TLS configuration for postfix

From Notes_Wiki
Revision as of 13:03, 19 December 2014 by Saurabh (talk | contribs)


TLS configuration for postfix

  1. mkdir -p /etc/postfix/ssl
  2. Generate a self-signed certificate (key and certificate in one file) in /etc/postfix/ssl using:
    openssl req -new -x509 -days 999 -nodes -out postfix.pem -keyout postfix.pem
  3. chown postfix:postfix postfix.pem
  4. chmod 400 postfix.pem
  5. Add the following lines to /etc/postfix/main.cf
    smtpd_tls_cert_file = /etc/postfix/ssl/postfix.pem
    smtpd_tls_key_file = $smtpd_tls_cert_file
    smtpd_tls_security_level = may
  6. Add the following lines after the commented-out smtps line in /etc/postfix/master.cf
    smtps inet n - n - - smtpd
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_reject_unlisted_sender=yes
    -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
    -o broken_sasl_auth_clients=yes
  7. service postfix restart
  8. Verify using "netstat -alnp | grep master" that Postfix is listening on both port 25 and port 465


Note that if SMTP AUTH is enabled, disabling plaintext authentication over unencrypted channels using:

      smtpd_sasl_security_options = noanonymous, noplaintext
      smtpd_sasl_tls_security_options = noanonymous

causes Postfix to stop working. Hence we rely on users preferring TLS over an unencrypted channel for plaintext authentication.
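An added example (not from the original page or from Postfix) that parses a main.cf fragment the way Postfix reads it (continuation lines, $name references such as $smtpd_tls_cert_file above) and reports the posture the steps and the note describe: whether TLS is offered or required, which cert/key files are used, and whether SMTP AUTH can still send plaintext credentials over a cleartext session. The sample main.cf is constructed here, including smtpd_sasl_auth_enable = yes (set via -o on the smtps service above) so the check has something to evaluate.

```python
import re

# Constructed sample main.cf mirroring the TLS settings from the steps above
SAMPLE_MAIN_CF = """\
# TLS settings for smtpd
smtpd_tls_cert_file = /etc/postfix/ssl/postfix.pem
smtpd_tls_key_file = $smtpd_tls_cert_file
smtpd_tls_security_level = may
smtpd_sasl_auth_enable = yes
"""

def parse_main_cf(text):
    """Parse 'parameter = value' lines; a line starting with whitespace
    continues the previous value, '#' lines are comments (simplified from
    postconf(5)), and $name / ${name} references are expanded recursively."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and current:          # continuation line
            params[current] += " " + raw.strip()
            continue
        key, _, value = raw.partition("=")
        current = key.strip()
        params[current] = value.strip()

    def expand(value, depth=0):
        if depth > 10:                           # guard against a=$b, b=$a loops
            raise ValueError("circular $reference in main.cf")
        return re.sub(r"\$\{?(\w+)\}?",
                      lambda m: expand(params.get(m.group(1), ""), depth + 1),
                      value)
    return {k: expand(v) for k, v in params.items()}

def audit_tls(params):
    """Summarise the smtpd TLS/SASL posture; the last key flags the caveat
    from the note above (credentials accepted in plaintext without TLS)."""
    level = params.get("smtpd_tls_security_level", "none")
    # Postfix default for smtpd_sasl_security_options is 'noanonymous'
    opts = set(re.split(r"[\s,]+", params.get("smtpd_sasl_security_options", "noanonymous")))
    return {
        "tls_offered": level in ("may", "encrypt"),
        "tls_required": level == "encrypt",
        "cert_file": params.get("smtpd_tls_cert_file"),
        "key_file": params.get("smtpd_tls_key_file"),
        "plaintext_auth_over_cleartext": (params.get("smtpd_sasl_auth_enable") == "yes"
                                          and level != "encrypt"
                                          and "noplaintext" not in opts),
    }
```

Running audit_tls on the sample reports plaintext_auth_over_cleartext as True, which is exactly the trade-off the note accepts; adding noplaintext or switching the security level to encrypt turns it False.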

Steps learned from http://www.postfix.org/TLS_README.html