This tutorial is based on CentOS 6.4 Linux.
Asymmetric encryption uses a key pair, one public and one private. With asymmetric encryption we use digital certificates to discover other parties' public keys. A certificate binds a public key to information such as the organization name, the user's e-mail address, the department and so on, and carries a CA signature over that binding. Before encrypted communication starts, one party sends its certificate to the other, which extracts the public key from it and checks the signature against a CA it trusts.
In this tutorial we will look at securing Postfix SMTP communications with SSL/TLS certificates. TLS protects messages transferred over SMTP while they are in transit between two mail servers, so that a third party on the path cannot read them. Note what this does and does not cover: the protection is per hop (your server to the next MTA), not end to end, and with opportunistic TLS a peer that does not offer STARTTLS still gets plaintext delivery, so opportunistic TLS defeats passive eavesdropping but is not a guarantee of encryption. Some correspondents, banks for example, require that the MTAs they exchange mail with support TLS, and opportunistic TLS for all inbound mail may also be a requirement.
Implementing TLS encryption with Postfix on CentOS 6 is fairly straightforward.
First make sure openssl is installed. If it is not, install it with:
yum install openssl
Create the private key and CSR by running the following:
mkdir /etc/postfix/sslcerts
cd /etc/postfix/sslcerts
openssl req -new -nodes -keyout testdomain.key -out testdomainmail.csr
Fill out the requested information. The Common Name must be the hostname that clients and other MTAs connect to (the name in your MX record); any other value makes them report a certificate name mismatch. The key size comes from default_bits in openssl.cnf; use at least 2048 bits. The -nodes option writes the private key without a passphrase, which Postfix needs because it cannot prompt for one at start-up, so file permissions are the only protection the key has: keep the directory and the key readable by root only.
Submit the CSR to the CA
The process of submitting the CSR to a CA depends on which CA you choose. In most cases it is trivial and boils down to pasting the CSR into the CA's website. Note that the CSR contains only the public key, so it is safe to send; the private key never leaves the server.
Install the certificates in the created directory
You will most likely get the signed certificate back by e-mail, usually together with the CA's intermediate certificate. Download them to the Linux box running Postfix and place them in the directory created above, next to the private key. If an intermediate certificate was supplied, append it to the server certificate file after the server certificate: Postfix sends the whole contents of smtpd_tls_cert_file during the handshake, and without the intermediate many clients cannot build a chain to a trusted root and will treat the certificate as unverified.
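The following script is an added example, not code from the original tutorial: it performs the key and CSR generation above non-interactively, and then the checks a practitioner runs on the certificate the CA sends back before pointing Postfix at it (CN matches the mail hostname, certificate was issued for this key, intermediate appended after the server certificate). The hostname mail.testdomain.example, the directory /etc/postfix/sslcerts and the file names signed.crt and intermediate.crt in the usage lines are placeholders.

```bash
#!/bin/bash
# Added example: non-interactive key/CSR generation plus the checks to run
# on the certificate the CA returns, before Postfix is configured to use it.
# mail.testdomain.example and /etc/postfix/sslcerts are placeholder values.
set -e

# Create a 2048-bit RSA key and a CSR for host $2 under directory $1.
# -nodes leaves the key unencrypted: Postfix cannot type a passphrase at
# start-up, so the directory and file modes are the key's only protection.
gen_key_and_csr() {
    dir=$1; host=$2
    mkdir -p "$dir"
    chmod 700 "$dir"
    openssl req -new -nodes -newkey rsa:2048 \
        -keyout "$dir/$host.key" -out "$dir/$host.csr" \
        -subj "/CN=$host" >/dev/null 2>&1
    chmod 600 "$dir/$host.key"
    # The CSR is self-signed with the new key; if that signature does not
    # verify, the request is not worth sending to the CA.
    openssl req -noout -verify -in "$dir/$host.csr" >/dev/null 2>&1
}

# Print the Common Name of a CSR, to compare with the MX hostname before
# submitting it. The sed copes with both "subject=/CN=x" (OpenSSL 1.0)
# and "subject=CN = x" (OpenSSL 1.1 and later) output formats.
csr_cn() {
    openssl req -noout -subject -in "$1" | sed -n 's|.*CN *= *\([^,/]*\).*|\1|p'
}

# Same for the signed certificate, to confirm the CA issued it for the name
# you asked for.
cert_cn() {
    openssl x509 -noout -subject -in "$1" | sed -n 's|.*CN *= *\([^,/]*\).*|\1|p'
}

# Succeed only if the certificate was issued for this private key (same RSA
# modulus). A mismatch here makes Postfix refuse to load the key/cert pair.
key_matches_cert() {
    [ "$(openssl rsa -noout -modulus -in "$1")" = "$(openssl x509 -noout -modulus -in "$2")" ]
}

# Build the file smtpd_tls_cert_file will point at: server certificate
# first, then the CA's intermediate certificate(s) in chain order. The root
# certificate is not needed and should not be included.
install_cert() {
    server=$1; dest=$2; shift 2
    cat "$server" "$@" > "$dest"
    chmod 644 "$dest"
}

# Number of PEM certificates in a bundle: server cert plus intermediates.
cert_count() {
    grep -c 'BEGIN CERTIFICATE' "$1"
}

# Usage (placeholder names; signed.crt and intermediate.crt are whatever
# the CA sent back):
#   gen_key_and_csr /etc/postfix/sslcerts mail.testdomain.example
#   csr_cn /etc/postfix/sslcerts/mail.testdomain.example.csr
#   cert_cn signed.crt
#   key_matches_cert /etc/postfix/sslcerts/mail.testdomain.example.key signed.crt
#   install_cert signed.crt /etc/postfix/sslcerts/mail.testdomain.example.crt intermediate.crt
#   cert_count /etc/postfix/sslcerts/mail.testdomain.example.crt
```

The modulus comparison is the quickest way to catch the classic mistake of installing a certificate issued for a CSR other than the one generated from this key (for example after regenerating the key during a renewal).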
Edit /etc/postfix/main.cf and append the following. The paths must point at the directory where you placed the key and the certificate (/etc/postfix/sslcerts above):
smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/postfix/sslcerts/testdomain.key
smtpd_tls_cert_file = /etc/postfix/sslcerts/testdomainmail.crt
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
A few notes on these settings. smtpd_use_tls = yes is the pre-2.3 spelling of opportunistic TLS; Postfix 2.3 and later (CentOS 6 ships 2.6) prefers smtpd_tls_security_level = may, which means the same thing: STARTTLS is announced but not required. smtpd_tls_auth_only = yes makes Postfix offer SASL AUTH only after STARTTLS, so passwords never cross the wire in the clear. smtpd_tls_loglevel = 1 logs a one-line summary of each handshake, which is what you want in production. The smtpd_ parameters cover only mail arriving at your server; to use opportunistic TLS when Postfix delivers to other MTAs, also set smtp_tls_security_level = may. Finally, reload Postfix (postfix reload) so the changes take effect.
You can test that TLS is enabled by connecting to port 25 and issuing an EHLO command:
telnet mailserver 25
As long as you see 250-STARTTLS in the list of extensions the server replies with, TLS is enabled on your Postfix server. Telnet only shows that STARTTLS is advertised; to confirm that the handshake completes and that the certificate chain validates, use openssl s_client -starttls smtp -connect mailserver:25 and check the Verify return code at the end of its output, and look at the handshake summary that smtpd_tls_loglevel = 1 writes to the mail log.
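As an added example, not part of the original tutorial, the script below turns the telnet check into something you can run unattended, and adds the handshake test that telnet cannot do. The hostname mail.testdomain.example is a placeholder, and the CA bundle path /etc/pki/tls/certs/ca-bundle.crt is assumed to be CentOS 6's default; the EHLO and s_client output used in the comments is constructed for illustration.

```bash
#!/bin/bash
# Added example: scripted version of the telnet STARTTLS check, plus a real
# TLS handshake and chain validation with openssl s_client.
# mail.testdomain.example is a placeholder; the CA bundle path is an
# assumption (CentOS 6 default location).
set -e

# Read an EHLO reply on stdin and succeed if STARTTLS is among the
# extensions. Postfix lists it as "250-STARTTLS", or "250 STARTTLS" when it
# happens to be the final line of the reply.
ehlo_offers_starttls() {
    tr -d '\r' | grep -qiE '^250[- ]STARTTLS[[:space:]]*$'
}

# Do what the telnet session does by hand: open port 25, send EHLO then
# QUIT, and print the whole conversation (bash /dev/tcp, no telnet needed).
ehlo_probe() {
    host=$1
    exec 3<>"/dev/tcp/$host/25"
    printf 'EHLO probe.example\r\nQUIT\r\n' >&3
    cat <&3
    exec 3>&-
}

# Pull the numeric "Verify return code" out of openssl s_client output.
# 0 means the chain validated against the CA bundle; 21 ("unable to verify
# the first certificate") usually means the intermediate certificate is
# missing from the file smtpd_tls_cert_file points at.
verify_return_code() {
    sed -n 's/^Verify return code: \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Advertising STARTTLS is not enough: complete the handshake and validate
# the chain the server sends, which telnet cannot do.
tls_handshake_ok() {
    host=$1; cafile=${2:-/etc/pki/tls/certs/ca-bundle.crt}
    code=$(openssl s_client -starttls smtp -connect "$host:25" -CAfile "$cafile" \
        </dev/null 2>/dev/null | verify_return_code)
    [ "$code" = "0" ]
}

# Usage (placeholder hostname):
#   ehlo_probe mail.testdomain.example | ehlo_offers_starttls && echo "STARTTLS advertised"
#   tls_handshake_ok mail.testdomain.example && echo "handshake OK, chain validates"
```

Run the second check from a host other than the mail server itself, so that you see the certificate chain the way a remote MTA sees it rather than with the server's own CA files in play.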