Distroname and release: Debian Squeeze
Postfix with TLSRef.:http://www.postfix.org/TLS_README.html
Enabling TLS for postfix will encrypt the e-mail between the client and the TLS endpoint, which in this case will be the postfix server.
Enabling TLS for postfix will only encrypt when sending and recieving e-mails through the MTA, it will NOT encrypt login informations when checking e-mails.
For this use IMAP and, or POP3.
Though it is possible to enable TLS for both courier-imap and courier-pop3, (which I have experience with) and other others as well.
Prequirements:You must have a fully functional postfix installation server up and running, and a an optional CA. If you do not have an CA it is possible to sign this with a public CA like verisign.
I will not show how to create an postfix installation, or an CA here, please check my other guides for this.
OK, ready? Lets continue. create certificate for mailserver
#openssl req -new -key ca.key -out mail_linuxlasse_net.csrSign the certificate if possible, or get a trusted CA to do it.
sh sign.sh mail_linuxlasse_net.csrCreate a new directory, and move or copy the key file and newly created certificate.
The key file must be non password protected!
In this case it is called insecure_ca.key.
#mkdir /etc/postfix/tls #cp insecure_ca.key /etc/postfix/tls/ #mv mail_linuxlasse_net.crt /etc/postfix/tlsNow insert the following lines to /etc/postfix/main.cf
/etc/postfix/main.cf smtpd_tls_cert_file = /etc/postfix/tls/mail_linuxlasse_net.crt smtpd_tls_key_file = /etc/postfix/tls/insecure_ca.key smtpd_tls_CAfile = /etc/postfix/tls/ca.crt #inbound, use TLS if possible smtpd_tls_security_level = may #We want to have logging, for troubleshooting. smtpd_tls_loglevel = 1 #outbound, use TLS if possible smtp_tls_security_level = may smtp_tls_loglevel = 1After the changes, restart postfix.
#/etc/init.d/postfix restartWhen postfix have restarted, it is time to check if TLS is enabled.
We will look if STARTTLS is there.
We can do this with telnet.
telnet localhost 25 Trying 127.0.0.1... Connected to localhost. Escape character is '^]'. 220 mail.linuxlasse.net ESMTP ehlo server.com 250-mail.linuxlasse.net 250-PIPELINING 250-SIZE 10240000 250-ETRN 250-STARTTLS 250-AUTH LOGIN PLAIN 250-AUTH=LOGIN PLAIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250 DSNThe test is successfull, as you can see 250-STARTTLS
Now setup your mail client software to use STARTTLS!
It is likely you will get an certificate warning, if you have signed your own certificate from your own CA. If this is the case, just ignore it, meaning create and permanent acception of the certificate, or import the root ca to the client.
Errors and fixesI have had this error, which is shown below.
postfix/smtpd: warning: TLS library problem: 14616:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1086:SSL alert number 48:If I copy the CA certificate to the store of tls files it is working as inteded. I am not sure why, but it is working.
The location could differ from your setup.
#cp ca.crt /etc/postfix/tlsAnd restart postfix
#/etc/init.d/postfix restartNote if you enable TLS, and are sending through and relay server which does not support TLS, outbound connections will ofcourse not be encryptet.