Detailed information about STARTTLS configuration may be found in the TLS_README document.
smtpd_tls_security_level (empty)
The SMTP TLS security level for the Postfix SMTP server; when a non-empty value is specified, this overrides the obsolete parameters smtpd_use_tls and smtpd_enforce_tls.
smtpd_sasl_tls_security_options ($smtpd_sasl_security_options)
The SASL authentication security options that the Postfix SMTP server uses for TLS encrypted SMTP sessions.
smtpd_starttls_timeout (300s)
The time limit for Postfix SMTP server write and read operations during TLS startup and shutdown handshake procedures.
smtpd_tls_CAfile (empty)
A file containing (PEM format) CA certificates of root CAs trusted to sign either remote SMTP client certificates or intermediate CA certificates.
smtpd_tls_CApath (empty)
A directory containing (PEM format) CA certificates of root CAs trusted to sign either remote SMTP client certificates or intermediate CA certificates.
smtpd_tls_always_issue_session_ids (yes)
Force the Postfix SMTP server to issue a TLS session id, even when TLS session caching is turned off (smtpd_tls_session_cache_database is empty).
smtpd_tls_ask_ccert (no)
Ask a remote SMTP client for a client certificate.
smtpd_tls_auth_only (no)
When TLS encryption is optional in the Postfix SMTP server, do not announce or accept SASL authentication over unencrypted connections.
smtpd_tls_ccert_verifydepth (9)
The verification depth for remote SMTP client certificates.
smtpd_tls_cert_file (empty)
File with the Postfix SMTP server RSA certificate in PEM format.
smtpd_tls_exclude_ciphers (empty)
List of ciphers or cipher types to exclude from the SMTP server cipher list at all TLS security levels.
smtpd_tls_dcert_file (empty)
File with the Postfix SMTP server DSA certificate in PEM format.
smtpd_tls_dh1024_param_file (empty)
File with DH parameters that the Postfix SMTP server should use with EDH ciphers.
smtpd_tls_dh512_param_file (empty)
File with DH parameters that the Postfix SMTP server should use with EDH ciphers.
smtpd_tls_dkey_file ($smtpd_tls_dcert_file)
File with the Postfix SMTP server DSA private key in PEM format.
smtpd_tls_key_file ($smtpd_tls_cert_file)
File with the Postfix SMTP server RSA private key in PEM format.
smtpd_tls_loglevel (0)
Enable additional Postfix SMTP server logging of TLS activity.
smtpd_tls_mandatory_ciphers (medium)
The minimum TLS cipher grade that the Postfix SMTP server will use with mandatory TLS encryption.
smtpd_tls_mandatory_exclude_ciphers (empty)
Additional list of ciphers or cipher types to exclude from the SMTP server cipher list at mandatory TLS security levels.
smtpd_tls_mandatory_protocols (SSLv3, TLSv1)
The SSL/TLS protocols accepted by the Postfix SMTP server with mandatory TLS encryption.
smtpd_tls_received_header (no)
Request that the Postfix SMTP server produce Received: message headers that include information about the protocol and cipher used, as well as the client CommonName and client certificate issuer CommonName.
smtpd_tls_req_ccert (no)
With mandatory TLS encryption, require a trusted remote SMTP client certificate in order to allow TLS connections to proceed.
smtpd_tls_session_cache_database (empty)
Name of the file containing the optional Postfix SMTP server TLS session cache.
smtpd_tls_session_cache_timeout (3600s)
The expiration time of Postfix SMTP server TLS session cache information.
smtpd_tls_wrappermode (no)
Run the Postfix SMTP server in the non-standard "wrapper" mode, instead of using the STARTTLS command.
tls_daemon_random_bytes (32)
The number of pseudo-random bytes that an smtp(8) or smtpd(8) process requests from the tlsmgr(8) server in order to seed its internal pseudo-random number generator (PRNG).
tls_high_cipherlist (ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH)
The OpenSSL cipherlist for "HIGH" grade ciphers.
tls_medium_cipherlist (ALL:!EXPORT:!LOW:+RC4:@STRENGTH)
The OpenSSL cipherlist for "MEDIUM" or higher grade ciphers.
tls_low_cipherlist (ALL:!EXPORT:+RC4:@STRENGTH)
The OpenSSL cipherlist for "LOW" or higher grade ciphers.
tls_export_cipherlist (ALL:+RC4:@STRENGTH)
The OpenSSL cipherlist for "EXPORT" or higher grade ciphers.
tls_null_cipherlist (eNULL:!aNULL)
The OpenSSL cipherlist for "NULL" grade ciphers that provide authentication without encryption.
Available in Postfix version 2.5 and later:
smtpd_tls_fingerprint_digest (md5)
The message digest algorithm used to construct client-certificate fingerprints for check_ccert_access and permit_tls_clientcerts.
Available in Postfix version 2.6 and later:
smtpd_tls_protocols (empty)
List of TLS protocols that the Postfix SMTP server will exclude or include with opportunistic TLS encryption.
smtpd_tls_ciphers (export)
The minimum TLS cipher grade that the Postfix SMTP server will use with opportunistic TLS encryption.
smtpd_tls_eccert_file (empty)
File with the Postfix SMTP server ECDSA certificate in PEM format.
smtpd_tls_eckey_file ($smtpd_tls_eccert_file)
File with the Postfix SMTP server ECDSA private key in PEM format.
smtpd_tls_eecdh_grade (see 'postconf -d' output)
The Postfix SMTP server security grade for ephemeral elliptic-curve Diffie-Hellman (EECDH) key exchange.
tls_eecdh_strong_curve (prime256v1)
The elliptic curve used by the SMTP server for sensibly strong ephemeral ECDH key exchange.
tls_eecdh_ultra_curve (secp384r1)
The elliptic curve used by the SMTP server for maximally strong ephemeral ECDH key exchange.
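The following main.cf fragment is an added example, not text from the Postfix documentation, showing how the parameters listed above combine into a hardened server-side STARTTLS configuration. The certificate, key and CA paths are placeholders chosen for illustration; the other values are the documented forms of these parameters. Note that Postfix main.cf does not allow comments at the end of a line, so every comment below sits on its own line.

```ini
# Added example main.cf fragment (placeholder paths, not a shipped config).

# Weak configuration these settings replace: the pre-2.3 style toggles
# (smtpd_use_tls/smtpd_enforce_tls), AUTH allowed on cleartext, "medium"
# mandatory ciphers and md5 certificate fingerprints.
#
#   smtpd_use_tls = yes
#   smtpd_tls_auth_only = no
#   smtpd_tls_mandatory_ciphers = medium
#   smtpd_tls_fingerprint_digest = md5

# Opportunistic TLS on port 25; a non-empty level overrides the obsolete
# smtpd_use_tls and smtpd_enforce_tls parameters.
smtpd_tls_security_level = may

# Server RSA certificate and private key (placeholder paths).
smtpd_tls_cert_file = /etc/postfix/tls/smtpd-cert.pem
smtpd_tls_key_file = /etc/postfix/tls/smtpd-key.pem

# Root CAs trusted to sign remote client certificates (placeholder path).
smtpd_tls_CAfile = /etc/postfix/tls/client-ca.pem
smtpd_tls_ccert_verifydepth = 5

# Never announce or accept SASL AUTH on an unencrypted connection.
smtpd_tls_auth_only = yes

# Exclude SSLv2/SSLv3 for both opportunistic (2.6+) and mandatory TLS.
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3

# Cipher grades: still accept "export" opportunistically so that a weak
# peer falls back to weak TLS rather than cleartext, but require "high"
# whenever TLS is mandatory; drop anonymous and MD5 suites everywhere.
smtpd_tls_ciphers = export
smtpd_tls_mandatory_ciphers = high
smtpd_tls_exclude_ciphers = aNULL, MD5

# Ephemeral ECDH key exchange (2.6+).
smtpd_tls_eecdh_grade = strong

# Session cache so resumption works; timeout is one hour.
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_tls_session_cache_timeout = 3600s

# Client-certificate fingerprints with sha1 instead of md5 (2.5+).
smtpd_tls_fingerprint_digest = sha1

# Record protocol/cipher details in Received: headers and log handshakes.
smtpd_tls_received_header = yes
smtpd_tls_loglevel = 1
```

After editing, `postconf -n` prints the non-default settings so the result can be checked, and `postfix reload` activates it. The deliberately asymmetric cipher grades follow the model in TLS_README: opportunistic TLS exists to avoid cleartext, so it should not be stricter than the alternative, while mandatory TLS (for example on a submission port with `smtpd_tls_security_level = encrypt` set in master.cf) is where the strong grade belongs.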