Postfix Gmail – Solve unencrypted mail which is not secure

To transform this (screenshot: Gmail flagging mail from your domain as unencrypted):

Into this (screenshot: the same mail shown as encrypted):

We need to configure our Postfix service with TLS.

1 Get your free Let's Encrypt certificate (certbot's standalone mode binds port 80 itself, so nothing else may be listening there while it runs):

certbot certonly --standalone -d mail.example.com

2 Configure Postfix with the following commands. A security level of 'may' gives opportunistic TLS on both the server (smtpd) and the client (smtp) side: the session is encrypted whenever the peer supports STARTTLS and falls back to plaintext otherwise, and the peer certificate is not verified (which is why the outbound connection in the log below reads 'Untrusted TLS'):

sudo postconf -e 'smtpd_tls_cert_file = /etc/letsencrypt/live//fullchain.pem'
sudo postconf -e 'smtpd_tls_key_file = /etc/letsencrypt/live//privkey.pem'
sudo postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination'
sudo postconf -e 'smtp_tls_security_level = may'
sudo postconf -e 'smtpd_tls_security_level = may'
sudo postconf -e 'smtp_tls_note_starttls_offer = yes'
sudo postconf -e 'smtpd_tls_loglevel = 1'
sudo postconf -e 'smtpd_tls_received_header = yes'

3 Edit /etc/postfix/master.cf and uncomment the following lines. Keep the -o lines indented, since master.cf treats leading whitespace as a continuation of the previous entry. They enable the submission service (port 587), which requires TLS and SASL authentication; setting up SASL itself is not covered here:

submission inet n - n - - smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_reject_unlisted_recipient=no
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject

Optional: create or update your mail redirection

1 Edit /etc/postfix/virtual and add your redirections as follows:

account@your.domain your_mail@gmail.com

Note: leaving out the mailbox part matches every mailbox in the target domain:

@your.domain your_mail@gmail.com

Any mail to any ‘account’ in your domain will be redirected to your_mail's inbox at Gmail.

2 Run the following command to compile /etc/postfix/virtual into a hash lookup table (it writes /etc/postfix/virtual.db) for Postfix; rerun it after every edit of the file:

postmap /etc/postfix/virtual

3 Configure Postfix account redirection with:

postconf -e 'virtual_alias_domains = your.domain'
postconf -e 'virtual_alias_maps = hash:/etc/postfix/virtual'

Ready to test it?

As always, after configuring the service, restart it!

service postfix restart

To see what's going on with your service while you're testing, follow the log (/var/log/maillog on Red Hat-style systems; Debian and Ubuntu use /var/log/mail.log instead):

tail -f /var/log/maillog

If you see something like this:

Jan 20 23:34:18 coddns postfix/smtpd[14690]: connect from mail-lj1-f172.google.com[209.85.208.172]
Jan 20 23:34:18 coddns postfix/smtpd[14690]: Anonymous TLS connection established from mail-lj1-f172.google.com[209.85.208.172]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Jan 20 23:34:18 coddns postfix/smtpd[14690]: 6BB0627A4E7: client=mail-lj1-f172.google.com[209.85.208.172]
Jan 20 23:34:18 coddns postfix/cleanup[14694]: 6BB0627A4E7: message-id=<XXXXXXXXXXXXXXXXXXXXXXXXX@mail.gmail.com>
Jan 20 23:34:18 coddns postfix/qmgr[4908]: 6BB0627A4E7: from=<XXXXXX@gmail.com>, size=5266, nrcpt=1 (queue active)
Jan 20 23:34:18 coddns postfix/smtpd[14690]: disconnect from mail-lj1-f172.google.com[209.85.208.172]
Jan 20 23:34:18 coddns postfix/smtp[14695]: Untrusted TLS connection established to gmail-smtp-in.l.google.com[74.125.206.26]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Jan 20 23:34:18 coddns postfix/smtp[14695]: 6BB0627A4E7: to=<YYYYYYYY@gmail.com>, orig_to=<XXXXX@your.domain>, relay=gmail-smtp-in.l.google.com[74.125.206.26]:25, delay=0.5, delays=0.1/0.01/0.19/0.2, dsn=2.0.0, status=sent (250 2.0.0 OK  1579559658 x17si33087706wrr.148 - gsmtp)
Jan 20 23:34:18 coddns postfix/qmgr[4908]: 6BB0627A4E7: removed

If you see status=sent, together with a 'TLS connection established' line for both the inbound connection from Google and the outbound relay to gmail-smtp-in, then you got it!
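Checking this by eye does not scale once real traffic flows, so here is an added example (not part of the original post) that correlates the smtpd and smtp log lines by process id and queue id, the way the excerpt above pairs them, and reports every message that travelled in cleartext on either leg. The sample log is constructed from the excerpt; legacy-mta.example.net and its queue id are made up.

```python
import re

# Constructed sample modelled on the maillog excerpt above; the made-up legacy-mta.example.net message (7C1A127A4F0) arrives and leaves without TLS.
SAMPLE_LOG = """\
Jan 20 23:34:18 coddns postfix/smtpd[14690]: connect from mail-lj1-f172.google.com[209.85.208.172]
Jan 20 23:34:18 coddns postfix/smtpd[14690]: Anonymous TLS connection established from mail-lj1-f172.google.com[209.85.208.172]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Jan 20 23:34:18 coddns postfix/smtpd[14690]: 6BB0627A4E7: client=mail-lj1-f172.google.com[209.85.208.172]
Jan 20 23:34:18 coddns postfix/smtp[14695]: Untrusted TLS connection established to gmail-smtp-in.l.google.com[74.125.206.26]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Jan 20 23:34:18 coddns postfix/smtp[14695]: 6BB0627A4E7: to=<y@gmail.com>, orig_to=<x@your.domain>, relay=gmail-smtp-in.l.google.com[74.125.206.26]:25, delay=0.5, dsn=2.0.0, status=sent (250 2.0.0 OK)
Jan 20 23:35:02 coddns postfix/smtpd[14701]: connect from legacy-mta.example.net[198.51.100.7]
Jan 20 23:35:02 coddns postfix/smtpd[14701]: 7C1A127A4F0: client=legacy-mta.example.net[198.51.100.7]
Jan 20 23:35:03 coddns postfix/smtp[14702]: 7C1A127A4F0: to=<y@gmail.com>, relay=gmail-smtp-in.l.google.com[74.125.206.26]:25, delay=0.4, dsn=2.0.0, status=sent (250 2.0.0 OK)
"""
PROC_RE = re.compile(r"postfix/(\w+)\[(\d+)\]: (.*)$")
QID_RE = re.compile(r"^([0-9A-F]{6,}): ")  # classic short-form queue ids only

def audit_tls(log_text):
    """Map each queue id delivered with status=sent to the TLS state of its inbound (smtpd) and outbound (smtp) leg."""
    smtpd_tls, smtp_tls_host, inbound, results = {}, {}, {}, {}
    for line in log_text.splitlines():
        m = PROC_RE.search(line)
        if not m:
            continue
        proc, pid, msg = m.groups()
        if proc == "smtpd":
            if msg.startswith("connect from "):
                smtpd_tls[pid] = False  # new session: plaintext until STARTTLS is logged
            elif "TLS connection established from" in msg:
                smtpd_tls[pid] = True
            elif (q := QID_RE.match(msg)) and "client=" in msg:
                inbound[q.group(1)] = smtpd_tls.get(pid, False)  # bind the flag to the queue id
        elif proc == "smtp":
            t = re.search(r"TLS connection established to (\S+?): ", msg)
            if t:  # remember the relay this smtp(8) process last opened TLS to
                smtp_tls_host[pid] = t.group(1)
                continue
            q, r = QID_RE.match(msg), re.search(r"relay=(\S+?),", msg)
            if q and r and "status=sent" in msg:
                results[q.group(1)] = {
                    "inbound_tls": inbound.get(q.group(1), False),
                    "outbound_tls": smtp_tls_host.get(pid) == r.group(1),
                    "relay": r.group(1),
                }
    return results

def plaintext_legs(results):
    """Queue ids that travelled in cleartext on at least one leg."""
    return sorted(q for q, i in results.items() if not (i["inbound_tls"] and i["outbound_tls"]))

if __name__ == "__main__":
    print(plaintext_legs(audit_tls(SAMPLE_LOG)))
```

Point it at a real maillog by replacing SAMPLE_LOG with the file contents; it expects smtpd_tls_loglevel and smtp_tls_loglevel of at least 1, as set above, so that the TLS lines are logged.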