Skip to main content

Setting Postfix to encrypt all traffic when talking to other mailservers

The biggest German email providers are currently running a big marketing campaign and promise secure email. They are using the same technique described on this page. After checking my logs, I can confirm that GMX-emails were delivered unencrypted on Aug 5, but arrived encrypted on Aug 6.

Thanks to Mr. Snowden, we know two important facts about the world of security and email:
First, most governments in the world will eavesdrop and store your communication, if they get the chance. They don't have a specific reason and the benefits are highly disputed.

Second, your users can't/won't use PGP or S/MIME to encrypt their email.
The job is left to admins. We need to maximize usability and compatibility, while ensuring that user data stays confidential. If you are running Postfix, I'd like to draw your attention to some useful settings that will protect your user's email in transit. If emails stay on the same server or the other server is secured as well, there is little chance to intercept messages on a big scale. If your users are sending emails to Gmail or Hotmail, then interception is still possible at the receiving end.



Encrypt email at the server level

The settings I'm suggesting here only protect emails while travelling between mailservers. If your mailbox is compromised, messages can still be read. The only thing we are doing here is making sure the mailman can't read your postcard. What you do with it after it has arrived in your inbox is up to you. The message will only be encrypted during transit.

I will assume that you have already enabled TLS-authentication to receive emails from your users. Now we will also make sure messages are encrypted when sending them to 3rd-party email servers.
First open up Postfix's main.cf and add the following settings:

[cc lang="bash" width="100%" noborder="1" theme="dawn"]
smtpd_tls_security_level = may
smtp_tls_security_level = may
smtp_tls_loglevel = 1
smtpd_tls_loglevel = 1
[/cc]

Smtpd means mails you receive from outside, smtp covers mails you send to other servers. Both settings can have three different values: none, may, encrypt. The may-option is recommended because it doesn't lock out servers who don't support encryption.

The two last options enable logging of encrypted connections. This is useful to verify the cipher strength and if everything is working properly.

Testing postfix encryption

Now restart Postfix and watch connections being made in mail.log. If everything works, you should see something similar as in Figure 2. Here an encrypted TLS v1.2 connection is made to Gmail using Elliptic Curve Ephemeral diffie-Hellman (ECDHE) key exchange. This should protect you, even if your private server key is compromised later.


We don't know if Google will keep the email confidential, but at least it was secure while being sent. If your friends are running their own mailservers, their servers would need to be confiscated or hacked to compromise the message. For bigger mail-providers, like Gmail or Hotmail, encrypting email in transit only provides a limited benefit because they are oblidged to provide government-backdoors.

Comments

Most Popular

CWP DNS Part 1 : How to Configure DNS properly for CentOS WebPanel on CentOS 7.6

After hosting my parent domain on CWP7.admin, I am getting dns error and i'm not able access my server using my server FQDN but i can access using my server IP.
So what can i do for that problem ?

Yes, you have to fix the error .

Environment Details:
Distro Name: CentOS Linux release 7.6.1810 (Core)
CentOS-Web Panel version: CWP7.admin
CWP version: 0.9.8.757
WebServer: Apache Only
FQDN: host.datahead.biz
IP: 192.120.10.3

1.Change Hostname Permanently:
# hostnamectl set-hostname host.datahead.biz# hostnamectl Static hostname: host.datahead.biz Icon name: computer-vm Chassis: vm Machine ID: 7400071490ea4f7d931374824ad4b52c Boot ID: 6e1f2d76495d4b318c25c4a1195aa130 Virtualization: vmware Operating System: CentOS Linux 7 (Core) CPE OS Name: cpe:/o:centos:centos:7 Kernel: Linux 3.10.0-862.14.4.el7.x86_64 Architecture: x86-64 It also writes this information to the /etc/hostname file as well.
# cat /etc/hostname host.d…

CWP DNS Part 2 : How to Configure DNS properly for CentOS WebPanel on CentOS 7.6

7.Open Main Configuration file
# vi /etc/named.conf 12 options { 13 listen-on port 53 { any; }; 14 listen-on-v6 port 53 { ::1; }; 15 directory "/var/named"; 16 dump-file "/var/named/data/cache_dump.db"; 17 statistics-file "/var/named/data/named_stats.txt"; 18 memstatistics-file "/var/named/data/named_mem_stats.txt"; 19 recursing-file "/var/named/data/named.recursing"; 20 secroots-file "/var/named/data/named.secroots"; 21 allow-query { any; }; 33 recursion no; 34 35 dnssec-enable yes; 36 dnssec-validation yes; 54 zone "." IN { 55 type hint; 56 file "named.ca"; 57 }; 58 59 include "/etc/named.rfc1912.zones"; 60 include "/etc/named.root.key"; 61 …