2025-10-09, Krakow / Business Value & Enterprise Adoption
The Postfix MTA supports email SMTP over TLS both as server (inbound) and client (outbound).
Postfix makes extensive use of the OpenSSL TLS API: of its approximately 166k lines of code, around 12k are TLS-related.
Multiple security models are available, either as the default or as per-destination options:
- cleartext ("none")
- opportunistic TLS ("may")
- unauthenticated mandatory TLS ("encrypt")
- pinned key/certificate digests ("fingerprint")
- opportunistic DANE TLS ("dane")
- mandatory DANE TLS ("dane-only")
- mandatory PKIX TLS ("secure")
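As an added illustration (not taken from the talk or from the Postfix documentation), a main.cf fragment and a tls_policy lookup table that combine a site-wide default level with per-destination overrides drawn from the list above; the example.* names, the digest value and the CA file paths are placeholders.

```conf
# main.cf (added example): default client policy plus per-destination overrides.
# Outbound default: opportunistic DANE, which degrades to "may" when no
# DNSSEC-validated TLSA records exist for the destination.
smtp_tls_security_level = dane
# DANE requires DNSSEC-validated DNS lookups.
smtp_dns_support_level = dnssec
# Per-destination overrides live in a lookup table (see below).
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
# Trust anchors used by the "secure" level unless a tafile= attribute overrides them.
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
# Cross-process client session cache, shared through the tlsmgr daemon.
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
# Inbound: offer STARTTLS but do not require it.
smtpd_tls_security_level = may

# /etc/postfix/tls_policy (run "postmap /etc/postfix/tls_policy" after editing)
# destination              level        attributes (placeholders)
example.com                secure       match=.example.com:example.com
example.net                dane-only
example.org                fingerprint  match=SHA256-DIGEST-PLACEHOLDER
legacy.example.edu         encrypt
[relay.example.test]:587   secure       tafile=/etc/postfix/relay-ca.pem match=relay.example.test
noisy.example.invalid      none
```

The "secure" entries show multi-valued hostname checks (match=a:b) and a per-destination trust anchor file (tafile=); "fingerprint" pins the peer's certificate or public-key digest, so it must be updated whenever that destination rotates its key.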
Advanced features include:
* Explicit initialisation with a non-default configuration file and/or application name
* Cross-process connection reuse
* Cross-process external session cache (primarily for clients)
* Ticket-based session resumption for servers, with regular session ticket encryption key rollover
* Per-destination trust anchors
* Multi-valued hostname checks
* SNI-based key pair selection
The DANE support in OpenSSL originated as code in Postfix, as part of which the X.509 certificate chain verification code was substantially cleaned up and extended. Other minor changes also originated in Postfix over the years.
This talk will be a deep dive into some of the code using OpenSSL in the Postfix MTA, exploring library initialisation, connection management, session reuse, TLS policy, DANE and more, and highlighting that Postfix is a rich source of examples of sophisticated use of the OpenSSL API.
Contributor to Postfix since 2001, primary maintainer of its TLS stack. Active user of OpenSSL since ~2006. Active contributor to OpenSSL since 2016, in particular author of OpenSSL DANE support with a general focus on the X.509 verification code and its use in TLS. Member of OpenSSL OMC from ~2016-2019. More recently actively contributed to the integration of ML-KEM and ML-DSA into OpenSSL 3.5. Other technical areas of expertise include SMTP email and DNS.