Enabling TLS-only SMTP on port 465 with Postfix

This was annoying to find by Googling, so I hope this article helps others find the information more easily.

In the end it's very easy: just add (or uncomment)

-o smtpd_tls_wrappermode=yes

in /etc/postfix/master.cf under smtps inet .... This runs the Postfix SMTP server in the "non-standard" "wrapper" mode, which requires the client to establish a TLS connection immediately, instead of relying on the STARTTLS command and being potentially vulnerable to MITM.
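To confirm the override landed on the active smtps entry rather than on a commented-out copy, the master.cf text can be checked as below. This is an added example, not part of the original article: the sample file is constructed, the function names are hypothetical, and it assumes the service is listed as smtps or 465 and that options use the plain -o name=value form.

```python
SAMPLE_MASTER_CF = """\
# constructed sample, not a real server's configuration
smtp      inet  n       -       y       -       -       smtpd
#smtps    inet  n       -       y       -       -       smtpd
#  -o smtpd_tls_wrappermode=yes
smtps     inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/smtps
# a comment between continuation lines is skipped
  -o smtpd_tls_wrappermode=yes
"""

def logical_lines(text):
    """Join master.cf continuation lines (leading whitespace), drop comments."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return out

def service_overrides(text, names=("smtps", "465")):
    """Return {service: {param: value}} for inet services on the given names."""
    found = {}
    for line in logical_lines(text):
        fields = line.split()
        if len(fields) < 8 or fields[1] != "inet":
            continue
        port = fields[0].rsplit(":", 1)[-1]   # allow the "host:port" form
        if port not in names:
            continue
        opts, args = {}, fields[8:]
        for i, arg in enumerate(args):
            if arg == "-o" and i + 1 < len(args) and "=" in args[i + 1]:
                key, value = args[i + 1].split("=", 1)
                opts[key] = value
        found[fields[0]] = opts
    return found

def wrappermode_enabled(text):
    """True only if an smtps/465 service exists and each one sets wrapper mode."""
    services = service_overrides(text)
    return bool(services) and all(
        o.get("smtpd_tls_wrappermode") == "yes" for o in services.values())

if __name__ == "__main__":
    print(service_overrides(SAMPLE_MASTER_CF), wrappermode_enabled(SAMPLE_MASTER_CF))
```

The check only reads per-service overrides in master.cf; it does not look at main.cf.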

It is, however, recommended to keep using port 25 as well and allow STARTTLS there. This use of port 465 (smtps) seems to actually be standardized in a way, but it can confuse older machines; I had some ancient online test break.

NB! This feature is available in Postfix 2.2 and later; if you have an older Postfix version, you should really update.