Dec 11, 2009
 

It’s time to make our SMTP transactions encrypted using TLS. TLS stands for Transport Layer Security; it encrypts the communication between two hosts.

As usual when building a Postfix RPM package, I recommend using the tutorial on how to compile Postfix from the RPM source at Simon J Mudd’s website.

When you’ve finished compiling Postfix with TLS support, continue with these steps to create self-signed Postfix TLS certificates:

  • Certificates part
    # cd /etc/postfix
    # mkdir ssl
    # cd ssl
    # mkdir certs crl newcerts private
    # echo "01" > serial
    # cp /dev/null index.txt
    # cat /etc/pki/tls/openssl.cnf | sed -e 's/\/etc\/pki\/CA/\./' | sed -e 's/\.\/demoCA/\./' > openssl.cnf

    # openssl req -new -x509 -keyout private/cakey.pem -out cacert.pem -days 3650 -config openssl.cnf
    # openssl req -nodes -new -x509 -keyout newreq.pem -out newreq.pem -days 3650 -config openssl.cnf
    # openssl x509 -x509toreq -in newreq.pem -signkey newreq.pem -out tmp.pem

    # openssl ca -config openssl.cnf -policy policy_anything -out newcert.pem -infiles tmp.pem

    # cp cacert.pem /etc/postfix
    # grep -B 100 "END PRIVATE KEY" newreq.pem > /etc/postfix/key.pem
    # chmod 400 /etc/postfix/key.pem
    # cp newcert.pem /etc/postfix/cert.pem


  • Postfix part (in main.cf)
    smtpd_use_tls = yes
    smtpd_tls_loglevel = 1
    smtpd_tls_received_header = yes
    smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_tls_session_cache
    smtp_tls_note_starttls_offer = yes
    smtpd_tls_key_file = /etc/postfix/key.pem
    smtpd_tls_cert_file = /etc/postfix/cert.pem
    smtpd_tls_CAfile = /etc/postfix/cacert.pem
    smtpd_tls_session_cache_timeout = 3600s
    tls_random_source = dev:/dev/urandom

Create an empty file named smtpd_tls_session_cache in /var/lib/postfix/:

# cp /dev/null /var/lib/postfix/smtpd_tls_session_cache

Reload Postfix:

# postfix reload

Test by telnetting to the server on port 25:

telnet smtp.domain.net 25
Trying 202.127.97.230...
Connected to smtp.domain.net.
Escape character is '^]'.
220 smtp.domain.net ESMTP Postfix (2.6.5-20090828)
ehlo host.domain.com
250-smtp.domain.net
250-PIPELINING
250-SIZE 52428800
250-ETRN
250-STARTTLS
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
STARTTLS
220 2.0.0 Ready to start TLS

Or, alternatively, test it with the openssl s_client command:

# openssl s_client -connect smtp.domain.net:25 -starttls smtp
CONNECTED(00000003)
--- SNIPPED ---
--- SNIPPED ---
--- SNIPPED ---
---
Certificate chain
--- SNIPPED ---
--- SNIPPED ---
--- SNIPPED ------
Server certificate
-----BEGIN CERTIFICATE-----
MIIEPDCCAySgAwIBAgIBATANBgkqhkiG9w0BAQUFADCBojELMAkGA1UEBhMCSUQx
FDASBgNVBAgMC0RLSSBKYWthcnRhMRAwDgYDVQQHDAdKYWthcnRhMRcwFQYDVQQK
--- SNIPPED ---
-----END CERTIFICATE-----
--- SNIPPED ---
---
No client certificate CA names sent
---
SSL handshake has read 3226 bytes and written 349 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: --- SNIPPED ---
    Session-ID-ctx: 
    Master-Key: --- SNIPPED ---
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket:
    0000 - 88 ac 8b e5 ed 78 bf 89-dd a4 27 e4 c8 69 63 46   .....x....'..icF
    0010 - e7 e9 28 2a 04 03 5e 24-3b 24 78 2c 5d f5 94 1f   ..(*..^$;$x,]...
    0020 - 3d ca f4 44 bf 81 4f 1b-28 f1 2f 78 eb 50 9a 5a   =..D..O.(./x.P.Z
	--- SNIPPED ---
    Compression: 1 (zlib compression)
    Start Time: 1260492174
    Timeout   : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---
250 DSN
quit
221 2.0.0 Bye
closed
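The two manual sessions above can be automated. The script below is an added example (not code from the original post): it parses the EHLO reply for the STARTTLS extension, then negotiates TLS with certificate verification switched on, so the self-signed chain built above is reported as unverified (the counterpart of openssl's "Verify return code: 19") unless the generated cacert.pem is passed as `cafile`. The host name, the CA file path and the embedded EHLO sample are assumptions/constructed values.

```python
import smtplib
import ssl

# Added example (not the post's code). Constructed sample: the EHLO reply
# from the post's telnet session, used to exercise the parser offline.
SAMPLE_EHLO_REPLY = (
    "250-smtp.domain.net\r\n250-PIPELINING\r\n250-SIZE 52428800\r\n250-ETRN\r\n"
    "250-STARTTLS\r\n250-AUTH LOGIN PLAIN\r\n250-AUTH=LOGIN PLAIN\r\n"
    "250-ENHANCEDSTATUSCODES\r\n250-8BITMIME\r\n250 DSN"
)


def parse_ehlo_extensions(reply):
    """Map each advertised ESMTP extension (lower-cased) to its parameter string.
    Accepts the wire form ("250-STARTTLS") or smtplib's stripped form ("STARTTLS");
    the first 250 line is the server hostname, not an extension."""
    exts = {}
    lines = [ln for ln in reply.splitlines() if ln.strip()]
    for line in lines[1:]:
        if line[:4] in ("250-", "250 "):
            line = line[4:]
        keyword, _, params = line.strip().partition(" ")
        exts[keyword.lower()] = params
    return exts


def check_starttls(host, port=25, cafile=None):
    """Connect, confirm STARTTLS is offered, then negotiate TLS and verify the chain.
    cafile=None uses the system trust store, so the post's self-signed chain comes
    back verified=False; pass the server's cacert.pem (assumed path) to verify."""
    result = {"starttls_offered": False, "verified": False,
              "protocol": None, "cipher": None, "error": None}
    ctx = ssl.create_default_context(cafile=cafile)  # chain + hostname checks on
    smtp = smtplib.SMTP(host, port, timeout=10)
    try:
        _code, reply = smtp.ehlo()
        exts = parse_ehlo_extensions(reply.decode("utf-8", "replace"))
        result["starttls_offered"] = "starttls" in exts
        if not result["starttls_offered"]:
            return result  # plaintext only: nothing to negotiate
        try:
            smtp.starttls(context=ctx)
        except ssl.SSLCertVerificationError as exc:
            result["error"] = str(exc)  # handshake ran, but chain is untrusted
            return result
        result["verified"] = True
        result["protocol"] = smtp.sock.version()
        result["cipher"] = smtp.sock.cipher()[0]
    finally:
        smtp.close()
    return result
```

Run `check_starttls("smtp.domain.net")` and then `check_starttls("smtp.domain.net", cafile="/etc/postfix/cacert.pem")`: the first should come back with `starttls_offered=True` but `verified=False`, the second with `verified=True` plus the negotiated protocol and cipher.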

We’re done, good luck 🙂

One Response to “Postfix TLS Support On Fedora 12”

  1. Thanks for this great guide. You are a postfix genius.
