Configuring Postfix for TLS Encryption
To configure TLS you will need the following:
- A self-signed or CA-issued server certificate (MyCert.pem)
- The matching certificate private key (MyCertKey.pem)
- The root certificates of the CAs you wish to trust (CaCert.pem)
To enable TLS within Postfix, as the root user:
- Create a new directory named /opt/pmx/postfix/etc/certs/
- Place your certificates within /opt/pmx/postfix/etc/certs/, ensuring they are owned by the root user
- Edit the file /opt/pmx/postfix/etc/main.cf
- Add the following to the end of the file:

    # ------ Enable TLS -------
    smtpd_use_tls = yes
    smtpd_tls_key_file = /opt/pmx/postfix/etc/certs/MyCertKey.pem
    smtpd_tls_cert_file = /opt/pmx/postfix/etc/certs/MyCert.pem
    smtpd_tls_CAfile = /opt/pmx/postfix/etc/certs/CaCert.pem
    smtpd_tls_loglevel = 3
    smtpd_tls_received_header = yes
    smtpd_tls_session_cache_timeout = 3600s
    tls_random_source = dev:/dev/urandom
    # ------ END TLS -------

- Save your main.cf and restart Postfix:

    # /opt/pmx/postfix/etc/init.d/postfix restart

- Check that TLS is enabled within Postfix by connecting to the SMTP port and issuing EHLO:

    # telnet localhost 25
    ehlo localhost
Postfix will advertise its capabilities, similar to the following output:
C: [root@example.com]# telnet mail.example.com 25
S: 220 mail.example.com ESMTP Postfix (1.1.5)
C: EHLO example.com
S: 250-mail.example.com
S: 250-PIPELINING
S: 250-SIZE 10240000
S: 250-VRFY
S: 250-ETRN
S: 250-STARTTLS
S: 250 8BITMIME
C: STARTTLS
S: 220 Ready to start TLS
Postfix now advertises TLS and can start a session.
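The following is an added example, not part of the original article: it parses a main.cf fragment like the one above, audits the smtpd TLS settings (TLS actually enabled, the legacy smtpd_use_tls form, a debug-level smtpd_tls_loglevel, and a key file readable by users other than root), and repeats the telnet check programmatically by negotiating STARTTLS with smtplib. The key file used by demo() is a constructed placeholder written to a temporary directory; the host, port and cafile arguments of check_starttls are assumptions you supply.

```python
import os
import smtplib
import ssl
import tempfile

def parse_main_cf(text):
    """Return {parameter: value} from 'key = value' lines, skipping comments."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            params[key.strip()] = value.strip()
    return params

def audit_smtpd_tls(params):
    """Return findings about the smtpd TLS parameters and the key file."""
    findings = []
    level = params.get("smtpd_tls_security_level")
    if level not in ("may", "encrypt") and params.get("smtpd_use_tls") != "yes":
        findings.append("tls_disabled")
    elif level is None:  # smtpd_use_tls is the pre-2.3 form of smtpd_tls_security_level
        findings.append("legacy_smtpd_use_tls")
    if int(params.get("smtpd_tls_loglevel", "0")) > 1:
        findings.append("verbose_tls_loglevel")  # 2 and above is negotiation debugging output
    key = params.get("smtpd_tls_key_file")
    if key and os.path.exists(key):
        mode = os.stat(key).st_mode & 0o777
        if mode & 0o077:
            findings.append("key_file_not_private")  # expect 0600, owned by root
    return findings

def check_starttls(host, port=25, cafile=None):
    """EHLO the server, confirm STARTTLS is advertised, then negotiate TLS."""
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            return False
        smtp.starttls(context=ssl.create_default_context(cafile=cafile))
        return smtp.ehlo()[0] == 250  # EHLO again over the encrypted channel

def demo():
    """Audit the article's fragment against a constructed, world-readable key."""
    key = os.path.join(tempfile.mkdtemp(), "MyCertKey.pem")
    with open(key, "w") as f:
        f.write("constructed placeholder, not a real key\n")
    os.chmod(key, 0o644)
    cfg = f"smtpd_use_tls = yes\nsmtpd_tls_loglevel = 3\nsmtpd_tls_key_file = {key}\n"
    return audit_smtpd_tls(parse_main_cf(cfg))
```

Run against the article's settings, demo() flags the legacy parameter, the debug log level and the key permissions; on a real host, check_starttls("mail.example.com", cafile="/opt/pmx/postfix/etc/certs/CaCert.pem") should return True once the server advertises STARTTLS and presents a certificate that chains to the trusted CA file.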