Setting Postfix to encrypt all traffic when talking to other mailservers

Update Aug 9, 2013: The biggest German email providers are currently running a big marketing campaign and promise secure email. They are using the same technique described on this page. After checking my logs, I can confirm that GMX-emails were delivered unencrypted on Aug 5, but arrived encrypted on Aug 6.

Thanks to Mr. Snowden, we know two important facts about the world of security and email:

First, most governments in the world will eavesdrop and store your communication, if they get the chance. They don’t have a specific reason and the benefits are highly disputed.

Second, your users can’t/won’t use PGP or S/MIME to encrypt their email.

The job is left to admins. We need to maximize usability and compatibility, while ensuring that user data stays confidential. If you are running Postfix, I’d like to draw your attention to some useful settings that will protect your user’s email in transit. If emails stay on the same server or the other server is secured as well, there is little chance to intercept messages on a big scale. If your users are sending emails to Gmail or Hotmail, then interception is still possible at the receiving end.

Make Postfix encrypt messages at all stages of delivery.
Figure 1: Vulnerability of email-messages in transit.

Encrypt email at the server level

The settings I’m suggesting here only protect emails while travelling between mailservers. If your mailbox is compromised, messages can still be read. The only thing we are doing here is making sure the mailman can’t read your postcard. What you do with it after it has arrived in your inbox is up to you. The message will only be encrypted during transit.

I will assume that you have already enabled TLS-authentication to receive emails from your users. Now we will also make sure messages are encrypted when sending them to 3rd-party email servers.

First open up Postfix’s and add the following settings:

[cc lang=”bash” width=”100%” noborder=”1″ theme=”dawn”]
smtpd_tls_security_level = may
smtp_tls_security_level = may
smtp_tls_loglevel = 1
smtpd_tls_loglevel = 1

Smtpd means mails you receive from outside, smtp covers mails you send to other servers. Both settings can have three different values: none, may, encrypt. The may-option is recommended because it doesn’t lock out servers who don’t support encryption.

The two last options enable logging of encrypted connections. This is useful to verify the cipher strength and if everything is working properly.

Testing postfix encryption

Now restart Postfix and watch connections being made in mail.log. If everything works, you should see something similar as in Figure 2. Here an encrypted TLS v1.2 connection is made to Gmail using Elliptic Curve Ephemeral diffie-Hellman (ECDHE) key exchange. This should protect you, even if your private server key is compromised later.

Figure 2: Encrypted email-submission from Postfix to Gmail.
Figure 2: Encrypted email-submission from Postfix to Gmail.

We don’t know if Google will keep the email confidential, but at least it was secure while being sent. If your friends are running their own mailservers, their servers would need to be confiscated or hacked to compromise the message. For bigger mail-providers, like Gmail or Hotmail, encrypting email in transit only provides a limited benefit because they are oblidged to provide government-backdoors.