Configuring Postfix for TLS Encryption

Before you begin

To configure TLS you will need the following:
  1. A self-signed or purchased CA certificate (MyCert.pem)
  2. Certificate key (MyCertKey.pem)
  3. The ROOT certificates from CAs you wish to trust (CaCert.pem)

About this task

To enable TLS within Postfix, as the root user:

Follow these steps

  1. Create a new directory named /opt/pmx6/postfix/etc/certs/
  2. Place your certificates within /opt/pmx6/postfix/etc/certs/, ensuring they are owned by the root user
  3. Edit the file /opt/pmx6/postfix/etc/
  4. Add the following to the end of the file:
    # ------ Enable TLS -------
    smtpd_use_tls = yes
    smtpd_tls_key_file = /opt/pmx6/postfix/etc/certs/MyCertKey.pem
    smtpd_tls_cert_file = /opt/pmx6/postfix/etc/certs/MyCert.pem
    smtpd_tls_CAfile = /opt/pmx6/postfix/etc/certs/CaCert.pem
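    # Level 3 is debug-level logging; the Postfix documentation advises against 2 or higher except when troubleshooting
    smtpd_tls_loglevel = 3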
    smtpd_tls_received_header = yes
    smtpd_tls_session_cache_timeout = 3600s
    tls_random_source = dev:/dev/urandom
    # ------ END TLS -------
  5. Save your changes and restart Postfix
    # /opt/pmx6/postfix/etc/init.d/postfix restart
  6. Check to see if TLS is enabled within Postfix
    # telnet localhost 25
    ehlo localhost
    Postfix will advertise its capabilities similar to the following output:
    C: []# telnet 25
    S: 220 ESMTP Postfix (1.1.5)
    C: EHLO
    S: 250-SIZE 10240000
    S: 250-VRFY
    S: 250-ETRN
    S: 250-STARTTLS
    S: 250 8BITMIME
    S: 220 Ready to start TLS
    Postfix now advertises TLS and can start a session.
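
The ownership requirement in step 2 and the settings added in step 4 can be checked before Postfix is restarted. The Python script below is an added example, not part of the original procedure or of Postfix; its function names are hypothetical, and the private-key permission check and the log-level warning are additions that assume general Postfix guidance rather than anything stated on this page.

```python
import os
import stat
import sys

# File parameters set in the TLS block from step 4.
FILE_PARAMS = ("smtpd_tls_key_file", "smtpd_tls_cert_file", "smtpd_tls_CAfile")

def parse_main_cf(text):
    """Parse Postfix-style 'name = value' lines. A line starting with
    whitespace continues the previous value; '#' lines are comments."""
    params, last = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and last:
            params[last] = (params[last] + " " + raw.strip()).strip()
            continue
        name, sep, value = raw.partition("=")
        if sep:
            last = name.strip()
            params[last] = value.strip()
    return params

def audit_tls(params, owner_uid=0):
    """Return a list of findings for the TLS settings (empty list = clean)."""
    findings = []
    if params.get("smtpd_use_tls") != "yes":
        findings.append("smtpd_use_tls is not 'yes'")
    for name in FILE_PARAMS:
        path = params.get(name)
        try:
            st = os.stat(path or "")
        except OSError:
            findings.append(f"{name}: {path!r} is unset or missing")
            continue
        if st.st_uid != owner_uid:
            findings.append(f"{name}: owned by uid {st.st_uid}, expected {owner_uid}")
        # Added check (assumption, not from the page): the private key
        # should carry no group or other permission bits.
        if name == "smtpd_tls_key_file" and st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append(f"{name}: accessible to group/other")
    level = params.get("smtpd_tls_loglevel", "0")
    if level.isdigit() and int(level) >= 2:
        findings.append("smtpd_tls_loglevel >= 2 is debug-level logging")
    return findings

if __name__ == "__main__" and len(sys.argv) > 1:
    with open(sys.argv[1]) as fh:  # path to the Postfix configuration file
        for finding in audit_tls(parse_main_cf(fh.read())):
            print("WARN:", finding)
```

Run it as root with the path of the edited configuration file as the only argument; no output means every check passed.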