Postfix/TLS - Introduction

Postfix/TLS is an extension of the Postfix [POSTFIX] MTA software to support the TLS protocol.

A note about the start of the project

When I started writing this software, I had a sophisticated way to allow relaying for roaming users in mind. In the meantime, this project is living on its own.

RFC2246: The TLS (formerly SSL) protocol

By default, all communication on the Internet is done without encryption and without strong authentication. That means that everybody with physical access to the communication line along which a network packet travels can eavesdrop on your communication. Even worse, it may be possible to redirect or alter your communication, so that information you want to send to a party can be lost or changed without your noticing.

In order to solve these security problems, the SSL protocol (Secure Sockets Layer) was introduced by Netscape, and it has since evolved into the standardized TLS protocol (Transport Layer Security), RFC2246. It offers encryption of the communication (stopping eavesdropping), integrity protection (so that the communication cannot be altered unnoticed) and authentication of the communicating parties by means of X.509 certificates (making sure they are correctly identified). Note that the server is normally the party that gets authenticated; the client is only authenticated if the server asks for a client certificate, and a peer is only really identified if the certificate presented is actually verified against a trusted CA, not merely received.

Postfix/TLS does not implement the TLS protocol itself; it uses the OpenSSL package [OPENSSL] for this task. At the OpenSSL WWW site you will also find links to in-depth documentation of the protocol and its features, so it is not necessary to include them here. (And, of course, there is no point in rewriting what other people have already written down; it only introduces additional errors.)

RFC2487: Introducing TLS to SMTP

The integration of the TLS protocol into Internet mail, SMTP (Simple Mail Transfer Protocol), is described in RFC2487.

Unlike the first incarnations of SSL as a wrapper around normal network communications [STUNNEL] [JONAMA], the TLS protocol is now completely integrated into ESMTP: during the startup negotiation (EHLO) the server offers TLS support by advertising the STARTTLS extension. The client then sends the STARTTLS command; once the server has answered with a 220 reply, both sides perform the TLS handshake, which is where certificates are presented and verified and the session keys are agreed upon, and all further SMTP traffic is encrypted. RFC2487 requires the client to send EHLO again after the handshake and to discard everything it learned from the server before it (the list of extensions in particular), since that part of the dialogue went over the wire in the clear. The STARTTLS offer itself also travels in the clear, so whether a session may continue without TLS when the server does not offer it or refuses it is a matter of local policy on the client side.
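The STARTTLS dialogue described above, as an added example that is not part of Postfix/TLS or of this document: the remote MTA is a constructed stand-in that returns canned replies, the TLS handshake is represented by a callback (Postfix/TLS hands the real handshake to OpenSSL), and the host names, the extension lists and the "require TLS" policy switch are assumptions made for the illustration. It shows the parsing of the EHLO reply, the second EHLO after the handshake, and what the client does when TLS is required but not offered.

```python
# Added example (not Postfix/TLS code): a scripted RFC2487 STARTTLS dialogue.
# The remote MTA is a constructed stand-in with canned replies; the TLS
# handshake is a callback, since in Postfix/TLS that part is done by OpenSSL.
from typing import Callable, Dict, List


def parse_ehlo_response(lines: List[str]) -> Dict[str, List[str]]:
    """Turn the multi-line 250 reply to EHLO into {KEYWORD: parameters}.

    Line 1 carries the server's domain and greeting; every further line
    advertises one extension, e.g. 'STARTTLS' or 'AUTH PLAIN LOGIN'.
    Continuation lines use '250-', the final line '250 '.
    """
    if not lines or not all(l.startswith("250") for l in lines):
        raise RuntimeError("EHLO rejected: %r" % (lines,))
    if any(l[3:4] != "-" for l in lines[:-1]) or lines[-1][3:4] != " ":
        raise RuntimeError("malformed multi-line reply: %r" % (lines,))
    ext: Dict[str, List[str]] = {}
    for line in lines[1:]:
        words = line[4:].split()
        if words:
            ext[words[0].upper()] = words[1:]
    return ext


class ScriptedServer:
    """Constructed stand-in for the remote MTA (canned replies, no sockets)."""

    def __init__(self, offers_starttls: bool) -> None:
        self.offers_starttls = offers_starttls
        self.tls_active = False
        self.log: List[str] = []            # the dialogue, both directions

    def greeting(self) -> List[str]:
        return self._reply(["220 mail.example.org ESMTP"])

    def command(self, cmd: str) -> List[str]:
        self.log.append("C: " + cmd)
        verb = cmd.split()[0].upper()
        if verb == "EHLO":
            lines = ["250-mail.example.org"]
            if self.tls_active:             # AUTH only once the link is encrypted
                lines += ["250-AUTH PLAIN", "250-PIPELINING"]
            elif self.offers_starttls:
                lines += ["250-STARTTLS"]
            return self._reply(lines + ["250 8BITMIME"])
        if verb == "STARTTLS":
            if self.tls_active:
                return self._reply(["503 TLS already active"])
            if not self.offers_starttls:
                return self._reply(["454 TLS not available due to temporary reason"])
            return self._reply(["220 Ready to start TLS"])
        if verb == "QUIT":
            return self._reply(["221 Bye"])
        return self._reply(["502 Command not implemented"])

    def accept_handshake(self) -> None:
        """Stands in for the server side of the TLS handshake."""
        self.tls_active = True

    def _reply(self, lines: List[str]) -> List[str]:
        self.log.extend("S: " + l for l in lines)
        return lines


def negotiate(server: ScriptedServer, client_name: str, require_tls: bool,
              handshake: Callable[[], None]) -> Dict[str, List[str]]:
    """Client side of RFC2487: EHLO, STARTTLS, handshake, EHLO again.

    Returns the extensions the client may rely on for the rest of the
    session. With require_tls the session is abandoned when the server
    does not offer or refuses STARTTLS; the offer travels in the clear,
    so only the client's own policy can guarantee that TLS is used.
    """
    if not server.greeting()[0].startswith("220"):
        raise RuntimeError("server refused the connection")
    plain_ext = parse_ehlo_response(server.command("EHLO " + client_name))
    offered = "STARTTLS" in plain_ext
    reply = server.command("STARTTLS") if offered else None
    if not offered or not reply[0].startswith("220"):
        if require_tls:
            server.command("QUIT")
            raise RuntimeError("policy requires TLS but the server %s STARTTLS"
                               % ("refused" if offered else "did not offer"))
        return plain_ext                    # continue in the clear (local policy)
    handshake()                             # certificates and keys are handled here
    # RFC2487 5.2: forget everything learned before TLS and start over with EHLO.
    return parse_ehlo_response(server.command("EHLO " + client_name))


def run_scenarios():
    """Three outcomes: TLS negotiated; TLS required but absent; cleartext fallback."""
    s1 = ScriptedServer(offers_starttls=True)
    tls_ext = negotiate(s1, "client.example.net", True, s1.accept_handshake)
    s2 = ScriptedServer(offers_starttls=False)
    try:
        negotiate(s2, "client.example.net", True, s2.accept_handshake)
        refused = None
    except RuntimeError as err:
        refused = str(err)
    s3 = ScriptedServer(offers_starttls=False)
    plain_ext = negotiate(s3, "client.example.net", False, s3.accept_handshake)
    return tls_ext, s1.log, refused, plain_ext


if __name__ == "__main__":
    tls_ext, log, refused, plain_ext = run_scenarios()
    print("\n".join(log))
    print("after TLS:", sorted(tls_ext), "| refused:", refused, "| plain:", sorted(plain_ext))
```

Running the script prints the full dialogue of the first scenario; note that the AUTH extension only appears in the second EHLO reply, which is exactly why the pre-TLS extension list must be thrown away rather than merged.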

Postfix/TLS: what can it do for you

The list of features presented here should be understood as a list of ideas. Not all of them have been implemented yet; please see the notes on each feature.

Postfix/TLS: what it cannot do for you

There is one thing that I explicitly want to point out:

Other OpenSource packages

Frederik Vermeulen has implemented an RFC2487 extension [QMAILTLS] for the Qmail [QMAIL] MTA.

Matti Aarnio is working on the server side of RFC2487 for ZMailer [