I noticed recently that Gmail started warning when email messages weren’t encrypted in transit. By transit I mean the hop where a message leaves your email server and is sent to another domain’s mail server / edge server. Here is an image of the sort of message you’ll get.
Now I’m a great believer in encrypting all the traffic I can, so this warning got my attention and I investigated how to enable encryption in Postfix, as it is the mail transfer agent (MTA) I use. It turns out not to be hard, but you do of course need valid certificates. I already had valid certificates installed, as I use them in Dovecot for encrypting IMAP and SMTP connections, but that is another story.
The actual configuration required is minimal: a few settings in the Postfix main.cf file.
smtpd_tls_security_level = may
smtp_tls_security_level = may
smtpd_tls_loglevel = 1
smtp_tls_loglevel = 1
You also need to point Postfix at the certificate and key file (the key file must not have a pass-phrase) used to encrypt the connection, like so:
smtpd_tls_cert_file = /etc/ssl/certs/your_cert.crt
smtpd_tls_key_file = /etc/ssl/private/your_cert_key.key
Once this is in place, if you tail -f the mail.log you will see that whenever you send or receive mail your server now prefers encryption wherever the other side supports it. You also see a new message in Gmail:
Not every server is as well set up as Google’s, which is why it is best to set the level to “may”: if the other server cannot talk TLS, Postfix falls back to sending and receiving in plain old text. Obviously this doesn’t protect your message once the other server has it, since it is plain text again there, but it is nice to know that no-one can read it off the wire between any two servers that support TLS.
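As an added example (not code from the original post), here is a small Python parser for the mail.log lines that smtp_tls_loglevel = 1 and smtpd_tls_loglevel = 1 produce. It pairs each outbound status=sent line with the "TLS connection established" line from the same smtp client process (smtp_ is outbound, smtpd_ is inbound), so you can see which peers still get the plaintext fallback that “may” allows. The log lines are constructed samples, and matching by process id and relay host is a simplification (Postfix connection caching can reuse a session).

```python
import re

# Constructed sample lines in the shape Postfix writes once smtp(d)_tls_loglevel = 1 is set;
# they are not from a real mail.log.
SAMPLE_LOG = """\
Mar  3 10:01:12 mail postfix/smtp[2101]: Anonymous TLS connection established to gmail-smtp-in.l.google.com[74.125.200.27]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
Mar  3 10:01:13 mail postfix/smtp[2101]: 4F2A1B3C5D: to=<bob@gmail.com>, relay=gmail-smtp-in.l.google.com[74.125.200.27]:25, delay=1.2, delays=0.1/0/0.6/0.5, dsn=2.0.0, status=sent (250 2.0.0 OK)
Mar  3 10:05:40 mail postfix/smtp[2188]: 7A9C0D1E2F: to=<alice@legacy.example>, relay=mx.legacy.example[192.0.2.10]:25, delay=0.9, delays=0.1/0/0.4/0.4, dsn=2.0.0, status=sent (250 OK)
Mar  3 10:07:02 mail postfix/smtpd[2230]: Anonymous TLS connection established from mail-ej1-f45.google.com[209.85.218.45]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
"""

# "Anonymous" is TLS without certificate verification, which is what security_level = may gives;
# Postfix logs Untrusted / Trusted / Verified instead when the peer certificate was checked.
TLS_RE = re.compile(
    r"postfix/(smtpd?)\[(\d+)\]: (Anonymous|Untrusted|Trusted|Verified) TLS connection established "
    r"(to|from) ([^\[\s]+)\[[^\]]+\](?::\d+)?: (TLSv[\d.]+) with cipher (\S+)")
SENT_RE = re.compile(
    r"postfix/smtp\[(\d+)\]: \w+: to=<([^>]+)>, relay=([^\[\s]+)\[[^\]]+\](?::\d+)?, .*status=sent")

def summarize(log_text):
    """Split outbound deliveries into TLS vs plaintext and list inbound TLS sessions.
    Assumption: a delivery is encrypted when the same smtp client process logged a TLS
    handshake to the same relay host earlier in the log."""
    last_tls = {}  # smtp client pid -> (relay host, TLS version, cipher) of its latest handshake
    result = {"tls": [], "plaintext": [], "inbound_tls": []}
    for line in log_text.splitlines():
        m = TLS_RE.search(line)
        if m:
            _proc, pid, _trust, direction, host, version, cipher = m.groups()
            if direction == "to":
                last_tls[pid] = (host, version, cipher)
            else:
                result["inbound_tls"].append((host, version, cipher))
            continue
        m = SENT_RE.search(line)
        if m:
            pid, rcpt, relay = m.groups()
            host, version, cipher = last_tls.get(pid, (None, None, None))
            if host == relay:
                result["tls"].append((rcpt, relay, version, cipher))
            else:
                result["plaintext"].append((rcpt, relay))  # the "may" fallback in action
    return result

if __name__ == "__main__":
    for bucket, entries in summarize(SAMPLE_LOG).items():
        print(bucket, entries)
```

Run it against your own log with `summarize(open("/var/log/mail.log").read())`; anything in the plaintext bucket is a peer that did not offer STARTTLS.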
Manu has done a significantly better write-up than me and pointed me in the right direction, so credit where credit is due.