Configuring Postfix for TLS Encryption

Before you begin

To configure TLS you will need the following:
  1. A self-signed or CA-issued certificate for the mail server (MyCert.pem)
  2. The private key for that certificate (MyCertKey.pem)
  3. The root certificates of the CAs you wish to trust (CaCert.pem)

About this task

Perform the following steps as the root user to enable TLS within Postfix.

Follow these steps

  1. Create a new directory named /opt/pmx6/postfix/etc/certs/
  2. Place your certificates within /opt/pmx6/postfix/etc/certs/, ensuring they are owned by the root user and that the private key (MyCertKey.pem) is readable by root only
  3. Edit the file /opt/pmx6/postfix/etc/main.cf
  4. Add the following to the end of the file:

    # ------ Enable TLS -------
    smtpd_use_tls = yes
    smtpd_tls_key_file = /opt/pmx6/postfix/etc/certs/MyCertKey.pem
    smtpd_tls_cert_file = /opt/pmx6/postfix/etc/certs/MyCert.pem
    smtpd_tls_CAfile = /opt/pmx6/postfix/etc/certs/CaCert.pem
    smtpd_tls_loglevel = 3
    smtpd_tls_received_header = yes
    smtpd_tls_session_cache_timeout = 3600s
    tls_random_source = dev:/dev/urandom
    # ------ END TLS -------

  5. Save your main.cf and restart Postfix
    Example:

    # /opt/pmx6/postfix/etc/init.d/postfix restart

  6. Check to see if TLS is enabled within Postfix
    Example:
    
    # telnet localhost 25
    ehlo localhost

    Postfix will advertise its capabilities, producing output similar to the following:

    C: [root@example.com]# telnet mail.example.com 25
    S: 220 mail.example.com ESMTP Postfix (1.1.5)
    C: EHLO example.com
    S: 250-mail.example.com
    S: 250-PIPELINING
    S: 250-SIZE 10240000
    S: 250-VRFY
    S: 250-ETRN
    S: 250-STARTTLS
    S: 250 8BITMIME
    C: STARTTLS
    S: 220 Ready to start TLS
    Postfix now advertises TLS and can start a session.
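As an added example (not part of this article or of PureMessage), the script below checks the two results the procedure should produce: that main.cf carries the TLS settings from step 4 (flagging the verbose smtpd_tls_loglevel, which Postfix documents as a troubleshooting setting), and that the EHLO reply from step 6 advertises STARTTLS. The main.cf text and EHLO transcript embedded at the bottom are constructed from the steps above.

```python
import re

# Parameters step 4 adds to main.cf; None means any non-empty value is acceptable.
REQUIRED_TLS_KEYS = {"smtpd_use_tls": "yes", "smtpd_tls_key_file": None,
                     "smtpd_tls_cert_file": None, "smtpd_tls_CAfile": None}


def parse_main_cf(text):
    """Return {parameter: value} from main.cf text, skipping comments and blank lines."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            params[key.strip()] = value.strip()
    return params


def tls_config_problems(text):
    """List problems with the TLS block; an empty list means the step 4 settings are present."""
    params = parse_main_cf(text)
    problems = []
    for key, expected in REQUIRED_TLS_KEYS.items():
        if not params.get(key):
            problems.append(f"missing {key}")
        elif expected is not None and params[key].lower() != expected:
            problems.append(f"{key} should be {expected}, got {params[key]}")
    # Postfix documents smtpd_tls_loglevel 2 and above as troubleshooting-only settings.
    level = params.get("smtpd_tls_loglevel", "0")
    if level.isdigit() and int(level) > 1:
        problems.append("smtpd_tls_loglevel above 1 is for troubleshooting; use 1 in production")
    return problems


def ehlo_capabilities(reply):
    """Capability keywords from a multi-line 250 EHLO reply; the first 250 line is the hostname."""
    caps = []
    for line in reply.splitlines():
        m = re.match(r"^(?:S: )?250[- ](\S+)", line.strip())
        if m:
            caps.append(m.group(1).upper())
    return set(caps[1:])  # step 6 passes when "STARTTLS" is in this set


# Constructed inputs: the main.cf block from step 4 and the server side of the step 6 transcript.
SAMPLE_MAIN_CF = ("# ------ Enable TLS -------\nsmtpd_use_tls = yes\n"
                  "smtpd_tls_key_file = /opt/pmx6/postfix/etc/certs/MyCertKey.pem\n"
                  "smtpd_tls_cert_file = /opt/pmx6/postfix/etc/certs/MyCert.pem\n"
                  "smtpd_tls_CAfile = /opt/pmx6/postfix/etc/certs/CaCert.pem\n"
                  "smtpd_tls_loglevel = 3\n")
SAMPLE_EHLO = "S: 250-mail.example.com\nS: 250-PIPELINING\nS: 250-STARTTLS\nS: 250 8BITMIME\n"
```

To run it against a live server, feed ehlo_capabilities() the text returned after EHLO in the telnet session from step 6.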