SSL/TLS

ℹ️ To use SMTPS, you will need a valid TLS certificate and a private key for your server.

vSMTP supports X.509 certificates and RSA/PKCS8/EC private keys stored in `.pem` files.

TLS can be negotiated either immediately after the connection is established (implicit TLS on the submissions address) or through the STARTTLS mechanism.

fn on_config(config) {
  // Add root TLS settings.
  config.server.tls = #{
    preempt_cipherlist: false,
    handshake_timeout: "1000ms",
    protocol_version: ["TLSv1.2", "TLSv1.3"],
  };

  config
}

Adding TLS configuration to `/etc/vsmtp/conf.d/config.vsl`

Policy

Rules can then be added to reject insecure (unencrypted) transactions.

#{
  mail: [
    rule "deny unencrypted" || {
      // The policy can be customised, for example to allow-list specific IP addresses.
      if ctx::is_secured() {
        state::next()
      } else {
        state::deny(code(451, "5.7.3", "Must issue a STARTTLS command first\r\n"))
      }
    }
  ]
}

Adding rules to check if the transaction is secured in `/etc/vsmtp/filter.vsl`

See the `ctx::is_secured` reference for more details.

Certificate / SNI

You can host multiple domains on the same server. The server selects the certificate to present based on the SNI extension sent by the client.

By default, SNI is required, meaning both of these commands will produce an error.

openssl s_client -starttls smtp -crlf -connect 192.168.1.254:25
openssl s_client -crlf -connect 192.168.1.254:465

To support TLS for a virtual server, add the following lines to its configuration.

fn on_domain_config(config) {
  config.tls = #{
    certificate: "/etc/vsmtp/certs/fullchain.pem",
    private_key: "/etc/vsmtp/certs/privkey.pem",
  };

  config
}

`/etc/vsmtp/domain-available/example.com/config.vsl`

You can then test the connection with the following command:

openssl s_client -starttls smtp -crlf -connect 192.168.1.254:25 -servername example.com
openssl s_client -crlf -connect 192.168.1.254:465 -servername example.com
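The `openssl s_client` commands above only exercise the handshake. The following added example (not part of the vSMTP documentation) scripts a check of both the policy from the Policy section and the SNI-based certificate selection: it confirms that a MAIL FROM sent in plaintext receives the 451 deny reply, then upgrades with STARTTLS using an explicit SNI name and confirms the same transaction is accepted. Host, port and SNI name are taken from the command line; the HELO name and sender address are constructed placeholders.

```python
import smtplib
import ssl
import sys

DENY_CODE = 451  # reply code used by the "deny unencrypted" rule above
MIN_TLS = ssl.TLSVersion.TLSv1_2  # matches protocol_version: ["TLSv1.2", "TLSv1.3"]
PROBE_HELO = "probe.example.invalid"  # constructed client name
PROBE_SENDER = "probe@example.invalid"  # constructed; QUIT aborts the transaction

def client_context() -> ssl.SSLContext:
    """Client side: verify chain and hostname, refuse anything below TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = MIN_TLS
    return ctx

def plaintext_refused(code: int, message: bytes) -> bool:
    """True when a MAIL FROM sent before STARTTLS got the deny reply of the rule."""
    return code == DENY_CODE and b"STARTTLS" in message.upper()

def probe(host: str, port: int, sni: str) -> dict:
    """Check the properties the configuration above is meant to enforce."""
    result = {}
    # Session 1: begin a transaction in plaintext; the policy must deny it.
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        smtp.ehlo(PROBE_HELO)
        result["advertises_starttls"] = smtp.has_extn("starttls")
        code, msg = smtp.mail(PROBE_SENDER)
        result["plaintext_refused"] = plaintext_refused(code, msg)
    # Session 2: upgrade with an explicit SNI name (the virtual server key). The socket
    # is wrapped by hand because smtplib.starttls() sends the connect host (an IP) as SNI.
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        smtp.ehlo(PROBE_HELO)
        code, msg = smtp.docmd("STARTTLS")
        if code != 220:
            raise RuntimeError(f"STARTTLS refused: {code} {msg!r}")
        smtp.sock = client_context().wrap_socket(smtp.sock, server_hostname=sni)
        smtp.file = None  # make smtplib reopen its reader on the TLS socket
        result["tls_version"] = smtp.sock.version()
        result["cert_subject"] = smtp.sock.getpeercert().get("subject")
        smtp.ehlo(PROBE_HELO)  # RFC 3207: server state is reset, so EHLO again
        code, _ = smtp.mail(PROBE_SENDER)
        result["encrypted_accepted"] = 200 <= code < 300
    return result

if __name__ == "__main__":
    host, port, sni = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    for key, value in probe(host, port, sni).items():
        print(f"{key}: {value}")
```

The implicit-TLS port 465 can be checked the same way with `smtplib.SMTP_SSL(host, 465, context=client_context())` in place of the STARTTLS upgrade.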

Default domain

You can specify the certificate and the private key to use by default when no SNI is provided.

fn on_config(config) {
  // ...

  config.server.tls = #{
    // ...
    root: #{
      certificate: "/etc/vsmtp/certs/fullchain.pem",
      private_key: "/etc/vsmtp/certs/privkey.pem",
    }
  };

  config
}

Setting a default domain in `/etc/vsmtp/conf.d/config.vsl`

These commands will now work.

openssl s_client -starttls smtp -crlf -connect 192.168.1.254:25
openssl s_client -crlf -connect 192.168.1.254:465