Mail server - secure connection, configuring Postfix

Now that we've created our self-signed certificate (see the previous article), we can go ahead and configure Postfix to use it.

As with the previous Postfix configuration we need to edit the file:

sudo nano /etc/postfix/

TLS parameters

Halfway down the file you will see the section headed 'TLS parameters' with the following default entries:

smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

It may be easier to simply delete the existing default entries as shown above.

We will be replacing them with the following entries:

smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_authenticated_header = yes
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_use_tls = yes
smtpd_tls_cert_file = /etc/ssl/certs/mailcert.pem
smtpd_tls_key_file = $smtpd_tls_cert_file

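Take a look at what we have done: we enable SASL authentication and secure (TLS) connections, define which connections we will accept and, lastly, define where the self-signed certificate is located. Because smtpd_tls_key_file points at $smtpd_tls_cert_file, the single 'pem' file is expected to hold both the certificate and the private key.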

I don't have a pem!

If you purchased a certificate or created a self-signed one using a different technique, you may find you don't actually have a 'pem' file but instead have two files.

One will end with 'cert', the other will end with 'key'.

If that is the case you would change the final two lines shown above to something like this:

smtpd_tls_cert_file = /etc/ssl/cert/mailcert.cert
smtpd_tls_key_file = /etc/ssl/private/mailcert.key

Of course, you would replace the path and name of the two files with your own but all you need to do is define the locations of both files.
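To check a configuration like the two variants above before reloading Postfix, here is a small auditor, added as an example and not part of the original article. It parses main.cf-style text (continuation lines and $name references included) and looks only at the parameters named on this page: it flags AUTH being offered outside TLS (smtpd_tls_auth_only defaults to no) and a private key that lives in the same file as the certificate, which then has to be readable by root only. The sample input and the finding names are constructed for the example.

```python
import re

# Constructed sample: the article's entries as they would appear in main.cf.
ARTICLE_CF = """\
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_mynetworks,
    permit_sasl_authenticated, reject_unauth_destination
smtpd_use_tls = yes
smtpd_tls_cert_file = /etc/ssl/certs/mailcert.pem
smtpd_tls_key_file = $smtpd_tls_cert_file
"""

def parse_main_cf(text):
    """Return {name: raw value}; a line starting with whitespace continues the last one."""
    params, name = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank and comment lines are ignored
        if line[0].isspace() and name:
            params[name] += " " + line.strip()
        elif "=" in line:
            name, _, value = line.partition("=")
            name = name.strip()
            params[name] = value.strip()  # a later definition overrides an earlier one
    return params

def expand(params, value, depth=0):
    """Resolve $name, ${name} and $(name) references to other parameters."""
    if depth > 10:  # stop on self-referencing definitions
        return value
    def sub(m):
        ref = m.group(1) or m.group(2) or m.group(3)
        return expand(params, params.get(ref, ""), depth + 1)
    return re.sub(r"\$(?:\{(\w+)\}|\((\w+)\)|(\w+))", sub, value)

def audit(text):
    """Return findings for the smtpd TLS/SASL parameters named in the article."""
    p = parse_main_cf(text)
    val = lambda k, default="": expand(p, p.get(k, default))
    findings = []
    if val("smtpd_use_tls") != "yes":
        findings.append("tls-not-enabled")
    if val("smtpd_sasl_auth_enable") == "yes" and val("smtpd_tls_auth_only") != "yes":
        findings.append("auth-offered-before-starttls")
    cert = val("smtpd_tls_cert_file")
    key = val("smtpd_tls_key_file", "$smtpd_tls_cert_file")  # Postfix's default
    if cert and key == cert:
        findings.append("private-key-inside-cert-file")
    return findings

if __name__ == "__main__":
    print(audit(ARTICLE_CF))
```

Run against the article's entries it reports both findings; with the key in its own file and smtpd_tls_auth_only = yes added, it reports none.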


Configuring Postfix to use our self-signed or purchased certificates allows us to have a secure connection when connecting to the mail server.

Now we can concentrate on installing Courier so we have POP and IMAP access to the mail server.


Article Comments:

Steve commented Wed Sep 17 01:24:37 UTC 2008:

I purchased a cert from GoDaddy and have 3 files... A cert, a key, and a chain/bundle file. Do I need the chain/bundle file? I know I had to use it to setup SSL in Apache.

Dave Woodward commented Fri Sep 26 14:55:32 UTC 2008:

Steve, I've had success just taking the contents of the chain/bundle file and inserting them at the end of the cert file (it's all just text anyway).

This way you can just reference the one .crt file in your configs, and it will contain the cert, and chain/bundle files all inside it.

It's important to also note that for the GoDaddy certs, the chain/bundle files are absolutely required in all situations to prevent any errors authenticating the certificate.

chovy commented Sat May 16 06:55:31 UTC 2009:

my smtp doesn't work with SSL when I test it.

Brian Armstrong commented Mon May 18 22:53:55 UTC 2009:

Yep I have to GoDaddy cert.

I followed an article (this one I think) to combine the two files as Dave Woodward mentioned above:

Now my two lines look like this for postfix:

smtpd_tls_cert_file = /etc/ssl/certs/combined.crt
smtpd_tls_key_file = /etc/ssl/private/myssl.key

racy_rick commented Fri Aug 28 17:18:53 UTC 2009:

I have a godaddy cert for our domain. We utilize it for our web ssl and I want to use it for postfix too. I get these errors, even after I've included the bundle and the certs/key.

Is there anywhere I can embed the pass phrase? I have a bash script that does it for me in apache.


Aug 28 12:04:50 racy postfix/smtpd[26315]: warning: cannot get private key from file /etc/ssl/cert/racycom.key
Aug 28 12:04:50 racy postfix/smtpd[26315]: warning: TLS library problem: 26315:error:0906406D:PEM routines:PEM_def_callback:problems getting password:pem_lib.c:105:
Aug 28 12:04:50 racy postfix/smtpd[26315]: warning: TLS library problem: 26315:error:0906A068:PEM routines:PEM_do_header:bad password read:pem_lib.c:403:
Aug 28 12:04:50 racy postfix/smtpd[26315]: warning: TLS library problem: 26315:error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib:ssl_rsa.c:669:

Indrid commented Sat Sep 05 00:41:07 UTC 2009:

To enable use of port 587 from Thunderbird, I had to make the edit to /etc/postfix/ described here:

Beverly G commented Wed Dec 16 08:23:36 UTC 2009:

Useful command to see certificate via command line:

openssl s_client -starttls smtp -crlf -connect SERVER:PORT

You should get certificate information as you're connected to your mail server

Dmitry commented Wed Aug 04 12:15:31 UTC 2010:

To prevent unencrypted authorization, add smtpd_tls_auth_only = yes to

dennis commented Thu Feb 28 12:11:19 UTC 2013:

I had the following error on a 10.04 LTS setup (in /var/log/mail.err) - which meant that I could not use TLS. When I removed the lines concerning TLS, it worked fine.

fatal: SASL per-process initialization failed

I had to add the following into my /etc/postfix/

smtpd_sasl_path = /var/spool/postfix/var/run/saslauthd

Solution was found here:

Great setup by the way, and still after some years a great resource for mail server setup!
