
What’s the difference between opportunistic and enforced TLS?

Opportunistic TLS and enforced TLS represent different approaches to securing email transmission.

  • Opportunistic TLS (the default for most email):
      • The sending server attempts TLS encryption when connecting to another server
      • If the receiving server supports TLS, the connection is encrypted
      • If TLS fails or isn't supported, delivery continues unencrypted
      • Maximizes deliverability; accepts the security tradeoff
      • Configuration: smtp_tls_security_level = may (Postfix)
  • Enforced TLS:
      • Requires TLS for the connection
      • If TLS isn't available or fails, delivery fails
      • Guarantees encryption but may prevent legitimate delivery
      • Used for specific high-security routes
      • Configuration: smtp_tls_security_level = encrypt (Postfix)

When to use which:

Opportunistic: General email delivery. Most servers support TLS now, so most mail encrypts, but delivery isn't blocked to the minority that don't.

Enforced: When you absolutely require encryption and would rather fail than send unencrypted. Specific partner connections, regulated communications, or internal routes.

Email between major providers (Gmail, Microsoft, Yahoo) uses TLS. The challenge is smaller servers that may not support it. Opportunistic TLS handles this gracefully.
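The usual way to combine the two in Postfix is to keep the opportunistic `may` default globally and enforce TLS only on the specific routes that need it, via a per-destination policy table. The excerpt below is an added example, not configuration from the original page; the domain names and the CA bundle path are placeholders to adjust for your own environment.

```ini
# /etc/postfix/main.cf (excerpt) -- added example, not from the original page.
# Global default: opportunistic TLS. Mail still flows to servers that lack TLS.
smtp_tls_security_level = may

# Per-destination overrides: an entry in this table wins over the global level.
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy

# CA bundle required by the "secure"/"verify" levels (path is a common Linux
# default; placeholder, adjust for your system).
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

# Log one summary line per delivery (TLS established or not, protocol, cipher)
# so that plaintext fallback on opportunistic routes is visible in the mail log.
smtp_tls_loglevel = 1

# /etc/postfix/tls_policy -- keys are next-hop destinations (placeholder names).
# After editing run: postmap /etc/postfix/tls_policy && postfix reload
#
# Enforced TLS: the handshake must succeed, the certificate is not checked.
# If TLS is unavailable, mail to this domain is deferred and retried rather
# than sent in the clear, and bounces once the queue lifetime expires.
partner.example          encrypt
#
# Enforced TLS plus certificate verification against the CA bundle; the server
# certificate must match the hostname given in match=. Fails closed on an
# untrusted or mismatched certificate, which is what "regulated" routes want.
regulated.example        secure match=mx.regulated.example
```

Check the effect with `postconf -n | grep smtp_tls` and by watching `/var/log/mail.log` (or your journal) for the `Untrusted TLS connection established` / `Verified TLS connection established` lines, and for deferred messages on the enforced routes.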
