POSTFIX AND STARTTLS

REQUIREMENTS

Either get some cert or self-sign one, which used to be a common practice for SMTP… But Gmail, Yandex and Mail.ru now finally show certificate validation warnings to their users.

Now you also need to be able to check remote certificates, hence (assuming no chroot):

$OPENSSL_HOME/bin/c_rehash /etc/openssl/certs

ENFORCING SETUP

#inbound
#smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_tls_CApath = /etc/openssl/certs
smtpd_tls_cert_file = /etc/letsencrypt/live/DOMAIN.TLD/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/DOMAIN.TLD/privkey.pem
#smtpd_tls_cert_file = /etc/openssl/selfsign.cer
#smtpd_tls_key_file = /etc/openssl/selfsign.key
#smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
#smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
#legacy (pre-2.3) switch, overridden by smtpd_tls_security_level when that is set
smtpd_use_tls = yes
smtpd_tls_loglevel = 1
#encrypt = refuse plaintext sessions; fine for a relay with known peers, but a
#public MX must not require STARTTLS (RFC 3207 section 4), use "may" there
smtpd_tls_security_level = encrypt
smtpd_tls_mandatory_ciphers = high

#outbound
#smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_tls_CApath = /etc/openssl/certs
#legacy (pre-2.3) switch, overridden by smtp_tls_security_level when that is set
smtp_use_tls = yes
smtp_tls_loglevel = 1
#encrypt = defer mail to any destination that does not offer STARTTLS
smtp_tls_security_level = encrypt
smtp_tls_mandatory_ciphers = high

#legacy (pre-2.3) outbound enforcement, also overridden by smtp_tls_security_level
#when that is set; on releases that still honour this pair it maps to "verify",
#not "encrypt"
smtp_enforce_tls = yes
smtp_tls_enforce_peername = yes
#smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
#smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1
#default !SSLv2, !SSLv3

VALIDATING SETUP (TODO + DANE)

#inbound - checking client cert - too harsh
#smtpd_tls_req_ccert = yes
#smtpd_tls_ask_ccert = yes

#outbound - the world might be ready
smtp_tls_security_level = verify
#smtp_tls_verify_cert_match = hostname, nexthop, dot-nexthop
smtp_tls_verify_cert_match = hostname
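As an added example (not from the original page), a small POSIX shell helper for checking the result of the two setups above. starttls_probe runs the same chain check against the rehashed CA directory from the REQUIREMENTS step that the Postfix SMTP client will run, and tls_log_summary tallies the Trusted / Untrusted / Anonymous / Verified lines that loglevel 1 writes, which answers the "is the world ready" question before switching outbound to verify. The host names, addresses and log lines in it are constructed.

```shell
#!/bin/sh
# Added example, not part of the original page. Assumes openssl(1) and the
# rehashed CA directory /etc/openssl/certs from the REQUIREMENTS step.

# starttls_probe HOST [PORT]: open a STARTTLS session to HOST the way the
# Postfix SMTP client would and print protocol, cipher and the chain
# verification result against the rehashed CA directory. "Verify return
# code: 0 (ok)" is what smtp_tls_security_level = verify needs; anything
# else means mail to that destination would be deferred.
starttls_probe() {
    host=$1
    port=${2:-25}
    openssl s_client -starttls smtp -connect "$host:$port" -servername "$host" \
        -CApath /etc/openssl/certs </dev/null 2>/dev/null |
        grep -E '^ *(Protocol|Cipher|Verify return code) *:'
}

# tls_log_summary: read Postfix log lines on stdin and count TLS handshake
# outcomes per direction. At smtp_tls_loglevel / smtpd_tls_loglevel = 1 Postfix
# logs one "<Level> TLS connection established to|from ..." line per session,
# where Level is Anonymous (no cert check), Untrusted (chain did not verify),
# Trusted (chain verified) or Verified (chain and name verified). Every
# outbound Anonymous or Untrusted destination is mail that "verify" would defer.
tls_log_summary() {
    awk '
    /TLS connection established (to|from) / {
        for (i = 1; i <= NF; i++) {
            if ($i == "TLS" && $(i+1) == "connection" && $(i+2) == "established") {
                level = $(i-1)
                dir = ($(i+3) == "to") ? "outbound" : "inbound"
                count[dir " " level]++
                break
            }
        }
    }
    END { for (k in count) print k, count[k] }' | LC_ALL=C sort
}

# Constructed sample log lines (RFC 5737 documentation addresses) for a dry run.
sample_log() {
    cat <<'EOF'
Jan  5 10:00:01 mx postfix/smtp[1201]: Trusted TLS connection established to mx.example.net[203.0.113.5]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jan  5 10:00:07 mx postfix/smtp[1202]: Untrusted TLS connection established to mail.example.org[198.51.100.9]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Jan  5 10:00:12 mx postfix/smtpd[1190]: Anonymous TLS connection established from client.example.com[192.0.2.77]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jan  5 10:00:20 mx postfix/smtp[1203]: Trusted TLS connection established to mx.example.net[203.0.113.5]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jan  5 10:00:31 mx postfix/smtp[1204]: Untrusted TLS connection established to mail.example.org[198.51.100.9]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
EOF
}

# Dry run on the sample; on a real host use: tls_log_summary < /var/log/mail.log
sample_log | tls_log_summary
```

On the sample the summary prints one line per direction and level (inbound Anonymous 1, outbound Trusted 2, outbound Untrusted 2); a real log with a large outbound Untrusted count is the signal that verify is still too early for a site-wide default.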

RESOURCES

Postfix TLS Support http://www.postfix.org/TLS_README.html

TLS Forward Secrecy in Postfix http://www.postfix.org/FORWARD_SECRECY_README.html

Postfix with TLS https://linuxlasse.net/linux/howtos/Postfix_with_TLS

Postfix TLS Error https://serverfault.com/questions/660241/postfix-tls-error
