Difference between revisions of "TLS configuration for postfix"

From Notes_Wiki
Revision as of 12:17, 19 December 2014


TLS configuration for postfix

  1. mkdir -p /etc/postfix/ssl
  2. Generate a self-signed certificate in that directory using:
    openssl req -new -x509 -days 999 -nodes -out postfix.pem -keyout postfix.pem
  3. chown postfix:postfix postfix.pem
  4. chmod 400 postfix.pem
  5. Add following lines to /etc/postfix/main.cf
    smtpd_tls_cert_file = /etc/postfix/ssl/postfix.pem
    smtpd_tls_key_file = $smtpd_tls_cert_file
    smtpd_tls_security_level = may
  6. service postfix restart

Note that if SMTP auth is enabled, disabling plaintext auth over unencrypted channels using:

      smtpd_sasl_security_options = noanonymous, noplaintext
      smtpd_sasl_tls_security_options = noanonymous

causes postfix to stop working. Hence we depend on the user to prefer TLS over the unencrypted channel for plaintext authentication.
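The gap left by the note above (plaintext AUTH offered on sessions that never negotiate TLS) can be checked mechanically. The following is an added example, not part of the original page: a small main.cf checker. The `smtpd_sasl_auth_enable` line in the sample is an assumption, `smtpd_tls_auth_only` is a standard Postfix parameter that the page does not use, and only plain `$name` / `${name}` references are expanded.

```python
import re

# Constructed sample: the main.cf lines from step 5 plus an assumed SASL setup
# (the smtpd_sasl_auth_enable line is not shown on the page).
SAMPLE_MAIN_CF = """\
smtpd_tls_cert_file = /etc/postfix/ssl/postfix.pem
smtpd_tls_key_file = $smtpd_tls_cert_file
smtpd_tls_security_level = may
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
"""

def parse_main_cf(text):
    """Return {name: raw value}; skips comments and joins continuation lines."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace():                  # leading whitespace continues the previous entry
            if current:
                params[current] += " " + raw.strip()
            continue
        name, sep, value = raw.partition("=")
        if sep:
            current = name.strip()
            params[current] = value.strip()   # a later setting overrides an earlier one
    return params

def expand(params, value, depth=0):
    """Expand simple $name / ${name} references to parameters set in the same file."""
    if depth > 10:                            # guard against self-referencing values
        return value
    return re.sub(r"\$(?:\{(\w+)\}|(\w+))",
                  lambda m: expand(params, params.get(m.group(1) or m.group(2), ""), depth + 1),
                  value)

def audit(text):
    """Return finding ids for an smtpd TLS/SASL setup given as main.cf text."""
    p = parse_main_cf(text)
    get = lambda name, default="": expand(p, p.get(name, default))
    findings = []
    level = get("smtpd_tls_security_level")
    # Mechanisms offered on an unencrypted session follow smtpd_sasl_security_options.
    clear_opts = set(re.split(r"[,\s]+", get("smtpd_sasl_security_options", "noanonymous")))
    tls_required_for_auth = level == "encrypt" or get("smtpd_tls_auth_only", "no") == "yes"
    if (get("smtpd_sasl_auth_enable", "no") == "yes" and not tls_required_for_auth
            and "noplaintext" not in clear_opts):
        findings.append("plaintext-auth-without-tls")
    return findings
```

`audit(SAMPLE_MAIN_CF)` reports `plaintext-auth-without-tls`; the finding clears when `noplaintext` is set for unencrypted sessions, when `smtpd_tls_auth_only = yes` is present, or when the security level is `encrypt`.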

Steps learned from http://www.postfix.org/TLS_README.html