Dec 11 2009
It’s time to make our SMTP transactions encrypted using TLS. TLS stands for Transport Layer Security; it encrypts the communication between two hosts.
As usual when building a Postfix RPM package, I recommend using the tutorial on how to compile the Postfix RPM source at Simon J Mudd’s website.
When you’ve finished compiling Postfix with TLS support, continue with these steps to create self-signed Postfix TLS certificates.
- Certificates part
# cd /etc/postfix
# mkdir ssl
# cd ssl
# mkdir certs crl newcerts private
# echo "01" > serial
# cp /dev/null index.txt
# cat /etc/pki/tls/openssl.cnf | sed -e 's/\/etc\/pki\/CA/\./' | sed -e 's/\.\/demoCA/\./' > openssl.cnf
# openssl req -new -x509 -keyout private/cakey.pem -out cacert.pem -days 3650 -config openssl.cnf
# openssl req -nodes -new -x509 -keyout newreq.pem -out newreq.pem -days 3650 -config openssl.cnf
# openssl x509 -x509toreq -in newreq.pem -signkey newreq.pem -out tmp.pem
# openssl ca -config openssl.cnf -policy policy_anything -out newcert.pem -infiles tmp.pem
# cp cacert.pem /etc/postfix
# grep -B 100 "END PRIVATE KEY" newreq.pem > /etc/postfix/key.pem
# chmod 400 /etc/postfix/key.pem
# cp newcert.pem /etc/postfix/cert.pem
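The sequence above leans on the `openssl ca` database (serial, index.txt, a patched openssl.cnf). The same three files, cacert.pem, key.pem and cert.pem, can be produced without that scaffolding, and the result can be checked the way a mail client would check it. The script below is an added example written for this page, not the post's own commands: it takes a working directory and a hostname as parameters, never touches /etc/postfix, and assumes only openssl(1). It also puts the hostname into a subjectAltName, which the post's CN-only certificate lacks and which current clients require for name matching.

```shell
#!/bin/sh
# Added example (not from the original post): build a private CA and a
# server certificate for Postfix with plain openssl(1), then verify the
# chain as a TLS client would. DIR and HOSTNAME are parameters.
set -eu

# make_postfix_certs DIR HOSTNAME
# Writes cacert.pem, key.pem and cert.pem into DIR (the files the
# smtpd_tls_CAfile / smtpd_tls_key_file / smtpd_tls_cert_file
# parameters point at). Returns 0 on success.
make_postfix_certs() {
    dir=$1
    host=$2
    mkdir -p "$dir"

    # 1. CA key and self-signed CA certificate (10 years, as in the post).
    #    The extension file marks it as a CA so verifiers accept it as one.
    openssl genrsa -out "$dir/cakey.pem" 2048 2>/dev/null
    openssl req -new -key "$dir/cakey.pem" -subj "/CN=Private Postfix CA" \
        -out "$dir/ca.csr"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$dir/ca.ext"
    openssl x509 -req -in "$dir/ca.csr" -signkey "$dir/cakey.pem" -days 3650 \
        -extfile "$dir/ca.ext" -out "$dir/cacert.pem" 2>/dev/null

    # 2. Server key and CSR. genrsa writes the key unencrypted (the same
    #    effect as the post's -nodes): smtpd must load it without a passphrase.
    openssl genrsa -out "$dir/key.pem" 2048 2>/dev/null
    chmod 400 "$dir/key.pem"
    openssl req -new -key "$dir/key.pem" -subj "/CN=$host" -out "$dir/server.csr"

    # 3. Sign the CSR with the CA. The SAN entry is what clients match the
    #    hostname against; the CN alone is no longer sufficient.
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' "$host" \
        > "$dir/server.ext"
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/cacert.pem" -CAkey "$dir/cakey.pem" \
        -CAcreateserial -days 3650 -extfile "$dir/server.ext" -out "$dir/cert.pem" 2>/dev/null

    # The CA key is only needed for signing; keep it as tight as the server key.
    chmod 400 "$dir/cakey.pem"
}

# verify_chain DIR: returns 0 only if cert.pem chains to cacert.pem.
verify_chain() {
    openssl verify -CAfile "$1/cacert.pem" "$1/cert.pem" | grep -q ': OK$'
}

# san_matches DIR HOSTNAME: returns 0 if cert.pem carries HOSTNAME as a DNS SAN.
san_matches() {
    openssl x509 -in "$1/cert.pem" -noout -text | grep -q "DNS:$2"
}

# Usage: ./mkcerts.sh ./tlsdemo smtp.example.net
if [ "$#" -eq 2 ]; then
    make_postfix_certs "$1" "$2"
    verify_chain "$1" && san_matches "$1" "$2" && echo "chain OK for $2"
fi
```

The files land in the directory you name; copying them into /etc/postfix is left to you so the script can be rerun safely. `verify_chain` is exactly the check a client performs when it has been given cacert.pem as its trust anchor; without that file a client sees the same "self signed certificate in certificate chain" result that the s_client test later in this post shows.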
Then add the following TLS parameters to /etc/postfix/main.cf:
smtpd_use_tls = yes
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_tls_session_cache
smtp_tls_note_starttls_offer = yes
smtpd_tls_key_file = /etc/postfix/key.pem
smtpd_tls_cert_file = /etc/postfix/cert.pem
smtpd_tls_CAfile = /etc/postfix/cacert.pem
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
Create an empty file named smtpd_tls_session_cache in /var/lib/postfix/
# cp /dev/null /var/lib/postfix/smtpd_tls_session_cache
Reload Postfix
# postfix reload
Test by telnetting to the server on port 25
telnet smtp.domain.net 25
Trying 202.127.97.230...
Connected to smtp.domain.net.
Escape character is '^]'.
220 smtp.domain.net ESMTP Postfix (2.6.5-20090828)
ehlo host.domain.com
250-smtp.domain.net
250-PIPELINING
250-SIZE 52428800
250-ETRN
250-STARTTLS
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
STARTTLS
220 2.0.0 Ready to start TLS
Alternatively, test it with the openssl s_client command
# openssl s_client -connect smtp.domain.net:25 -starttls smtp
CONNECTED(00000003)
--- SNIPPED ---
--- SNIPPED ---
--- SNIPPED ---
---
Certificate chain
--- SNIPPED ---
--- SNIPPED ---
--- SNIPPED ---
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIEPDCCAySgAwIBAgIBATANBgkqhkiG9w0BAQUFADCBojELMAkGA1UEBhMCSUQx
FDASBgNVBAgMC0RLSSBKYWthcnRhMRAwDgYDVQQHDAdKYWthcnRhMRcwFQYDVQQK
--- SNIPPED ---
-----END CERTIFICATE-----
--- SNIPPED ---
---
No client certificate CA names sent
---
SSL handshake has read 3226 bytes and written 349 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: --- SNIPPED ---
    Session-ID-ctx:
    Master-Key: --- SNIPPED ---
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket:
    0000 - 88 ac 8b e5 ed 78 bf 89-dd a4 27 e4 c8 69 63 46   .....x....'..icF
    0010 - e7 e9 28 2a 04 03 5e 24-3b 24 78 2c 5d f5 94 1f   ..(*..^$;$x,]...
    0020 - 3d ca f4 44 bf 81 4f 1b-28 f1 2f 78 eb 50 9a 5a   =..D..O.(./x.P.Z
    --- SNIPPED ---
    Compression: 1 (zlib compression)
    Start Time: 1260492174
    Timeout   : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---
250 DSN
quit
221 2.0.0 Bye
closed
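Two lines in the output above carry the security result. `250-STARTTLS` in the EHLO reply shows the server offers encryption, and `Verify return code: 19` shows that, while the handshake succeeded and the cipher is DHE-RSA-AES256-SHA, the client could not authenticate the server because cacert.pem is not in its trust store. `smtpd_use_tls = yes` gives opportunistic TLS, so a peer that does not trust (or does not check) that CA still sends mail, just without assurance of who it is talking to. The script below is an added example for this page, not the post's own code, that turns both checks into something repeatable: two helpers parse an EHLO reply and an s_client transcript from stdin, and `check_starttls` runs the live test, optionally with the CA file, which should drive the verify code to 0. It assumes openssl(1) and awk; `SAMPLE_SESSION` is a constructed transcript mirroring the output above.

```shell
#!/bin/sh
# Added example (not from the original post): check what a STARTTLS
# session to an SMTP server actually negotiated and whether the server
# was authenticated. HOST, PORT and CAFILE are parameters.
set -eu

# ehlo_offers_starttls: reads an EHLO reply on stdin; returns 0 if the
# server advertises STARTTLS ("250-STARTTLS" or a final "250 STARTTLS").
ehlo_offers_starttls() {
    grep -qi '^250[- ]STARTTLS'
}

# smtp_tls_summary: reads openssl s_client output on stdin and prints one
# line "protocol=... cipher=... verify=N". Exit status is 0 only when the
# verify return code is 0, i.e. the certificate chained to a trusted CA.
# Code 19 (self-signed certificate in chain) means the link is encrypted
# but the peer was not authenticated. A missing verify line also fails.
smtp_tls_summary() {
    awk '
        $1 == "Protocol" { proto = $3 }
        $1 == "Cipher"   { cipher = $3 }
        $1 == "Verify" && $2 == "return" { code = $4 }
        END {
            printf "protocol=%s cipher=%s verify=%s\n", proto, cipher, code
            exit (code == "0" ? 0 : 1)
        }
    '
}

# check_starttls HOST PORT [CAFILE]: live check against a real server.
# With CAFILE pointing at the CA that signed the server certificate
# (cacert.pem from this post), a correct setup prints verify=0.
check_starttls() {
    host=$1; port=$2; cafile=${3:-}
    set -- -connect "$host:$port" -starttls smtp
    if [ -n "$cafile" ]; then
        set -- "$@" -CAfile "$cafile"
    fi
    openssl s_client "$@" </dev/null 2>/dev/null | smtp_tls_summary
}

# Constructed sample, mirroring the s_client session shown in the post.
SAMPLE_SESSION='New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Verify return code: 19 (self signed certificate in certificate chain)'

# Usage: ./tlscheck.sh smtp.example.net 25 /etc/postfix/cacert.pem
# With no arguments the constructed sample is analysed instead.
if [ "$#" -ge 2 ]; then
    check_starttls "$@"
else
    printf '%s\n' "$SAMPLE_SESSION" | smtp_tls_summary \
        || echo "encrypted but server not authenticated: pass the CA file as CAFILE"
fi
```

Running it with no arguments reproduces the post's result (`verify=19`, non-zero exit); running it against your own server with the CA file as the third argument is the check that tells the two cases apart. The non-zero exit status is deliberate so the script can sit in a cron job or monitoring check and flag a certificate that stops chaining to the expected CA.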
We’re done, good luck 🙂
One Response to “Postfix TLS Support On Fedora 12”
Thanks for this great guide. You are a postfix genius.