SSL certificate installation and configuration in postfix smtp mail server

What is SSL?

SSL is a security technology that establishes an encrypted connection between a web browser and a server.

Introduction

To establish a secure connection between an SMTP (Postfix) mail server and an email client, you have to create and configure an SSL or TLS certificate for your server.
You need to create an SSL private key and a CSR (Certificate Signing Request). You then submit the CSR to a CA (Certificate Authority), which will certify your ownership. Step-by-step instructions are given in this tutorial.

1. Create a directory 'ssl' under the 'postfix' directory

# mkdir /etc/postfix/ssl

2. Change the directory to ssl.

# cd /etc/postfix/ssl

3. Create an SSL private key and CSR (Certificate Signing Request)

Replace 'smtp.mymailserver.com' with your mail server name or hostname.

# openssl req -new -nodes -keyout smtp.mymailserver.com.key -out smtp.mymailserver.com.csr

The above command creates two files, 'smtp.mymailserver.com.key' and 'smtp.mymailserver.com.csr', in the ssl directory.

4. Create CA certificate

A CA (Certificate Authority or Certification Authority) is a digital SSL certificate provider. Once the smtp.mymailserver.com.csr file has been created in the step above, copy the contents of the file and paste them into your CA account. The resulting certificate certifies your ownership of the public key. It helps other users to rely on your signature.

5. Create a self-signed SSL certificate

If you don't want to obtain an SSL certificate from a CA, you can create a self-signed certificate for testing on a small private LAN. The following command does this.

# openssl x509 -req -days 3650 -in smtp.mymailserver.com.csr -signkey smtp.mymailserver.com.key -out smtp.mymailserver.com.crt

6. Create .pem file

A .pem file is required that contains both your private key and certificate. The command below writes both into ca_cert.pem.

# openssl req -new -x509 -extensions v3_ca -keyout ca_cert.pem -out ca_cert.pem -days 3650

7. Modify main.cf file

In the main.cf file under the postfix directory, edit the following lines to enable TLS and SSL.

######SSL-AUTHENTICATION##########
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = noanonymous
smtpd_recipient_restrictions = permit_sasl_authenticated, reject_unauth_destination, permit_mynetworks
######TLS-AUTHENTICATION#########
# smtp_use_tls and smtpd_use_tls are the legacy switches; for Postfix 2.3 and later the
# documentation names smtp_tls_security_level / smtpd_tls_security_level as their replacement.
smtp_use_tls = yes
smtpd_use_tls = yes
# Offer SASL AUTH only after the client has started TLS.
smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/postfix/ssl/smtp.mymailserver.com.key
smtpd_tls_cert_file = /etc/postfix/ssl/smtp.mymailserver.com.crt
smtpd_tls_CAfile = /etc/postfix/ssl/ca_cert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

8. Reload postfix

After editing the main.cf file, you need to reload Postfix to apply the configuration.

# postfix reload

9. Test TLS or SSL

Now test your SSL configuration with telnet.

# telnet smtp.mymailserver.com 25

You will see the following output.

[Screenshot of the telnet session output]
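
A non-interactive form of steps 3 and 5, followed by a check that the certificate really belongs to the private key before main.cf points Postfix at the pair. This is an added example, not part of the original tutorial: the function names are illustrative, a temporary directory stands in for /etc/postfix/ssl, and the -subj and -newkey rsa:2048 options are additions to the tutorial's commands.

```shell
#!/bin/sh
# Added example. Function names are illustrative, not Postfix or OpenSSL tooling.

# Steps 3 and 5 without prompts: key + CSR, then a self-signed certificate.
# $1 = output directory, $2 = mail server hostname (used as the CN).
make_selfsigned() (
    umask 077    # private key must not be readable by group/other
    openssl req -new -nodes -newkey rsa:2048 -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null &&
    openssl x509 -req -days 3650 -in "$1/$2.csr" \
        -signkey "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
)

# Returns 0 only if the certificate carries the public key derived from the
# private key; 1 on mismatch, 2 if either file cannot be parsed.
# $1 = key file, $2 = certificate file.
key_matches_cert() {
    kpub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    cpub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ -n "$kpub" ] && [ "$kpub" = "$cpub" ]
}

# Demo in a throwaway directory standing in for /etc/postfix/ssl.
demo_dir=$(mktemp -d)
host=smtp.mymailserver.com
if make_selfsigned "$demo_dir" "$host" &&
   key_matches_cert "$demo_dir/$host.key" "$demo_dir/$host.crt"; then
    echo "OK: $host.crt matches $host.key"
    openssl x509 -in "$demo_dir/$host.crt" -noout -subject -enddate
else
    echo "FAIL: certificate and key do not belong together" >&2
fi
rm -rf "$demo_dir"
```

Running key_matches_cert against the files named in smtpd_tls_key_file and smtpd_tls_cert_file before the reload in step 8 catches a mismatched pair, for example a CA-issued certificate installed next to a regenerated key.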


That concludes this article on SSL certificate installation and configuration in the Postfix SMTP mail server.

 
