Vous êtes sur la page 1sur 6

Configure Postfix with TLS

1 of 6

http://wiki.lenux.org/configure-postfix-with-tls/

Linux Documentation and Tutorials


Home

Start

Tutorials

OSCam Service and Srvid Online Generator

Configure Postfix with TLS


Webmaster

July 28, 2015

Configuration
In order to use TLS, the Postfix SMTP server needs a

certificate and a private key, read Create a self-signed

Certificate for more information. Certificate und private key

Categories
Apache (5)

must be in PEM format (default OpenSSL output). If you

Cluster (10)

smtpd_tls_CAfile option with your CA certificate.

FTP (1)

have a CA certificate , you must also configure the


vi /etc/postfix/main.cf

smtpd_tls_cert_file = /etc/postfix/ssl/server-cert.pem
smtpd_tls_key_file = /etc/postfix/ssl/server-key.pem
#smtpd_tls_CAfile = /etc/postfix/ssl/CAcert.pem

TLS for incoming connections

HP Data Protector (2)


HTML5 (1)
Hyper-V (7)
Monitoring (3)

10/5/2016 11:38 AM

Configure Postfix with TLS

2 of 6

smtpd

vi /etc/postfix/main.cf

# By default, TLS is disabled in the Postfix SMTP server


# plain Postfix is visible. Explicitly switch it on with
smtpd_tls_security_level=may

http://wiki.lenux.org/configure-postfix-with-tls/

OSCam (15)
Postfix (5)
Security (4)

# Sending AUTH data over an unencrypted channel poses a


Shell (4)
# When TLS layer encryption is optional ("smtpd_tls_security_level = may"
# may however still be useful to only offer AUTH when TLS
# compatibility with non-TLS clients, the default is to
Streaming
# encryption. In order to change this behavior, set "smtpd_tls_auth_only
smtpd_tls_auth_only=yes
# Enable additional Postfix SMTP server logging of TLS activity
# level also includes the information that is logged at
#
# 0 Disable logging of TLS activity. (default)
# 1 Log only a summary message on TLS handshake completion
# 2 Also log levels during TLS negotiation.
# 3 Also log hexadecimal and ASCII dump of TLS negotiation
# 4 Also log hexadecimal and ASCII dump of complete transmission
smtpd_tls_loglevel=1

(2)

Syslog (1)

System (10)

TLS for outgoing connections


smtp

vi /etc/postfix/main.cf

# Use TLS if this is supported by the remote SMTP server


smtp_tls_security_level=may

# Enable additional Postfix SMTP client logging of TLS activity


# level also includes the information that is logged at
#
# 0 Disable logging of TLS activity. (default)
# 1 Log only a summary message on TLS handshake completion
# 2 Also log levels during TLS negotiation.
# 3 Also log hexadecimal and ASCII dump of TLS negotiation
# 4 Also log hexadecimal and ASCII dump of complete transmission
smtp_tls_loglevel=1

Postfix submission process on port


587

Additional, you can configure the postfix submission process,


it will listen on port 587, this process is for your mail clients

10/5/2016 11:38 AM

Configure Postfix with TLS

3 of 6

http://wiki.lenux.org/configure-postfix-with-tls/

with authentification for sending mails. It is recommended

that your mail client with authentification uses the submission


service on port 587 on their mail clients.
vi /etc/postfix/master.cf

submission inet n
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated

smtpd_tls_security_level=encrypt

allow only TLS connection on the submission service (port


587)

smtpd_sasl_auth_enable=yes

Enable SASL authentication in the Postfix SMTP server.


smtpd_client_restrictions=permit_sasl_authenticated,reject
reject all SMTP connections from unauthenticated clients
Dont forget to reload postfix to apply the new settings
service postfix reload

Test
Check TLS support

admin@localhost:~$ telnet docs.homelinux.org 25


Trying ...
Connected to docs.homelinux.org.
Escape character is '^]'.
220 EHLO docs.homelinux.org
250-mail.docs.homelinux.org
250-PIPELINING
250-SIZE 20971520
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
STARTTLS
220 2.0.0 Ready to start TLS

10/5/2016 11:38 AM

Configure Postfix with TLS

4 of 6

http://wiki.lenux.org/configure-postfix-with-tls/

Check TLS restriction on submission service

admin@localhost:~$ telnet docs.homelinux.org 587


Trying ...
Connected to docs.homelinux.org.
Escape character is '^]'.
220 EHLO docs.homelinux.org
250-mail.docs.homelinux.org
250-PIPELINING
250-SIZE 20971520
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
MAIL FROM:admin@docs.homelinux.org
530 5.7.0 Must issue a STARTTLS command first

