Using TLS Encryption with Postfix on CentOS 6

This tutorial is based on CentOS 6.4 Linux.
Asymmetric encryption uses a key pair: a public key and a private key. With asymmetric encryption we use digital certificates to discover other people's public keys. A certificate stores information such as the organization name, the user's email address, the department and so on. Before encrypted communication starts, one party sends its public certificate to the other party, which extracts the public key from it.

In this tutorial we will look at securing Postfix SMTP communications with SSL certificates. Using TLS encryption ensures that messages transferred over SMTP are protected in transit between the two mail servers and cannot be read by a third party on that hop. In some cases, for example when dealing with MTAs operated by some banks, you must implement TLS on your mail servers. Opportunistic TLS encryption for all inbound mail messages may also be a requirement.

Implementing TLS encryption with Postfix on CentOS 6 is fairly straightforward.

First make sure OpenSSL is installed.

If it is not, run:

yum install openssl

Create the private key and the CSR by running the following commands (the directory matches the paths used in main.cf below):

mkdir /etc/postfix/ssl
cd /etc/postfix/ssl
openssl req -new -nodes -keyout testdomain.key -out testdomainmail.csr

and fill out the requested information. The -nodes option leaves the private key unencrypted so that Postfix can load it at startup; for that reason the key file should remain readable only by root.

Submit the CSR to a CA

The process of submitting the CSR to a CA depends on which CA you choose to deal with. In most cases the process is trivial and boils down to pasting the CSR into the CA's website.

Install the certificates into the created directory

You will most likely get the certificates back by email. Download them to the Linux box that is running Postfix and place them in the following directory. If the CA also sends intermediate certificates, append them to the server certificate file after the server certificate itself, so that connecting clients can build the full chain.

/etc/postfix/ssl/

Configure Postfix

Edit main.cf:

vi /etc/postfix/main.cf

and append the text below. smtpd_tls_auth_only = yes makes Postfix offer SASL authentication only after STARTTLS, so passwords are never sent in the clear.

smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/postfix/ssl/testdomain.key
smtpd_tls_cert_file = /etc/postfix/ssl/testdomainmail.crt
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

After reloading Postfix so that the new settings take effect, you can test that TLS is enabled by connecting with telnet and, once connected, issuing an EHLO command followed by your host name:

telnet mailserver 25

As long as the EHLO response contains the line

250 STARTTLS

TLS is enabled on your Postfix server. Note that this only confirms that STARTTLS is offered; it does not check that the certificate chain verifies or which protocol version and cipher are negotiated.
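As an added example (not part of the original tutorial), the following POSIX shell script collects the checks a practitioner would want after reloading Postfix: that the private key is not readable by group or others, that the key and the certificate actually belong together, which TLS settings Postfix has in effect, and a real STARTTLS handshake with certificate chain verification, which the telnet test above cannot do. It also includes a small parser for the EHLO response that is exercised with a constructed sample reply. The file paths and the host name mailserver are taken from the tutorial; the CA directory /etc/pki/tls/certs is the CentOS default and is an assumption, as is the script name check_postfix_tls.sh.

```shell
#!/bin/sh
# Added example, not part of the original tutorial. Post-install checks for the
# Postfix TLS setup described above. Paths and host name come from the tutorial;
# the CA directory is the CentOS default (assumption). Run as root after
# "postfix reload" with:  sh check_postfix_tls.sh --run

KEY_FILE=/etc/postfix/ssl/testdomain.key
CERT_FILE=/etc/postfix/ssl/testdomainmail.crt
MAIL_HOST=mailserver
CA_DIR=/etc/pki/tls/certs

# key_perms_ok FILE: succeed only if FILE exists and is not readable by group or
# others. Parses "ls -l" rather than stat, whose flags differ between platforms.
key_perms_ok() {
    mode=$(ls -ld "$1" 2>/dev/null | cut -c1-10)
    case "$mode" in
        ????------) return 0 ;;   # e.g. -rw-------: group/other bits all clear
        *)          return 1 ;;   # too permissive, or file missing (empty mode)
    esac
}

# key_matches_cert KEY CERT: compare the RSA modulus of both files. A mismatch
# means the CA issued the certificate for a different key than the one Postfix
# will load, and every TLS handshake will fail.
key_matches_cert() {
    k=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null) || return 1
    c=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# ehlo_advertises_starttls: read an EHLO response on stdin and succeed if the
# server lists STARTTLS. Postfix ends lines with CRLF, hence [[:space:]]*$.
ehlo_advertises_starttls() {
    grep -q -E '^250[- ]STARTTLS[[:space:]]*$'
}

# live_starttls_check HOST: perform the STARTTLS handshake and verify the chain
# against the system CA store; "Verify return code: 0 (ok)" is what you want.
live_starttls_check() {
    openssl s_client -starttls smtp -connect "$1:25" -CApath "$CA_DIR" \
        </dev/null 2>/dev/null | grep -E 'Protocol|Cipher|Verify return code'
}

main() {
    if key_perms_ok "$KEY_FILE"; then
        echo "ok:   private key not readable by group/other"
    else
        echo "WARN: $KEY_FILE missing or too permissive (chmod 600)"
    fi
    if key_matches_cert "$KEY_FILE" "$CERT_FILE"; then
        echo "ok:   private key matches certificate"
    else
        echo "FAIL: key/certificate mismatch or unreadable files"
    fi
    # Effective TLS settings as Postfix sees them (postconf ships with Postfix).
    command -v postconf >/dev/null 2>&1 && postconf -n | grep -E '^(smtpd_tls|tls_)'
    live_starttls_check "$MAIL_HOST"
}

case "${1:-}" in
    --run) main ;;
esac
```

The checks are only run when the script is invoked with --run, so the functions can also be sourced from another script. The EHLO parser accepts both "250-STARTTLS" (continuation line) and "250 STARTTLS" (last line of the reply), since which form Postfix prints depends on the order of the extensions it advertises.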