How to encrypt Postfix SMTP traffic using a public/private key pair


Add the following to the /etc/postfix/main.cf file:

smtpd_tls_security_level = encrypt
smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/pki/tls/private/mail.example.com.key
smtpd_tls_cert_file = /etc/pki/tls/certs/mail.example.com.crt
smtpd_tls_CAfile = /etc/pki/tls/mail.example.com.pem
smtpd_tls_loglevel = 1
smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_tls_cache
tls_random_source = dev:/dev/urandom
tls_random_exchange_name = /var/lib/postfix/prng_exch


  • smtpd_tls_security_level: "may" enables opportunistic TLS (STARTTLS is offered, but plaintext sessions are still accepted); "encrypt" makes TLS mandatory (the server rejects mail commands until STARTTLS has completed). Because main.cf applies to every smtpd instance, "encrypt" here also applies to port 25. The Postfix TLS_README warns against mandatory TLS on a public MX, since remote servers that cannot do TLS will be unable to deliver mail to you; the usual arrangement is "may" in main.cf and "encrypt" only on the submission service, set as an override in master.cf.
  • smtpd_tls_auth_only: When set to "yes", the AUTH command is not offered, and so no plaintext password can be sent, until a TLS session has been established. When set to "no", clients may authenticate over an unencrypted connection.
  • smtpd_tls_key_file: The location of the server's private key file (PEM format). It should be readable only by root; Postfix reads it at startup before dropping privileges.
  • smtpd_tls_cert_file: The location of the server certificate file (PEM format). If the certificate was issued by an intermediate CA, append the intermediate certificate(s) after the server certificate in this file so that clients receive the full chain.
  • smtpd_tls_CAfile: The location of the file containing the CA certificates (PEM format) that Postfix trusts when verifying client certificates. Note the capital "CA": Postfix parameter names are case-sensitive, and a misspelled smtpd_tls_cafile is silently ignored as an unused parameter. Since this configuration does not request client certificates (see the note below), the parameter can be omitted.
  • smtpd_tls_loglevel: Setting this to "1" logs a one-line summary of each TLS handshake; "0" disables TLS logging, and higher values are for debugging only and are very verbose.
  • smtpd_tls_session_cache_timeout: How long a cached TLS session remains valid for session resumption. A client that reconnects within this window can resume the earlier session and skip the expensive full key exchange. It does not keep a connection open; 3,600 seconds is the Postfix default.
  • smtpd_tls_session_cache_database: The database file, maintained by the tlsmgr(8) process, in which cached TLS sessions are stored. The "btree:" prefix selects the database type and the remainder is the file path, which must be in a directory writable by tlsmgr (normally $data_directory, /var/lib/postfix on this system).
  • tls_random_source: The entropy source used to seed the TLS pseudo-random number generator. dev:/dev/urandom is the default on Linux.
  • tls_random_exchange_name: The file through which tlsmgr(8) and the smtpd/smtp processes exchange PRNG seed material. The default is ${data_directory}/prng_exch, which is the value shown above.
  • Further details are at http://www.postfix.org/TLS_README.html

Note: smtpd_tls_ask_ccert asks client computers to present a client certificate to our Postfix server but does not require one. smtpd_tls_req_ccert requires every client to present a certificate (it only takes effect when smtpd_tls_security_level is "encrypt" or stronger, and it locks out ordinary mail clients that have no certificate). Neither directive is used here, because we do not want to require client certificates to use our Postfix server.

Naming: smtpd(8) is the Postfix SMTP server, which handles incoming connections, so the smtpd_tls_* parameters above protect mail and logins that arrive at this server. smtp(8) is the Postfix SMTP client, which delivers outgoing mail to other servers; it is controlled by the separate smtp_tls_* parameters (for example smtp_tls_security_level), which this guide does not cover.


In the /etc/postfix/master.cf file, remove the comment character from the following line so that Postfix also listens on port 587, the message submission port (RFC 6409). Mail clients connect to this port and upgrade the connection with STARTTLS; it is not SMTPS, which is implicit TLS on port 465 (the "smtps" service in master.cf). In the stock master.cf the submission line is followed by commented, indented "-o" override lines; uncomment at least the smtpd_tls_security_level=encrypt override (and smtpd_sasl_auth_enable=yes if clients authenticate with SASL) so that mandatory TLS and authentication are enforced on port 587 without affecting port 25.

submission inet  n  -  n  -  -  smtpd


Restart Postfix, and confirm that it is active (running). Any typo in main.cf or master.cf is reported in the status output and in the mail log.

[root@server1 ~]# systemctl restart postfix
[root@server1 ~]# systemctl status postfix


Use Nmap to confirm that port 587 is open. The Nmap output should include the following line:

587/tcp  open  submission
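An open port only shows that Postfix is listening; it does not show that TLS is actually enforced. The script below is an added end-to-end check and is not part of the original how-to: it confirms that port 587 is open, that the server advertises STARTTLS, that AUTH is withheld until TLS is up (the effect of smtpd_tls_auth_only = yes), and that the server certificate validates against a CA bundle. The hostname mail.example.com, the CA bundle path and the EHLO name audit.example.net are assumptions; the sample EHLO responses at the bottom are constructed, not captured from a real server, so the audit logic can be exercised offline.

```shell
#!/bin/bash
# Added verification script for the Postfix TLS configuration above;
# it is not part of the original how-to.  Requires bash (for /dev/tcp),
# openssl and nmap.  HOST and CA_FILE are assumptions; adjust to suit.
HOST="${HOST:-mail.example.com}"
PORT="${PORT:-587}"
CA_FILE="${CA_FILE:-/etc/pki/tls/certs/ca-bundle.crt}"

# audit_ehlo PRE_TLS_EHLO POST_TLS_EHLO
# Both arguments hold the text of an EHLO response (one "250-EXT" line
# per extension).  Returns 0 when the server behaves as intended:
#   - STARTTLS is advertised on the plaintext connection
#   - AUTH is NOT advertised on the plaintext connection
#     (this is what smtpd_tls_auth_only = yes buys you)
# A missing AUTH after TLS is only a warning, because the main.cf
# above does not enable SASL (smtpd_sasl_auth_enable).
audit_ehlo() {
    pre="$1"
    post="$2"
    if ! printf '%s\n' "$pre" | grep -qi '^250[- ]STARTTLS'; then
        echo "FAIL: STARTTLS not advertised before TLS"
        return 1
    fi
    if printf '%s\n' "$pre" | grep -qi '^250[- ]AUTH'; then
        echo "FAIL: AUTH advertised before TLS; check smtpd_tls_auth_only"
        return 1
    fi
    if ! printf '%s\n' "$post" | grep -qi '^250[- ]AUTH'; then
        echo "WARN: AUTH not advertised after TLS (SASL not enabled?)"
    fi
    echo "OK: AUTH is only offered inside TLS"
    return 0
}

# EHLO over plain TCP, before any STARTTLS, using bash's /dev/tcp.
ehlo_plain() {
    exec 3<>"/dev/tcp/$1/$2"
    printf 'EHLO audit.example.net\r\nQUIT\r\n' >&3
    cat <&3
    exec 3<&-
}

# EHLO inside TLS: s_client performs STARTTLS itself, then relays our
# EHLO over the encrypted channel.  -verify_return_error makes the
# handshake fail if the certificate does not chain to CA_FILE.
ehlo_tls() {
    printf 'EHLO audit.example.net\r\nQUIT\r\n' |
        openssl s_client -starttls smtp -connect "$1:$2" \
            -CAfile "$CA_FILE" -verify_return_error -quiet 2>/dev/null
}

# Live check against a real server: port open, TLS handshake and
# certificate verification succeed, and the EHLO policy is correct.
check_submission() {
    host="$1"; port="$2"
    if ! nmap -p "$port" "$host" | grep -q "^$port/tcp *open"; then
        echo "FAIL: $host:$port is not open"
        return 1
    fi
    pre=$(ehlo_plain "$host" "$port")
    if ! post=$(ehlo_tls "$host" "$port"); then
        echo "FAIL: STARTTLS handshake or certificate verification failed"
        return 1
    fi
    audit_ehlo "$pre" "$post"
}

# Constructed sample responses (not captured from a real server).
SAMPLE_PRE_OK='250-mail.example.com
250-PIPELINING
250-STARTTLS
250 8BITMIME'
SAMPLE_PRE_BAD='250-mail.example.com
250-STARTTLS
250-AUTH PLAIN LOGIN
250 8BITMIME'
SAMPLE_POST='250-mail.example.com
250-PIPELINING
250-AUTH PLAIN LOGIN
250 8BITMIME'

# Run the live check only when invoked with --live; otherwise just
# exercise the audit logic on the constructed samples.
if [ "${1:-}" = "--live" ]; then
    check_submission "$HOST" "$PORT"
else
    audit_ehlo "$SAMPLE_PRE_OK" "$SAMPLE_POST"
fi
```

Run it as HOST=mail.example.com ./check_tls.sh --live from a machine that can reach port 587. If the plaintext EHLO already lists AUTH, smtpd_tls_auth_only is not in effect on that service; if the TLS step fails, either STARTTLS is not offered or the certificate chain does not validate, which is what a mail client would also see.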