Check TLS for outgoing mails

Send a mail to a MTA with TLS support (as example

gmail.com). Now look at the mail.log file, you will find

something like this Untrusted TLS connection established

to gmail-smtp-in.l.google.com[74.125.136.27]:25: TLSv1.2
with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128
bits)

Jul 10 09:25:04 localhost postfix/smtp[7673]: Untruste


d TLS connection established to gmail-smtp-in.l.google
.com[74.125.136.27]:25: TLSv1.2 with cipher ECDHE-RSAAES128-GCM-SHA256 (128/128 bits) Jul 10 09:25:06 local
host postfix/smtp[7673]: 7F7CF381EF0: to=<rcpt@gmail.c
om>, relay=gmail-smtp-in.l.google.com[74.125.136.27]:2
5, delay=1.6, delays=0.01/0.01/0.21/1.3, dsn=2.0.0, st
atus=sent (250 2.0.0 OK 1404977108 eu5si11426584wic.47
- gsmtp) Jul 10 09:25:06 localhost postfix/qmgr[7220]
: 7F7CF381EF0: removed

SMTP outgoing TLS security policy


10/5/2016 11:38 AM

Configure Postfix with TLS

5 of 6

http://wiki.lenux.org/configure-postfix-with-tls/

If you want to force TLS encryption for some remote mail


host, you can use the smtp_tls_policy_maps option and

define a hash table with recipients that you want to force the
TLS connection:

vi /etc/postfix/main.cf

# Optional lookup tables with the Postfix SMTP client TLS


smtp_tls_policy_maps = hash:/etc/postfix/tls_client_policy

Reload postfix to apply the changes:


service postfix reload

Create hash table:

vi /etc/postfix/tls_client_policy
must-be-tls.com
encrypt
must-be-tls-but-it-cant.com

encrypt

postmap /etc/postfix/tls_client_policy

All mails that goes to @must-be-tls.com or @must-be-tls-

but-it-cant.com is now forced to transfer with TLS connection.


To test it send a e-mail to @must-be-tls-but-it-cant.com (MTA
without TLS support), look at the mail.log, the result should

be status=deferred (TLS is required, but was not offered


by host mx.must-be-tls-but-it-cant.com[10.0.0.1]

Jul 10 09:34:57 localhost postfix/smtp[8408]: E8E42381


EEF: to=<test@ must-be-tls-but-it-cant.com>, relay=mx.
must-be-tls-but-it-cant.com[10.0.0.1]:25, delay=10, de
lays=0.01/0.01/10/0, dsn=4.7.4, status=deferred (TLS i
s required, but was not offered by host mx.must-be-tls
-but-it-cant.com[10.0.0.1])

SMTP incoming TLS security


policy

We can force the TLS connection for incoming sessions. For

10/5/2016 11:38 AM

Configure Postfix with TLS

6 of 6

http://wiki.lenux.org/configure-postfix-with-tls/

this we can use the smtpd_sender_restrictions option and


define hash table like above.
vi /etc/postfix/main.cf

smtpd_sender_restrictions = check_sender_access hash:<span

Reload postfix to apply settings:


service postfix reload

Create hash table:

vi /etc/postfix/tls_server_policy

sender-must-be-tls.com
reject_plaintext_session
sender-must-be-tls-but-it-cant.com
reject_plaintext_session

If you recive an e-mail from @sender-must-be-tls-but-

it-cant.com (MTA wihtout TLS support), the connection will be


rejected with 450 4.7.1 Session encryption is required,
look at the mail log

Jul 10 10:05:13 localhost postfix/smtpd[9785]: connect


from sender-must-be-tls-but-it-cant.com[10.0.0.8]
Jul 10 10:05:13 localhost postfix/smtpd[9785]: NOQUEUE
: reject: RCPT from sender-must-be-tls-but-it-cant.com
[10.0.0.8]: 450 4.7.1 Session encryption is required;
from=<sender@sender-must-be-tls-but-it-cant.com[> to=<
admin@docs.homelinux.org> proto=ESMTP helo=<sender-mus
t-be-tls-but-it-cant.com>
Jul 10 10:05:13 localhost postfix/smtpd[9785]: disconn
ect from sender-must-be-tls-but-it-cant.com[10.0.0.8]
Postfix

Create Postfix Mail Stats with

AWStats

Installing pnp4nagios with nagios


integration

10/5/2016 11:38 AM