I've been working on securing my postfix configuration to enforce
certificate validation and encryption on some known, higher-volume, or
more sensitive connections between servers (port 25).
On many of the connections I've set up for secure transport there have
been no problems (assuming proper TLS certificates are used).
Unfortunately Gmail™ has been a problem. Sometimes it verifies and
validates the certificate and other times it doesn't... for days.
After conferring with Google Security I believe I've come up with a
solution. In my tls_policy
I've added the following:
gmail.com secure match=.google.com:google.com ciphers=high
So far this is working [STRIKEOUT: but I'll continue to test].
If you run your own SMTP server and wish to maintain a secure connection
with Gmail, this is an easy way to enforce encryption as well as validate
the certificate. Of course this doesn't protect the message while it's
being stored on the server or workstation (or on Google's internal
To protect messages at rest (on a server) one should use
S/MIME. TLS between servers protects the message on the network, and
GPG or S/MIME protects the message itself, so using both gives
end-to-end protection for mail crossing the Internet.
[STRIKEOUT:This configuration is applicable with the OpenSSL version shipped with CentOS 6/RHEL 6. Implementing this on CentOS 7/RHEL7 or another flavor of Linux may require a different/better configuration.]
The policy has been updated for CentOS 7/RHEL 7, which supports TLSv1.2 on Postfix. Other services can also be set up similarly:
google.com secure ciphers=high protocols=TLSv1.2
comcast.net secure ciphers=high protocols=TLSv1.2
verizon.net secure ciphers=high protocols=TLSv1.2
hotmail.com secure ciphers=high protocols=TLSv1.2
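The policy lines above only take effect if main.cf points `smtp_tls_policy_maps` at the table and, for the `secure` level, supplies a CA bundle Postfix can verify the peer certificate against; a `secure` entry that cannot be verified defers the mail rather than falling back to plain delivery. The following linter is an added example written for this post, not code from the post or from Postfix: it parses a tls_policy table and a main.cf fragment and reports entries that do not verify the peer, `secure` entries missing `protocols=` or `ciphers=high`, and a missing CA setting. The sample table (the post's entries plus two deliberately weak ones) and the CA file path are constructed for the example.

```python
"""Lint a Postfix smtp_tls_policy_maps table together with the main.cf
settings it depends on. Added example; sample data is constructed."""

# Constructed sample policy: the entries from the post, plus two weaker
# entries (example.org / example.net) that a review should flag.
SAMPLE_POLICY = """\
# domain        level    attributes
gmail.com       secure   match=.google.com:google.com ciphers=high
google.com      secure   ciphers=high protocols=TLSv1.2
comcast.net     secure   ciphers=high protocols=TLSv1.2
verizon.net     secure   ciphers=high protocols=TLSv1.2
hotmail.com     secure   ciphers=high protocols=TLSv1.2
example.org     encrypt  ciphers=medium
example.net     may
"""

# Constructed main.cf fragment; the CA bundle path is an assumption.
SAMPLE_MAIN_CF = """\
smtp_tls_security_level = may
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
"""

# Security levels Postfix accepts in a policy table.
LEVELS = ("none", "may", "encrypt", "dane", "dane-only",
          "fingerprint", "verify", "secure")


def parse_policy(text):
    """Return [(domain, level, {attr: value}), ...] for each table entry.
    Blank lines and lines starting with '#' are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        domain = fields[0]
        level = fields[1] if len(fields) > 1 else ""
        attrs = {}
        for token in fields[2:]:
            key, _, value = token.partition("=")
            attrs[key] = value
        entries.append((domain, level, attrs))
    return entries


def parse_main_cf(text):
    """Minimal main.cf reader: 'name = value' lines into a dict."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, _, value = line.partition("=")
        settings[name.strip()] = value.strip()
    return settings


def lint(policy_text, main_cf_text):
    """Return a list of human-readable findings; empty means no issues."""
    findings = []
    settings = parse_main_cf(main_cf_text)
    if "smtp_tls_policy_maps" not in settings:
        findings.append("main.cf: smtp_tls_policy_maps is not set, "
                        "so the policy table is never consulted")
    needs_ca = False
    for domain, level, attrs in parse_policy(policy_text):
        if level not in LEVELS:
            findings.append(f"{domain}: unknown level '{level}'")
            continue
        if level in ("verify", "secure"):
            # Certificate verification needs a trust store in main.cf.
            needs_ca = True
            if "protocols" not in attrs:
                findings.append(f"{domain}: no protocols= attribute, "
                                "older TLS versions remain allowed")
            if attrs.get("ciphers") != "high":
                got = attrs.get("ciphers", "(default)")
                findings.append(f"{domain}: ciphers={got}, expected high")
        elif level in ("none", "may", "encrypt"):
            # These levels never check who is on the other end.
            findings.append(f"{domain}: level '{level}' does not verify "
                            "the peer certificate")
    if needs_ca and not (settings.get("smtp_tls_CAfile")
                         or settings.get("smtp_tls_CApath")):
        findings.append("main.cf: 'secure'/'verify' entries need "
                        "smtp_tls_CAfile or smtp_tls_CApath, otherwise "
                        "delivery to those domains is deferred")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_POLICY, SAMPLE_MAIN_CF):
        print(finding)
```

Run against the sample it reports three findings: the original `gmail.com` entry has no `protocols=` attribute, and the two constructed `encrypt`/`may` entries do not verify the peer. Remember to rebuild the table with `postmap /etc/postfix/tls_policy` after editing it, since a `hash:` map is read from the compiled `.db` file, not the text file.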