Detailed information about STARTTLS configuration may be found in the TLS_README document.
smtp_tls_security_level (empty)
The default SMTP TLS security level for the Postfix SMTP client; when a non-empty value is specified, this overrides the obsolete parameters smtp_use_tls, smtp_enforce_tls, and smtp_tls_enforce_peername.
smtp_sasl_tls_security_options ($smtp_sasl_security_options)
The SASL authentication security options that the Postfix SMTP client uses for TLS encrypted SMTP sessions.
smtp_starttls_timeout (300s)
Time limit for Postfix SMTP client write and read operations during TLS startup and shutdown handshake procedures.
smtp_tls_CAfile (empty)
A file containing CA certificates of root CAs trusted to sign either remote SMTP server certificates or intermediate CA certificates.
smtp_tls_CApath (empty)
Directory with PEM format certificate authority certificates that the Postfix SMTP client uses to verify a remote SMTP server certificate.
smtp_tls_cert_file (empty)
File with the Postfix SMTP client RSA certificate in PEM format.
smtp_tls_mandatory_ciphers (medium)
The minimum TLS cipher grade that the Postfix SMTP client will use with mandatory TLS encryption.
smtp_tls_exclude_ciphers (empty)
List of ciphers or cipher types to exclude from the Postfix SMTP client cipher list at all TLS security levels.
smtp_tls_mandatory_exclude_ciphers (empty)
Additional list of ciphers or cipher types to exclude from the SMTP client cipher list at mandatory TLS security levels.
smtp_tls_dcert_file (empty)
File with the Postfix SMTP client DSA certificate in PEM format.
smtp_tls_dkey_file ($smtp_tls_dcert_file)
File with the Postfix SMTP client DSA private key in PEM format.
smtp_tls_key_file ($smtp_tls_cert_file)
File with the Postfix SMTP client RSA private key in PEM format.
smtp_tls_loglevel (0)
Enable additional Postfix SMTP client logging of TLS activity.
smtp_tls_note_starttls_offer (no)
Log the hostname of a remote SMTP server that offers STARTTLS, when TLS is not already enabled for that server.
smtp_tls_policy_maps (empty)
Optional lookup tables with the Postfix SMTP client TLS security policy by next-hop destination; when a non-empty value is specified, this overrides the obsolete smtp_tls_per_site parameter.
smtp_tls_mandatory_protocols (SSLv3, TLSv1)
List of SSL/TLS protocols that the Postfix SMTP client will use with mandatory TLS encryption.
smtp_tls_scert_verifydepth (9)
The verification depth for remote SMTP server certificates.
smtp_tls_secure_cert_match (nexthop, dot-nexthop)
The server certificate peername verification method for the "secure" TLS security level.
smtp_tls_session_cache_database (empty)
Name of the file containing the optional Postfix SMTP client TLS session cache.
smtp_tls_session_cache_timeout (3600s)
The expiration time of Postfix SMTP client TLS session cache information.
smtp_tls_verify_cert_match (hostname)
The server certificate peername verification method for the "verify" TLS security level.
tls_daemon_random_bytes (32)
The number of pseudo-random bytes that an smtp(8) or smtpd(8) process requests from the tlsmgr(8) server in order to seed its internal pseudo-random number generator (PRNG).
tls_high_cipherlist (ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH)
The OpenSSL cipherlist for "HIGH" grade ciphers.
tls_medium_cipherlist (ALL:!EXPORT:!LOW:+RC4:@STRENGTH)
The OpenSSL cipherlist for "MEDIUM" or higher grade ciphers.
tls_low_cipherlist (ALL:!EXPORT:+RC4:@STRENGTH)
The OpenSSL cipherlist for "LOW" or higher grade ciphers.
tls_export_cipherlist (ALL:+RC4:@STRENGTH)
The OpenSSL cipherlist for "EXPORT" or higher grade ciphers.
tls_null_cipherlist (eNULL:!aNULL)
The OpenSSL cipherlist for "NULL" grade ciphers that provide authentication without encryption.
Available in Postfix version 2.4 and later:
smtp_sasl_tls_verified_security_options ($smtp_sasl_tls_security_options)
The SASL authentication security options that the Postfix SMTP client uses for TLS encrypted SMTP sessions with a verified server certificate.
Available in Postfix version 2.5 and later:
smtp_tls_fingerprint_cert_match (empty)
List of acceptable remote SMTP server certificate fingerprints for the "fingerprint" TLS security level (smtp_tls_security_level = fingerprint).
smtp_tls_fingerprint_digest (md5)
The message digest algorithm used to construct remote SMTP server certificate fingerprints.
Available in Postfix version 2.6 and later:
smtp_tls_protocols (!SSLv2)
List of TLS protocols that the Postfix SMTP client will exclude or include with opportunistic TLS encryption.
smtp_tls_ciphers (export)
The minimum TLS cipher grade that the Postfix SMTP client will use with opportunistic TLS encryption.
smtp_tls_eccert_file (empty)
File with the Postfix SMTP client ECDSA certificate in PEM format.
smtp_tls_eckey_file ($smtp_tls_eccert_file)
File with the Postfix SMTP client ECDSA private key in PEM format.
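The parameters above interact: a smtp_tls_policy_maps entry overrides the global smtp_tls_security_level for its destination, a mandatory level (encrypt, verify, secure, fingerprint) is governed by smtp_tls_mandatory_ciphers and smtp_tls_mandatory_protocols, the opportunistic "may" level by smtp_tls_ciphers and smtp_tls_protocols, and the cipher grade names resolve to the tls_*_cipherlist strings. The following script is an added illustration of that precedence and of how a smtp_tls_fingerprint_cert_match value is derived with smtp_tls_fingerprint_digest; it is not Postfix code. It assumes the policy table text layout (key, level, attr=value words) and the match=, ciphers= and protocols= attributes as described in TLS_README, assumes "|" as the separator between fingerprints in a match list, treats an empty smtp_tls_security_level as "none", and uses a constructed main.cf excerpt and policy table whose fingerprint entry is simply the MD5 of zero bytes.

```python
"""Resolve the effective Postfix SMTP client TLS settings for a next-hop
destination.  Added illustration, not Postfix source: it models the
precedence stated in the parameter descriptions and builds fingerprint
values of the form used by smtp_tls_fingerprint_cert_match."""
import hashlib

# OpenSSL cipherlist per grade, taken from the tls_*_cipherlist defaults.
CIPHERLISTS = {
    "high":   "ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH",
    "medium": "ALL:!EXPORT:!LOW:+RC4:@STRENGTH",
    "low":    "ALL:!EXPORT:+RC4:@STRENGTH",
    "export": "ALL:+RC4:@STRENGTH",
    "null":   "eNULL:!aNULL",
}

# Levels at which TLS is mandatory; "none" and "may" are not.
MANDATORY_LEVELS = {"encrypt", "verify", "secure", "fingerprint"}
KNOWN_LEVELS = MANDATORY_LEVELS | {"none", "may"}

# Constructed main.cf excerpt: the documented defaults, except that
# smtp_tls_security_level is set to "may" (opportunistic TLS).
MAIN_CF = {
    "smtp_tls_security_level": "may",
    "smtp_tls_ciphers": "export",
    "smtp_tls_protocols": "!SSLv2",
    "smtp_tls_mandatory_ciphers": "medium",
    "smtp_tls_mandatory_protocols": "SSLv3, TLSv1",
    "smtp_tls_fingerprint_digest": "md5",
}

# Constructed smtp_tls_policy_maps content: key, level, attr=value words
# (layout assumed from TLS_README).  The fingerprint is the MD5 of zero
# bytes, a test value only, not a real server certificate.
POLICY_TABLE = """\
# next-hop destination   level        attributes
example.com              secure       match=example.com:.example.com
partner.example          fingerprint  match=D4:1D:8C:D9:8F:00:B2:04:E9:80:09:98:EC:F8:42:7E
legacy.example           encrypt      ciphers=high protocols=TLSv1
"""


def parse_policy_table(text):
    """Return {destination: (level, {attr: value})} from policy table text."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        key, level = fields[0].lower(), fields[1].lower()
        attrs = dict(f.split("=", 1) for f in fields[2:] if "=" in f)
        table[key] = (level, attrs)
    return table


def cert_fingerprint(der, digest="md5"):
    """Digest a DER certificate and format it as colon-separated upper-case
    hex, the form used in smtp_tls_fingerprint_cert_match lists."""
    hexdigest = hashlib.new(digest, der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def resolve(nexthop, main_cf=MAIN_CF, policy_text=POLICY_TABLE):
    """Effective level, cipher grade, cipherlist and protocols for nexthop."""
    entry = parse_policy_table(policy_text).get(nexthop.lower())
    if entry:
        level, attrs = entry
    else:
        # An empty smtp_tls_security_level leaves the obsolete smtp_use_tls
        # family in charge; this model simply treats it as "none".
        level, attrs = main_cf["smtp_tls_security_level"] or "none", {}
    if level not in KNOWN_LEVELS:
        raise ValueError("unknown TLS security level: %s" % level)
    if level == "none":
        return {"level": "none", "mandatory": False}
    mandatory = level in MANDATORY_LEVELS
    prefix = "smtp_tls_mandatory_" if mandatory else "smtp_tls_"
    grade = attrs.get("ciphers", main_cf[prefix + "ciphers"]).lower()
    return {
        "level": level,
        "mandatory": mandatory,
        "cipher_grade": grade,
        "cipherlist": CIPHERLISTS[grade],
        "protocols": attrs.get("protocols", main_cf[prefix + "protocols"]),
        "match": attrs.get("match"),
    }


def fingerprint_accepted(der, nexthop, main_cf=MAIN_CF, policy_text=POLICY_TABLE):
    """True if the presented certificate's fingerprint is listed for nexthop.
    Fingerprint match lists are assumed to use "|" as separator, since ":"
    is part of every fingerprint."""
    policy = resolve(nexthop, main_cf, policy_text)
    if policy["level"] != "fingerprint" or not policy["match"]:
        return False
    fp = cert_fingerprint(der, main_cf["smtp_tls_fingerprint_digest"])
    return fp in policy["match"].upper().split("|")


if __name__ == "__main__":
    for dest in ("example.com", "partner.example", "legacy.example", "other.example"):
        print(dest, resolve(dest))
    print(fingerprint_accepted(b"", "partner.example"))
```

Running the script shows the practical consequence of the defaults: a destination without a policy entry falls back to "may" with the "export" grade, so only destinations listed in the policy table get the "medium" or better grade that the mandatory settings promise. Swap the digest in MAIN_CF for "sha1" and the stored fingerprint no longer matches, which is the failure to expect when smtp_tls_fingerprint_digest and the recorded fingerprints disagree.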
Available in Postfix version 2.7 and later:
smtp_tls_block_early_mail_reply (no)
Try to detect a mail hijacking attack based on a TLS protocol vulnerability (CVE-2009-3555), where an attacker prepends malicious HELO, MAIL, RCPT, DATA commands to a Postfix SMTP client TLS session.