How to configure Postfix for TLS / SSL and StartTLS?

About

Transport Layer Security (TLS, formerly called SSL) with Postfix

It provides:

An encrypted session protects the information that is transmitted:

TLS is based on OpenSSL

Steps

Certificate and private key

Format

In order to use TLS, the Postfix SMTP server needs a certificate and a private key.

  • Both must be in “PEM” format.
  • The private key must not be encrypted, meaning: the key must be accessible without a password.
  • If the key is stored:
    • in the same file with the certificate, this should be owned by “root” and not be readable by any other user.
    • in a separate file:
      • the private should be owned by “root” and not be readable by any other user.
      • the certificate file may be “world-readable”.

You can create them with certbot

For instance if you use OVH as your domain provider, you could ask a certificate like that:

certbot certonly \
      --dns-ovh \
      --dns-ovh-credentials /root/.secrets/certbot/ovh.ini \
      --dns-ovh-propagation-seconds 60 \
      -n \
      --agree-tos \
      -m  your_email \
      -d  your.server.name # for instace server01.example.com

Verification

The Postfix SMTP server certificate must be usable as SSL server certificate and hence pass the verify test:

# example
cd /etc/letsencrypt/live/<your.server>/
openssl verify -untrusted  chain.pem -verbose -purpose sslserver fullchain.pem
fullchain.pem: OK

To know more about this command, see Check a certificate and its intermediate certificate chain.

Configuration

smtpd_tls_cert_file = /etc/letsencrypt/live/<your.server>/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/<your.server>/privkey.pem

Trusted CA

To verify a remote SMTP client certificate, the Postfix SMTP server needs to trust the certificates of the issuing Certification Authorities.

Optional as the CA authorities are normally already installed.

Centos

You can verify that the CA are already installed in the certs directory

 ls /etc/ssl/certs/*.crt
/etc/ssl/certs/ca-bundle.crt  /etc/ssl/certs/ca-bundle.trust.crt

On Centos the package ca-certificates is responsible to update them

yum info ca-certificates
Installed Packages
Name        : ca-certificates
Arch        : noarch
Version     : 2019.2.32
Release     : 76.el7_7
Size        : 968 k
Repo        : installed
From repo   : updates
Summary     : The Mozilla CA root certificate bundle
URL         : http://www.mozilla.org/
License     : Public Domain
Description : This package contains the set of CA certificates chosen by the
            : Mozilla Foundation for use with the Internet PKI.

Configuration

If you want to specify them you can specify them (in PEM Format) via the following configuration:

  • postconf.5.html: a single file with all CA in a pem format
  • postconf.5.html: one CA per file in the directory. Don't forget to create the necessary “hash” links with:
$OPENSSL_HOME/bin/c_rehash /path/to/directory 

Configuration

Smtp Server

The smtpd_tls configuration (receiving side) for all postfix process

smtpd_tls_security_level = may

  • postconf.5.html: 1 = Log only a summary message on TLS handshake completion
smtpd_tls_loglevel = 1

  • postconf.5.html: Request that the Postfix SMTP server produces Received: message headers that include information about the protocol and cipher used
smtpd_tls_received_header = yes

Smtp Client

The smtp_tls configurations (sending side)

smtp_tls_security_level = encrypt

  • postconf.5.html: Log the hostname of a remote SMTP server that offers STARTTLS, when TLS is not already enabled for that server.
smtp_tls_note_starttls_offer = yes

Test

Gmail

Send an email

echo "Body: This is a test mail. Hallo Charlie" | mail -s "Subject: A big test" [email protected]
  • Check that you got a grey key

Gmail Tls Security

Received: from server01.bytle.net (server01.bytle.net. [164.132.99.202])
        by mx.google.com with ESMTPS id k12si12202871wrq.512.2020.06.14.08.49.36
        for <[email protected]>
        (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128);
        Sun, 14 Jun 2020 08:49:36 -0700 (PDT)

Connection to the SMTP server

  • A connection to the SMTP server should advertise for STARTTLS
openssl s_client -connect localhost:25 -starttls smtp
  • In the log
Jun 14 18:39:27 vps748761 postfix/smtpd[31959]: Anonymous TLS connection established from localhost[127.0.0.1]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)

You may or you may not be able to send an email via an Anonymous TLS connection through a port connection.

STARTTLS Command

The STARTTLS keyword in response to the HELO command advertises that the server supports STARTTLS and that the client can issue a STARTTLS command to secure the connection.

Example:

nc localhost 25
220 server01.bytle.net ESMTP Postfix

  • HELLO
EHLO server01.bytle.net
  • STARTTLS is advertised
250-server01.bytle.net
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

STARTTLS
  • The server responds when it is ready for the handshake.
220 Go ahead

  • The client and the servers performs a handshake.

Support

Debug

See postconf.5.html

warning: TLS library problem: 31735:error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:640

You cannot use telnet because it does not support TLS

Documentation / Reference





Discover More
Email - Encryption / Protection (S/MIME)

in Email Message can be encrypted using: (in transit and storage) (in transit and storage) (in transit) S/MIME is a long-standing protocol which allows encrypted and signed messages to...
Postfix - Architecture (Processes)

postfix may starts several process, generally: one to receive and relay mail (port 25) one to submit mail (port 587) Postfix services are implemented by daemon processes. These run in the background,...
Smtp Submission Port Auth Successfull
Postfix - Authentication configuration (SASL) for a connection to the SMTP server (587)

This page shows you yow to configure Postfix to enable remote connections to the Postfix SMTP server on the port 587 (submission port) with authentication. Postfix used SASL as authentication library...
What are the SMTP Ports? (25, 465, 587)

This article regroups all information and configuration around this subject
What is SMTP?

A summary of what the SMTP protocol is and how to send an email from a network connection with telnet or netcat



Share this page:
Follow us:
Task Runner