= Postfix Encryption =

Postfix handles '''encryption''' separately for sending (`smtp`) and receiving (`smtpd`) mail.

----

== Receiving Encrypted Mail ==

The basic configuration for inbound mail is:

{{{
smtpd_tls_security_level = may
smtpd_tls_chain_files = /etc/letsencrypt/live/mail.example.com/mail.example.com.pem
smtpd_tls_wrappermode = yes
}}}

A looser encryption level like '''`may`''' is often appropriate for inbound mail because some senders are simple systems that do not use encryption; `may` still offers STARTTLS to every client that can use it.

=== Certificate Directives ===

The file named by the `smtpd_tls_chain_files` directive is actually a concatenation of the private key and the certificate chain, with the key first:

{{{
cd /etc/letsencrypt/live/mail.example.com/ && cat privkey.pem fullchain.pem > mail.example.com.pem
}}}

The `smtpd_tls_chain_files` option can be set to a comma- or space-delimited list of files, usually one key and certificate pair per algorithm:

{{{
smtpd_tls_chain_files = /etc/postfix/rsakey.pem, /etc/postfix/rsacerts.pem, /etc/postfix/ecdsakey.pem, /etc/postfix/ecdsacerts.pem
}}}

The older options for an RSA key and certificate pair still exist, but they are deprecated and discouraged:

{{{
smtpd_tls_key_file = /etc/letsencrypt/live/mail.example.com/privkey.pem
smtpd_tls_cert_file = /etc/letsencrypt/live/mail.example.com/fullchain.pem
}}}

There are differently named options for each algorithm, and a race condition can be hit if the files are updated between Postfix reading the key and reading the certificate.

----

== Sending Encrypted Mail ==

The basic configuration for outgoing mail is:

{{{
smtp_tls_security_level = encrypt
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
}}}

An aggressive encryption level like '''`encrypt`''' is appropriate here because nearly any mail server should accept [[Encryption/STARTTLS|STARTTLS]]; mail for a server that does not offer it is deferred rather than sent in the clear.

----

CategoryRicottone
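As an added example (not from this page and not Postfix's own tooling), the POSIX shell script below checks the two things the page configures: the key-then-chain ordering of a `smtpd_tls_chain_files` bundle from the Certificate Directives section, and the TLS directives from both the receiving and sending sections in a `main.cf`. It needs only `sh`, `awk` and `find`; every path and the PEM and `main.cf` contents written by `write_samples()` are constructed placeholders. The lint also flags `smtpd_tls_wrappermode = yes` when it is set globally in `main.cf`, because there it applies to every `smtpd` service including port 25, where peers expect STARTTLS; the usual place for it is a per-service `-o smtpd_tls_wrappermode=yes` override on the port 465 entry in `master.cf`.

```shell
#!/bin/sh
# Added example, not part of the wiki page or of Postfix. All paths and file
# contents produced by write_samples() are constructed; the PEM bodies are
# placeholders, not real keys or certificates.

# check_chain_bundle FILE
# smtpd_tls_chain_files wants each private key directly followed by its
# certificate chain (privkey.pem before fullchain.pem). Returns 0 when the
# PEM blocks in FILE are in that order, 1 otherwise.
check_chain_bundle() {
    if awk '
        /^-----BEGIN .*PRIVATE KEY-----$/ { if (prev == "key") bad = 1; prev = "key"; keys++; next }
        /^-----BEGIN CERTIFICATE-----$/   { if (prev == "") bad = 1; prev = "cert"; certs++; next }
        END { if (bad || keys == 0 || certs == 0 || prev == "key") exit 1 }
    ' "$1" 2>/dev/null; then
        return 0
    fi
    echo "$1: expected a private key directly followed by its certificate chain" >&2
    return 1
}

# check_key_perms FILE: the bundle carries the private key, so it must not be world-readable.
check_key_perms() {
    if [ -n "$(find "$1" -perm -004 2>/dev/null)" ]; then
        echo "$1: private key bundle is readable by other users" >&2
        return 1
    fi
    return 0
}

# cf_get FILE KEY: value of a main.cf parameter (last assignment wins, as in Postfix).
cf_get() {
    awk -v k="$2" '
        /^[ \t]*#/ { next }
        /^[ \t]*[A-Za-z0-9_]+[ \t]*=/ {
            key = $0; sub(/[ \t]*=.*$/, "", key); sub(/^[ \t]*/, "", key)
            if (key == k) { val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]*$/, "", val) }
        }
        END { print val }
    ' "$1"
}

# lint_tls_config FILE: prints one line per finding, returns the number of findings (0 = clean).
lint_tls_config() {
    cf=$1; n=0
    lvl=$(cf_get "$cf" smtpd_tls_security_level)
    case "$lvl" in
        ""|none) echo "WARN smtpd_tls_security_level=${lvl:-unset}: inbound STARTTLS is not offered"; n=$((n + 1)) ;;
    esac
    lvl=$(cf_get "$cf" smtp_tls_security_level)
    case "$lvl" in
        ""|none) echo "WARN smtp_tls_security_level=${lvl:-unset}: outbound mail goes out in the clear"; n=$((n + 1)) ;;
        may)     echo "NOTE smtp_tls_security_level=may: opportunistic only; encrypt is recommended above"; n=$((n + 1)) ;;
    esac
    # The per-algorithm key/cert parameters are deprecated in favour of smtpd_tls_chain_files.
    for k in smtpd_tls_key_file smtpd_tls_cert_file smtpd_tls_eckey_file smtpd_tls_eccert_file; do
        if [ -n "$(cf_get "$cf" "$k")" ]; then
            echo "WARN $k is deprecated; list the key and chain in smtpd_tls_chain_files instead"; n=$((n + 1))
        fi
    done
    if [ "$(cf_get "$cf" smtpd_tls_wrappermode)" = yes ]; then
        echo "WARN smtpd_tls_wrappermode=yes in main.cf applies to every smtpd service, port 25 included; set it per service in master.cf"; n=$((n + 1))
    fi
    return $n
}

# write_samples DIR: constructed fixtures that exercise the checks above.
write_samples() {
    d=$1
    key='-----BEGIN PRIVATE KEY-----
MIIconstructedPlaceholderNotARealKey
-----END PRIVATE KEY-----'
    leaf='-----BEGIN CERTIFICATE-----
MIIconstructedPlaceholderLeafCert
-----END CERTIFICATE-----'
    issuer='-----BEGIN CERTIFICATE-----
MIIconstructedPlaceholderIssuerCert
-----END CERTIFICATE-----'
    printf '%s\n%s\n%s\n' "$key" "$leaf" "$issuer" > "$d/good.pem"      # privkey.pem then fullchain.pem
    printf '%s\n%s\n%s\n' "$leaf" "$issuer" "$key" > "$d/bad-order.pem" # the cat arguments swapped
    cp "$d/good.pem" "$d/leaky.pem"
    chmod 600 "$d/good.pem" "$d/bad-order.pem"
    chmod 644 "$d/leaky.pem"
    cat > "$d/good.cf" <<'EOF'
smtpd_tls_security_level = may
smtpd_tls_chain_files = /etc/letsencrypt/live/mail.example.com/mail.example.com.pem
smtp_tls_security_level = encrypt
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
EOF
    cat > "$d/weak.cf" <<'EOF'
# constructed: a main.cf with every problem the lint looks for
smtpd_tls_security_level = none
smtpd_tls_key_file = /etc/letsencrypt/live/mail.example.com/privkey.pem
smtpd_tls_cert_file = /etc/letsencrypt/live/mail.example.com/fullchain.pem
smtpd_tls_wrappermode = yes
smtp_tls_security_level = may
EOF
}

# Run as `sh tls-check.sh demo` to see the checks against the fixtures.
if [ "${1:-}" = demo ]; then
    d=$(mktemp -d); write_samples "$d"
    for f in good.pem bad-order.pem leaky.pem; do
        check_chain_bundle "$d/$f" && check_key_perms "$d/$f" && echo "$f: ok"
    done
    for f in good.cf weak.cf; do lint_tls_config "$d/$f"; echo "$f: $? finding(s)"; done
    rm -r "$d"
fi
```

Against a real installation, point `check_chain_bundle` and `check_key_perms` at the bundle named in `smtpd_tls_chain_files` and `lint_tls_config` at `/etc/postfix/main.cf`; the lint only reads the file, so `postfix check` and `postconf -n` remain the authoritative view of what Postfix actually loads.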