3.3. Postfix TLS configuration

To enable TLS (Transport Layer Security) for incoming and outgoing mail, you need a SSL certificate, preferably one provided by a digital CA (Certification Authority) like Comodo, Verisign, DigiCA, etc. You should put the certificate, it's key and the CA certificate bundle (a list of trusted root certificates and sub-CAs) into a directory accessible only by root, /etc/ssl in this example.

These are the required files and their meaning:
  • /etc/ssl/server.crt : server's certificate, it's common name should be identical to FQDN (fully qualified domain name) of the server;
  • /etc/ssl/server.key : server certificate's key, usually it is created by the user when requesting certificate from the CA, otherwise it should be provided by the CA. I keep an unencrypted form of the key, to avoid startup problems.
  • /etc/ssl/ca-bundle.crt : a file containing known and trusted certificates, it is needed by OpenSSL routines to validate your server's certificate and optionally for e-mail client certificate validation.

After placing the required files in place, postfix configuration must be adjusted to secure e-mails arriving to your server, from clients or from other servers:

Postfix main.cf SSL/TLS configuration

smtpd_tls_cert_file = /etc/ssl/server.crt
smtpd_tls_key_file = /etc/ssl/server.key
smtpd_tls_CAfile = /etc/ssl/ca-bundle.crt
# smtpd_tls_loglevel = 0-5, 0 = disable
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:/var/spool/postfix/smtpd_tls_cache

You will probably want to enable SSL/TLS for the mail leaving your server, and you need to change few parameters referring to postfix SMTP client part:

Postfix main.cf SSL/TLS configuration, client side

smtp_tls_loglevel = 1
smtp_tls_cert_file = $smtpd_tls_cert_file
smtp_tls_key_file = $smtpd_tls_key_file
smtp_tls_CAfile = $smtpd_tls_CAfile
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:/var/spool/postfix/smtp_tls_scache

Up: Postfix installation and configuration
Prev: Dovecot installation and configuration
Next: Greylisting with postgrey