Difference between revisions of "TLS configuration for postfix"

Latest revision as of 10:43, 14 July 2022

Home > CentOS > CentOS 6.x > Postfix server configuration > TLS configuration for postfix

mkdir -p /etc/postfix/ssl

Generate self-signed certificate using:

openssl req -new -x509 -days 999 -nodes -out postfix.pem -keyout postfix.pem

chown postfix:postfix postfix.pem
chmod 400 postfix.pem

Add following lines to /etc/postfix/main.cf

smtpd_tls_cert_file = /etc/postfix/ssl/postfix.pem
smtpd_tls_key_file = $smtpd_tls_cert_file
smtpd_tls_security_level = may
smtpd_tls_received_header = yes
smtp_tls_security_level = may
smtp_tls_note_starttls_offer = yes

where lines starting with smtp_ configure postfix to also send outgoing emails using TLS.

Add following lines after commented smtps line in /etc/postfix/master.cf

smtps   inet n   -   n   - - smtpd
-o smtpd_sasl_auth_enable=yes
-o smtpd_reject_unlisted_sender=yes
-o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
-o broken_sasl_auth_clients=yes

service postfix restart
Verify using "netstat -alnp | grep master" that postfix is listening on both port 25 and port 465

Note that if smtp auth is enabled, then disabling plaintext auth over nonencrypted channels using:

      smtpd_sasl_security_options = noanonymous, noplaintext
      smtpd_sasl_tls_security_options = noanonymous

is causing postfix to not work. Hence we depend on user to prefer TLS over unecrypted channel for plaintext authentication.

Please also refer to CentOS 7.x Enable submission 587 port for postfix

Steps learned from http://www.postfix.org/TLS_README.html

Home > CentOS > CentOS 6.x > Postfix server configuration > TLS configuration for postfix

@@ Line 1: / Line 1: @@
-<yambe:breadcrumb>Postfix_server_configuration|Postfix server configuration</yambe:breadcrumb>
+[[Main Page|Home]] > [[CentOS]] > [[CentOS 6.x]] > [[Postfix server configuration]] > [[TLS configuration for postfix]]
-=TLS configuration for postfix=
 # mkdir -p /etc/postfix/ssl
@@ Line 14: / Line 13: @@
 #::      smtpd_tls_key_file = $smtpd_tls_cert_file
 #::      smtpd_tls_security_level = may
+#::      smtpd_tls_received_header = yes
+#::      smtp_tls_security_level = may
+#::      smtp_tls_note_starttls_offer = yes
 #:</pre>
+#::where lines starting with smtp_ configure postfix to also send outgoing emails using TLS.
+# Add following lines after commented smtps line in /etc/postfix/master.cf
+#:<pre>
+#::smtps   inet n   -   n   - - smtpd
+#::      -o smtpd_sasl_auth_enable=yes
+#::      -o smtpd_reject_unlisted_sender=yes
+#::      -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
+#::      -o broken_sasl_auth_clients=yes
+#:</pre>
+# service postfix restart
+# Verify using "netstat -alnp | grep master" that postfix is listening on both port 25 and port 465
 Note that if smtp auth is enabled, then disabling plaintext auth over nonencrypted channels using:
 <pre>
@@ Line 21: / Line 35: @@
        smtpd_sasl_tls_security_options = noanonymous
 </pre>
-is causing postfix to not work.  Hence we depend on user to prefer TLS over unecrypted channel for plaintext authentication.
+is '''causing postfix to not work.'''  Hence we depend on user to prefer TLS over unecrypted channel for plaintext authentication.
+Please also refer to [[CentOS 7.x Enable submission 587 port for postfix]]
 Steps learned from http://www.postfix.org/TLS_README.html
+[[Main Page|Home]] > [[CentOS]] > [[CentOS 6.x]] > [[Postfix server configuration]] > [[TLS configuration for postfix]]

Anonymous

Search

Difference between revisions of "TLS configuration for postfix"

Namespaces

More

Page actions

Latest revision as of 10:43, 14 July 2022

Navigation

Navigation

Wiki tools

Wiki tools

Anonymous

Search

Difference between revisions of "TLS configuration for postfix"

Latest revision as of 10:43, 14 July 2022

Navigation

Wiki tools

Page tools