Distroname and release: Debian Squeeze
Postfix with TLS
Ref.: http://www.postfix.org/TLS_README.html
Enabling TLS for postfix will encrypt the e-mail between the client and the TLS endpoint, which in this case will be the postfix server.
Enabling TLS for postfix will only encrypt the traffic when sending and receiving e-mails through the MTA; it will NOT encrypt login information when checking e-mails.
For that, enable TLS on IMAP and/or POP3.
It is possible to enable TLS for both courier-imap and courier-pop3 (which I have experience with), as well as other servers.
Prerequisites:
You must have a fully functional postfix installation up and running, and optionally a CA. If you do not have a CA it is possible to have the certificate signed by a public CA like Verisign. I will not show how to create a postfix installation or a CA here, please check my other guides for this.
OK, ready? Let's continue. Create a certificate request for the mail server:
#openssl req -new -key ca.key -out mail_linuxlasse_net.csr
Sign the certificate if possible, or get a trusted CA to do it.
sh sign.sh mail_linuxlasse_net.csr
Create a new directory, and move or copy the key file and the newly created certificate.
The key file must be non password protected!
In this case it is called insecure_ca.key.
#mkdir /etc/postfix/tls
#cp insecure_ca.key /etc/postfix/tls/
#mv mail_linuxlasse_net.crt /etc/postfix/tls
Now insert the following lines into /etc/postfix/main.cf
/etc/postfix/main.cf
smtpd_tls_cert_file = /etc/postfix/tls/mail_linuxlasse_net.crt
smtpd_tls_key_file = /etc/postfix/tls/insecure_ca.key
smtpd_tls_CAfile = /etc/postfix/tls/ca.crt
#inbound, use TLS if possible
smtpd_tls_security_level = may
#We want to have logging, for troubleshooting.
smtpd_tls_loglevel = 1
#outbound, use TLS if possible
smtp_tls_security_level = may
smtp_tls_loglevel = 1
After the changes, restart postfix.
#/etc/init.d/postfix restart
When postfix has restarted, it is time to check whether TLS is enabled.
We will look for STARTTLS in the EHLO reply.
We can do this with telnet.
telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 mail.linuxlasse.net ESMTP
ehlo server.com
250-mail.linuxlasse.net
250-PIPELINING
250-SIZE 10240000
250-ETRN
250-STARTTLS
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
The test is successful: as you can see, the server advertises 250-STARTTLS.
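The same check can be scripted so it is repeatable after every config change. This is an added example, not part of the original guide: it parses an EHLO reply for the STARTTLS keyword (using the reply shown above as constructed sample data), and check_live_server() does the real handshake against a host of your choosing, verifying the server certificate against the system CA store the way a mail client would.

```python
import smtplib
import ssl

# Constructed sample: the EHLO reply from the telnet session in this guide.
SAMPLE_EHLO_REPLY = b"""250-mail.linuxlasse.net
250-PIPELINING
250-SIZE 10240000
250-ETRN
250-STARTTLS
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN"""


def parse_ehlo_extensions(reply):
    """Return the set of ESMTP keywords (upper-cased) advertised in a raw EHLO reply.

    The first 250 line carries the server name, not an extension, so it is skipped.
    '250-' marks a continuation line and '250 ' the final line; parameters after
    the keyword (e.g. 'SIZE 10240000', 'AUTH=LOGIN PLAIN') are dropped."""
    lines = reply.decode("ascii", "replace").splitlines()
    extensions = set()
    for line in lines[1:]:
        if not line.startswith("250"):
            continue
        keyword = line[4:].split(" ", 1)[0].split("=", 1)[0]
        if keyword:
            extensions.add(keyword.upper())
    return extensions


def starttls_advertised(reply):
    """True when the MTA offers STARTTLS, as the telnet test above looks for."""
    return "STARTTLS" in parse_ehlo_extensions(reply)


def check_live_server(host, port=25, ehlo_name="check.example"):
    """Connect to a real MTA and report (starttls_offered, negotiated_tls_version).

    With a self-signed certificate the STARTTLS step raises ssl.SSLCertVerificationError,
    which is the scripted equivalent of the client warning described in the guide;
    import your CA into the system trust store (or pass ctx.load_verify_locations)
    to make verification succeed."""
    with smtplib.SMTP(host, port, timeout=10) as conn:
        conn.ehlo(ehlo_name)
        if not conn.has_extn("starttls"):
            return False, None
        ctx = ssl.create_default_context()  # verifies cert chain and hostname
        conn.starttls(context=ctx)
        conn.ehlo(ehlo_name)  # capabilities must be re-read after the TLS upgrade
        return True, conn.sock.version()
```

Remember that smtpd_tls_security_level = may means a client that never sends STARTTLS is still accepted in clear text, so "advertised" is not the same as "enforced".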
Now setup your mail client software to use STARTTLS!
It is likely you will get a certificate warning if you have signed your own certificate with your own CA. If this is the case, just ignore it, meaning create a permanent acceptance of the certificate, or import the root CA into the client.
Errors and fixes
I have had this error, which is shown below.
postfix/smtpd[14616]: warning: TLS library problem: 14616:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1086:SSL alert number 48:
If I copy the CA certificate to the store of TLS files it is working as intended. I am not sure why, but it is working.
The location could differ from your setup.
#cp ca.crt /etc/postfix/tls
And restart postfix
#/etc/init.d/postfix restart
Note: if you enable TLS and are sending through a relay server which does not support TLS, outbound connections will of course not be encrypted.