Enforcing STARTTLS on submission port 587

-
Welcome file

The following settings will enable opportunistic TLS for inbound connections on default smtp port(25).

smtpd_tls_security_level = may

You can enforce STARTTLS on submission port e.g 587 by editing /etc/postfix/master.cf

submission inet n       -       n       -       -       smtpd -o smtpd_tls_security_level=encrypt

This will enforce STARTTLS on port 587.

Note:

  • You would also need to first generate self signed or intermediate certificate to enable inbound TLS in Postfix.

Comments

Post a Comment

Popular posts from this blog

How to include Gmail's Feedback-ID header in DKIM signature

-
article1 Feedback-ID is an additional header required by Gmail Feedback Loop to see aggregated data in Google Postmaster tools . Gmail requires it to include in DKIM-Signature. The following guide explains how it can be configured in OpenDKIM : Edit opendkim.conf vim /etc/opendkim.conf Add the following line : SignHeaders Feedback-ID Reload openkdim : systemctl reload opendkim.service Reload postfix : systemctl reload postfix.service Send a test email with swaks to gmail : swaks --from postmaster@postfix.io --to xxxx@gmail.com --h-Feedback-ID 123:asd:123 --server 127.0.0.1:25 My test mail results : Authentication-Results: mx.google.com;dkim=pass header.i=@postfix.io header.s=key1 header.b=oY1NVInb;spf=pass (google.com: domain of postmaster@postfix.io designates 45.55.57.182 as permitted sender) smtp.mailfrom=postmaster@postfix.io;dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=postfix.io Date: Sun, 12 Nov 2017 11:04:42 +0000 DKIM-Signature: v=1...
Read more

StatusDnsQueryFailed resolving domain

-
Welcome file If you are seeing the following error in PowerMTA or Postfix logs : StatusDnsQueryFailed resolving domain It’s likely caused by 3 reasons : The requested domain does not exist. It doesn’t have neither MX nor A record. The upstream DNS provider is throttling excessive queries from your mail server. You are hitting bandwidth limits on either WAN(if the dns resolver request is going out via internet interface). As always, i highly recommend to use dedicated recursive DNS server on LAN for your mailing infrastructure or use unthrottled upstream DNS resolver.
Read more