts connections to other servers that offer TLS.
But make sure that the options:
This option is advertised by some providers in TV commercials as a secure e-mail delivery. Please note that this is of course only a transport encryption, i.e. the path between the two mail servers. The email itself is again stored in plain text on the email server of the recipient.
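To check what the settings above achieve in practice, the following added example (not part of the original article) summarises the Postfix smtp client log per destination host. It assumes smtp_tls_loglevel=1 is set so that TLS connections are logged; the function names, log lines and host names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original article. Assumes smtp_tls_loglevel=1,
# which makes Postfix log "<level> TLS connection established to ..." lines.

# Constructed sample log; hosts and addresses are documentation placeholders.
sample_maillog() {
cat <<'EOF'
Jan 10 09:00:01 mail postfix/smtp[2101]: certificate verification failed for mx1.example.net[192.0.2.10]:25: untrusted issuer /CN=Constructed Root
Jan 10 09:00:01 mail postfix/smtp[2101]: Untrusted TLS connection established to mx1.example.net[192.0.2.10]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jan 10 09:05:12 mail postfix/smtp[2150]: Trusted TLS connection established to mx2.example.org[198.51.100.7]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Jan 10 09:07:44 mail postfix/smtp[2188]: 4F1A2C0D3E: to=<user@example.com>, relay=mx3.example.com[203.0.113.5]:25, delay=0.5, dsn=2.0.0, status=sent (250 ok)
EOF
}

# Reads a maillog on stdin, prints "host tls=<level> certfail=<n>" per host.
# tls=none: no TLS line was logged for that host; together with a status=sent
# delivery this means level "may" fell back to plaintext (per-host heuristic).
tls_summary() {
  awk '
    function host_after(line, marker,   s, i) {
      s = substr(line, index(line, marker) + length(marker))
      sub(/ .*/, "", s)                      # first word: host[addr]:port
      i = index(s, "[")
      return i ? substr(s, 1, i - 1) : s
    }
    index($0, "postfix/smtp[") == 0 { next }   # smtp client lines only
    index($0, "certificate verification failed for ") {
      h = host_after($0, "certificate verification failed for ")
      seen[h] = 1; certfail[h]++; next
    }
    match($0, /(Trusted|Untrusted|Verified|Anonymous) TLS connection established to /) {
      level = substr($0, RSTART); sub(/ .*/, "", level)
      h = host_after($0, " TLS connection established to ")
      seen[h] = 1; tls[h] = level; next
    }
    /status=sent/ && index($0, "relay=") {
      h = host_after($0, "relay="); seen[h] = 1
    }
    END {
      for (h in seen)
        printf "%s tls=%s certfail=%d\n", h, ((h in tls) ? tls[h] : "none"), certfail[h]
    }
  ' | sort
}

sample_maillog | tls_summary
```

On a real server, feed the function the mail log instead of the sample, for example `tls_summary < /var/log/maillog`. Hosts that still show certfail counts after the change point to a CA bundle problem; hosts with tls=none did not offer TLS.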