Turn on TLS on your Postfix email server

So, as someone who runs their own mail server, one of the things I kept noticing was that when sending to GMail, the message arrived, however, there was a red padlock with a cross through it and the message “No encryption”:

From reading about it, GMail turned on the warning message for all servers that didn’t use TLS when sending.

This was a surprise to me as I had thought that TLS was already enabled on the server. It turned out that the encryption was enabled on the “incoming” connection from the mail client, but not for any “upstream” message sending (i.e. when my server is initiating the SMTP protocol).

After a bit of research, I came upon these two links in the Postfix documentation:

http://www.postfix.org/postconf.5.html#smtp_tls_security_level

http://www.postfix.org/TLS_README.html

The key configuration line is:

smtp_tls_security_level = may

Which is a single line in the configuration that turns on “opportunistic TLS”, where “opportunistic” means that our server will encrypt the connection as long as the recipient server supports TLS, as per the documentation:

The SMTP transaction is encrypted if the STARTTLS ESMTP feature is supported by the server. Otherwise, messages are sent in the clear

You can also define a table where you specify encryption settings on a “per recipient domain/server” level (e.g. to say to always use encryption for GMail, but for all others to use opportunistic encryption).

So, after setting the above configuration and reloading the configuration, you can run the test again and verify that the padlock and encryption warning are no longer present.