TLS configuration for postfix

Revision as of 12:12, 19 December 2014 by Saurabh

  1. mkdir -p /etc/postfix/ssl
  2. Generate a self-signed certificate (run this inside /etc/postfix/ssl so the file ends up at the path used in step 5):
    openssl req -new -x509 -days 999 -nodes -out postfix.pem -keyout postfix.pem
  3. chown postfix:postfix postfix.pem
  4. chmod 400 postfix.pem
  5. Add the following lines to /etc/postfix/main.cf:
    smtpd_tls_cert_file = /etc/postfix/ssl/postfix.pem
    smtpd_tls_key_file = $smtpd_tls_cert_file
    smtpd_tls_security_level = may

Note that if SMTP AUTH is enabled, then disabling plaintext auth over unencrypted channels using:

      smtpd_sasl_security_options = noanonymous, noplaintext
      smtpd_sasl_tls_security_options = noanonymous

causes postfix to not work. Hence we depend on the user to prefer TLS over an unencrypted channel for plaintext authentication.
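
A way to check the result of the steps and the note above, as an added example that is not part of the original page: it parses main.cf text, resolves the `$smtpd_tls_cert_file` reference, checks the key file mode, and reports whether plaintext AUTH would be accepted without TLS. `smtpd_sasl_auth_enable` and `smtpd_tls_auth_only` are Postfix parameters the page does not mention; the finding labels and the sample configuration are constructed for this example.

```python
import os, re, stat, tempfile

def parse_main_cf(text):
    """main.cf syntax: '#' lines are comments; leading whitespace continues the previous line."""
    params, name = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and name:
            params[name] += " " + raw.strip()
        elif "=" in raw:
            name, value = (s.strip() for s in raw.split("=", 1))
            params[name] = value
    return params

def expand(params, value, depth=0):
    """Resolve $name / ${name}, as in smtpd_tls_key_file = $smtpd_tls_cert_file."""
    if depth > 10:  # guard against self-referencing parameters
        return value
    ref = lambda m: expand(params, params.get(m.group(1) or m.group(2), ""), depth + 1)
    return re.sub(r"\$(?:\{(\w+)\}|(\w+))", ref, value)

def audit(text):
    # Finding labels are this example's own; legacy smtpd_use_tls/smtpd_enforce_tls are ignored.
    p, findings = parse_main_cf(text), []
    if p.get("smtpd_tls_security_level", "") not in ("may", "encrypt"):
        findings.append("tls-not-offered")
    # Postfix defaults smtpd_tls_key_file to $smtpd_tls_cert_file.
    key = expand(p, p.get("smtpd_tls_key_file", "$smtpd_tls_cert_file"))
    if not os.path.isfile(key):
        findings.append("key-missing")
    elif stat.S_IMODE(os.stat(key).st_mode) & 0o077:
        findings.append("key-open-to-group-or-other")
    sasl = p.get("smtpd_sasl_auth_enable", "no") == "yes"
    opts = re.split(r"[,\s]+", p.get("smtpd_sasl_security_options", "noanonymous"))
    if sasl and p.get("smtpd_tls_auth_only", "no") != "yes" and "noplaintext" not in opts:
        findings.append("plaintext-auth-without-tls")
    return findings

def demo():
    """Constructed sample: the page's main.cf lines plus SASL, with an empty stand-in key file."""
    with tempfile.TemporaryDirectory() as d:
        pem = os.path.join(d, "postfix.pem")
        open(pem, "w").close()
        cfg = ("smtpd_tls_cert_file = %s\nsmtpd_tls_key_file = $smtpd_tls_cert_file\n"
               "smtpd_tls_security_level = may\nsmtpd_sasl_auth_enable = yes\n" % pem)
        os.chmod(pem, 0o644)
        before = audit(cfg)
        os.chmod(pem, 0o400)
        return before, audit(cfg + "smtpd_tls_auth_only = yes\n")
```

With `smtpd_tls_auth_only = yes`, Postfix announces and accepts AUTH only after STARTTLS, so the last finding clears without setting `noplaintext`.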

Steps learned from http://www.postfix.org/TLS_README.html