Connections should be encrypted using the SSL/TLS protocol, even on a private network. TLS can be initiated right after connect on the address submissions, or with the STARTTLS mechanism.

fn on_config(config) {
  // Add root TLS settings.
  config.server.tls = #{
    preempt_cipherlist: false,
    handshake_timeout: "1000ms",
    protocol_version: ["TLSv1.2", "TLSv1.3"],
    certificate: "/etc/letsencrypt/live/",
    private_key: "/etc/letsencrypt/live/",


Adding tls configuration to `/etc/vsmtp/conf.d/config.vsl`

vSMTP only support certificate with the X.509 format.

Rules can then be added to filter out unsecure transactions.

  helo: [
    rule "deny unencrypted" || {
      // It is possible to customize the policy to whitelist some ip or anything.
      if ctx::is_secured() {
      } else {
        state::deny(code(451, "5.7.3", "Must issue a STARTTLS command first\r\n"))

Adding rules to check if the transaction is secured in `/etc/vsmtp/filter.vsl`

See the ctx::is_secured reference for more details.