TLS encryption in Plesk with Postfix 2.8 and higher

Symptoms

When Postfix 2.8 or higher on submission port 587 is used as mail server some mail messages cannot be delivered to the server due to the fact that sender does not use TLS encryption and uses, for example, STARTTLS.

Cause

Since submission port is always required to be encrypted, in Plesk with Postfix 2.8 and higher versions, smtpd_tls_security_level is set to encrypt, which forces TLS encryption when communicating with the mail server. It was done to correspond with security protocol requirements.  

Resolution

Functionality when TLS encryption on port 587 is optional is not yet implemented in Plesk. 

Take part in our product improvement and vote for this feature on Plesk User Voice portal.

As workaround proceed with the following:

1. Connect to the server via SSH 
2. Open /etc/postfix/master.cf file in any text editor and change these lines from:

   CONFIG_TEXT: submission inet n - n - - smtpd -o smtpd_enforce_tls=yes -o smtpd_tls_security_level=encrypt -o smtpd_sasl_auth_enable=yes -o smtpd_client_restrictions=permit_sasl_authenticated,reject -o smtpd_sender_restrictions=

   to

   CONFIG_TEXT: submission inet n - n - - smtpd -o smtpd_enforce_tls=yes -o smtpd_tls_security_level=may -o smtpd_sasl_auth_enable=yes -o smtpd_client_restrictions=permit_sasl_authenticated,reject -o smtpd_sender_restrictions=

NOTE: These changes can be overwritten by any Plesk update. Maintain the customization on your side.