Now that we've created our self-signed certificate (see the previous article) we can go ahead and configure Postfix to use it.
As with the previous Postfix configuration, we need to edit the main.cf file:
sudo nano /etc/postfix/main.cf
Towards the bottom of this file we will add the following TLS parameters:
smtpd_tls_security_level = may
smtpd_tls_key_file = /etc/pki/tls/private/mail.demoslice.com.key
smtpd_tls_cert_file = /etc/pki/tls/certs/mail.demoslice.com.cert
smtpd_tls_loglevel = 1
smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_session_cache_database = btree:/var/spool/postfix/smtpd_tls_cache
tls_random_source = dev:/dev/urandom
Now let's take a quick look at what we have done to get a basic grasp on what each setting accomplishes.
Smtpd tls security level
The security level setting enables TLS on the SMTP server so that clients can encrypt the session, including SASL authentication, by issuing STARTTLS.
The use of 'may' in this setting replaces the deprecated use of 'yes' in older versions of Postfix.
smtpd_tls_security_level = may
Smtpd tls key file and Smtpd tls cert file
These options are largely self-explanatory: they specify the locations of the self-signed certificate and the key file we generated in the previous article.
smtpd_tls_key_file = /etc/pki/tls/private/mail.demoslice.com.key
smtpd_tls_cert_file = /etc/pki/tls/certs/mail.demoslice.com.cert
Smtpd tls loglevel
If TLS is not working properly, how are we going to know what the problem is?
Setting the log level to 1 makes Postfix record TLS handshake and certificate information in the mail log, which is the first place to look when TLS is not working.
smtpd_tls_loglevel = 1
Smtpd tls session cache
Repeatedly negotiating TLS session keys for each connection we make to the mail server can be quite tedious and cause considerable strain on our slice.
To resolve this issue, we are going to cache the sessions for 3600s or 1 hour.
smtpd_tls_session_cache_timeout = 3600s
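As an added example (not from the original article), the following shell script checks a main.cf for the settings discussed above before Postfix is reloaded: that the security level actually offers STARTTLS, that the key and certificate paths resolve to readable files, and that the private key is not group- or world-readable. The main.cf, key and certificate it inspects are constructed placeholders written to a temporary directory, so it runs without a Postfix installation; it assumes a POSIX awk and find. It also reports on one parameter the article's settings do not include, smtpd_tls_auth_only, which makes Postfix offer AUTH only after the session has been encrypted.

```shell
#!/bin/sh
# Added example (not from the original article): sanity-check the TLS settings in
# a Postfix main.cf before reloading. The main.cf, key and certificate used below
# are constructed placeholders written to a temporary directory.

# postfix_param FILE NAME -> prints NAME's value from FILE. Comment lines are
# skipped and, as in Postfix, the last definition of a parameter wins.
postfix_param() {
    awk -v name="$2" '
        /^[ \t]*#/ { next }
        /^[ \t]*[A-Za-z0-9_]+[ \t]*=/ {
            key = $0; sub(/[ \t]*=.*$/, "", key); gsub(/[ \t]/, "", key)
            if (key == name) {
                val = substr($0, index($0, "=") + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", val)
                found = val
            }
        }
        END { print found }
    ' "$1"
}

# check_tls_config FILE -> one PASS/WARN/FAIL line per check; returns 1 if any FAIL.
check_tls_config() {
    rc=0
    level=$(postfix_param "$1" smtpd_tls_security_level)
    case "$level" in
        may)     echo "PASS smtpd_tls_security_level=may (STARTTLS offered, not required)" ;;
        encrypt) echo "PASS smtpd_tls_security_level=encrypt (TLS required)" ;;
        none|"") echo "FAIL smtpd_tls_security_level is '$level': STARTTLS will not be offered"; rc=1 ;;
        *)       echo "WARN smtpd_tls_security_level='$level' is not recognised by this check" ;;
    esac
    for p in smtpd_tls_key_file smtpd_tls_cert_file; do
        f=$(postfix_param "$1" "$p")
        if [ -z "$f" ]; then
            echo "FAIL $p is not set"; rc=1
        elif [ ! -r "$f" ]; then
            echo "FAIL $p = $f is missing or unreadable"; rc=1
        else
            echo "PASS $p = $f"
        fi
    done
    # The private key must be readable by its owner only.
    key=$(postfix_param "$1" smtpd_tls_key_file)
    if [ -n "$key" ] && [ -r "$key" ]; then
        if find "$key" \( -perm -g+r -o -perm -o+r \) -print | grep -q .; then
            echo "FAIL $key is group- or world-readable (chmod 600 it)"; rc=1
        else
            echo "PASS $key is readable only by its owner"
        fi
    fi
    if [ "$(postfix_param "$1" smtpd_tls_auth_only)" = yes ]; then
        echo "PASS smtpd_tls_auth_only=yes (AUTH offered only after STARTTLS)"
    else
        echo "WARN smtpd_tls_auth_only is not 'yes': with level 'may' a client may still authenticate in plaintext"
    fi
    return $rc
}

# make_sample_config DIR -> writes a constructed key, certificate and main.cf
# (the article's settings, with paths pointing at DIR) and prints the main.cf path.
make_sample_config() {
    dir=$1
    printf 'constructed placeholder, not a real key\n' > "$dir/mail.key"
    chmod 600 "$dir/mail.key"
    printf 'constructed placeholder, not a real certificate\n' > "$dir/mail.cert"
    cat > "$dir/main.cf" <<EOF
# TLS parameters (constructed sample mirroring the article)
smtpd_tls_security_level = may
smtpd_tls_key_file = $dir/mail.key
smtpd_tls_cert_file = $dir/mail.cert
smtpd_tls_loglevel = 1
smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_session_cache_database = btree:/var/spool/postfix/smtpd_tls_cache
tls_random_source = dev:/dev/urandom
EOF
    echo "$dir/main.cf"
}

# Stand-alone run: build the sample configuration and check it.
demo_dir=$(mktemp -d)
check_tls_config "$(make_sample_config "$demo_dir")" || true
rm -rf "$demo_dir"
```

Run against a real server with `check_tls_config /etc/postfix/main.cf`; the WARN for smtpd_tls_auth_only is expected with the article's settings and is the one to act on if the server will accept password logins.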
Everything sound good so far?
Great, now we can enable these settings and then give it a quick test run.
As with any change to the Postfix configuration, we need to reload Postfix before the new settings take effect.
sudo /etc/init.d/postfix reload
To test that our mail server is now correctly configured to handle TLS encrypted sessions, we use the telnet command:
telnet mail.demoslice.com 25
This will open a telnet session on port 25 of our slice and we should see a similar response to the following:
Trying 127.0.0.1...
Connected to mail.demoslice.com (127.0.0.1).
Escape character is '^]'.
220 mail.demoslice.com ESMTP Postfix
Alright so far so good.
Now we want to list all of the enabled features of our mail server using the EHLO command:
EHLO demoslice.com
250-mail.demoslice.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
The STARTTLS line shows that TLS is enabled on our server, as expected.
To leave the telnet session simply enter the quit command.
quit
221 2.0.0 Bye
Connection closed by foreign host.
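Reading the EHLO response by eye works for one server; the following added shell example (not part of the original article) does the same audit over a captured transcript. The transcripts it uses are constructed, the first mirroring the response shown above. It checks for the STARTTLS line the article looks for, and also for a point worth noticing in that response: AUTH is advertised on the still-unencrypted session, so a client that never issues STARTTLS is allowed to send its password in the clear. Postfix hides AUTH until after STARTTLS when smtpd_tls_auth_only = yes is set. The optional live capture helper assumes a netcat binary named nc is installed.

```shell
#!/bin/sh
# Added example (not from the original article): audit a captured EHLO response
# for STARTTLS and for AUTH being offered before encryption. Transcripts below are
# constructed; the first is the response shown in the article.

# ehlo_advertises FEATURE FILE -> succeeds if the EHLO response in FILE lists
# FEATURE ("250-FEATURE", "250 FEATURE", "250-FEATURE args" or "250-FEATURE=args").
ehlo_advertises() {
    grep -Eiq "^250[- ]$1([ =]|$)" "$2"
}

# audit_ehlo FILE -> prints findings; returns 0 if STARTTLS is offered and AUTH
# is not exposed on the plaintext session, 1 if STARTTLS is missing, 2 if
# STARTTLS is present but AUTH is also offered before encryption.
audit_ehlo() {
    if ! ehlo_advertises STARTTLS "$1"; then
        echo "FAIL STARTTLS not advertised: check smtpd_tls_security_level and the key/cert paths"
        return 1
    fi
    echo "PASS STARTTLS advertised"
    if ehlo_advertises AUTH "$1"; then
        echo "WARN AUTH offered on the unencrypted session; a client may send its password in the clear"
        echo "     (Postfix hides AUTH until after STARTTLS when smtpd_tls_auth_only = yes)"
        return 2
    fi
    echo "PASS AUTH is only available after STARTTLS"
    return 0
}

# capture_ehlo HOST FILE -> records the banner and EHLO response from a live
# server into FILE. Assumes an `nc` binary is installed; not exercised below.
capture_ehlo() {
    printf 'EHLO %s\r\nQUIT\r\n' "$(hostname)" | nc -w 5 "$1" 25 > "$2"
}

# write_sample_transcripts DIR -> writes three constructed transcripts into DIR.
write_sample_transcripts() {
    dir=$1
    # Constructed: the response from the article (AUTH offered in plaintext).
    cat > "$dir/plain_auth.txt" <<'EOF'
220 mail.demoslice.com ESMTP Postfix
250-mail.demoslice.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
EOF
    # Constructed: the same server with smtpd_tls_auth_only = yes (AUTH hidden).
    grep -v '^250-AUTH' "$dir/plain_auth.txt" > "$dir/tls_auth_only.txt"
    # Constructed: TLS not configured at all (no STARTTLS line).
    grep -v '^250-STARTTLS' "$dir/tls_auth_only.txt" > "$dir/no_tls.txt"
}

# Stand-alone run: audit each constructed transcript.
demo_dir=$(mktemp -d)
write_sample_transcripts "$demo_dir"
for t in plain_auth tls_auth_only no_tls; do
    echo "== $t"
    audit_ehlo "$demo_dir/$t.txt" || true
done
rm -rf "$demo_dir"
```

To audit a real server, capture first and then audit the file: `capture_ehlo mail.demoslice.com /tmp/ehlo.txt; audit_ehlo /tmp/ehlo.txt`.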
Configuring Postfix to use our self-signed or purchased certificate allows clients to connect to the mail server over an encrypted connection.
Now we can concentrate on installing Dovecot so we have POP and IMAP access to the mail server.