1

I would like to use my Thunderbird client to send mails through my Postfix server running on port 25 (SMTP).

I would like an authenticated and encrypted connection.

I followed these documentations:

It's easy to configure:

$ sudo apt install libsasl2-modules sasl2-bin
$ sudo saslpasswd2 -c -u example.com yugiohjcj
$ sudo sasldblistusers2

$ sudo vim /etc/postfix/sasl/smtpd.conf
pwcheck_method: auxprop
auxprop_plugin: sasldb
mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5

$ sudo vim /etc/postfix/main.cf
# SASL
cyrus_sasl_config_path = /etc/postfix/sasl
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous

$ sudo bash /etc/init.d/postfix restart

Here is how I configure Thunderbird:

  • Edit > Account Settings > Outgoing Server (SMTP)
  • Server Name: example.com
  • Port: 25
  • Connection Security: STARTTLS
  • Authentication Method: Normal password
  • User Name: [email protected]

When the mail is sent from Thunderbird, I can read this in the Postfix logs:

postfix/smtpd[103272]: connect from 1.2.3.4.subs.proxad.net[1.2.3.4]
postfix/smtpd[103272]: 39AB821458: client=1.2.3.4.subs.proxad.net[1.2.3.4], sasl_method=PLAIN, [email protected]
postfix/cleanup[103276]: 39AB821458: message-id=<[email protected]>
opendkim[72092]: 39AB821458: DKIM-Signature field added (s=2023, d=example.com)
postfix/qmgr[102890]: 39AB821458: from=<[email protected]>, size=690, nrcpt=1 (queue active)
postfix/smtpd[103272]: disconnect from 1.2.3.4.subs.proxad.net[1.2.3.4] ehlo=2 starttls=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=8
postfix/smtp[103277]: 39AB821458: to=<[email protected]>, relay=gmail-smtp-in.l.google.com[64.233.184.26]:25, delay=0.7, delays=0.08/0.01/0.31/0.3, dsn=2.0.0, status=sent (250 2.0.0 OK  1678874625 bh21-20020a05600c3d1500b003da0d302eb6si1264054wmb.27 - gsmtp)
postfix/qmgr[102890]: 39AB821458: removed

So, the mail is received on my Postfix server then forwarded to my @gmail.com address as expected (I am using a ~/.forward file for this).

However, I see nothing about encryption.

Is my connection to my Postfix server encrypted?

If not, how can I fix that please?

Thank you.

Best regards.

YuGiOhJCJ

2 Answers

3
postfix/smtpd[103272]: connect from 1.2.3.4.subs.proxad.net[1.2.3.4]
postfix/smtpd[103272]: 39AB821458: client=1.2.3.4.subs.proxad.net[1.2.3.4], sasl_method=PLAIN, [email protected]
[...]
postfix/smtpd[103272]: disconnect from 1.2.3.4.subs.proxad.net[1.2.3.4] ehlo=2 starttls=1 [...]

Here, starttls=1 confirms that TLS was in effect on the connection.

You might want to add the following settings to your Postfix main.cf configuration:

smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous

This restricts authentication methods that pass unhashed passwords (LOGIN and PLAIN) to TLS-encrypted connections only; on unencrypted connections, only CRAM-MD5 and DIGEST-MD5 which transmit passwords in hashed forms will be acceptable.

Alternatively, you could set

smtpd_tls_auth_only = yes

which allows authentication only if TLS encryption is established first.

Reference: Postfix SASL Howto, SASL security options.

telcoM
1
Connection Security: STARTTLS

You're fine. This says that Thunderbird must encrypt the communication with your server.

This line confirms that; see the starttls=1:

postfix/smtpd[103272]: disconnect from 1.2.3.4.subs.proxad.net[1.2.3.4] ehlo=2 starttls=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=8

However, whether or not your connection to the Google inbound SMTP server is encrypted isn't stated in your log file.

Marcus Müller
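Both answers read the starttls=1 counter on the smtpd disconnect line; the following added example (not part of the original question or answers) applies that check across a whole log and reports sessions where AUTH was attempted without a successful STARTTLS. The sample log lines, hosts and function names are constructed for illustration, and the check assumes a STARTTLS service such as port 25 as in the question.

```python
import re

# Constructed sample lines in the format shown in the question's log
# (hosts and addresses are documentation placeholders, not real data).
SAMPLE_LOG = """\
postfix/smtpd[103272]: disconnect from host.example.net[192.0.2.10] ehlo=2 starttls=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=8
postfix/smtpd[103300]: disconnect from host2.example.net[192.0.2.20] ehlo=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=6
postfix/smtpd[103311]: disconnect from unknown[192.0.2.30] ehlo=1 auth=0/1 quit=1 commands=2/3
postfix/smtpd[103320]: disconnect from mx.example.org[192.0.2.40] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
"""

DISCONNECT = re.compile(r"postfix/smtpd\[(\d+)\]: disconnect from (\S+) (.*)$")
# Postfix logs "name=N", or "name=ok/total" when some commands failed.
COUNTER = re.compile(r"(\w+)=(\d+)(?:/(\d+))?")


def parse_disconnect(line):
    """Return (pid, client, counters) or None; counters map name -> (ok, total)."""
    m = DISCONNECT.search(line)
    if not m:
        return None
    counters = {}
    for name, ok, total in COUNTER.findall(m.group(3)):
        counters[name] = (int(ok), int(total) if total else int(ok))
    return int(m.group(1)), m.group(2), counters


def cleartext_auth_sessions(log_text):
    """List sessions where AUTH was attempted but STARTTLS never succeeded.

    Implicit-TLS (wrappermode) services log no starttls counter, so their
    logs should be excluded before running this check.
    """
    findings = []
    for line in log_text.splitlines():
        parsed = parse_disconnect(line)
        if parsed is None:
            continue
        pid, client, c = parsed
        auth_attempts = c.get("auth", (0, 0))[1]
        tls_ok = c.get("starttls", (0, 0))[0]
        if auth_attempts > 0 and tls_ok == 0:
            findings.append((pid, client, c["auth"]))
    return findings


if __name__ == "__main__":
    for pid, client, (ok, total) in cleartext_auth_sessions(SAMPLE_LOG):
        print(f"smtpd[{pid}] {client}: AUTH without STARTTLS ({ok}/{total} succeeded)")
```

With smtpd_tls_auth_only = yes in place, as suggested in the first answer, this check should return no findings for new sessions.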