Configuring Postfix for TLS Encryption

To configure TLS you will need the following:
  1. A server certificate, either self-signed or issued by a CA (MyCert.pem)
  2. The private key that matches that certificate (MyCertKey.pem)
  3. The root certificates of the CAs you wish to trust (CaCert.pem)
To enable TLS within Postfix, as the root user:
  1. Create a new directory named /opt/pmx6/postfix/etc/certs/
  2. Place your certificates within /opt/pmx6/postfix/etc/certs/, ensuring they are owned by the root user. The private key (MyCertKey.pem) must be readable by root only (mode 0600); the certificate files may be world-readable.
  3. Edit the file /opt/pmx6/postfix/etc/main.cf
  4. Add the following to the end of the file:
    
    # ------ Enable TLS -------
    # Offer STARTTLS to SMTP clients (newer Postfix releases use
    # smtpd_tls_security_level = may for this instead)
    smtpd_use_tls = yes
    # Private key and certificate presented by the server, plus the CA
    # certificates trusted when verifying client certificates
    smtpd_tls_key_file = /opt/pmx6/postfix/etc/certs/MyCertKey.pem
    smtpd_tls_cert_file = /opt/pmx6/postfix/etc/certs/MyCert.pem
    smtpd_tls_CAfile = /opt/pmx6/postfix/etc/certs/CaCert.pem
    # Level 3 logs handshake details and is meant for troubleshooting;
    # lower it to 1 once TLS is working
    smtpd_tls_loglevel = 3
    # Record the TLS protocol and cipher in the Received: header
    smtpd_tls_received_header = yes
    # Lifetime of cached TLS sessions
    smtpd_tls_session_cache_timeout = 3600s
    # Entropy source for the TLS pseudo-random number generator
    tls_random_source = dev:/dev/urandom
    # ------ END TLS -------

  5. Save your main.cf and restart Postfix:

    # /opt/pmx6/postfix/etc/init.d/postfix restart

  6. Check that TLS is enabled within Postfix:

    # telnet localhost 25
    ehlo localhost

    Postfix will advertise its capabilities, similar to the following output:
    
    C: [root@example.com]# telnet mail.example.com 25
    S: 220 mail.example.com ESMTP Postfix (1.1.5)
    C: EHLO example.com
    S: 250-mail.example.com
    S: 250-PIPELINING
    S: 250-SIZE 10240000
    S: 250-VRFY
    S: 250-ETRN
    S: 250-STARTTLS
    S: 250 8BITMIME
    C: STARTTLS
    S: 220 Ready to start TLS
                        
    Postfix now advertises TLS and can start a session.
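The telnet check above stops at the STARTTLS offer. The following is an added example, not part of the original page or of the Postfix/PureMessage distribution: a Python 3 script (standard library only) that performs the EHLO, confirms STARTTLS is advertised, and then completes the handshake with certificate and host-name verification, which is what proves the certificate and key were loaded. The host name mail.example.com comes from the transcript; the CA file argument, the parse_ehlo/check_starttls function names and the sample reply bytes are assumptions constructed for this example.

```python
"""Check a Postfix server's STARTTLS offer and complete a verified handshake.

Added example, not part of the original page or of Postfix/PureMessage.
Assumes Python 3 with the standard library only. Pass the CA certificate
that issued MyCert.pem as the second argument (or MyCert.pem itself if it
is self-signed); with no CA file the system trust store is used.
"""
import smtplib
import ssl
import sys
from typing import Dict, List, Optional

# Constructed sample: the server side of the EHLO exchange shown in the
# transcript above, as the raw bytes a client reads from the socket.
SAMPLE_EHLO_REPLY = (
    b"250-mail.example.com\r\n"
    b"250-PIPELINING\r\n"
    b"250-SIZE 10240000\r\n"
    b"250-VRFY\r\n"
    b"250-ETRN\r\n"
    b"250-STARTTLS\r\n"
    b"250 8BITMIME\r\n"
)


def parse_ehlo(reply: bytes) -> List[str]:
    """Return the ESMTP keywords advertised in a raw multi-line EHLO reply.

    Continuation lines start with '250-' and the final line with '250 '.
    The first 250 line carries the server's host name, not an extension,
    so it is skipped. Keywords are case-insensitive and are upper-cased;
    parameters such as the SIZE limit are dropped.
    """
    keywords: List[str] = []
    first = True
    for raw in reply.decode("ascii", errors="replace").splitlines():
        line = raw.strip()
        if not line.startswith("250") or len(line) < 4:
            continue
        if first:                       # host-name line
            first = False
            continue
        body = line[4:].split()         # drop the '250-' / '250 ' prefix
        if body:
            keywords.append(body[0].upper())
    return keywords


def check_starttls(host: str, port: int = 25, cafile: Optional[str] = None,
                   timeout: float = 10.0) -> Dict[str, object]:
    """Connect, confirm STARTTLS is offered, and complete a verified handshake.

    The SSL context verifies the server certificate against `cafile` (or the
    system trust store when None) and checks that it matches `host`, which
    telnet cannot do. Raises ssl.SSLError if verification fails.
    """
    context = ssl.create_default_context(cafile=cafile)
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        code, _ = smtp.ehlo()
        if code != 250:
            raise RuntimeError(f"EHLO rejected with {code}")
        if not smtp.has_extn("starttls"):
            return {"starttls_offered": False}
        smtp.starttls(context=context)  # fails here if the chain is wrong
        sock = smtp.sock                # now an ssl.SSLSocket
        cert = sock.getpeercert()
        result: Dict[str, object] = {
            "starttls_offered": True,
            "protocol": sock.version(),
            "cipher": sock.cipher()[0],
            "subject": dict(rdn[0] for rdn in cert.get("subject", ())),
            "issuer": dict(rdn[0] for rdn in cert.get("issuer", ())),
        }
        smtp.ehlo()                     # RFC 3207: re-issue EHLO after TLS
    return result


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "mail.example.com"
    ca = sys.argv[2] if len(sys.argv) > 2 else None
    print(check_starttls(target, cafile=ca))
```

Run it as `python3 check_starttls.py mail.example.com /path/to/ca.pem`. A verification error from the handshake means Postfix is serving a certificate that does not chain to the CA you passed, or whose name does not match the host; a result with starttls_offered set to False means the EHLO reply lacks STARTTLS and the certificate or key files were not accepted.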