It’s time to make our SMTP transactions encrypted using TLS. TLS stands for Transport Layer Security; it encrypts the communication between two hosts.
As usual when building the Postfix RPM package, I recommend following the tutorial on compiling the Postfix RPM from source at Simon J Mudd’s website.
Once you are done compiling Postfix with TLS support, continue with these steps to create self-signed Postfix TLS certificates.
- Certificates part
```
# cd /etc/postfix
# mkdir ssl
# cd ssl
# mkdir certs crl newcerts private
# echo "01" > serial
# cp /dev/null index.txt
# cat /etc/pki/tls/openssl.cnf | sed -e 's/\/etc\/pki\/CA/\./' | sed -e 's/\.\/demoCA/\./' > openssl.cnf
# openssl req -new -x509 -keyout private/cakey.pem -out cacert.pem -days 3650 -config openssl.cnf
# openssl req -nodes -new -x509 -keyout newreq.pem -out newreq.pem -days 3650 -config openssl.cnf
# openssl x509 -x509toreq -in newreq.pem -signkey newreq.pem -out tmp.pem
# openssl ca -config openssl.cnf -policy policy_anything -out newcert.pem -infiles tmp.pem
# cp cacert.pem /etc/postfix
# grep -B 100 "END PRIVATE KEY" newreq.pem > /etc/postfix/key.pem
# chmod 400 /etc/postfix/key.pem
# cp newcert.pem /etc/postfix/cert.pem
```
- Postfix configuration part

Add the following TLS parameters to /etc/postfix/main.cf:

```
smtpd_use_tls = yes
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_tls_session_cache
smtp_tls_note_starttls_offer = yes
smtpd_tls_key_file = /etc/postfix/key.pem
smtpd_tls_cert_file = /etc/postfix/cert.pem
smtpd_tls_CAfile = /etc/postfix/cacert.pem
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
```

`smtpd_use_tls = yes` is the pre-2.3 spelling; on Postfix 2.3 and later (including the 2.6.5 build shown in the tests below) the equivalent is `smtpd_tls_security_level = may`, which offers STARTTLS to clients without requiring it.
Create an empty file named smtpd_tls_session_cache in /var/lib/postfix/:

```
# cp /dev/null /var/lib/postfix/smtpd_tls_session_cache
```
Reload Postfix:

```
# postfix reload
```
Test by connecting to the server on port 25 with telnet; after EHLO the server should now advertise STARTTLS:
```
telnet smtp.domain.net 25
Trying 202.127.97.230...
Connected to smtp.domain.net.
Escape character is '^]'.
220 smtp.domain.net ESMTP Postfix (2.6.5-20090828)
ehlo host.domain.com
250-smtp.domain.net
250-PIPELINING
250-SIZE 52428800
250-ETRN
250-STARTTLS
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
STARTTLS
220 2.0.0 Ready to start TLS
```
Alternatively, test it with the openssl s_client command:

```
# openssl s_client -connect smtp.domain.net:25 -starttls smtp
CONNECTED(00000003)
--- SNIPPED ---
---
Certificate chain
--- SNIPPED ---
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIEPDCCAySgAwIBAgIBATANBgkqhkiG9w0BAQUFADCBojELMAkGA1UEBhMCSUQx
FDASBgNVBAgMC0RLSSBKYWthcnRhMRAwDgYDVQQHDAdKYWthcnRhMRcwFQYDVQQK
--- SNIPPED ---
-----END CERTIFICATE-----
--- SNIPPED ---
---
No client certificate CA names sent
---
SSL handshake has read 3226 bytes and written 349 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: --- SNIPPED ---
    Session-ID-ctx:
    Master-Key: --- SNIPPED ---
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket:
    0000 - 88 ac 8b e5 ed 78 bf 89-dd a4 27 e4 c8 69 63 46   .....x....'..icF
    0010 - e7 e9 28 2a 04 03 5e 24-3b 24 78 2c 5d f5 94 1f   ..(*..^$;$x,]...
    0020 - 3d ca f4 44 bf 81 4f 1b-28 f1 2f 78 eb 50 9a 5a   =..D..O.(./x.P.Z
    --- SNIPPED ---

    Compression: 1 (zlib compression)
    Start Time: 1260492174
    Timeout   : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---
250 DSN
quit
221 2.0.0 Bye
closed
```

The `Verify return code: 19` is expected here: the server certificate was signed by our own CA, which s_client does not trust by default. Re-running with `-CAfile /etc/postfix/cacert.pem` (on a host that has that file) should give `Verify return code: 0 (ok)`.
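Besides the two live tests above, it is worth checking the files themselves. This is an added example, not part of the original guide: a POSIX shell function that confirms the key carved out of newreq.pem with grep still parses, that cert.pem and key.pem are a pair, that cert.pem verifies against cacert.pem, and that the key kept its 400 mode. It assumes only the openssl CLI; the `/etc/postfix/...` paths in the comments are the guide's.

```shell
#!/bin/sh
# Added check (not part of the original guide): sanity-test the files that the
# certificate steps produced before relying on them. Requires the openssl CLI.
# Usage: check_postfix_tls_files CERT KEY CACERT
#   e.g. check_postfix_tls_files /etc/postfix/cert.pem /etc/postfix/key.pem /etc/postfix/cacert.pem
# Returns 0 when every check passes, 1 otherwise, printing one line per failure.
check_postfix_tls_files() {
    cert=$1; key=$2; cacert=$3; rc=0

    # 1. The key carved out of newreq.pem with grep must still be a complete key.
    if ! openssl pkey -in "$key" -noout >/dev/null 2>&1; then
        echo "FAIL: $key is not a parseable private key"; rc=1
    fi

    # 2. The certificate must parse.
    if ! openssl x509 -in "$cert" -noout >/dev/null 2>&1; then
        echo "FAIL: $cert is not a parseable certificate"; rc=1
    fi

    # 3. cert.pem and key.pem must be a pair: their public keys must be identical.
    certpub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null || true)
    keypub=$(openssl pkey -in "$key" -pubout 2>/dev/null || true)
    if [ -z "$certpub" ] || [ "$certpub" != "$keypub" ]; then
        echo "FAIL: public key in $cert does not match $key"; rc=1
    fi

    # 4. The server certificate must chain to the CA clients will be told to trust.
    if ! openssl verify -CAfile "$cacert" "$cert" >/dev/null 2>&1; then
        echo "FAIL: $cert does not verify against $cacert"; rc=1
    fi

    # 5. The private key must stay unreadable to other users (the chmod 400 step).
    mode=$(stat -c %a "$key" 2>/dev/null || stat -f %Lp "$key" 2>/dev/null)
    case $mode in
        400|600) ;;
        *) echo "FAIL: $key has mode '$mode', expected 400"; rc=1 ;;
    esac

    [ "$rc" -eq 0 ] && echo "OK: $cert, $key and $cacert are consistent"
    return "$rc"
}

# Run the check directly when the three paths are given on the command line.
if [ $# -eq 3 ]; then
    check_postfix_tls_files "$1" "$2" "$3"
fi
```

A non-zero exit means one of the files should be regenerated before `postfix reload`; the printed FAIL line names which check tripped.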
We’re done, good luck 🙂
Thanks for this great guide. You are a postfix genius.