SSL how-to: install SSL on a Postfix SMTP server

The following describes how to get StartSSL certificates working with Postfix. First, read how to get a free SSL certificate from StartSSL and actually create the certificates; alternatively, read how to create a self-signed certificate, use self-signed certificates here and change the steps accordingly.

Then let's create all the files Postfix requires from the certificates we have already created.

# Run as root: the commands below write to /etc/ssl.
# The CA bundle is fetched over plain HTTP, so compare it with a copy obtained over HTTPS or shipped by your distribution before installing it.
$ wget http://www.startssl.com/certs/ca-bundle.crt -O ca-bundle.crt
$ cat ca-bundle.crt > /etc/ssl/certs/ca-bundle.crt
$ chmod 644 /etc/ssl/certs/ca-bundle.crt
# Server certificate (public) and private key, copied under the names Postfix will use.
$ cat /etc/ssl/certs/mail_certificate.pem > /etc/ssl/certs/postfix.pem
$ cat /etc/ssl/private/mail_privatekey.pem > /etc/ssl/private/postfix.pem
# The private key must not be world-readable: root owns it, the ssl-cert group may read it, nobody else.
$ chown root:ssl-cert /etc/ssl/private/postfix.pem
$ chmod 640 /etc/ssl/private/postfix.pem
$ chown root:root /etc/ssl/certs/postfix.pem
$ chmod 444 /etc/ssl/certs/postfix.pem

The TLS portion of the Postfix config should look something like this.

# Client side (Postfix sending mail to other servers).
smtp_tls_CAfile = /etc/ssl/certs/ca-bundle.crt
smtp_tls_cert_file = /etc/ssl/certs/postfix.pem
smtp_tls_key_file = /etc/ssl/private/postfix.pem
smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_tls_session_cache
# Legacy form; Postfix 2.3 and later prefer smtp_tls_security_level = may.
smtp_use_tls = yes

# Server side (Postfix receiving mail and client submissions).
smtpd_tls_CAfile = /etc/ssl/certs/ca-bundle.crt
smtpd_tls_cert_file = /etc/ssl/certs/postfix.pem
smtpd_tls_key_file = /etc/ssl/private/postfix.pem
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_tls_session_cache
# Legacy form; Postfix 2.3 and later prefer smtpd_tls_security_level = may.
smtpd_use_tls = yes

smtpd_tls_received_header = yes
smtpd_tls_loglevel = 1
# "no" lets clients authenticate on the plaintext connection, so passwords can cross the wire unencrypted; "yes" only offers AUTH after STARTTLS.
smtpd_tls_auth_only = no
tls_random_source = dev:/dev/urandom

Now let's test the SMTP server for TLS support using telnet:

$ telnet mail.example.org 25

You should get a banner similar to this.

 Trying 127.0.0.1...
 Connected to mail.example.org.
 Escape character is '^]'.
 220 mail.flexion.org NO UCE ESMTP 

Issue an EHLO command

EHLO test.com 

You should now see something like this. Check that 250-STARTTLS is listed.

 250-mail.example.org
 250-PIPELINING
 250-SIZE 52428800
 250-ETRN
 250-STARTTLS
 250-AUTH PLAIN LOGIN
 250-AUTH=PLAIN LOGIN
 250-ENHANCEDSTATUSCODES
 250-8BITMIME
 250 DSN

Issue the STARTTLS command

STARTTLS 

If you see the following, you are all set.

220 2.0.0 Ready to start TLS
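As an added example that is not part of the original post, the following shell script automates the checks in this how-to: it audits an EHLO response for STARTTLS (and flags AUTH being offered before TLS, which the smtpd_tls_auth_only = no setting above produces), verifies that the private key is not world-readable and that certificate and key belong together, and replaces the telnet session with openssl s_client, which also verifies the chain against the CA bundle. It assumes the file paths used in this post, GNU stat and an openssl binary; the script name check-postfix-tls.sh is hypothetical.

```shell
# Post-configuration checks for the Postfix TLS setup described above.
# Assumes the file paths used in this post, GNU stat and an openssl binary.

KEY=/etc/ssl/private/postfix.pem
CERT=/etc/ssl/certs/postfix.pem
CA=/etc/ssl/certs/ca-bundle.crt

# Audit an EHLO response read from stdin. Succeeds only when STARTTLS is offered.
# AUTH in the same plaintext response means smtpd_tls_auth_only = no: a client
# may send its password before TLS is negotiated.
audit_ehlo() {
    resp=$(cat)
    if ! printf '%s\n' "$resp" | grep -q '^ *250[ -]STARTTLS'; then
        echo "FAIL: server does not advertise STARTTLS" >&2
        return 1
    fi
    if printf '%s\n' "$resp" | grep -q '^ *250[ -]AUTH'; then
        echo "WARN: AUTH offered before TLS; set smtpd_tls_auth_only = yes" >&2
    fi
    echo "OK: STARTTLS advertised"
}

# The private key must not be world-readable. Accepts 640 (root:ssl-cert, the
# Debian convention used above) or stricter.
key_mode_ok() {
    mode=$(stat -c '%a' "$1") || return 1
    case "$mode" in
        600|640|400|440) return 0 ;;
        *) echo "FAIL: $1 has mode $mode" >&2; return 1 ;;
    esac
}

# The certificate and key must belong together: compare their public keys.
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey | openssl md5)
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl md5)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Live check replacing the manual telnet session: openssl negotiates STARTTLS and
# reports the certificate chain and its verification against the CA bundle.
starttls_check() {
    printf 'QUIT\r\n' | openssl s_client -connect "$1:25" -starttls smtp \
        -CAfile "$CA" 2>&1 | grep -E 'Verify return code|subject=|issuer='
}

# Usage: sh check-postfix-tls.sh mail.example.org
if [ -n "${1:-}" ]; then
    key_mode_ok "$KEY" && cert_matches_key "$CERT" "$KEY" && starttls_check "$1"
fi
```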
