
How do I configure TLS encryption for sending?

TLS encryption protects email content during transmission between servers. Configuring it properly ensures secure delivery without breaking compatibility.

In Postfix, enable outbound TLS by setting smtp_tls_security_level to one of the following:

  • smtp_tls_security_level = may (opportunistic: encrypt if possible)
  • smtp_tls_security_level = encrypt (mandatory: require TLS or fail)

For inbound TLS (receiving mail):

  • smtpd_tls_cert_file = /path/to/cert.pem
  • smtpd_tls_key_file = /path/to/key.pem
  • smtpd_tls_security_level = may

Set minimum protocol versions to disable outdated, insecure protocols. The parameter below applies to connections where TLS is mandatory:

smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1

Opportunistic TLS (security_level = may) is the standard for email. It attempts encryption but falls back to plaintext if the recipient server doesn't support TLS. This maximizes deliverability while encrypting when possible.

Mandatory TLS should only be used for specific destinations where you've confirmed TLS support, as it will reject delivery to servers without TLS.
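The following configuration is an added example, not part of the original guide. It shows one way to combine the two modes described above: opportunistic TLS as the default, with mandatory TLS only for named destinations. The domain names, the table path /etc/postfix/tls_policy and the choice of a hash table are assumptions; smtp_tls_protocols requires Postfix 2.6 or later.

```ini
# --- /etc/postfix/main.cf (outbound SMTP client settings) ---

# Default for every destination: opportunistic TLS.
smtp_tls_security_level = may

# Protocol floor for destinations where TLS is mandatory
# (security level "encrypt" or stronger).
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1

# Protocol floor for opportunistic connections. The mandatory list above
# is not consulted when the level is "may", so set both.
smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1

# Per-destination overrides of the default security level.
# Path and table type are assumptions for this example.
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy

# Log a summary line for each completed TLS handshake.
smtp_tls_loglevel = 1

# --- /etc/postfix/tls_policy (constructed sample entries) ---
# After editing, rebuild the lookup file and reload Postfix:
#   postmap /etc/postfix/tls_policy
#   postfix reload

# The key is the next-hop destination. For mail routed by MX lookup,
# that is the recipient domain.
partner.example               encrypt

# Bracketed host:port form, matched when a transport map or relayhost
# names the next hop exactly this way.
[mail.partner.example]:587    encrypt
```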
