GreenArrow Engine
Change Log
- Historic (Pre-4.200.0) Change Log
Getting Started
- GreenArrow Concepts
- Hardware Requirements
- Supported Linux Distributions
- SSH Access
- Co-Existing With Other Software
- Firewall Configuration
- Installation Guide
- Email Concepts and Terminology
- Docker
FAQs
- Know Before You Buy
- - Administration and Configuration
  - Authentication
  - Bounce Management
  - Clustering, HA, and Containerization
  - Encryption
  - Complaint FBLs
  - Installation
  - IP Warming
  - Message Submission
  - Mail Routing and Traffic Shaping
  - Pricing, Account Relationship, and Support
  - Proxy Servers
  - Queue Management
  - Reporting, Monitoring and Logging
  - Security & Access Control
  - Software Updates
  - System Requirements
  - Throughput
- Chrome Mixed Content Compatability Guide
- GreenArrow Engine and AWS
- Common Error Messages
- Message Delivery
- Modifications and Customizations
- Pausing and Dumping Queues
- Direct Database Access
- Getting Started with Email Injection
- Creating a Drop Route
- Time Zones
- First Steps After Installing
- GreenArrow Components
- Getting Started with Event Notification
- Logging SMTP Sessions in GreenArrow
- Find Message Delivery Attempt Information
- Time Synchronization Services
- Ticket Portal Guide
- Internally Created Messages
Configuration
- Configuration File
- General Settings
- Performance Tuning
- Adding a New Domain
- Adding a New IP Address
- Adding A New Whitelabeled Cloud Domain
- IPs Authorized to Relay
- License Key
- URL Domains
- Secret Constants
- Processing Events on Dedicated Servers
- Managing GreenArrow Monitor SeedList
- Proxy Protocol
- Replace Content Domain
- Link Replacements
User Management
- Two-Factor Authentication
- Users for Email Injection
Email Authentication
- DKIM
- SPF and Sender ID
- Configuring a New From Address Domain
- Email Authentication for ESPs
Injecting Mail
- SimpleMH Injection
- Raw Injection
- - Raw Injection Headers
  - PHPMailer Raw Injection Example
- Injecting Mail with HTTP Submission API
- Local Injection Options
- Message Archive
- QMQP
- QMQP Streaming Protocol
- Speed Considerations
- Obscured Email Addresses
Delivering Mail
- VirtualMTAs
- Throttling
- - Updating Throttle Settings on the Command Line
  - Updating Throttle Settings in SQL
- Dynamic Delivery
- Retry Schedule
- Internal DNS Cache
- Recipient MX Selection
- Pausing Domains
Incoming Email
- Incoming Email Domains
- Aliased Incoming Email Domains
- Bounce Mailboxes
- Spam Complaint Mailboxes
- Email Forwarders
- SMTP AUTH and POP3 Email Users
- DNSBLs and RBLs
Bounces and Spam Complaints
- Bounce Processor Concepts
- Bounce Processor Configuration
- Spam Complaint Processor
- Feedback Loops
- - Yahoo's transition from ReturnPath
- Lite Bounce Processor
Reporting
- Send Statistics Overview Page
- Send Statistics Pages
- Send Statistics Integration
- Dynamic Delivery Statistics
- Disk Queue Summary
- Stats API
- Local Delivery Attempt Status Messages
- Remote Delivery Attempt Error Messages
- hvmail_report Command
- Delivery Attempt Log (Deprecated)
- Delivery Attempt Message Formats
- Delivery Event Processed Logfile Format
- Remote Delivery Status Log
- hvmail_generate_email_report Command
- hvmail_get_possible_spamtrap_hits Command
- Service Logs
- GreenArrow Status Command
- Remote Connections
- Disk Queue Messages
Event Notification System
- Types of Events
- Events Table Maintenance
- Event Processor
- Testing The Event Notification System
- Legacy Event Notification
GreenArrow Cluster
- GreenArrow Proxy
- GreenArrow Configuration
- Cooperative Throttling
- SMTP Connection Proxying
- Instance Drain
- Kubernetes Reference Architecture
- Sync Config
- Troubleshooting
GreenArrow Cloud
- Routes API
Network Services
- HTTP Server
- PostgreSQL
- POP3 Server
- SMTP Services
- Disabling SMTP-AUTH Username Logging
- TLS Certificate Configuration
- TLS Encryption for SMTP
- Legacy Services
- - Legacy Recursive DNS Server
Server Management and Backups
- Administering GreenArrow Without root Access
- GreenArrow Updates
- GreenArrow Downgrades
- Convert CentOS to Alma Linux
- Debian Updates
- PostgreSQL 16 Update
- Server Management
- System Administration
- Persistence Path Mode
- Managed Backups
- Unmanaged Backups
- Restoring Backups
- - Recover from Database Corruption
- Server Migrations
- Server Monitoring
- Metrics Server Integration
- fail2ban Integration
- Stopping and Starting GreenArrow Engine
- greenarrow Command
- Bounce Recovery
- - December 2020 Gmail Outages
- Disk Usage
- - Delete SimpleMH Clicks and Opens
- Troubleshooting Disk Space Issues
- Moving GreenArrow to a New Partition
- Email Address Retention
- High Availability Cluster
- - High Availability Cluster Administration
  - Self Managed High Availability Clusters
- Legacy Maintenance Commands
APIs
- Stats API
- - Send Status API
  - Disk Queue Summary API
- HTTP Submission API
- Configuration API
- Running Custom Code During Delivery Attempts
Third Party Integrations
- Amazon SES Integration
- Interspire Email Marketer Integration
- Ongage Integration
- Oracle Cloud Infrastructure Email Delivery Integration
- SendGrid Integration
- SMTP Relay Service Integration
Support Contact Info

Encryption

Table of Contents
What level of TLS encryption does your MTA software support for secure email transmission?
How does your software handle TLS negotiation and certificate management?

What level of TLS encryption does your MTA software support for secure email transmission?

TLS 1.3

For incoming email, the supported list of ciphers is those provided by your OS’s openssl package, which you can get as follows:

/usr/bin/openssl ciphers 'ALL:!PSK:!eNULL:!NULL' | sed 's/:/\n/g' | sort

For outbound email, the supported list of ciphers are listed in this Go file:

https://go.dev/src/crypto/tls/cipher_suites.go

We enable all of the ciphers listed in both CipherSuites() and InsecureCipherSuites().

How does your software handle TLS negotiation and certificate management?

For TLS for outbound SMTP deliveries:

You can control use of STARTTLS for outbound deliveries on a per-IP and/or per-domain basis with the starttls_use and starttls_require configuration directives.

Any SMTP delivery to port 465 will automatically use SMTPS, encrypting the entire connection with TLS. The port of delivery can be configured using the smtp_route directive.

Outbound SMTP deliveries do not use TLS certificates.

For TLS on inbound SMTP deliveries:

By default, GreenArrow offers STARTTLS. This can be disabled.

TLS certificates for inbound mail can also be configured as described here.

See also our documentation of server default TLS certificate.

For HTTPS services

TLS certificates for the HTTPS services can be provided in configuration files or automatically obtained through Let’s Encrypt

Clustering, HA, and Containerization

Complaint FBLs

Copyright © 2012–2026 GreenArrow Email