
How do I enable TLS on a Postfix mail server

One of my clients complained to me that they are getting a warning on the emails they send to the Gmail.com domain. They send email on SMTP port 25 using an SQL-based mail server. So anybody in between on the network can tap the email content, since it is being sent unencrypted.

So my plan is to enable the TLS handshake on my Postfix SMTP server.

[Screenshot: No-tls_smtp]

The above screenshot tells me that our mails are not encrypted while communicating with outside servers. So we need to tweak some Postfix settings in order to enable TLS encryption. Edit the file “/etc/postfix/main.cf” and add the lines below at the bottom. Please note that I’m using a valid SSL certificate for the TLS handshake. You can also create a self-signed certificate for this purpose; there is no need to buy an SSL certificate for this.

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/httpd/ssl/private/postfix.key -out /etc/httpd/ssl/private/postfix.crt

############### Enabling tls on postfix ###############
# smtp_* settings apply to outgoing mail (Postfix as SMTP client),
# smtpd_* settings apply to incoming mail (Postfix as SMTP server).
# logging (incoming TLS sessions)
smtpd_tls_loglevel = 1
# Use TLS for outgoing mail when the remote server offers it (optional, not enforced)
smtp_use_tls=yes
# Disable SSLv2/3 as they are vulnerable
smtpd_tls_protocols = !SSLv2, !SSLv3
smtp_tls_protocols = !SSLv2, !SSLv3
# Insist on stronger ciphers
smtpd_tls_ciphers = high
smtp_tls_ciphers = high
# keys (certificate and private key presented by the Postfix SMTP client)
smtp_tls_cert_file = /etc/httpd/ssl/private/postfix.crt
smtp_tls_key_file = /etc/httpd/ssl/private/postfix.key

Next, restart the Postfix server and test it.

[root@Web01 liju]# /etc/init.d/postfix restart

Now you should be able to send email over TLS encryption.

[Screenshot: TLS_working]
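
An added example, not part of the original post: a small Python check that reads main.cf text and reports the TLS state separately for outgoing mail (smtp_* parameters) and incoming mail (smtpd_* parameters). The function names and report keys are hypothetical, the sample input is constructed from the settings above, and anything the file does not set is assumed to be at Postfix's built-in default.

```python
import re

# Constructed input: the settings this post adds to /etc/postfix/main.cf.
SAMPLE_MAIN_CF = """\
smtpd_tls_loglevel = 1
smtp_use_tls=yes
smtpd_tls_protocols = !SSLv2, !SSLv3
smtp_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_ciphers = high
smtp_tls_ciphers = high
smtp_tls_cert_file = /etc/httpd/ssl/private/postfix.crt
smtp_tls_key_file = /etc/httpd/ssl/private/postfix.key
"""

def parse_main_cf(text):
    """'#' lines are comments, indented lines continue the previous value, last setting wins."""
    params, name = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and name:
            params[name] += " " + line.strip()
        else:
            name, _, value = line.partition("=")
            name = name.strip()
            params[name] = value.strip()
    return params

def tls_level(params, prefix):
    """Legacy *_use_tls / *_enforce_tls only count when *_tls_security_level is unset."""
    level = params.get(prefix + "_tls_security_level")
    if level:
        return level
    if params.get(prefix + "_enforce_tls") == "yes":
        return "encrypt"
    return "may" if params.get(prefix + "_use_tls") == "yes" else "none"

def audit(text):
    """Report TLS per direction: smtp_* = outbound client, smtpd_* = inbound server."""
    params, report = parse_main_cf(text), {}
    for prefix, side in (("smtp", "outbound"), ("smtpd", "inbound")):
        protos = set(re.split(r"[,:\s]+", params.get(prefix + "_tls_protocols", "")))
        report[side] = {
            "level": tls_level(params, prefix),
            "ssl_excluded": {"!SSLv2", "!SSLv3"} <= protos,  # explicit in this file
            "cert_configured": prefix + "_tls_cert_file" in params,
            "tls_logged": params.get(prefix + "_tls_loglevel", "0") != "0",
        }
    return report
```

Calling audit(SAMPLE_MAIN_CF) on the settings from this post reports opportunistic TLS ("may") for outgoing mail, and no TLS level or certificate for incoming mail, since nothing in them enables TLS on the smtpd side.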
