Configure Postfix with TLS

http://wiki.lenux.org/configure-postfix-with-tls/

Linux Documentation and Tutorials

Webmaster

July 28, 2015
Configuration
In order to use TLS, the Postfix SMTP server needs a certificate and a private key; read Create a self-signed Certificate for more information. Certificate and private key must be in PEM format (the default OpenSSL output). The private key file must be readable by root only (Postfix reads it before dropping privileges), so keep it at mode 0600. If you have a CA certificate, you must also configure the smtpd_tls_CAfile option with your CA certificate.

vi /etc/postfix/main.cf

smtpd_tls_cert_file = /etc/postfix/ssl/server-cert.pem
smtpd_tls_key_file = /etc/postfix/ssl/server-key.pem
#smtpd_tls_CAfile = /etc/postfix/ssl/CAcert.pem

TLS for incoming connections (smtpd)

vi /etc/postfix/main.cf

# By default, TLS is disabled in the Postfix SMTP server, so no
# difference to plain Postfix is visible. Explicitly switch it on with
smtpd_tls_security_level=may

# Sending AUTH data over an unencrypted channel poses a security risk.
# When TLS layer encryption is optional ("smtpd_tls_security_level = may"),
# it may however still be useful to only offer AUTH when TLS is active.
# To maintain compatibility with non-TLS clients, the default is to
# accept AUTH without encryption. In order to change this behavior,
# set "smtpd_tls_auth_only = yes".
smtpd_tls_auth_only=yes

# Enable additional Postfix SMTP server logging of TLS activity. Each
# logging level also includes the information that is logged at a lower
# logging level.
#
# 0 Disable logging of TLS activity. (default)
# 1 Log only a summary message on TLS handshake completion
# 2 Also log levels during TLS negotiation.
# 3 Also log hexadecimal and ASCII dump of TLS negotiation
# 4 Also log hexadecimal and ASCII dump of complete transmission
# Levels 3 and 4 write session contents to the log; use them only while
# debugging, never in production.
smtpd_tls_loglevel=1

TLS for outgoing connections (smtp)

vi /etc/postfix/main.cf

# Use TLS if this is supported by the remote SMTP server, otherwise fall
# back to plaintext delivery (opportunistic TLS). A remote server that
# does not advertise STARTTLS, or an attacker who strips it from the
# EHLO reply, gets the mail in plaintext; the policy table further down
# shows how to require TLS for chosen destinations.
smtp_tls_security_level=may

# Enable additional Postfix SMTP client logging of TLS activity. Each
# logging level also includes the information that is logged at a lower
# logging level.
#
# 0 Disable logging of TLS activity. (default)
# 1 Log only a summary message on TLS handshake completion
# 2 Also log levels during TLS negotiation.
# 3 Also log hexadecimal and ASCII dump of TLS negotiation
# 4 Also log hexadecimal and ASCII dump of complete transmission
smtp_tls_loglevel=1

Postfix submission process on port 587

Additionally, you can configure the Postfix submission service. It listens on port 587 and is meant for your mail clients, which authenticate before sending mail. It is recommended that authenticating mail clients use the submission service on port 587 rather than port 25.

vi /etc/postfix/master.cf

submission inet n       -       -       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject

(The columns after the service name are the standard ones from the existing smtp line in master.cf; the -o override lines must start with whitespace so that master.cf treats them as part of the submission entry.)

smtpd_tls_security_level=encrypt
Allow only TLS connections on the submission service (port 587); a client that sends MAIL FROM before STARTTLS is refused.

smtpd_sasl_auth_enable=yes
Enable SASL authentication in the Postfix SMTP server. A SASL backend (Dovecot or Cyrus) has to be configured separately; that is outside this tutorial.

smtpd_client_restrictions=permit_sasl_authenticated,reject
Reject all SMTP connections from unauthenticated clients. Together with smtpd_tls_auth_only=yes from main.cf, AUTH is only offered after STARTTLS, so credentials never cross the wire in plaintext.

Don't forget to reload Postfix to apply the new settings:

service postfix reload
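The settings above are spread over main.cf and master.cf, and a single missing line (for example smtpd_tls_auth_only left at its default of no) silently weakens the setup. The following Python script is an added example, not code from this tutorial: it parses both files and reports which of the tutorial's TLS settings are absent or weak. The two sample main.cf texts and the master.cf text are constructed for the demonstration; the file names and paths are the ones used on this page.

```python
"""Audit main.cf and master.cf for the TLS settings this tutorial applies.
Added example, not code from the tutorial; the sample configuration texts
below are constructed for the demonstration."""
import re

# main.cf values accepted for each parameter the tutorial sets.
EXPECTED_MAIN = {
    "smtpd_tls_security_level": {"may", "encrypt"},
    "smtpd_tls_auth_only": {"yes"},
    "smtp_tls_security_level": {"may", "encrypt", "dane", "verify", "secure"},
}


def parse_main_cf(text):
    """main.cf is 'name = value'; a line starting with whitespace continues
    the previous value. Comments and blank lines are skipped."""
    params, last = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and last is not None:
            params[last] += " " + raw.strip()
            continue
        name, _, value = raw.partition("=")
        last = name.strip()
        params[last] = value.strip()
    return params


def submission_overrides(master_text):
    """Return the '-o name=value' overrides of the 'submission inet' service
    in master.cf; indented lines belong to the preceding service entry."""
    overrides, inside = {}, False
    for raw in master_text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if not raw[0].isspace():
            fields = raw.split()
            inside = len(fields) > 1 and fields[0] == "submission" and fields[1] == "inet"
            continue
        m = re.match(r"\s*-o\s+([^=\s]+)=(\S*)", raw)
        if inside and m:
            overrides[m.group(1)] = m.group(2)
    return overrides


def audit(main_text, master_text):
    """Return a list of findings; an empty list means the tutorial's
    hardening is in place."""
    findings = []
    main = parse_main_cf(main_text)
    for key in ("smtpd_tls_cert_file", "smtpd_tls_key_file"):
        if not main.get(key):
            findings.append(f"{key} is not set: smtpd will not offer STARTTLS")
    for key, accepted in EXPECTED_MAIN.items():
        value = main.get(key, "")
        if value not in accepted:
            findings.append(f"{key}={value or '<default>'}: expected one of {sorted(accepted)}")
    sub = submission_overrides(master_text)
    if not sub:
        findings.append("no 'submission inet' service in master.cf")
        return findings
    if sub.get("smtpd_tls_security_level") != "encrypt":
        findings.append("submission: smtpd_tls_security_level must be encrypt")
    if sub.get("smtpd_sasl_auth_enable") != "yes":
        findings.append("submission: smtpd_sasl_auth_enable must be yes")
    restrictions = sub.get("smtpd_client_restrictions", "").split(",")
    if "permit_sasl_authenticated" not in restrictions or restrictions[-1] != "reject":
        findings.append("submission: smtpd_client_restrictions must be permit_sasl_authenticated,reject")
    return findings


# Constructed samples: a stock-looking configuration and the tutorial's hardened one.
WEAK_MAIN_CF = """\
myhostname = mail.docs.homelinux.org
smtpd_tls_cert_file = /etc/postfix/ssl/server-cert.pem
smtpd_tls_key_file = /etc/postfix/ssl/server-key.pem
smtpd_tls_auth_only = no
"""
HARDENED_MAIN_CF = """\
myhostname = mail.docs.homelinux.org
smtpd_tls_cert_file = /etc/postfix/ssl/server-cert.pem
smtpd_tls_key_file = /etc/postfix/ssl/server-key.pem
smtpd_tls_security_level=may
smtpd_tls_auth_only=yes
smtpd_tls_loglevel=1
smtp_tls_security_level=may
smtp_tls_loglevel=1
"""
MASTER_CF = """\
smtp      inet  n       -       -       -       -       smtpd
submission inet n       -       -       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK_MAIN_CF), ("hardened", HARDENED_MAIN_CF)):
        print(label, audit(text, MASTER_CF) or ["ok"])
```

Run it against the live files with audit(open("/etc/postfix/main.cf").read(), open("/etc/postfix/master.cf").read()). Note that it reads the files as written; postconf -n shows the values Postfix actually uses, which is the better source if main.cf relies on defaults set elsewhere.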

Test
Check TLS support

admin@localhost:~$ telnet docs.homelinux.org 25
Trying ...
Connected to docs.homelinux.org.
Escape character is '^]'.
220 mail.docs.homelinux.org ESMTP Postfix
EHLO docs.homelinux.org
250-mail.docs.homelinux.org
250-PIPELINING
250-SIZE 20971520
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
STARTTLS
220 2.0.0 Ready to start TLS

Check TLS restriction on submission service

admin@localhost:~$ telnet docs.homelinux.org 587
Trying ...
Connected to docs.homelinux.org.
Escape character is '^]'.
220 mail.docs.homelinux.org ESMTP Postfix
EHLO docs.homelinux.org
250-mail.docs.homelinux.org
250-PIPELINING
250-SIZE 20971520
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
MAIL FROM:admin@docs.homelinux.org
530 5.7.0 Must issue a STARTTLS command first

Note that no AUTH line appears in either EHLO reply: with smtpd_tls_auth_only=yes it is only advertised after STARTTLS.
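Both telnet checks can be automated so they can run after every configuration change. The following Python script is an added example, not code from this tutorial: it performs the EHLO on port 25, completes the STARTTLS handshake and reports the negotiated protocol and cipher, and on port 587 sends MAIL FROM before STARTTLS and expects the 530 reply shown above. docs.homelinux.org is the page's example server; the HELO name and the probe sender address are assumptions. The reply-parsing helpers take the values smtplib returns, so they can be checked without a server.

```python
"""Probe a Postfix server for STARTTLS support and for the submission
port's TLS requirement. Added example for this tutorial, not code from
the page; host names, HELO name and probe address are assumptions."""
import smtplib
import ssl


def ehlo_extensions(ehlo_msg: bytes) -> dict:
    """Map the EHLO reply body smtplib returns (first line is the server
    name, one extension per following line) to {EXTENSION: parameters}."""
    lines = ehlo_msg.decode("ascii", "replace").splitlines()
    exts = {}
    for line in lines[1:]:
        name, _, params = line.strip().partition(" ")
        exts[name.upper()] = params
    return exts


def plaintext_mail_refused(code: int, msg: bytes) -> bool:
    """True when MAIL FROM before STARTTLS got the 530 5.7.0 reply that
    smtpd_tls_security_level=encrypt produces."""
    return code == 530 and msg.startswith(b"5.7.0")


def probe_starttls(host: str, port: int = 25, helo: str = "probe.example.invalid") -> dict:
    """EHLO, then STARTTLS if offered; report protocol, cipher and whether
    AUTH was offered in plaintext (it must not be with tls_auth_only=yes).
    Certificate verification is switched off because the tutorial uses a
    self-signed certificate; a production check should verify."""
    with smtplib.SMTP(host, port, timeout=10) as s:
        _, msg = s.ehlo(helo)
        exts = ehlo_extensions(msg)
        result = {"starttls": "STARTTLS" in exts, "auth_before_tls": "AUTH" in exts}
        if not result["starttls"]:
            return result
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        s.starttls(context=ctx)
        _, msg_tls = s.ehlo(helo)  # extensions can differ once encrypted
        result.update(
            protocol=s.sock.version(),
            cipher=s.sock.cipher()[0],
            auth_after_tls="AUTH" in ehlo_extensions(msg_tls),
        )
        return result


def probe_submission(host: str, port: int = 587, helo: str = "probe.example.invalid") -> bool:
    """Send MAIL FROM without STARTTLS on the submission port; True means
    the server enforces encryption as the master.cf entry above requires."""
    with smtplib.SMTP(host, port, timeout=10) as s:
        s.ehlo(helo)
        code, msg = s.docmd("MAIL", "FROM:<probe@example.invalid>")
        return plaintext_mail_refused(code, msg)


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "docs.homelinux.org"
    print(probe_starttls(host))
    print("submission enforces TLS:", probe_submission(host))
```

telnet cannot continue past 220 2.0.0 Ready to start TLS because the handshake is binary; to inspect the certificate and cipher by hand use openssl s_client -starttls smtp -connect docs.homelinux.org:25 instead. A result with auth_before_tls set to True means smtpd_tls_auth_only is not in effect.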

Check TLS for outgoing mails

Send a mail to an MTA with TLS support (for example gmail.com), then look at mail.log. You will find a line like Untrusted TLS connection established to gmail-smtp-in.l.google.com[74.125.136.27]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits). "Untrusted" means the session was encrypted but the remote certificate was not verified against a trusted CA; that is the normal result with smtp_tls_security_level=may, and only "Trusted" or "Verified" would indicate the peer was authenticated.

Jul 10 09:25:04 localhost postfix/smtp[7673]: Untrusted TLS connection established to gmail-smtp-in.l.google.com[74.125.136.27]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Jul 10 09:25:06 localhost postfix/smtp[7673]: 7F7CF381EF0: to=<rcpt@gmail.com>, relay=gmail-smtp-in.l.google.com[74.125.136.27]:25, delay=1.6, delays=0.01/0.01/0.21/1.3, dsn=2.0.0, status=sent (250 2.0.0 OK 1404977108 eu5si11426584wic.47 - gsmtp)
Jul 10 09:25:06 localhost postfix/qmgr[7220]: 7F7CF381EF0: removed

SMTP outgoing TLS security policy

If you want to force TLS encryption for some remote mail domains, use the smtp_tls_policy_maps option and define a hash table with the destinations for which TLS is mandatory:

vi /etc/postfix/main.cf

# Optional lookup tables with the Postfix SMTP client TLS security policy
# by next-hop destination
smtp_tls_policy_maps = hash:/etc/postfix/tls_client_policy

Create the hash table:

vi /etc/postfix/tls_client_policy

must-be-tls.com                 encrypt
must-be-tls-but-it-cant.com     encrypt

postmap /etc/postfix/tls_client_policy

Reload Postfix to apply the changes (run postmap again whenever you edit the table, otherwise the .db file Postfix reads stays stale):

service postfix reload

All mail to @must-be-tls.com or @must-be-tls-but-it-cant.com is now forced over a TLS connection. Two things to keep in mind: the lookup key is the next-hop destination, which is the recipient domain unless a transport map or relayhost changes it, and the encrypt level only demands encryption. It does not verify the remote certificate, so an attacker on the network path can still impersonate the destination; use verify, secure, or dane when you need the peer authenticated as well.


To test it, send an e-mail to @must-be-tls-but-it-cant.com (an MTA without TLS support) and look at mail.log. The result should be status=deferred (TLS is required, but was not offered by host mx.must-be-tls-but-it-cant.com[10.0.0.1]). The message stays in the deferred queue and is retried until maximal_queue_lifetime (5 days by default) expires, after which it bounces to the sender; it is never sent in plaintext.

Jul 10 09:34:57 localhost postfix/smtp[8408]: E8E42381EEF: to=<test@must-be-tls-but-it-cant.com>, relay=mx.must-be-tls-but-it-cant.com[10.0.0.1]:25, delay=10, delays=0.01/0.01/10/0, dsn=4.7.4, status=deferred (TLS is required, but was not offered by host mx.must-be-tls-but-it-cant.com[10.0.0.1])

SMTP incoming TLS security policy

We can force TLS for incoming sessions from selected sender domains. For this we use the smtpd_sender_restrictions option with a check_sender_access hash table like the one above:

vi /etc/postfix/main.cf

smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/tls_server_policy

Create the hash table:

vi /etc/postfix/tls_server_policy

sender-must-be-tls.com                  reject_plaintext_session
sender-must-be-tls-but-it-cant.com      reject_plaintext_session

postmap /etc/postfix/tls_server_policy

Reload Postfix to apply the settings:

service postfix reload

If you receive an e-mail from @sender-must-be-tls-but-it-cant.com (an MTA without TLS support), the session is rejected with 450 4.7.1 Session encryption is required. Look at the mail log:

Jul 10 10:05:13 localhost postfix/smtpd[9785]: connect from sender-must-be-tls-but-it-cant.com[10.0.0.8]
Jul 10 10:05:13 localhost postfix/smtpd[9785]: NOQUEUE: reject: RCPT from sender-must-be-tls-but-it-cant.com[10.0.0.8]: 450 4.7.1 Session encryption is required; from=<sender@sender-must-be-tls-but-it-cant.com> to=<admin@docs.homelinux.org> proto=ESMTP helo=<sender-must-be-tls-but-it-cant.com>
Jul 10 10:05:13 localhost postfix/smtpd[9785]: disconnect from sender-must-be-tls-but-it-cant.com[10.0.0.8]

Keep in mind that the lookup key is the envelope sender domain, which anyone can forge: this policy protects the confidentiality of mail that genuinely comes from those domains, it does not authenticate them. The 450 is a temporary failure, so a legitimate remote MTA keeps retrying until its own queue lifetime runs out.
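The three mail.log checks on this page (the "TLS connection established" line for outgoing mail, the status=deferred for a destination that must use TLS, and the 450 4.7.1 reject for a plaintext sender) are easy to script, and a script also catches the case the page does not show: a delivery that went out in plaintext because the remote side offered no STARTTLS. The following Python is an added example, not code from the tutorial. The sample log consists of the page's own log lines plus one constructed plaintext delivery to mx.plain.example so the script has something to flag; the correlation of a TLS line with a later delivery by the same smtp(8) process id is a heuristic, noted in the code.

```python
"""Summarise TLS outcomes from Postfix mail.log lines. Added example, not
the tutorial's code; SAMPLE_LOG is the page's log lines plus one
constructed plaintext delivery (the mx.plain.example line)."""
import re
from collections import Counter

# Syslog prefix: "<date> <host> postfix/<program>[<pid>]: <message>"
PREFIX = re.compile(r"postfix/(?P<prog>[\w-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# "Untrusted TLS connection established to peer[ip]:25: TLSv1.2 with cipher X (128/128 bits)"
TLS_EST = re.compile(
    r"^(?P<trust>Untrusted|Trusted|Verified|Anonymous) TLS connection established "
    r"(?P<dir>to|from) (?P<peer>\S+?): (?P<proto>TLSv[\d.]+) with cipher (?P<cipher>\S+)"
)
# Delivery attempt: "to=<..>, relay=host[ip]:25, ..., status=sent|deferred (detail)"
DELIVERY = re.compile(r"to=<[^>]*>, relay=(?P<relay>\S+), .*status=(?P<status>\w+) \((?P<detail>.*)\)$")
TLS_REQUIRED = "TLS is required, but was not offered"
REJECT_PLAIN = re.compile(r"NOQUEUE: reject: RCPT from (?P<peer>\S+): 450 4\.7\.1 Session encryption is required")


def summarize(lines):
    """Count TLS vs plaintext deliveries, policy deferrals and inbound
    plaintext rejects; also tally the negotiated protocol/cipher pairs."""
    last_tls_peer = {}  # smtp(8) pid -> peer it most recently negotiated TLS with
    out = {"tls_out": 0, "plain_out": 0, "tls_in": 0,
           "deferred_tls_required": 0, "rejected_plaintext_in": 0, "suites": Counter()}
    for line in lines:
        m = PREFIX.search(line)
        if not m:
            continue
        prog, pid, msg = m.group("prog", "pid", "msg")
        t = TLS_EST.match(msg)
        if t:
            out["suites"][f"{t['proto']} {t['cipher']}"] += 1
            if t["dir"] == "to":
                last_tls_peer[pid] = t["peer"]
            else:
                out["tls_in"] += 1
            continue
        d = DELIVERY.search(msg)
        if d and prog == "smtp":
            if d["status"] == "deferred" and TLS_REQUIRED in d["detail"]:
                out["deferred_tls_required"] += 1
            elif d["status"] == "sent":
                # Heuristic: the TLS line for this relay is logged earlier by the
                # same smtp(8) process. Connection caching can let one TLS line
                # cover several deliveries, so treat "plain_out" as a lead to check.
                if last_tls_peer.get(pid) == d["relay"]:
                    out["tls_out"] += 1
                else:
                    out["plain_out"] += 1
            continue
        if prog == "smtpd" and REJECT_PLAIN.search(msg):
            out["rejected_plaintext_in"] += 1
    return out


SAMPLE_LOG = """\
Jul 10 09:25:04 localhost postfix/smtp[7673]: Untrusted TLS connection established to gmail-smtp-in.l.google.com[74.125.136.27]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Jul 10 09:25:06 localhost postfix/smtp[7673]: 7F7CF381EF0: to=<rcpt@gmail.com>, relay=gmail-smtp-in.l.google.com[74.125.136.27]:25, delay=1.6, delays=0.01/0.01/0.21/1.3, dsn=2.0.0, status=sent (250 2.0.0 OK 1404977108 eu5si11426584wic.47 - gsmtp)
Jul 10 09:25:06 localhost postfix/qmgr[7220]: 7F7CF381EF0: removed
Jul 10 09:30:00 localhost postfix/smtp[7700]: 1A2B3C4D5E: to=<user@plain.example>, relay=mx.plain.example[10.0.0.2]:25, delay=0.5, delays=0.01/0.01/0.2/0.3, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 0123456789)
Jul 10 09:34:57 localhost postfix/smtp[8408]: E8E42381EEF: to=<test@must-be-tls-but-it-cant.com>, relay=mx.must-be-tls-but-it-cant.com[10.0.0.1]:25, delay=10, delays=0.01/0.01/10/0, dsn=4.7.4, status=deferred (TLS is required, but was not offered by host mx.must-be-tls-but-it-cant.com[10.0.0.1])
Jul 10 10:05:13 localhost postfix/smtpd[9785]: connect from sender-must-be-tls-but-it-cant.com[10.0.0.8]
Jul 10 10:05:13 localhost postfix/smtpd[9785]: NOQUEUE: reject: RCPT from sender-must-be-tls-but-it-cant.com[10.0.0.8]: 450 4.7.1 Session encryption is required; from=<sender@sender-must-be-tls-but-it-cant.com> to=<admin@docs.homelinux.org> proto=ESMTP helo=<sender-must-be-tls-but-it-cant.com>
Jul 10 10:05:13 localhost postfix/smtpd[9785]: disconnect from sender-must-be-tls-but-it-cant.com[10.0.0.8]
"""

if __name__ == "__main__":
    import sys
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    print(summarize(source))
```

Run it as python3 tlslog.py /var/log/mail.log; the suites counter is the quickest way to spot peers still negotiating old protocol versions or weak ciphers, and a non-zero plain_out count lists candidates for the smtp_tls_policy_maps table above. The TLS line only appears with smtp_tls_loglevel and smtpd_tls_loglevel at 1 or higher, as configured earlier.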