GIT – In this tutorial you will learn about Installing SSL Certificate (Secure Server Certificate) to secure communication between SMTP server and mail client such as Outlook or Thunderbird.

You need to generate a CSR certificate for CA, to use with your Postfix . This tutorial instuctions are tested under:

  1. Redhat enterprise 5
  2. CentOS 5 Server
  3. FreeBSD 7 server

Procedure for creating a CSR on postfix MTA is just like web server. You need to use OpenSSL which is a cryptography toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer (TLS v1) network protocols and related cryptography standards under Linux / UNIX. To configure postfix SSL SMTP you need 3 files

  • The private key generated using step #1
  • Your .crt certificate file (it will be send by CA)
  • CA certificate (also known as

Let us see how to create certificate for Postfix smtp server called

Step # 1: Generating a CSR and private key for Postfix SMTP

Type the to create a SSL CSR for a mail server called

# mkdir /etc/postfix/ssl
# cd /etc/postfix/ssl
# openssl req -new -nodes -keyout -out

Most important is Common Name, in our example it is set to For the common name, you should enter the full mail server address of your site.

Sample output:

Generating a 1024 bit RSA private key
writing new private key to ''
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [AU]:IN
State or Province Name (full name) [Some-State]:MHA
Locality Name (eg, city) []:Pune
Organization Name (eg, company) [Internet Widgits Pty Ltd]:NIXCRAFT LTD
Organizational Unit Name (eg, section) []:ITDEPT
Common Name (eg, YOUR name) []
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge  []:myPassword
An optional company name []:NIXCRAFT LTD

Step # 2: Submit CSR to CA

Now a CSR is generated. All you have to do is copy and paste the contents of the CSR file into the SSL certificate providers (aka CA) account. Never ever give out your private key or certificate to anyone. After verification you should receive a zip file with certificates.

Step # 3 : your SSL certificate

Unzip file and upload certificates to /etc/postfix/ssl directory.

Step # 4: Configure Postfix SMTP for SSL certificate

Open postfix smtp configuration file and append following directive:

smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/postfix/ssl/
smtpd_tls_cert_file = /etc/postfix/ssl/
smtpd_tls_CAfile = /etc/postfix/ssl/caroot.crt
smtpd_tls_loglevel = 1

smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

Save and close the file. Restart or reload postfix service

# postfix reload.
# /etc/init.d/postfix restart

Note I have SASL configured as follows in

smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_recipient_restrictions = permit_sasl_authenticated, reject_unauth_destination, permit_mynetworks check_relay_domains
smtpd_delay_reject = yes
broken_sasl_auth_clients = yes

Test Postfix TLS (SSL)

In order to test the TLS, just telnet on port 25 (you must see STARTTLS and AUTH lines):

$ telnet 25


Connected to
Escape character is '^]'.
220 ESMTP Postfix
250-SIZE 10240000
250 DSN

And mail log file…

# tail -f /var/log/maillog

Jul 12 14:25:10 smtp postfix/smtpd[28817]: connect from unknown[]
Jul 12 14:25:11 smtp postfix/smtpd[28817]: setting up TLS connection from unknown[]
Jul 12 14:25:11 smtp postfix/smtpd[28817]: TLS connection established from unknown[]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Jul 12 14:25:12 smtp postfix/smtpd[28817]: B3A0A9D8443: client=unknown[], sasl_method=PLAIN, [email protected]
Jul 12 14:25:13 smtp postfix/cleanup[28807]: B3A0A9D8443: message-id=<[email protected]>
Jul 12 14:25:13 smtp postfix/qmgr[28806]: B3A0A9D8443: from=, size=632, nrcpt=1 (queue active)
Jul 12 14:25:14 smtp postfix/smtpd[28817]: disconnect from unknown[]
Jul 12 14:25:14 smtp postfix/smtp[28821]: B3A0A9D8443: to=,[]:25, delay=2.1, delays=1.5/0/0.13/0.49, dsn=2.0.0, status=sent (250 2.0.0 OK 1184268314 n29si21297786elf)
Jul 12 14:25:14 smtp postfix/qmgr[28806]: B3A0A9D8443: removed

Postfix mail server create self-signed SSL certificates

Use this howto / tutorial to if you need, to create self-signed SSL certificates on Cent OS / Redhat linux (RHEL 4/5)
Goto /tmp dir

cd /tmp
mkdir config
cd config
mkdir certs crl newcerts private
echo "01" > serial
cp /dev/null index.txt
cat /usr/share/ssl/openssl.cnf | sed -e 's/\.\/demoCA/\./' > openssl.cnf

Create a NEW CA

openssl req -new -x509 -keyout private/cakey.pem -out cacert.pem -days 365 -config openssl.cnf

Cert sign request

openssl req -nodes -new -x509 -keyout newreq.pem -out newreq.pem -days 365 -config openssl.cnf
openssl x509 -x509toreq -in newreq.pem -signkey newreq.pem -out tmp.pem

Sign out certificate

openssl ca -config openssl.cnf -policy policy_anything -out newcert.pem -infiles tmp.pem

Now copy cert

cp cacert.pem /usr/share/ssl/certs
grep -B 100 "END RSA PRIVATE KEY" newreq.pem > /usr/share/ssl/certs/key.pem
chmod 400 /usr/share/ssl/certs/key.pem
cp newcert.pem /usr/share/ssl/certs/cert.pem

Open /etc/postfix/ and append or modify config as follows:

#### SASL bits ####
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =

## The following allows anyone who is in mynetworks, or anyone who can authenticate, to send mail through this server
smtpd_recipient_restrictions = permit_sasl_authenticated, reject_unauth_destination, permit_mynetworks check_relay_domains
smtpd_delay_reject = yes

## this is necessary for some email clients
broken_sasl_auth_clients = yes

#### TLS bits ####
smtpd_tls_auth_only = no
smtp_use_tls = yes
smtpd_use_tls = yes
smtp_tls_note_starttls_offer = yes

## Location of key, cert and CA-cert.
## These files need to be generated using openssl

smtpd_tls_key_file = /usr/share/ssl/certs/key.pem
smtpd_tls_cert_file = /usr/share/ssl/certs/cert.pem
smtpd_tls_CAfile = /usr/share/ssl/certs/cacert.pem

smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_exchange_name = /var/run/prng_exch
tls_random_source = dev:/dev/urandom
tls_smtp_use_tls = yes
ipv6_version = 1.25

Make sure you have cyrus-sasl installed

yum install cyrus-sasl
( or )
up2date cyrus-sasl dovecot

Open /etc/dovecot.conf and enable secure impa and pop3

Create user for each mail user:

saslpasswd2 -c rocky

Allow postfix to read cyrus-sasl password file

chown :postfix /etc/sasldb2

Make sure /usr/lib/sasl2/smtpd.conf looks like as follows:

pwcheck_method: auxprop

Restart postfix and cyrus:

/etc/init.d/saslauthd restart
/etc/init.d/postfix restart
/etc/init.d/dovecot restart

Run ntsysv and enable all services upon boot


Test everything is working

telnet server-ip 25
telnet server-ip 143
telnet server-ip 110
netstat -tulp

Make sure all mail ports are open from iptables as well open /etc/sysconfig/iptables:

/etc/init.d/iptables save
vi /etc/sysconfig/iptables

Add rules that allows incomming port 25,143,110

-A INPUT -i eth1 -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 110 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 143 -j ACCEPT

Make sure you make changes as per your setup.

/etc/init.d/iptables restart
Print Friendly, PDF & Email



Bài viết liên quan