In order to mitigate the NO STARTTLS vulnerabilities, I recently switched my local SMTP smarthosts from STARTTLS (port 587) to implicit TLS (port 465).
Here are the key configuration parameters for Postfix (i.e. /etc/postfix/main.cf):
relayhost = [smtp.kolabnow.com]:465
smtp_tls_wrappermode = yes
smtp_tls_security_level = secure
Note that this is for KolabNow, but the same works for GMail and Novus.
The square brackets around the hostname tell Postfix not to perform an MX lookup on it and instead to connect to that name directly (it still resolves the A/AAAA record). This also makes the name inside the brackets the one the server certificate must match.
Setting the smtp_tls_security_level parameter to secure requires TLS and makes Postfix verify the server's certificate: it must chain to a trusted CA (configured via smtp_tls_CAfile or smtp_tls_CApath; without one of these, verification fails) and its name must match the relayhost name (smtp_tls_secure_cert_match defaults to nexthop, dot-nexthop). If either check fails, mail is deferred rather than sent over an unverified connection. By contrast, the encrypt level requires TLS but accepts any certificate, and the may level falls back to plaintext if the server does not offer STARTTLS.
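To make the difference between these settings concrete, here is a small audit script, written for this post rather than taken from Postfix or any of the providers mentioned. It parses the `key = value` syntax of main.cf and flags the combinations that leave a smarthost connection downgradeable, unverified, or simply non-functional (port 465 without wrapper mode). The two main.cf fragments are constructed examples; `smtp.example.com` and the `/etc/ssl/certs` path are assumptions.

```python
"""Audit a Postfix main.cf for the implicit-TLS smarthost settings discussed above.

Hypothetical helper written for this post, not part of Postfix. It parses the
`key = value` syntax of main.cf (comments, blank lines and indented
continuation lines) and reports settings that leave the smarthost connection
downgradeable, unverified or broken.
"""
import re

# Constructed example: the STARTTLS setup being moved away from.
# No brackets (MX lookup), port 587, opportunistic TLS that a MITM can strip.
WEAK_MAIN_CF = """\
# submission with STARTTLS, opportunistic encryption
relayhost = smtp.example.com:587
smtp_tls_security_level = may
"""

# Constructed example: the implicit-TLS setup the post describes, plus the
# CA path that `secure` needs in order to verify the server certificate.
FIXED_MAIN_CF = """\
relayhost = [smtp.kolabnow.com]:465
smtp_tls_wrappermode = yes
smtp_tls_security_level = secure
smtp_tls_CApath = /etc/ssl/certs
"""


def parse_main_cf(text):
    """Return a dict of parameters from main.cf text.

    Postfix appends a line to the previous parameter when it starts with
    whitespace; a later assignment of the same parameter overrides an earlier one.
    """
    params = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and current is not None:
            params[current] = (params[current] + " " + raw.strip()).strip()
            continue
        key, sep, value = raw.partition("=")
        if not sep:
            continue
        current = key.strip()
        params[current] = value.strip()
    return params


# relayhost forms: host, host:port, [host], [host]:port (IPv6 literals not handled).
RELAYHOST_RE = re.compile(r"^(?P<brackets>\[)?(?P<host>[^\]:]+)\]?(?::(?P<port>\w+))?$")

# Levels that refuse to deliver unless the server certificate is verified.
VERIFYING_LEVELS = ("secure", "verify", "dane-only", "fingerprint")


def audit_smarthost(text):
    """Return a list of findings; an empty list means the config matches the post's setup."""
    p = parse_main_cf(text)
    m = RELAYHOST_RE.match(p.get("relayhost", ""))
    if not m:
        return ["relayhost is not set or could not be parsed"]
    findings = []
    port = m.group("port") or "smtp"
    wrapper = p.get("smtp_tls_wrappermode", "no").lower() == "yes"
    level = p.get("smtp_tls_security_level", "none").lower()

    if not m.group("brackets"):
        findings.append("relayhost lacks [brackets]: Postfix will do an MX lookup, so the "
                        "certificate name to verify is whatever the MX points at")
    if port in ("465", "smtps") and not wrapper:
        findings.append("port 465 without smtp_tls_wrappermode = yes: Postfix will wait "
                        "for a plaintext banner that an implicit-TLS server never sends")
    if wrapper and port not in ("465", "smtps"):
        findings.append(f"smtp_tls_wrappermode = yes on port {port}: the server expects "
                        "STARTTLS, so the TLS handshake will fail")
    if level in ("none", "may"):
        findings.append(f"smtp_tls_security_level = {level}: opportunistic or no TLS; "
                        "a MITM can strip STARTTLS and read the mail")
    elif level == "encrypt":
        findings.append("smtp_tls_security_level = encrypt: TLS is required but the "
                        "certificate is not verified, so a MITM with any certificate succeeds")
    elif level not in VERIFYING_LEVELS:
        findings.append(f"unknown smtp_tls_security_level = {level}")
    if level in ("secure", "verify") and not (p.get("smtp_tls_CAfile") or p.get("smtp_tls_CApath")):
        findings.append("no smtp_tls_CAfile or smtp_tls_CApath: certificate verification "
                        "has no trust anchors and every delivery will be deferred")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_MAIN_CF), ("fixed", FIXED_MAIN_CF)):
        print(f"{name}: {audit_smarthost(cfg) or ['ok']}")
```

Run it against your own file with `audit_smarthost(open("/etc/postfix/main.cf").read())`; the same checks can be applied to the output of `postconf -n`, which prints the effective non-default settings in the same `key = value` form.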