Difference between revisions of "TLS configuration for postfix"

From Notes_Wiki
m
m
Line 14: Line 14:
#::      smtpd_tls_key_file = $smtpd_tls_cert_file
#::      smtpd_tls_key_file = $smtpd_tls_cert_file
#::      smtpd_tls_security_level = may
#::      smtpd_tls_security_level = may
#::      smtpd_tls_received_header = yes
#::      smtp_tls_security_level = may
#::      smtp_tls_note_starttls_offer = yes
#:</pre>
#:</pre>
#::where lines starting with smtp_ configure postfix to also send outgoing emails using TLS.
# Add following lines after commented smtps line in /etc/postfix/master.cf
# Add following lines after commented smtps line in /etc/postfix/master.cf
#:<pre>
#:<pre>

Revision as of 18:23, 17 August 2018

<yambe:breadcrumb>Postfix_server_configuration|Postfix server configuration</yambe:breadcrumb>

TLS configuration for postfix

  1. mkdir -p /etc/postfix/ssl
  2. Generate self-signed certificate using:
    openssl req -new -x509 -days 999 -nodes -out postfix.pem -keyout postfix.pem
  3. chown postfix:postfix postfix.pem
  4. chmod 400 postfix.pem
  5. Add following lines to /etc/postfix/main.cf
    smtpd_tls_cert_file = /etc/postfix/ssl/postfix.pem
    smtpd_tls_key_file = $smtpd_tls_cert_file
    smtpd_tls_security_level = may
    smtpd_tls_received_header = yes
    smtp_tls_security_level = may
    smtp_tls_note_starttls_offer = yes
    where lines starting with smtp_ configure postfix to also send outgoing emails using TLS.
  6. Add following lines after commented smtps line in /etc/postfix/master.cf
    smtps inet n - n - - smtpd
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_reject_unlisted_sender=yes
    -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
    -o broken_sasl_auth_clients=yes
  7. service postfix restart
  8. Verify using "netstat -alnp | grep master" that postfix is listening on both port 25 and port 465


Note that if smtp auth is enabled, then disabling plaintext auth over nonencrypted channels using:

      smtpd_sasl_security_options = noanonymous, noplaintext
      smtpd_sasl_tls_security_options = noanonymous

is causing postfix to not work. Hence we depend on user to prefer TLS over unecrypted channel for plaintext authentication.


Please also refer to CentOS 7.x Enable submission 587 port for postfix


Steps learned from http://www.postfix.org/TLS_README.html