Difference between revisions of "TLS configuration for postfix"
From Notes_Wiki
Line 14: | Line 14: | ||
#:: smtpd_tls_key_file = $smtpd_tls_cert_file | #:: smtpd_tls_key_file = $smtpd_tls_cert_file | ||
#:: smtpd_tls_security_level = may | #:: smtpd_tls_security_level = may | ||
#:</pre> | |||
# Add following lines after commented smtps line in /etc/postfix/master.cf | |||
#:<pre> | |||
#::smtps inet n - n - - smtpd | |||
#:: -o smtpd_sasl_auth_enable=yes | |||
#:: -o smtpd_reject_unlisted_sender=yes | |||
#:: -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject | |||
#:: -o broken_sasl_auth_clients=yes | |||
#:</pre> | #:</pre> | ||
# service postfix restart | # service postfix restart |
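Review bot: the smtps entry in the /etc/postfix/master.cf block (the "smtps inet n - n - - smtpd" line and its -o options) has no "-o smtpd_tls_wrappermode=yes", so with "smtpd_tls_security_level = may" from the lines above it, this listener starts as plain SMTP and only upgrades if the client issues STARTTLS, while "-o smtpd_sasl_auth_enable=yes" offers AUTH on it. Suggest adding "-o smtpd_tls_wrappermode=yes" under the smtps line if the service is meant to be implicit TLS, or "-o smtpd_tls_auth_only=yes" if it is meant to use STARTTLS, so that credentials are only accepted inside TLS.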
Revision as of 13:02, 19 December 2014
TLS configuration for postfix
- mkdir -p /etc/postfix/ssl
- Generate a self-signed certificate using:
    openssl req -new -x509 -days 999 -nodes -out postfix.pem -keyout postfix.pem
    chown postfix:postfix postfix.pem
    chmod 400 postfix.pem
- Add the following lines to /etc/postfix/main.cf:
    smtpd_tls_cert_file = /etc/postfix/ssl/postfix.pem
    smtpd_tls_key_file = $smtpd_tls_cert_file
    smtpd_tls_security_level = may
- Add the following lines after the commented smtps line in /etc/postfix/master.cf:
    smtps inet n - n - - smtpd
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_reject_unlisted_sender=yes
      -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
      -o broken_sasl_auth_clients=yes
- service postfix restart
Note that if SMTP auth is enabled, disabling plaintext auth over non-encrypted channels using:
    smtpd_sasl_security_options = noanonymous, noplaintext
    smtpd_sasl_tls_security_options = noanonymous
causes Postfix to not work. Hence we depend on the user to prefer TLS over the unencrypted channel for plaintext authentication.
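An added example (not from this wiki page or the Postfix project): a small Python audit that parses main.cf and master.cf text and reports smtpd services where SASL AUTH would be accepted outside TLS, the situation the note above leaves to the user. The sample config is constructed from the settings on this page; smtpd_tls_wrappermode and smtpd_tls_auth_only are Postfix parameters the page does not mention, and only single-line main.cf settings and the "-o name=value" override form are handled.

```python
MAIN_CF = """\
smtpd_tls_cert_file = /etc/postfix/ssl/postfix.pem
smtpd_tls_key_file = $smtpd_tls_cert_file
smtpd_tls_security_level = may
"""  # constructed sample: the main.cf lines from this page
MASTER_CF = """\
smtp      inet  n       -       n       -       -       smtpd
smtps     inet  n       -       n       -       -       smtpd
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_reject_unlisted_sender=yes
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
  -o broken_sasl_auth_clients=yes
"""  # constructed sample: a stock smtp line plus this page's smtps entry

def _lines(text):
    """Return the non-blank, non-comment lines of a config file."""
    return [l for l in text.splitlines() if l.strip()[:1] not in ("", "#")]

def parse_main_cf(text):
    """Return {parameter: value} for single-line 'name = value' settings."""
    pairs = (l.split("=", 1) for l in _lines(text) if "=" in l)
    return {name.strip(): value.strip() for name, value in pairs}

def parse_master_cf(text):
    """Return {service: {"_command": cmd, override: value}} from -o options."""
    services, current = {}, {}                 # options before any service are dropped
    for raw in _lines(text):
        fields = raw.split()
        if not raw[0].isspace():               # a new service entry starts
            cmd = fields[7] if len(fields) > 7 else ""
            current = services.setdefault(fields[0], {"_command": cmd})
        for flag, arg in zip(fields, fields[1:]):
            if flag == "-o" and "=" in arg:
                current.update([arg.split("=", 1)])
    return services

def audit(main_cf, master_cf):
    """Return findings for smtpd services that accept AUTH outside TLS."""
    main, findings = parse_main_cf(main_cf), []
    for svc, opts in parse_master_cf(master_cf).items():
        eff = {**main, **opts}                 # -o overrides main.cf
        if opts["_command"] != "smtpd" or eff.get("smtpd_tls_wrappermode") == "yes":
            continue                           # not smtpd, or TLS from the first byte
        if svc == "smtps":
            findings.append("smtps: smtpd_tls_wrappermode is not yes")
        if (eff.get("smtpd_sasl_auth_enable") == "yes"
                and eff.get("smtpd_tls_auth_only") != "yes"):
            findings.append(f"{svc}: AUTH is offered before STARTTLS")
    return findings
```

Calling audit(MAIN_CF, MASTER_CF) on the page's settings returns both findings for smtps; appending an "-o smtpd_tls_wrappermode=yes" line to the smtps entry clears them.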
Steps learned from http://www.postfix.org/TLS_README.html