What is SSL?
SSL is a security technology that establishes an encrypted connection between a web browser and a server.
To establish a secure connection between an SMTP (Postfix) mail server and an email client, you have to create and configure an SSL or TLS certificate for your server.
You need to create an SSL private key and a CSR (Certificate Signing Request). You then submit the CSR to a CA (Certificate Authority), which will certify your ownership. Step-by-step instructions are given in this tutorial.
1. Create a directory 'ssl' under the 'postfix' directory.
# mkdir /etc/postfix/ssl
2. Change the directory to ssl.
# cd /etc/postfix/ssl
3. Create an SSL private key and CSR (Certificate Signing Request)
Replace 'smtp.mymailserver.com' with your mail server name or hostname.
# openssl req -new -nodes -keyout smtp.mymailserver.com.key -out smtp.mymailserver.com.csr
The above command will create two files, 'smtp.mymailserver.com.key' and 'smtp.mymailserver.com.csr', under the ssl directory.
4. Create CA certificate
A CA (Certificate Authority or Certification Authority) is a digital SSL certificate provider. Once the smtp.mymailserver.com.csr file has been created in the step above, copy the content of the file and paste it into your CA account. The resulting certificate certifies your ownership of the public key, which lets other users rely on your signature.
5. Create a self-signed SSL certificate
If you don't want to obtain an SSL certificate from a CA, you can create a self-signed certificate for testing on a small private LAN. The following command does this.
# openssl x509 -req -days 3650 -in smtp.mymailserver.com.csr -signkey smtp.mymailserver.com.key -out smtp.mymailserver.com.crt
6. Create .pem file
The .pem file is required to contain both your private key and certificate.
# openssl req -new -x509 -extensions v3_ca -keyout ca_cert.pem -out ca_cert.pem -days 3650
7. Modify main.cf file
In the main.cf file under the postfix directory, edit the following lines to enable TLS and SSL.
######SSL-AUTHENTICATION##########
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = noanonymous
smtpd_recipient_restrictions = permit_sasl_authenticated, reject_unauth_destination, permit_mynetworks
######TLS-AUTHENTICATION#########
smtp_use_tls = yes
smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/postfix/ssl/smtp.mymailserver.com.key
smtpd_tls_cert_file = /etc/postfix/ssl/smtp.mymailserver.com.crt
smtpd_tls_CAfile = /etc/postfix/ssl/ca_cert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
8. Reload postfix
After editing the main.cf file, you need to reload postfix to apply the new configuration.
# postfix reload
9. Test TLS or SSL
Now test your SSL configuration with telnet.
# telnet smtp.mymailserver.com 25
You will see the following output.
That concludes this article on SSL certificate installation and configuration in a Postfix SMTP mail server.
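An added example for step 9 (not part of the original article): once connected with telnet, typing EHLO makes the server list its extensions, and that list shows whether smtpd_use_tls and smtpd_tls_auth_only from step 7 are in effect. The two transcripts, the client name client.example and the function names are constructed for illustration.

```python
import re

# One SMTP reply line: 3-digit code, '-' (more lines follow) or ' ' (last line), text.
REPLY_LINE = re.compile(r"^(\d{3})([ -])(.*)$")

def ehlo_keywords(transcript):
    """Extract the ESMTP keywords from the 250 reply in a pasted telnet session."""
    keywords, seen_greeting = set(), False
    for raw in transcript.splitlines():
        m = REPLY_LINE.match(raw.strip())
        if not m or m.group(1) != "250":
            continue                      # banner, echoed command, blank line
        if not seen_greeting:
            seen_greeting = True          # first 250 line carries the server hostname
            continue
        # "AUTH PLAIN LOGIN" and the legacy "AUTH=PLAIN LOGIN" both yield AUTH
        word = re.split(r"[ =]", m.group(3), maxsplit=1)[0]
        if word:
            keywords.add(word.upper())
    return keywords

def check_cleartext_session(transcript):
    """Return findings for an EHLO reply captured before any STARTTLS."""
    kw = ehlo_keywords(transcript)
    findings = []
    if "STARTTLS" not in kw:
        findings.append("STARTTLS not offered: smtpd_use_tls = yes is not in effect")
    if "AUTH" in kw:
        findings.append("AUTH offered in cleartext: smtpd_tls_auth_only = yes is not in effect")
    return findings

# Constructed sample: what a server configured as in step 7 would answer.
GOOD = """220 smtp.mymailserver.com ESMTP Postfix
EHLO client.example
250-smtp.mymailserver.com
250-PIPELINING
250-STARTTLS
250-8BITMIME
250 DSN"""

# Constructed sample: TLS not enabled, passwords accepted over plain SMTP.
BAD = """220 smtp.mymailserver.com ESMTP Postfix
EHLO client.example
250-smtp.mymailserver.com
250-PIPELINING
250-AUTH=PLAIN LOGIN
250 DSN"""

if __name__ == "__main__":
    for name, session in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_cleartext_session(session) or "ok")
```
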