StartTLS for Opportunistic Email Encryption with Postfix
Out of dateThis document was written in 2002. Since then, the features it discusses have moved into Postfix, including important improvements to forward secrecy. You should look to TLS Forward Secrecy in Postfix at postfix.org for up to date advice.
New translations will not get a link.
Archived contentLots and lots of sites use StartTLS for encrypting local email, usually so that they can hide passwords when SMTP auth is used. But, StartTLS also gives you the ability to opportunisticly encrypt mail as it heads across the Internet. This document builds on Patrick Koetter's STMTP/StartTLS docs, and starts at the end of #15, where he says "That's it. Your done. Have fun."
Let me say a little more about how cool this is. From the user perspective: No passphrases. No public keys. No fingerprints. It roughly just works. That's a huge win. Today, I spent half a day trying to get S/MIME working. First, I upgraded mutt to the latest beta. Then I got stuck because Verisign's site doesn't work with Netscape, and Thawte's site is down for maitenance. Meanwhile, random email from people who would never bother to figure this stuff out is getting encrypted from their site to mine. And since I run my site, thats about the same trust as I get from PGP. Not quite, but much better than when people misuse the product.
Pre-conditions: Have postfix installed and running. Have StartTLS
going when postfix is a server.
Now, this is really easy. Let me simply offer up the relevant
bits of my postfix main.cf:
The second two are the same values as my
If everything has worked as planned, your mail recieved headers will get better, looking something like this:
Received: from Alice (using TLSv1 with cipher EDH-RSA-DES-CBC3-SHA (168/168 bits)) (No client certificate requested) by Bob (Postfix) with ESMTP id CC7593008F for <email@example.com>; Wed, 2 Oct 2002 15:20:39 -0400 (EDT)
If everything is not working as planned, turn up your log levels. Odds are good you're already trading mail with people using starttls.
And that's it. You're done. Have fun.
I also want to draw attention to The Postfix/TLS site and documentation for the config file, which I had trouble finding.