Why is TLS enforced on Postfix v2.2 but not required on Postfix v2.3?


2016-11-16 12:52:39 UTC


2017-08-16 16:35:59 UTC



Applicable to:

  • Plesk 12.5 for Linux
  • Plesk 10.x for Linux


Why does Postfix v2.2 as shipped with Plesk have TLS enforced on the submission service, while Postfix v2.3 does not make TLS mandatory?


This behavioral difference between Postfix v2.2 and Postfix v2.3 is caused by a redesign of the TLS configuration in Postfix itself.

Plesk does not specifically set TLS enforcement in Postfix. In Postfix v2.2, enforcement is controlled by the legacy parameters smtp_enforce_tls (SMTP client) and smtpd_enforce_tls (SMTP server). In Postfix v2.3 and later it is managed by a separate parameter, smtp_tls_security_level (smtpd_tls_security_level on the server side), whose default empty value keeps the old behaviour only if the legacy parameters are set.

At the encrypt TLS security level, messages are sent only over TLS-encrypted sessions. The SMTP transaction is aborted unless the STARTTLS ESMTP feature is supported by the remote SMTP server. If no suitable servers are found, the message will be deferred. With Postfix 2.3 and later versions, mandatory TLS encryption can be configured by setting smtp_tls_security_level to encrypt. Even though TLS encryption is always used, mail delivery continues even if the server certificate is not trusted or bears the wrong name.

At this security level and higher levels, the smtp_tls_mandatory_protocols and smtp_tls_mandatory_ciphers configuration parameters determine the list of sufficiently secure SSL/TLS protocol versions and the minimum cipher strength. If the protocol or cipher requirements are not met, the mail transaction is aborted. The documentation for these parameters includes useful interoperability and security guidelines.

With Postfix 2.2 and earlier versions, or when smtp_tls_security_level is set to its default (backwards compatible) empty value, the appropriate configuration settings are smtp_enforce_tls = yes and smtp_tls_enforce_peername = no. For LMTP, use the corresponding lmtp_* parameters.

Despite the potential for eliminating passive eavesdropping attacks, mandatory TLS encryption is not viable as a default security level for mail delivery to the public Internet. Most MX hosts do not support TLS at all, and some of those that do have broken implementations. On a host that delivers mail to the Internet, you should not configure mandatory TLS encryption as the default security level.

It is possible to enable mandatory TLS encryption only for specific destinations. With Postfix 2.3 and later versions, specify the encrypt security level for the destination in the TLS policy table (smtp_tls_policy_maps). With the obsolete per-site table (smtp_tls_per_site), specify the MUST_NOPEERMATCH keyword. While the obsolete approach still works with Postfix 2.3, it is strongly discouraged: users of Postfix 2.3 and later versions should use the new TLS policy settings. Source: http://www.postfix.org/TLS_README.html

NOTE: The configuration parameter for setting the TLS security level of the submission service is smtpd_tls_security_level, since it configures the Postfix SMTP server (which accepts connections). The parameter smtp_tls_security_level applies to the Postfix SMTP client (used to deliver mail to remote hosts) and has no effect on what clients connecting to port 587 are required to do. On Postfix 2.2 the server-side equivalent is the legacy parameter smtpd_enforce_tls = yes.
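The following configuration is an added example and is not part of the original article or of the Plesk default configuration. It shows the server-side (smtpd_*) and client-side (smtp_*) parameters side by side: TLS is made mandatory for the authenticated submission listener only, port 25 and outbound delivery stay opportunistic, and the TLS policy table enforces encryption for a few chosen destinations. The certificate path, the destination domains and the tls_policy file name are assumptions chosen for illustration; check the real paths with `postconf -n` and `postconf -M` on the server.

```ini
# /etc/postfix/master.cf
# The -o overrides apply only to this smtpd instance (port 587),
# so the port 25 listener keeps the main.cf defaults.
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_auth_only=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
# Postfix 2.2 equivalent for the submission listener (legacy parameter):
#   -o smtpd_enforce_tls=yes

# /etc/postfix/main.cf  (Postfix 2.3 and later)
smtpd_tls_cert_file = /etc/postfix/postfix_default.pem   # assumed path
smtpd_tls_key_file  = /etc/postfix/postfix_default.pem   # assumed path
# Server side, port 25: offer STARTTLS but do not require it.
smtpd_tls_security_level = may
# Client side, outbound delivery: opportunistic TLS by default ...
smtp_tls_security_level = may
# ... with per-destination overrides from the policy table.
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
# Applies at "encrypt" and stricter levels; the "!" exclusion syntax
# needs Postfix 2.5 or later (on 2.3/2.4 list the allowed versions instead).
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3

# /etc/postfix/tls_policy   (run "postmap /etc/postfix/tls_policy" after editing)
# encrypt: TLS required, certificate not verified (what the article describes).
# secure:  TLS required and the certificate must chain to a trusted CA
#          and match one of the listed names.
partner.example   encrypt
bank.example      secure match=.bank.example:bank.example

# Postfix 2.2 equivalent of the client-side settings above
# (still honoured by 2.3 when smtp_tls_security_level is left empty):
#   smtp_enforce_tls = no
#   smtp_use_tls = yes
#   smtp_tls_per_site = hash:/etc/postfix/tls_per_site
#   with a tls_per_site entry:  partner.example  MUST_NOPEERMATCH
```

After changing main.cf or master.cf, reload Postfix (`postfix reload`) and confirm the effective values with `postconf smtpd_tls_security_level smtp_tls_security_level`; an unexpected empty value on Postfix 2.3+ means the legacy parameters are the ones actually deciding whether TLS is enforced.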

Please see the Postfix documentation for smtpd_tls_security_level and smtp_tls_security_level in postconf(5): http://www.postfix.org/postconf.5.html

Additional information

KB #111283 - Plesk for Linux services logs and configuration files.
