To use outbound opportunistic encryption in PowerMTA, simply add the following to your configuration file:
<domain *>
use-starttls yes
require-starttls no
</domain>
With this, PowerMTA will check to see if the remote mail server supports encryption. If it does, an attempt will be made to create an encrypted channel over which to send mail. If the encryption fails, or if no encryption is offered, then the mail is sent using no encryption.
To verify if the mail was sent over an encrypted channel, it is necessary to add additional fields to the CSV accounting file. This can be done with the following configuration:
<acct-file logacct.csv>
records d, b
record-fields d *, dlvTlsProtocol, dlvTlsCipher
record-fields b *, dlvTlsProtocol, dlvTlsCipher
</acct-file>
If encryption is used, the above configuration will record the protocol and cipher used to deliver the message over an encrypted channel.
Outbound Client Certificate
While the vast majority of outbound connections do not require a local certificate, there may be some B2B cases in which the remote mail server requires PowerMTA to use a given certificate for encrypting the channel between the two servers. This can be facilitated in PowerMTA with a setup similar to the following:
<domain super-secure-server.com>
smtp-client-certificate /path/to/certificate.pem password
use-starttls yes
require-starttls yes
</domain>
In the above example, any messages sent to super-secure-server.com will sent over an encrypted channel using the certificate /path/to/certificate.pem (in most cases supplied by the administrator of the remote mail server). If the encryption fails, the messages will not be sent.