Why does Postfix v2.2, as shipped with Plesk, enforce TLS on the submission service, while Postfix v2.3 does not make TLS mandatory?
This behavioral difference between Postfix v2.2 and Postfix v2.3 is caused by an internal redesign of Postfix itself.
Plesk does not specifically set TLS enforcement in Postfix. In Postfix v2.2 TLS use is enforced by default, whereas in Postfix v2.3 it is controlled by a separate TLS security level parameter (see the note below). The Postfix TLS_README describes mandatory TLS encryption as follows:
At the "encrypt" TLS security level, messages are sent only over TLS-encrypted sessions. The SMTP transaction is aborted unless the STARTTLS ESMTP feature is supported by the remote SMTP server. If no suitable servers are found, the message will be deferred. With Postfix 2.3 and later versions, mandatory TLS encryption can be configured by setting "smtp_tls_security_level = encrypt". Even though TLS encryption is always used, mail delivery continues even if the server certificate is not trusted or bears the wrong name.
At this security level and higher levels, the smtp_tls_mandatory_protocols and smtp_tls_mandatory_ciphers configuration parameters determine the list of sufficiently secure SSL protocol versions and the minimum cipher strength. If the protocol or cipher requirements are not met, the mail transaction is aborted. The documentation for these parameters includes useful inter-operability and security guidelines.
With Postfix 2.2 and earlier versions, or when smtp_tls_security_level is set to its default (backwards compatible) empty value, the appropriate configuration settings are "smtp_enforce_tls = yes" and "smtp_tls_enforce_peername = no". For LMTP, use the corresponding lmtp_ parameters.
Despite the potential for eliminating passive eavesdropping attacks, mandatory TLS encryption is not viable as a default security level for mail delivery to the public Internet. Most MX hosts do not support TLS at all, and some of those that do have broken implementations. On a host that delivers mail to the Internet, you should not configure mandatory TLS encryption as the default security level.
It is possible to enable mandatory TLS encryption only for specific destinations. With Postfix 2.3 and later versions, in the TLS policy table, specify the "encrypt" security level. With the obsolete per-site table, specify the "MUST_NOPEERMATCH" keyword. While the obsolete approach still works with Postfix 2.3, it is strongly discouraged: users of Postfix 2.3 and later versions should use the new TLS policy settings.
NOTE: The configuration parameter for setting the TLS security level of the submission service is smtpd_tls_security_level, since it configures the Postfix SMTP server (which accepts connections), while the parameter smtp_tls_security_level applies to the Postfix SMTP client (e.g., when connecting to remote hosts).
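To see how one and the same master.cf can enforce TLS on one Postfix version and not on the other, here is an added example (not from the Plesk article and not Postfix's own code) that resolves the effective smtpd TLS level of a service from the text of master.cf and main.cf, following the precedence Postfix documents: a per-service "-o" override in master.cf beats main.cf, and a non-empty smtpd_tls_security_level overrides the obsolete smtpd_use_tls and smtpd_enforce_tls. The configuration fragments are constructed for the demonstration and are not taken from a Plesk installation.

```shell
#!/bin/sh
# Added example (not from the Plesk article or from Postfix): work out which TLS
# security level a Postfix smtpd service actually ends up with, given the text of
# master.cf and main.cf, to check whether "submission" really enforces TLS.
#
# Resolution order mirrors Postfix 2.3+ behaviour:
#   1. a per-service "-o param=value" override in master.cf wins over main.cf;
#   2. a non-empty smtpd_tls_security_level overrides the obsolete parameters;
#   3. with an empty level, legacy smtpd_enforce_tls=yes means "encrypt" and
#      smtpd_use_tls=yes means "may"; otherwise TLS is off ("none").

# Constructed sample fragments (not a real Plesk configuration). This master.cf
# still carries the Postfix 2.2-style override on the submission service.
SAMPLE_MASTER='smtp       inet  n  -  n  -  -  smtpd
submission inet  n  -  n  -  -  smtpd
  -o smtpd_enforce_tls=yes
  -o smtpd_sasl_auth_enable=yes
smtps      inet  n  -  n  -  -  smtpd
  -o smtpd_tls_wrappermode=yes'

# main.cf as written for Postfix 2.2: no security level, legacy opportunistic TLS.
MAIN_LEGACY='smtpd_use_tls = yes
smtpd_tls_security_level =
smtp_tls_security_level = may'

# main.cf after an upgrade to Postfix 2.3+: an explicit level is set globally,
# which silently overrides the old smtpd_enforce_tls override in master.cf.
MAIN_23='smtpd_use_tls = yes
smtpd_tls_security_level = may
smtp_tls_security_level = may'

# The fix for 2.3+: set the security level itself on the submission service.
MASTER_HARDENED='submission inet  n  -  n  -  -  smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes'

# master_override SERVICE PARAM MASTER_TEXT: print SERVICE's "-o PARAM=value", if any.
master_override() {
  printf '%s\n' "$3" | awk -v svc="$1" -v key="$2" '
    /^[^ \t#]/ { in_svc = ($1 == svc) }          # a service line starts in column 1
    in_svc && $1 == "-o" && index($2, key "=") == 1 {
      v = $2; sub(/^[^=]*=/, "", v); print v     # keep the text after the first "="
    }'
}

# main_value PARAM MAIN_TEXT: print PARAM's main.cf value (last assignment wins).
main_value() {
  printf '%s\n' "$2" | awk -v key="$1" '
    $0 ~ "^[ \t]*" key "[ \t]*=" {
      v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v); val = v
    }
    END { print val }'
}

# param SERVICE PARAM MASTER_TEXT MAIN_TEXT: master.cf override first, then main.cf.
param() {
  v=$(master_override "$1" "$2" "$3")
  if [ -n "$v" ]; then printf '%s\n' "$v"; else main_value "$2" "$4"; fi
}

# effective_tls_level SERVICE MASTER_TEXT MAIN_TEXT: prints none | may | encrypt
# (or whatever explicit level is configured, e.g. "verify").
effective_tls_level() {
  lvl=$(param "$1" smtpd_tls_security_level "$2" "$3")
  if [ -n "$lvl" ]; then printf '%s\n' "$lvl"; return; fi
  if [ "$(param "$1" smtpd_enforce_tls "$2" "$3")" = yes ]; then echo encrypt; return; fi
  if [ "$(param "$1" smtpd_use_tls "$2" "$3")" = yes ]; then echo may; else echo none; fi
}

# Demo: the same master.cf gives "encrypt" with the 2.2-style main.cf but only
# "may" once main.cf sets smtpd_tls_security_level; the hardened stanza restores it.
echo "legacy main.cf, submission: $(effective_tls_level submission "$SAMPLE_MASTER" "$MAIN_LEGACY")"
echo "2.3+ main.cf,   submission: $(effective_tls_level submission "$SAMPLE_MASTER" "$MAIN_23")"
echo "2.3+ main.cf,   hardened:   $(effective_tls_level submission "$MASTER_HARDENED" "$MAIN_23")"
```

On a live system the same two inputs are shown by "postconf smtpd_tls_security_level" for main.cf and, on Postfix 2.11 and later, "postconf -P submission/inet/smtpd_tls_security_level" for the per-service override; if the latter is empty and main.cf sets a level, any leftover "-o smtpd_enforce_tls=yes" on the submission service no longer has any effect.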
Please see this documentation reference:
KB #111283 - Plesk for Linux services logs and configuration files.