POSTFIX AND STARTTLS

REQUIREMENTS

Either get a certificate from a CA or self-sign one. Self-signed certificates used to be common practice for SMTP, but Gmail, Yandex and Mail.ru now show certificate validation warnings to their users, so a CA-issued certificate is preferable (the configuration below uses one issued through the dehydrated ACME client).

You also need to be able to verify remote certificates, so Postfix needs a readable trust store (assuming smtp/smtpd are not chrooted; under chroot the files must live below the queue directory). Either rehash the system CA directory so OpenSSL can look certificates up by subject hash (on OpenSSL 1.1.0+ `openssl rehash /etc/ssl/certs` does the same):

$OPENSSL_HOME/bin/c_rehash /etc/ssl/certs

Or fetch a single-file bundle (Mozilla's CA list as packaged by the curl project) and check it against the published SHA-256 before trusting it:

#cd /etc/openssl/
cd /etc/ssl/
wget https://curl.haxx.se/ca/cacert.pem
wget https://curl.haxx.se/ca/cacert.pem.sha256
shasum -a 256 cacert.pem
cat cacert.pem.sha256

For the 2020-01-01 bundle both digests (the one you computed and the one in cacert.pem.sha256) should read

adf770dfd574a0d6026bfaa270cb6879b063957177a991d453ff1d302c02081f  cacert.pem
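The same fetch-and-verify procedure as a script, added here as an example (it is not from the page or from the curl project), which then uses the verified bundle to check a remote MX the way Postfix will, through `openssl s_client -starttls smtp`. The URL is the page's; `CA_DIR`, the function names and the `fetch`/`check` sub-commands are this example's own. The digest comparison works offline; fetching the bundle and probing an MX need network access.

```shell
#!/bin/sh
# Added example: fetch the curl/Mozilla CA bundle, verify it against the published
# SHA-256, and use it to verify a remote MX's STARTTLS certificate.
set -u

CA_DIR="${CA_DIR:-/etc/ssl}"                       # where the page keeps cacert.pem
CA_URL="https://curl.haxx.se/ca/cacert.pem"        # URL used on the page

# sha256_of FILE: print the hex digest with whichever tool the platform has
# (sha256sum on Linux, shasum -a 256 on BSD/macOS as the page uses).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_ca_bundle DIR: compare DIR/cacert.pem with the digest in DIR/cacert.pem.sha256.
# Only the first field of the .sha256 file is compared, so it works whether that file
# holds the bare digest or "digest  cacert.pem". Returns 0 on match, 1 on mismatch.
verify_ca_bundle() {
    dir="$1"
    expected=$(cut -d' ' -f1 "$dir/cacert.pem.sha256")
    actual=$(sha256_of "$dir/cacert.pem")
    if [ -n "$expected" ] && [ "$expected" = "$actual" ]; then
        echo "cacert.pem OK ($actual)"
        return 0
    fi
    echo "cacert.pem MISMATCH: expected '$expected' got '$actual'" >&2
    return 1
}

# fetch_ca_bundle DIR: download bundle and digest into DIR, then verify (network needed).
fetch_ca_bundle() {
    dir="$1"
    wget -q -O "$dir/cacert.pem" "$CA_URL" || return 1
    wget -q -O "$dir/cacert.pem.sha256" "$CA_URL.sha256" || return 1
    verify_ca_bundle "$dir"
}

# check_starttls HOST [PORT]: open an SMTP session, upgrade with STARTTLS, and verify the
# server chain and hostname against the bundle (network needed). Prints the s_client
# verify line; returns 0 only for "Verify return code: 0 (ok)".
check_starttls() {
    host="${1:?usage: check HOST [PORT]}"; port="${2:-25}"
    result=$(openssl s_client -connect "$host:$port" -starttls smtp \
        -servername "$host" -verify_hostname "$host" \
        -CAfile "$CA_DIR/cacert.pem" </dev/null 2>&1 | grep 'Verify return code')
    echo "$host:$port $result"
    case "$result" in *"Verify return code: 0 (ok)"*) return 0 ;; esac
    return 1
}

# Usage:  ./ca-bundle.sh fetch                 -> download + verify into $CA_DIR
#         ./ca-bundle.sh check mx.example.com  -> probe an MX with the verified bundle
case "${1:-}" in
    fetch) fetch_ca_bundle "$CA_DIR" ;;
    check) shift; check_starttls "$@" ;;
esac
```

A non-zero verify return code from `check_starttls` against a peer you intend to put at level `verify` or `secure` means Postfix would defer mail to it with the same trust store, so run this before tightening the policy for that destination.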

STARTTLS CERTS

The CApath parameters take a directory (the rehashed one), not a yes/no keyword; leave them empty to use only the bundle named in CAfile. tls_append_default_CA = no keeps OpenSSL's built-in default locations out of the trust store, so the bundle you just verified is the whole trust store. On the smtpd side CAfile is only used to verify client certificates, and the names of all CAs in it are sent to clients when a client certificate is requested, so with smtpd_tls_ask_ccert off it may also simply stay empty; the server's own chain comes from fullchain.pem.

tls_append_default_CA = no

#smtpd_tls_CApath = /etc/ssl/certs
smtpd_tls_CApath =
smtpd_tls_CAfile = /etc/ssl/cacert.pem
smtpd_tls_cert_file = /etc/dehydrated/certs/slackmx.nethence.com/fullchain.pem
smtpd_tls_key_file = /etc/dehydrated/certs/slackmx.nethence.com/privkey.pem

#smtp_tls_CApath = /etc/ssl/certs
smtp_tls_CApath =
smtp_tls_CAfile = /etc/ssl/cacert.pem

ENFORCE STARTTLS INBOUND

may offers STARTTLS but still accepts plaintext (opportunistic TLS); encrypt rejects mail that does not use it. RFC 3207 forbids requiring STARTTLS on a publicly referenced MX on port 25, so encrypt belongs on the submission service (587), not on the MX. The mandatory_ variants of the cipher and protocol parameters only apply at level encrypt and above, the plain ones to opportunistic sessions; medium is the default for both. At loglevel 1 every session logs one "TLS connection established" line with protocol and cipher, which is what to check after changing these.

#smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_tls_loglevel = 1
smtpd_tls_security_level = may
#smtpd_tls_security_level = encrypt
smtpd_tls_ciphers = medium
smtpd_tls_mandatory_ciphers = medium
#smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1
#smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1
#add !TLSv1.1 to both lists to drop TLS 1.1 as well; Postfix 3.6+ also accepts >=TLSv1.2

ENFORCE STARTTLS OUTBOUND

The same levels exist for the client side. With encrypt, mail to any destination that does not offer STARTTLS is deferred and eventually bounced, and encrypt still performs no certificate check, so it only defeats passive capture, not an active attacker. Keep the global level at may and raise it per destination with smtp_tls_policy_maps (below).

#smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_tls_loglevel = 1
smtp_tls_security_level = may
#smtp_tls_security_level = encrypt
smtp_tls_ciphers = medium
smtp_tls_mandatory_ciphers = medium
#smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1
#smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1
#add !TLSv1.1 to both lists to drop TLS 1.1 as well; Postfix 3.6+ also accepts >=TLSv1.2
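To see what the inbound and outbound settings above actually negotiate, the "TLS connection established" lines written at loglevel 1 can be summarised per direction, trust level and protocol. The script below is an added example (not from the page or from Postfix); the log lines in `SAMPLE_LOG` are constructed in the real loglevel-1 format, with documentation hostnames and addresses.

```shell
#!/bin/sh
# Added example: summarise Postfix loglevel-1 TLS lines so weak protocols and
# unverified peers stand out after changing the protocol/cipher settings.

# tls_log_summary: read Postfix log lines on stdin; print one "WEAK:" line per session
# negotiated below TLSv1.2, then one count line per direction / trust / protocol.
# Lines other than "... TLS connection established from|to ..." are ignored.
tls_log_summary() {
    awk '
    / TLS connection established (from|to) / {
        dir = ($0 ~ / established to /) ? "outbound" : "inbound"
        # trust word Postfix logs: Anonymous (no certificate checked), Untrusted (chain
        # did not verify), Trusted (chain verified), Verified (chain and name verified)
        match($0, /(Anonymous|Untrusted|Trusted|Verified) TLS connection established/)
        trust = substr($0, RSTART, RLENGTH); sub(/ .*/, "", trust)
        # peer = "host[addr]" after from/to, without the trailing ":" or ":port:"
        match($0, / (from|to) [^ ]+/)
        peer = substr($0, RSTART + 1, RLENGTH - 1)
        sub(/^(from|to) /, "", peer); sub(/:[0-9]*:?$/, "", peer)
        # protocol = first word of the last ": "-separated field ("TLSv1.2 with cipher ...")
        n = split($0, f, ": "); split(f[n], w, " "); proto = w[1]
        if (proto == "SSLv2" || proto == "SSLv3" || proto == "TLSv1" || proto == "TLSv1.1")
            printf "WEAK: %s %s %s\n", dir, peer, proto
        count[dir " " trust " " proto]++
    }
    END { for (k in count) printf "%s %d\n", k, count[k] }
    ' | LC_ALL=C sort
}

# Constructed sample (not a real server log): two inbound sessions from the same peer,
# one inbound legacy peer still on TLS 1.0, one verified and one unverified outbound peer.
SAMPLE_LOG='Jan  1 10:00:01 mx postfix/smtpd[1001]: Anonymous TLS connection established from mail.example.org[192.0.2.10]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jan  1 10:00:02 mx postfix/smtpd[1002]: Anonymous TLS connection established from legacy.example.org[192.0.2.11]: TLSv1 with cipher AES128-SHA (128/128 bits)
Jan  1 10:00:03 mx postfix/smtp[1003]: Trusted TLS connection established to mx.example.net[198.51.100.2]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
Jan  1 10:00:04 mx postfix/smtp[1004]: Untrusted TLS connection established to mx.example.com[203.0.113.5]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Jan  1 10:00:05 mx postfix/smtpd[1005]: Anonymous TLS connection established from mail.example.org[192.0.2.10]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)'

# Real use: tls_log_summary < /var/log/maillog   (or: journalctl -u postfix | tls_log_summary)
printf '%s\n' "$SAMPLE_LOG" | tls_log_summary
```

Inbound sessions are always logged as Anonymous unless client certificates are requested. An Untrusted outbound peer is harmless at level may, but the same destination would have its mail deferred at verify or secure, so the WEAK and Untrusted lines are the list of peers to look at before tightening anything.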

VERIFY CERTIFICATE INBOUND

Client certificates are rare on the open internet, so both settings are off by default and are mostly useful for relay clients you control (relay_clientcerts with permit_tls_clientcerts). ask_ccert requests a certificate but still accepts sessions without one; req_ccert rejects clients that present no verifiable certificate and only takes effect at smtpd_tls_security_level = encrypt, so it is not for a public MX. The issuing CA must be in smtpd_tls_CAfile or a rehashed smtpd_tls_CApath, and every CA name in them is sent in the certificate request, so list only the CAs you actually accept rather than a public bundle.

#smtpd_tls_CApath = /etc/ssl/certs
#smtpd_tls_req_ccert = yes
#smtpd_tls_ask_ccert = yes

VERIFY CERTIFICATE OUTBOUND

#legacy pre-2.3 parameter for the smtp client only (there is no smtpd counterpart); superseded by smtp_tls_security_level = verify, which always matches the peer name
smtp_tls_enforce_peername = yes

verify checks the chain against smtp_tls_CAfile and matches the name per smtp_tls_verify_cert_match, by default hostname, i.e. the MX host learned from DNS, which an attacker who can forge DNS answers also controls. secure matches per smtp_tls_secure_cert_match (default nexthop, dot-nexthop, the recipient domain itself), which is the level that holds up against a DNS or network attacker. Setting either globally defers mail to every destination whose certificate does not verify, so keep the global level at may and raise it per destination in a policy map.

#smtp_tls_security_level = verify
#smtp_tls_security_level = secure
#smtp_tls_verify_cert_match = hostname (default)
#smtp_tls_verify_cert_match = hostname, nexthop, dot-nexthop

#smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
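A worked policy table for that last setting, as an added example (it is not the page's or Postfix's own file): one entry per level, with the match= attribute where the default would not fit. The destination names are placeholders; `write_tls_policy` is this example's own helper and only runs postmap when Postfix is installed.

```shell
#!/bin/sh
# Added example: per-destination TLS policy for smtp_tls_policy_maps = hash:/etc/postfix/tls_policy

# write_tls_policy FILE: write the policy table (constructed example entries) and,
# when postmap is available, build the hash: map next to it.
write_tls_policy() {
    cat > "$1" <<'EOF'
# key = next-hop destination: a domain, or [host] / [host]:port for transport-style next-hops
# secure: mandatory TLS, chain verified against smtp_tls_CAfile, name must match the
#         next-hop domain (nexthop, dot-nexthop); the right level against a DNS/MITM attacker
partner.example          secure
# verify: chain verified, name matched against the MX hostname (DNS-dependent)
example.net              verify match=hostname
# secure, but the MX presents a certificate for other names: list the acceptable ones,
# colon-separated, a leading dot meaning any subdomain
example.com              secure match=mx.example.com:.mail.example.com
# encrypt: mandatory TLS without any certificate check, only defeats passive capture
legacy.example           encrypt
# may: opportunistic, plaintext fallback (same as the global smtp_tls_security_level)
broken-tls.example       may
# none: never attempt STARTTLS, for a relay whose TLS stack is broken
[relay.example]:2525     none
EOF
    # postmap builds FILE.db; skipped on a workstation without Postfix
    command -v postmap >/dev/null 2>&1 && postmap "hash:$1"
    return 0
}

# Usage: write_tls_policy /etc/postfix/tls_policy && postfix reload
```

After changing the table, `postmap hash:/etc/postfix/tls_policy` must be rerun; Postfix reads the .db, not the text file. A destination at secure or verify whose certificate stops verifying (expired, renamed MX) has its mail deferred, which is the intended failure mode but one worth monitoring in the log.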

Additional notes

The following parameters are obsolete since Postfix 2.3: the security-level parameters replace them, and a non-empty smtp_tls_security_level / smtpd_tls_security_level takes precedence when both are set.

smtp_use_tls = yes

superseded by smtp_tls_security_level = may

smtpd_use_tls = yes

superseded by smtpd_tls_security_level = may

smtp_enforce_tls = yes

superseded by smtp_tls_security_level = encrypt (or verify, which is what it meant together with the default smtp_tls_enforce_peername = yes)

smtpd_enforce_tls = yes

superseded by smtpd_tls_security_level = encrypt

RESOURCES

Postfix TLS Support http://www.postfix.org/TLS_README.html

TLS Forward Secrecy in Postfix http://www.postfix.org/FORWARD_SECRECY_README.html

Postfix with TLS https://linuxlasse.net/linux/howtos/Postfix_with_TLS

Postfix TLS Error https://serverfault.com/questions/660241/postfix-tls-error

