Postfix/TLS

This article will show you how to configure SSL/TLS under Postfix with server-side certificates to securely encrypt your connections.

This guide assumes you already have a working Postfix installation.

Certificate Creation
This guide will not deal with certificate creation since that is already covered elsewhere. If you want an easy-to-use graphical program for managing self-signed certificates, you may wish to check out.

You will need to save the certificate files onto the server. There should be at least three: a key file, a certificate file, and a CA certificate file for each CA in the chain. You may choose to keep yours in a directory called.

Your certificate file should have permissions root:root 0444. The certificate is sent to every client that asks for it, so it is not private and being world-readable is acceptable. Your key file, however, should have permissions root:root 0400, as it must be kept private.

Postfix does not support certificates which require a pass phrase.

Your certificate must pass OpenSSL's verify test for SSL server usage. For more information, see.

To verify your certificate passes this test, run:

Certificate Setup
Postfix requires that the certificate file also contain the certificates for all CAs in the chain. Other software ignores these extra certificates, so you can still use the same certificate file elsewhere.

For each of the CA certificates in the chain, append the CA certificate to your server certificate:
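The following shell functions, added here as an example and not part of the original article, put the steps from the previous sections together: they build the combined certificate file with the CA chain appended, apply the root:root 0444 / 0400 permissions recommended above, and run OpenSSL's verify test for SSL server usage. All file names are placeholders chosen for this example.

```shell
#!/bin/sh
# Added example (not from the original article): assemble the combined
# certificate file Postfix needs, set the permissions recommended above, and
# verify the result. All paths are placeholders chosen for this example.
set -eu

# PEM blocks must each start on their own line; append a newline if the
# file does not already end with one.
ensure_trailing_newline() {
    if [ -n "$(tail -c 1 "$1")" ]; then echo >> "$1"; fi
}

# build_chain_file SERVER_CERT OUT CA1 [CA2 ...]
# Writes OUT = server certificate followed by each CA certificate, in the
# order given (issuing CA first, root CA last), then makes it 0444.
build_chain_file() {
    server_cert=$1; out=$2; shift 2
    if [ -e "$out" ]; then chmod u+w "$out"; fi
    cat "$server_cert" > "$out"
    ensure_trailing_newline "$out"
    for ca in "$@"; do
        cat "$ca" >> "$out"
        ensure_trailing_newline "$out"
    done
    chown root:root "$out" 2>/dev/null || true   # only succeeds as root
    chmod 0444 "$out"
}

# Number of certificates in a PEM file (server certificate plus CAs).
count_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1"
}

# Symbolic permission string of a file, e.g. -r-------- for 0400.
perm_string() {
    ls -ld "$1" | cut -c1-10
}

# The private key must not be readable by anyone but root.
lock_down_key() {
    chown root:root "$1" 2>/dev/null || true   # only succeeds as root
    chmod 0400 "$1"
}

# verify_server_cert CERT CAFILE: OpenSSL's verify test for SSL server usage,
# against the trusted CA bundle in CAFILE. Non-zero exit if the chain fails.
verify_server_cert() {
    openssl verify -purpose sslserver -CAfile "$2" "$1"
}

# Typical use on a real server (placeholder paths):
#   build_chain_file server.pem /etc/ssl/mycerts/certificate.pem intermediate.pem root.pem
#   lock_down_key /etc/ssl/mycerts/key.pem
#   verify_server_cert /etc/ssl/mycerts/certificate.pem /etc/ssl/mycerts/ca-bundle.pem
```

Run verify_server_cert after building the combined file, not before: a certificate that verifies on its own may still fail in Postfix if an intermediate CA is missing from the file it actually serves.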

Package Setup
Postfix needs to be compiled with the USE flag. To do this, add the following to :

And recompile Postfix with:

Configuration
By default, TLS support is completely disabled in Postfix. To enable encryption whenever the client supports it, add the following to the end of :

    smtpd_tls_security_level = may

For instances of Postfix that do not need to talk to arbitrary public SMTP servers (e.g. those running on a non-default port), you can require encryption instead:

    smtpd_tls_security_level = encrypt

Next you need to tell Postfix about your certificate. Postfix has different options for RSA and DSA key based certificates. If you don't know what type you have, you almost certainly have an RSA key based certificate.

RSA Key Certificates
For RSA key based certificates, add the following to the end of :

    smtpd_tls_cert_file = /etc/ssl/mycerts/certificate.pem
    smtpd_tls_key_file = $smtpd_tls_cert_file

If your key is in a separate file, replace the value of smtpd_tls_key_file with the location of the key file, for example:

    smtpd_tls_key_file = /etc/ssl/mycerts/key.pem

DSA Key Certificates
For DSA key based certificates, add the following to the end of :

    smtpd_tls_dcert_file = /etc/postfix/certificate-dsa.pem
    smtpd_tls_dkey_file = $smtpd_tls_dcert_file

If your key is in a separate file, replace the value of smtpd_tls_dkey_file with the location of the key file, for example:

    smtpd_tls_dkey_file = /etc/ssl/mycerts/key-dsa.pem

Requiring Encryption for Authenticated Users
Sending authentication (AUTH) data over an unencrypted connection poses a security risk. When TLS encryption is forced, the Postfix server will announce and accept AUTH only after the connection encryption has been activated with STARTTLS.

When encryption is optional, the default is to accept authentication without encryption, to maintain compatibility with non-TLS clients. To change this behavior, add the following to the end of :

    smtpd_tls_auth_only = yes
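The script below is an added example, not from the original article: it audits a Postfix main.cf for the settings from the Configuration section using only POSIX tools, and flags the combination this section warns about (smtpd_tls_security_level = may without smtpd_tls_auth_only = yes, which leaves AUTH available on unencrypted connections). It also resolves a smtpd_tls_key_file value of $smtpd_tls_cert_file the way Postfix does and checks that a key file it can find is not group- or world-readable. The sample configuration at the bottom is constructed for this example; the paths in it are placeholders.

```shell
#!/bin/sh
# Added example (not from the original article): audit a Postfix main.cf for
# the TLS settings discussed above using only POSIX tools. The sample
# configuration at the bottom is constructed for this example.
set -eu

# cf_get FILE NAME: effective value of a main.cf parameter. Postfix takes the
# last definition of a parameter; comment lines are skipped; a value that is a
# reference such as $smtpd_tls_cert_file is resolved one level deep.
cf_get() {
    value=$(awk -v n="$2" '
        /^[[:space:]]*#/ { next }
        index($0, n) == 1 {
            rest = substr($0, length(n) + 1)
            if (rest ~ /^[[:space:]]*=/) {
                sub(/^[[:space:]]*=[[:space:]]*/, "", rest)
                sub(/[[:space:]]+$/, "", rest)
                val = rest
            }
        }
        END { print val }' "$1")
    case $value in
        '$'*) value=$(cf_get "$1" "${value#\$}") ;;
    esac
    printf '%s\n' "$value"
}

# audit_tls FILE: report on the TLS settings; return 1 if something needs fixing.
audit_tls() {
    rc=0
    level=$(cf_get "$1" smtpd_tls_security_level)
    auth_only=$(cf_get "$1" smtpd_tls_auth_only)
    cert=$(cf_get "$1" smtpd_tls_cert_file)
    key=$(cf_get "$1" smtpd_tls_key_file)
    [ -n "$key" ] || key=$cert   # Postfix default: smtpd_tls_key_file = $smtpd_tls_cert_file

    case $level in
        encrypt)
            echo "ok:   TLS is mandatory (smtpd_tls_security_level = encrypt)" ;;
        may)
            echo "ok:   TLS is offered (smtpd_tls_security_level = may)"
            if [ "$auth_only" != yes ]; then
                echo "WARN: AUTH is accepted on unencrypted connections; set smtpd_tls_auth_only = yes"
                rc=1
            fi ;;
        *)
            echo "FAIL: TLS is disabled or misconfigured (smtpd_tls_security_level = '$level')"
            rc=1 ;;
    esac

    if [ -z "$cert" ]; then
        echo "FAIL: smtpd_tls_cert_file is not set"
        rc=1
    fi
    # Group/other bits of the key file (columns 5-10 of ls -l) must all be "-".
    if [ -f "$key" ] && [ "$(ls -ld "$key" | cut -c5-10)" != "------" ]; then
        echo "WARN: key file $key is readable by group or others; use root:root 0400"
        rc=1
    fi
    return $rc
}

# Demonstration on a constructed main.cf fragment (placeholder paths): TLS is
# offered but smtpd_tls_auth_only is missing, so the audit reports a warning.
demo=$(mktemp)
cat > "$demo" <<'EOF'
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/ssl/mycerts/certificate.pem
smtpd_tls_key_file = $smtpd_tls_cert_file
EOF
audit_tls "$demo" || echo "audit found problems; see the WARN/FAIL lines above"
rm -f "$demo"
```

To check a live server, call audit_tls on the real main.cf; the exit status makes it usable from a configuration test in a deployment pipeline.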

Always Encrypted Port (Wrapper Mode)
TLS is sometimes used in the non-standard "wrapper" mode where a server always uses TLS instead of announcing STARTTLS support and waiting for remote SMTP clients to request TLS service. Some clients, namely Outlook (Express), prefer the "wrapper" mode.

To enable wrapper mode on the standard SMTPS port 465, add the following to :

    smtps     inet  n       -       n       -       -       smtpd
      -o smtpd_tls_wrappermode=yes
      -o smtpd_sasl_auth_enable=yes