Dear mailserver operators: PLEASE stop using SSLv3!

I look after a few email servers and after implementing much stricter encryption settings at the start of the year, I noticed some emails were never making it to accounts - being rejected at the negotiation stage (where the remote server sending the email agrees an encryption protocol and cipher with the local server).

I was puzzled by this. TLS is hardly new, yet these servers were only ever attempting to use SSLv3 and then failing to 'upgrade' to TLS - not even TLS1.0. Poor show.

This isn't unique either - I periodically run a script which reports the spread of protocols and ciphers of incoming email connections; here's a sample from one server for the last hour...

...The stats don't make for pretty reading:

Setting up a secure Postfix server in 2019 - what to consider?

Postfix is great, and widely used, but freshly installed it's like a newborn child. Nowadays there's a lot of work required to get it to an acceptable level to face the wild west of the Internet.

NB: This is a living document and will probably change over time as I revise my own methods for managing my servers.

Running an MTA to an 'acceptable' standard now requires lots of additional config and tuning, but it's satisfying once done. Be prepared to learn lots about DNS, TLS, certificate structure, mail filtering (miltering), regular expression and monitoring - crucial once your system is operational.

Once you've had your fill of the RFCs (, there's plenty other stuff to learn. is worth a read, and are you sure you know how to validate an email address?

For newcomers, important areas to cover are:

  • understanding quirks of different email clients, some of the odd scenarios with specific email services
  • familiarising oneself with the certificate process
  • how TLS is employed with email
  • Hands-on experience is crucial!
  • Doing dry runs with a dev system is invaluable - you must be able to make and break things without taking down customers' email 🙂

I administer shared Postfix servers for numerous clients. Some are newest releases of Postfix, and some, due to legacy requirements, are older. Nothing necessarily wrong with that, but some configuration options aren't always available.

If I was setting up a new Postfix server today, I'd go through these steps:

Continue reading "Setting up a secure Postfix server in 2019 - what to consider?"