Tran Nghi's Site  - Make notes and share experience


This post is also available in: English

config postfix/dovecot using tls/ssl – force encrypt

ProtocolUsagePlain text/encrypted sessionEncrypted session only
POP3Incoming mail110995
IMAPIncoming mail143993
SMTPOutgoing mail25465
SubmissionOutgoing mail587


Disable IMAP protocol and force IMAPS

Older versions of dovecot had an array in the file: /etc/dovecot/dovecot.conf

If you find an entry called protocols make sure to uncomment it and remove the imap from it and add imaps. I would recommend that you don’t use pop3 or pop3s anymore!
However, in newer versions there is just an include specified by the entry

!include_try /usr/share/dovecot/protocols.d/*.protocol

(If you want to disable pop3 and pop3s make sure to delete /usr/share/dovecot/protocols.d/pop3d.protocol ;))

Okay, we could just ignore some warnings and add an entry like Dovecot did it before and add our own protocols array. This will result in something like this

Jul 17 22:01:22 dustplanet dovecot: config: Warning: Obsolete setting in /etc/dovecot/dovecot.conf:104: ‘imaps’ protocol can no longer be specified (use protocols=imap). to disable non-ssl imap, use service imap-login { inet_listener imap { port=0 } }

Now we get a hint! Then below will show how I get it to work…

## Using below command, or edit in /etc/postfix/
postconf -e smtpd_tls_security_level=encrypt
postconf -e smtp_tls_security_level=encrypt

[email protected]:~# vi /etc/postfix/
## TLS settings
smtpd_use_tls = yes
smtpd_tls_auth_only = no
smtpd_tls_key_file = /etc/ssl/private/
smtpd_tls_cert_file = /etc/ssl/certs/
## Something else right here...

## Then, make sure that you have this
smtpd_tls_security_level =  encrypt

## And this
smtp_tls_security_level = encrypt

## And something like this
smtp_tls_session_cache_database = btree:$data_directory/smtpd_tls_session_cache 

[email protected]:~# vi /etc/postfix/
## Make sure that you have these un-commented. the first line has "y" for chroot
smtps     inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes

[email protected]:~# postfix reload
postfix: Postfix is running with backwards-compatible default settings
postfix: See for details
postfix: To disable backwards compatibility use "postconf compatibility_level=2" and "postfix reload"
postfix/postfix-script: refreshing the Postfix mail system

[email protected]:~# vi /etc/dovecot/dovecot.conf
## SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>
ssl = required
## PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
## dropping root privileges, so keep the key file unreadable by anyone but
## root. Included doc/ can be used to easily generate self-signed
## certificate, just make sure to update the domains in dovecot-openssl.cnf
ssl_cert = </etc/ssl/certs/
ssl_key = </etc/ssl/private/

[email protected]:~# vi /etc/dovecot/conf.d/10-master.conf
## Change the port of the inet_listener imap to 0
service imap-login {
  inet_listener imap {
    port = 0 # port = 143, was adjusted by Nghia Le
  inet_listener imaps {
    #port = 993
    #ssl = yes
## And this
service pop3-login {
  inet_listener pop3 {
    port = 0 #port = 110, was adjusted by Nghia Le
  inet_listener pop3s {
    #port = 995
    #ssl = yes

[email protected]:~# vi /etc/dovecot/conf.d/10-auth.conf
disable_plaintext_auth = yes # adjusted by Nghia Le


Amavis and TLS
You might use amavisd-new as a spam and virus filter.
Then it can occur that some of these messages show up in your mail.log and the mails are not send.

Jul 18 01:05:11 infotechviet amavis[18922]: (18922-01) discarding unprocessed reply: 221 2.0.0 Bye
Jul 18 01:05:11 infotechviet amavis[18922]: (18922-01) (!)mail_via_smtp: error during QUIT: errno=
Jul 18 01:05:11 infotechviet amavis[18922]: (18922-01) (!)FWD from <[email protected]> -> <[email protected]>,BODY=7BIT 451 4.5.0 From MTA(smtp:[]:10025) during fwd-rundown-1 (Negative SMTP response to RSET: 530 5.7.0 Must issue a STARTTLS command first at (eval 134) line 1037.): id=18922-01
Jul 18 01:05:12 infotechviet amavis[18922]: (18922-01) Blocked MTA-BLOCKED {RejectedOpenRelay}, []:51262 <[email protected]> -> <[email protected]>, Queue-ID: A9334788D9, Message-ID: <[email protected]>, mail_id: kMVr0ucODUYs, Hits: 0.108, size: 691, 2165 ms
Jul 18 01:03:17 dustplanet postfix/smtp[18739]: 3AA33788B0: to=<[email protected]>, relay=[]:10024, delay=0.29, delays=0.27/0.01/0.01/0, dsn=4.7.4, status=deferred (TLS is required, but was not offered by host[])</[email protected]></[email protected]></[email protected]></[email protected]></[email protected]>

If so, you need to disable TLS for amavis to make sure mails can be send.

In /etc/postfix/ add the following line to amavis service type

-o smtp_tls_security_level=none

and to the following

-o smtpd_tls_security_level=none

Other reference: