CentOS - Mail Server - Secure Connection, Configuring Postfix

Now that we've created our self-signed certificate (see the previous article) we can go ahead and configure Postfix to use it.


As with the previous Postfix configuration, we need to edit the main.cf file:

sudo nano /etc/postfix/main.cf

TLS Parameters

Towards the bottom of this file we will add the following TLS parameters:

smtpd_tls_security_level = may
smtpd_tls_key_file = /etc/pki/tls/private/mail.demoslice.com.key
smtpd_tls_cert_file = /etc/pki/tls/certs/mail.demoslice.com.cert
smtpd_tls_loglevel = 1
smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_session_cache_database = btree:/var/spool/postfix/smtpd_tls_cache
tls_random_source = dev:/dev/urandom



Now let's take a quick look at what we have done to get a basic grasp on what each setting accomplishes.

Smtpd tls security level

The security level setting allows us to enable the use of TLS to encrypt our SASL authentication sessions.

The use of 'may' in this setting replaces the deprecated use of 'yes' in older versions of Postfix.

smtpd_tls_security_level = may

Smtpd tls key file and Smtpd tls cert file

These options, while somewhat self-explanatory, would be used to specify the location of the self-signed certificate as well as the key file we generated in the previous article (link).

smtpd_tls_key_file = /etc/pki/tls/private/mail.demoslice.com.key
smtpd_tls_cert_file = /etc/pki/tls/certs/mail.demoslice.com.cert

Smtpd tls loglevel

If TLS is not working properly, how are we going to know what the problem is?


We can gather further information by setting the loglevel to 1 as it will log TLS sessions to the postfix mail log.

smtpd_tls_loglevel = 1

Smtpd tls session cache

Repeatedly negotiating TLS session keys for each connection we make to the mail server can be quite tedious and cause considerable strain on our slice.

To resolve this issue, we are going to cache the sessions for 3600s or 1 hour.

smtpd_tls_session_cache_timeout = 3600s

Everything sound good so far?

Great, now we can enable these settings and then give it a quick test run.


As with any changes we make to the Postfix configuration, we need to perform a reload before they take effect and begin working as expected.

sudo /etc/init.d/postfix reload



To test that our mail server is now correctly configured to handle TLS encrypted sessions, we use the telnet command:

telnet mail.demoslice.com 25

This will open a telnet session on port 25 of our slice and we should see a similar response to the following:

Connected to mail.demoslice.com (
Escape character is '^]'.
220 mail.demoslice.com ESMTP Postfix

Alright so far so good.

Now we want to list all of the enabled features of our mail server using the EHLO command:

EHLO demoslice.com
250-SIZE 10240000
250 DSN


The STARTTLS setting lets us know that TLS is enabled on our server just like we would expect.

To leave the telnet session simply enter the quit command.

221 2.0.0 Bye
Connection closed by foreign host.


Configuring Postfix to use our self-signed or purchased certificates allows us to have a secure connection when connecting to the mail server.

Now we can concentrate on installing Dovecot so we have pop and imap access to the mail server.

Article Comments:

Jon Stephens commented Tue Feb 16 09:17:04 UTC 2010:

For CentOS5.4 you have to install cyrus-sasl-plain or you get errors like this in your /var/log/maillog:

warning: xsaslcyrusservergetmechanism_list: no applicable SASL mechanisms fatal: no SASL authentication mechanisms

The fix:

yum install cyrus-sasl-plain /etc/init.d/saslauthd restart

Ollie Treend commented Tue Aug 10 20:44:43 UTC 2010:

I've been following many of your brilliant tutorials on how to setup a CentOS server. Thank you so much for them!

I've followed this Postfix tutorial to the letter (as well as a slightly different tutorial at another website). I've created my key & cert, added it to the config, connected to the server via telnet, etc etc.

But still I have no luck! :( and I have no idea why. Everything I see on the internet suggests that STARTTLS / TLS & SMTP should 'just work' from this point forward. But I am receiving the following error in Thunderbird:

"An error occurred sending mail: The mail server sent an incorrect greeting: Cannot connect to SMTP server (, connect error 10061."

However, I can connect & send email perfectly when I don't use any encryption.

The firewall is open, and I know the server advertises STARTTLS support from the telnet connection.

Do you have any further advice to help me out? I've been working at it & Googling for hours with absolutely no joy.

Thank you


Jered commented Wed Aug 11 08:14:41 UTC 2010:

It's possible you haven't told Thunderbird that the account should use SSL. Check for a setting in the mail account in your client that enables SSL. Both the mail server and the mail client need to know to use SSL in order for it to work.

Want to comment?

(not made public)


(use plain text or Markdown syntax)