TLS configuration for postfix
- mkdir -p /etc/postfix/ssl
- cd /etc/postfix/ssl
- Generate self-signed certificate using:
  - openssl req -new -x509 -days 999 -nodes -out postfix.pem -keyout postfix.pem
  - chown postfix:postfix postfix.pem
  - chmod 400 postfix.pem
- Add the following lines to /etc/postfix/main.cf
  - smtpd_tls_cert_file = /etc/postfix/ssl/postfix.pem
  - smtpd_tls_key_file = $smtpd_tls_cert_file
  - smtpd_tls_security_level = may
- Add the following lines after the commented smtps line in /etc/postfix/master.cf (the -o lines are continuation lines and must start with whitespace)
  - smtps inet n - n - - smtpd
  - -o smtpd_sasl_auth_enable=yes
  - -o smtpd_reject_unlisted_sender=yes
  - -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
  - -o broken_sasl_auth_clients=yes
- service postfix restart
Note that if SMTP AUTH is enabled, then disabling plaintext auth over non-encrypted channels using:
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous
is causing postfix to not work. Hence we depend on the user to prefer TLS over an unencrypted channel for plaintext authentication.
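A check for the exposure this note describes, as an added example that is not part of the original wiki page: it reads `name = value` settings on stdin, in the format printed by `postconf -n`, and reports whether a plaintext AUTH can happen on a session without TLS. The function names and `PAGE_SETTINGS` are hypothetical; `smtpd_tls_auth_only` is a standard Postfix parameter that this page does not set, and per-service `-o` overrides from master.cf are assumed to be appended to the input by hand.

```shell
#!/bin/sh
# Added example (not from the original page).
# Input: "name = value" lines; a later line overrides an earlier one.

# pf_get NAME DEFAULT CONFIG_TEXT: print the last value set for NAME.
pf_get() {
    printf '%s\n' "$3" | awk -v want="$1" -v def="$2" '
        /^[ \t]*(#|$)/ { next }              # skip comments and blank lines
        {
            eq = index($0, "=")
            if (eq == 0) next
            name = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", name)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (name == want) { found = val; seen = 1 }
        }
        END { print (seen ? found : def) }'
}

# Exit 0 when a plaintext AUTH cannot occur without TLS, 1 when it can.
audit_plaintext_auth() {
    cfg=$(cat)
    sasl=$(pf_get smtpd_sasl_auth_enable no "$cfg")
    level=$(pf_get smtpd_tls_security_level none "$cfg")
    authonly=$(pf_get smtpd_tls_auth_only no "$cfg")
    opts=$(pf_get smtpd_sasl_security_options noanonymous "$cfg")

    if [ "$sasl" != yes ]; then echo "OK: SASL AUTH is disabled"; return 0; fi
    if [ "$level" = encrypt ]; then echo "OK: TLS is mandatory"; return 0; fi
    if [ "$authonly" = yes ]; then echo "OK: AUTH only offered inside TLS"; return 0; fi
    # The option list may be separated by commas and/or whitespace.
    case ",$(printf '%s' "$opts" | tr ' \t' ',,')," in
        *,noplaintext,*) echo "OK: no plaintext mechanisms without TLS"; return 0 ;;
    esac
    echo "EXPOSED: tls_level=$level auth_only=$authonly sasl_options=$opts"
    return 1
}

# Constructed input: this page's main.cf TLS level plus the smtps -o override.
PAGE_SETTINGS='smtpd_tls_security_level = may
smtpd_sasl_auth_enable = yes'
```

On a live server the input would come from `postconf -n | audit_plaintext_auth`.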
Steps learned from http://www.postfix.org/TLS_README.html