How do I configure TLS encryption for sending?

TLS encryption protects email content during transmission between servers. Configuring it properly ensures secure delivery without breaking compatibility.

In Postfix, enable outbound TLS by setting one of the following levels:

# Opportunistic: encrypt if possible
smtp_tls_security_level = may

# Mandatory: require TLS or fail
smtp_tls_security_level = encrypt

For inbound TLS (receiving mail):

smtpd_tls_cert_file = /path/to/cert.pem

smtpd_tls_key_file = /path/to/key.pem

smtpd_tls_security_level = may

Set minimum protocol versions to disable outdated, insecure protocols:

smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1

Opportunistic TLS (security_level = may) is the standard for email. It attempts encryption but falls back to plaintext if the recipient server doesn't support TLS. This maximizes deliverability while encrypting when possible.

Mandatory TLS should only be used for specific destinations where you've confirmed TLS support, as it will reject delivery to servers without TLS.
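
One way to combine the two levels, as an added example rather than configuration from the original page: opportunistic TLS stays the default, and mandatory TLS is applied per destination through smtp_tls_policy_maps. The table path, the hash: table type and the example.com / partner.example destinations are assumptions.

```conf
# ---- /etc/postfix/main.cf (outbound side) ----

# Default for every destination: opportunistic TLS.
smtp_tls_security_level = may

# Protocol floor for opportunistic sessions (level "may").
smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1

# Protocol floor for mandatory sessions (level "encrypt" or stronger).
# This parameter has no effect on destinations handled at level "may".
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1

# Per-destination overrides of smtp_tls_security_level.
# Path and table type are assumptions; use whichever type your build supports.
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy

# Log a summary line for each outbound TLS handshake, so TLS support
# for a destination can be confirmed before it is added to the table.
smtp_tls_loglevel = 1


# ---- /etc/postfix/tls_policy (constructed sample entries) ----
# Left column: next-hop destination. Right column: level for it.
# "encrypt" requires an encrypted session but does not verify the
# server certificate.
example.com        encrypt
.example.com       encrypt
partner.example    encrypt

# After editing this file:
#   postmap /etc/postfix/tls_policy
#   postfix reload
```

Mail to destinations listed in the table is deferred when TLS cannot be negotiated; all other destinations keep the opportunistic fallback.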