Dec 11, 2009
It’s time to make our SMTP transactions encrypted using TLS. TLS stands for Transport Layer Security; it encrypts the communication between two hosts.
As usual when building the Postfix RPM package, I recommend using the tutorial on how to compile the Postfix source RPM at Simon J Mudd’s website.
When you’re done compiling Postfix with TLS support, continue with the steps below to create self-signed Postfix TLS certificates.
- Certificates part
# cd /etc/postfix
# mkdir ssl
# cd ssl
# mkdir certs crl newcerts private
# echo "01" > serial
# cp /dev/null index.txt
# cat /etc/pki/tls/openssl.cnf | sed -e 's/\/etc\/pki\/CA/\./' | sed -e 's/\.\/demoCA/\./' > openssl.cnf
# openssl req -new -x509 -keyout private/cakey.pem -out cacert.pem -days 3650 -config openssl.cnf
# openssl req -nodes -new -x509 -keyout newreq.pem -out newreq.pem -days 3650 -config openssl.cnf
# openssl x509 -x509toreq -in newreq.pem -signkey newreq.pem -out tmp.pem
# openssl ca -config openssl.cnf -policy policy_anything -out newcert.pem -infiles tmp.pem
# cp cacert.pem /etc/postfix
# grep -B 100 "END PRIVATE KEY" newreq.pem > /etc/postfix/key.pem
# chmod 400 /etc/postfix/key.pem
# cp newcert.pem /etc/postfix/cert.pem
- Postfix configuration part (/etc/postfix/main.cf)
smtpd_use_tls = yes
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_tls_session_cache
smtp_tls_note_starttls_offer = yes
smtpd_tls_key_file = /etc/postfix/key.pem
smtpd_tls_cert_file = /etc/postfix/cert.pem
smtpd_tls_CAfile = /etc/postfix/cacert.pem
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
Create an empty file named smtpd_tls_session_cache in /var/lib/postfix/:
# cp /dev/null /var/lib/postfix/smtpd_tls_session_cache
Reload Postfix:
# postfix reload
Test by telnetting to the server on port 25 and issuing EHLO, then STARTTLS:
telnet smtp.domain.net 25
Trying 202.127.97.230...
Connected to smtp.domain.net.
Escape character is '^]'.
220 smtp.domain.net ESMTP Postfix (2.6.5-20090828)
ehlo host.domain.com
250-smtp.domain.net
250-PIPELINING
250-SIZE 52428800
250-ETRN
250-STARTTLS
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
STARTTLS
220 2.0.0 Ready to start TLS
Or, alternatively, test it with the openssl s_client command:
# openssl s_client -connect smtp.domain.net:25 -starttls smtp
CONNECTED(00000003)
--- SNIPPED ---
--- SNIPPED ---
--- SNIPPED ---
---
Certificate chain
--- SNIPPED ---
--- SNIPPED ---
--- SNIPPED ---
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIEPDCCAySgAwIBAgIBATANBgkqhkiG9w0BAQUFADCBojELMAkGA1UEBhMCSUQx
FDASBgNVBAgMC0RLSSBKYWthcnRhMRAwDgYDVQQHDAdKYWthcnRhMRcwFQYDVQQK
--- SNIPPED ---
-----END CERTIFICATE-----
--- SNIPPED ---
---
No client certificate CA names sent
---
SSL handshake has read 3226 bytes and written 349 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: --- SNIPPED ---
Session-ID-ctx:
Master-Key: --- SNIPPED ---
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
TLS session ticket:
0000 - 88 ac 8b e5 ed 78 bf 89-dd a4 27 e4 c8 69 63 46 .....x....'..icF
0010 - e7 e9 28 2a 04 03 5e 24-3b 24 78 2c 5d f5 94 1f ..(*..^$;$x,]...
0020 - 3d ca f4 44 bf 81 4f 1b-28 f1 2f 78 eb 50 9a 5a =..D..O.(./x.P.Z
--- SNIPPED ---
Compression: 1 (zlib compression)
Start Time: 1260492174
Timeout : 300 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
---
250 DSN
quit
221 2.0.0 Bye
closed
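The telnet and s_client checks above show STARTTLS being offered, but since no CA file was given to s_client it could not verify the chain (return code 19). The following added example (not from the original post) speaks the same EHLO/STARTTLS exchange from Python and verifies the server certificate against the cacert.pem created in the certificates part; the client name probe.example.invalid, the host and the CA path are assumptions, and SAMPLE_EHLO_REPLY is constructed from the telnet transcript above.

```python
import socket
import ssl

# SAMPLE_EHLO_REPLY is constructed from the telnet transcript above, not captured live.
SAMPLE_EHLO_REPLY = ["250-smtp.domain.net", "250-PIPELINING", "250-SIZE 52428800",
                     "250-ETRN", "250-STARTTLS", "250-AUTH LOGIN PLAIN", "250-AUTH=LOGIN PLAIN",
                     "250-ENHANCEDSTATUSCODES", "250-8BITMIME", "250 DSN"]

def read_reply(sock):
    """Read one SMTP reply; its last line has a space (not '-') right after the 3-digit code."""
    data = b""
    while not data.endswith(b"\r\n") or data.rsplit(b"\r\n", 2)[-2][3:4] != b" ":
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("server closed the connection")
        data += chunk
    return data.decode("ascii", "replace").split("\r\n")[:-1]

def parse_ehlo_extensions(reply_lines):
    """Map '250-SIZE 52428800' style lines to {'SIZE': '52428800'}; line one is the hostname."""
    exts = {}
    for line in reply_lines[1:]:
        keyword, _, params = line[4:].strip().partition(" ")
        if line.startswith("250") and keyword:
            exts[keyword.upper()] = params
    return exts

def auth_offered_in_clear(exts):  # AUTH before STARTTLS: a careless client may send its password in clear
    return any(k == "AUTH" or k.startswith("AUTH=") for k in exts)

def probe(host, cafile, port=25, timeout=10):
    """EHLO, STARTTLS, then verify the server certificate and hostname against cafile."""
    ctx = ssl.create_default_context(cafile=cafile)  # chain is checked against cacert.pem
    with socket.create_connection((host, port), timeout=timeout) as sock:
        read_reply(sock)                                  # 220 greeting banner
        sock.sendall(b"EHLO probe.example.invalid\r\n")  # assumed client name
        exts = parse_ehlo_extensions(read_reply(sock))
        result = {"starttls": "STARTTLS" in exts, "auth_in_clear": auth_offered_in_clear(exts)}
        if result["starttls"]:
            sock.sendall(b"STARTTLS\r\n")
            result["starttls"] = read_reply(sock)[0].startswith("220")  # 220 2.0.0 Ready to start TLS
        if not result["starttls"]:
            return result
        try:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:  # handshake happens here
                result.update(verified=True, protocol=tls.version(), cipher=tls.cipher()[0])
                tls.sendall(b"QUIT\r\n")
        except ssl.SSLCertVerificationError as exc:  # what s_client above showed as return code 19
            result.update(verified=False, verify_error=exc.verify_message)
    return result
```

Call probe("smtp.domain.net", "/etc/postfix/cacert.pem") from a client host to get the negotiated protocol, cipher and verification result. auth_in_clear is True for the EHLO shown above; setting smtpd_tls_auth_only = yes in main.cf makes Postfix advertise AUTH only after STARTTLS.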
We’re done, good luck
One Response to “Postfix TLS Support On Fedora 12”
Thanks for this great guide. You are a postfix genius.