CipherMail uses Postfix (MTA) for sending and receiving email. The default client TLS policy connects to external SMTP servers via TLS if the other SMTP server supports TLS. This is known as opportunistic TLS. With opportunistic TLS, a TLS connection will be set up even if the certificate of the other SMTP server is not trusted. Using TLS, even if the connection is not trusted, is better than not using TLS at all.


The main difference between TLS and S/MIME or PGP is that TLS only encrypts the communication channel and not the email itself. With TLS, if the email is stored on a mail server, it will be stored in plain text. With full message encryption like S/MIME or PGP, the email itself will be encrypted. However, S/MIME and PGP do not encrypt the communication channel. The meta information, like sender and recipients, will therefore not be encrypted. It is therefore advised to combine S/MIME or PGP with TLS.

Connecting to an SMTP server without TLS, or without validating the certificate, can result in a "man in the middle" attack. If a connection to an external SMTP server should only be set up if the connection is trusted, an SMTP TLS policy for that domain should be configured.

To create a TLS policy for a domain, use the following procedure:

  1. Log in to the CipherMail admin GUI

  2. Open the "MTA lookup tables" page (Admin ‣ MTA ‣ Lookup tables)

  3. Click Add lookup table to open the "Add MTA lookup table" page

  4. Set "Map Type" to "hash"

  5. Set "Name" to "tls-policy"

  6. For every external domain for which a TLS policy should be configured, add a TLS policy line similar to: verify

    See below for an explanation of policy lines.

  7. Click Add to add the new lookup table

  8. Open the "MTA config file" page (Admin ‣ MTA ‣ Config, then click MTA config file)

  9. Add the following line to the end of the Postfix config file:

    smtp_tls_policy_maps = hash:${maps_d_dir}/

  10. Click Apply

Policy line

A TLS policy line configures how a TLS connection to a specific domain will be validated. A policy line has the following structure:

DOMAIN POLICY

Where DOMAIN is the domain name of the external SMTP server and POLICY is the TLS policy to use.


The gateway uses Postfix for the SMTP server and client. For all details and more extensive documentation of the TLS policy used by Postfix, see the Postfix documentation.


The domain is the fully qualified domain name of the external mail domain. The policy will be used if an email is sent to that domain, irrespective of the hostname of the MX records. If the domain is surrounded by [], the policy will only be used if a connection is established to a server with that hostname.


Suppose the TLS policy is the following: verify
[] verify

And suppose the MX record for is: IN MX 10

And the following transport rule was added:  smtp:[]

If an email is sent to, the email will be delivered to only if the TLS certificate used by is trusted and has the correct domain name.

If an email is sent to, the mail will be delivered to the SMTP server (because there was a transport rule). Because the TLS policy line for is surrounded by [], the explicit TLS policy for will be used. Because of the additional match rule, the TLS connection will only be established if the TLS certificate was issued to
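The lookup behaviour described in the scenario above, as an added example (not CipherMail's or Postfix's own code): a small model of how the next-hop is chosen, which tls-policy line it selects, and whether a "verify" policy lets delivery proceed. The domains, relay host and certificate names are constructed sample values, and certificate checking is simplified to "trusted" plus a name match against the recipient domain or the match= names.

```python
"""Model of the smtp_tls_policy_maps lookup described above (constructed data)."""
from typing import List, Optional

# Constructed tls-policy table: a domain key and a [hostname] key with a match rule
TLS_POLICY = {
    "example.com": "verify",
    "[relay.example.net]": "verify match=relay.example.net",
}
# Constructed transport table: example.org is routed to a fixed relay host
TRANSPORT = {"example.org": "smtp:[relay.example.net]"}


def nexthop_for(recipient_domain: str) -> str:
    """Next-hop used for the policy lookup: the transport rule's [host]
    when a rule exists, otherwise the recipient domain itself."""
    rule = TRANSPORT.get(recipient_domain)
    if rule and ":" in rule:
        return rule.split(":", 1)[1]
    return recipient_domain


def parse_policy(line: str) -> dict:
    """Split 'LEVEL [match=name:name ...]' into its level and match names."""
    level, *attrs = line.split()
    names: List[str] = []
    for attr in attrs:
        if attr.startswith("match="):
            names.extend(attr[len("match="):].split(":"))
    return {"level": level, "match": names}


def effective_policy(recipient_domain: str) -> Optional[dict]:
    """Policy line that applies, or None (no entry: opportunistic TLS)."""
    line = TLS_POLICY.get(nexthop_for(recipient_domain))
    return parse_policy(line) if line else None


def may_deliver(recipient_domain: str, cert_trusted: bool, cert_names: List[str]) -> bool:
    """Would delivery proceed given the peer certificate properties?"""
    policy = effective_policy(recipient_domain)
    if policy is None or policy["level"] in ("may", "encrypt"):
        return True  # no identity check at these levels
    if not cert_trusted:
        return False  # verify/secure: untrusted certificate is rejected
    # Simplified name check: match= names if given, else the recipient domain
    expected = policy["match"] or [recipient_domain]
    return any(name in cert_names for name in expected)
```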