Difference between revisions of "TLS configuration for postfix"
From Notes_Wiki
m |
m |
||
| (4 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
[[Main Page|Home]] > [[CentOS]] > [[CentOS 6.x]] > [[Postfix server configuration]] > [[TLS configuration for postfix]] | |||
# mkdir -p /etc/postfix/ssl | # mkdir -p /etc/postfix/ssl | ||
| Line 14: | Line 13: | ||
#:: smtpd_tls_key_file = $smtpd_tls_cert_file | #:: smtpd_tls_key_file = $smtpd_tls_cert_file | ||
#:: smtpd_tls_security_level = may | #:: smtpd_tls_security_level = may | ||
#:: smtpd_tls_received_header = yes | |||
#:: smtp_tls_security_level = may | |||
#:: smtp_tls_note_starttls_offer = yes | |||
#:</pre> | |||
#::where lines starting with smtp_ configure postfix to also send outgoing emails using TLS. | |||
# Add following lines after commented smtps line in /etc/postfix/master.cf | |||
#:<pre> | |||
#::smtps inet n - n - - smtpd | |||
#:: -o smtpd_sasl_auth_enable=yes | |||
#:: -o smtpd_reject_unlisted_sender=yes | |||
#:: -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject | |||
#:: -o broken_sasl_auth_clients=yes | |||
#:</pre> | #:</pre> | ||
# service postfix restart | # service postfix restart | ||
# Verify using "netstat -alnp | grep master" that postfix is listening on both port 25 and port 465 | |||
Note that if smtp auth is enabled, then disabling plaintext auth over nonencrypted channels using: | Note that if smtp auth is enabled, then disabling plaintext auth over nonencrypted channels using: | ||
<pre> | <pre> | ||
| Line 23: | Line 36: | ||
</pre> | </pre> | ||
is '''causing postfix to not work.''' Hence we depend on user to prefer TLS over unecrypted channel for plaintext authentication. | is '''causing postfix to not work.''' Hence we depend on user to prefer TLS over unecrypted channel for plaintext authentication. | ||
Please also refer to [[CentOS 7.x Enable submission 587 port for postfix]] | |||
Steps learned from http://www.postfix.org/TLS_README.html | Steps learned from http://www.postfix.org/TLS_README.html | ||
[[Main Page|Home]] > [[CentOS]] > [[CentOS 6.x]] > [[Postfix server configuration]] > [[TLS configuration for postfix]] | |||
Latest revision as of 10:43, 14 July 2022
Home > CentOS > CentOS 6.x > Postfix server configuration > TLS configuration for postfix
- mkdir -p /etc/postfix/ssl
- Generate self-signed certificate using:
- openssl req -new -x509 -days 999 -nodes -out postfix.pem -keyout postfix.pem
- chown postfix:postfix postfix.pem
- chmod 400 postfix.pem
- Add following lines to /etc/postfix/main.cf
- smtpd_tls_cert_file = /etc/postfix/ssl/postfix.pem
- smtpd_tls_key_file = $smtpd_tls_cert_file
- smtpd_tls_security_level = may
- smtpd_tls_received_header = yes
- smtp_tls_security_level = may
- smtp_tls_note_starttls_offer = yes
-
- where lines starting with smtp_ configure postfix to also send outgoing emails using TLS.
- Add following lines after commented smtps line in /etc/postfix/master.cf
- smtps inet n - n - - smtpd
- -o smtpd_sasl_auth_enable=yes
- -o smtpd_reject_unlisted_sender=yes
- -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
- -o broken_sasl_auth_clients=yes
- service postfix restart
- Verify using "netstat -alnp | grep master" that postfix is listening on both port 25 and port 465
Note that if smtp auth is enabled, then disabling plaintext auth over nonencrypted channels using:
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous
is causing postfix to not work. Hence we depend on user to prefer TLS over unecrypted channel for plaintext authentication.
Please also refer to CentOS 7.x Enable submission 587 port for postfix
Steps learned from http://www.postfix.org/TLS_README.html
Home > CentOS > CentOS 6.x > Postfix server configuration > TLS configuration for postfix
