Postfix setup for SSL and TLS

To use SSL and TLS with the postfix mailer daemon you must change settings in the /etc/postfix/main.cf configuration file:

# tls config
smtp_use_tls = yes
smtpd_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_CAfile = /etc/postfix/ssl/demoCA/cacert.pem
smtpd_tls_cert_file = /etc/postfix/ssl/server-crt.pem
smtpd_tls_key_file = /etc/postfix/ssl/server-key.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
tls_random_prng_update_period = 3600s

You also need a SSL certificate for your mail server. Create it with the following commands:

mkdir /etc/postfix/ssl
cd /etc/postfix/ssl/

# Create new local certification authority (if not already present)
/usr/share/ssl/misc/CA.pl -newca

# Create RSA certificate
openssl req -new -nodes -keyout server-key.pem -out server-req.pem -days 365
openssl ca -out server-crt.pem -infiles server-req.pem
chmod 644 server-crt.pem demoCA/cacert.pem
chmod 400 server-key.pem

Now you must remove the comment mark "#" for SMTPS and TLS manager in the /etc/postfix/master.cf configuration file:

smtps     inet  n       -       n       -       -       smtpd -o smtpd_tls_wrappermode=yes
tlsmgr    unix  -       -       n       1000?   1       tlsmgr

Leave a comment