Thursday, March 18, 2010

Linux Postfix SMTP (Mail Server) SSL Certificate Installations and Configuration

SkyHi @ Thursday, March 18, 2010

In this tutorial you will learn about Installing SSL Certificate (Secure Server Certificate) to secure communication between Postfix SMTP server and mail client such as Outlook or Thunderbird.

You need to generate a CSR certificate for CA, to use with your Postfix mail server. This tutorial instuctions are tested under:

  1. Redhat enterprise Linux 5
  2. CentOS 5 Server
  3. FreeBSD 7 server

Procedure for creating a CSR on postfix MTA is just like web server. You need to use OpenSSL which is a cryptography toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) network protocols and related cryptography standards under Linux / UNIX. To configure postfix SSL SMTP you need 3 files

  • The private key generated using step #1
  • Your .crt certificate file (it will be send by CA)
  • CA certificate (also known as

Let us see how to create certificate for Postfix smtp server called

Step # 1: Generating a CSR and private key for Postfix SMTP

Type the command to create a SSL CSR for a mail server called
# mkdir /etc/postfix/ssl
# cd /etc/postfix/ssl
# openssl req -new -nodes -keyout -out

Most important is Common Name, in our example it is set to For the common name, you should enter the full mail server address of your site.

Sample output:

Generating a 1024 bit RSA private key
writing new private key to ''
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [AU]:<span style="color: rgb(255, 0, 0);"><strong>IN</strong></span>
State or Province Name (full name) [Some-State]:<span style="color: rgb(255, 0, 0);"><strong>MHA</strong></span>
Locality Name (eg, city) []:<span style="color: rgb(255, 0, 0);"><strong>Pune</strong></span>
Organization Name (eg, company) [Internet Widgits Pty Ltd]:<span style="color: rgb(255, 0, 0);"><strong>NIXCRAFT LTD</strong></span>
Organizational Unit Name (eg, section) []:<span style="color: rgb(255, 0, 0);"><strong>ITDEPT</strong></span>
Common Name (eg, YOUR name) []:<span style="color: rgb(255, 0, 0);"><strong></strong></span>
Email Address []:<span style="color: rgb(255, 0, 0);"><strong></strong></span>

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:<span style="color: rgb(255, 0, 0);"><strong>myPassword</strong></span>
An optional company name []:<span style="color: rgb(255, 0, 0);"><strong>NIXCRAFT LTD</strong></span>

Step # 2: Submit CSR to CA

Now a CSR is generated. All you have to do is copy and paste the contents of the CSR file into the SSL certificate providers (aka CA) account. Never ever give out your private key or certificate to anyone. After verification you should receive a zip file with certificates.

Step # 3 : Install your SSL certificate

Unzip file and upload certificates to /etc/postfix/ssl directory.

Step # 4: Configure Postfix SMTP for SSL certificate

Open postfix smtp configuration file and append following directive:
smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/postfix/ssl/
smtpd_tls_cert_file = /etc/postfix/ssl/
smtpd_tls_CAfile = /etc/postfix/ssl/caroot.crt
smtpd_tls_loglevel = 1

smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

Save and close the file. Restart or reload postfix service
# postfix reload.
# /etc/init.d/postfix restart

Note I have SASL configured as follows in
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_recipient_restrictions = permit_sasl_authenticated, reject_unauth_destination, permit_mynetworks check_relay_domains
smtpd_delay_reject = yes
broken_sasl_auth_clients = yes

Test Postfix TLS (SSL)

In order to test the TLS, just telnet on port 25 (you must see STARTTLS and AUTH lines):
$ telnet 25

Trying<br />Connected to<br />Escape character is '^]'.<br />220 ESMTP Postfix<br /><span style="color: rgb(0, 153, 0);"><strong>ehlo</strong></span><br /><br />250-PIPELINING<br />250-SIZE 10240000<br />250-ETRN<br />250-<span style="color: rgb(255, 0, 0);"><strong>STARTTLS</strong></span><br />250-<span style="color: rgb(255, 0, 0);"><strong>AUTH PLAIN LOGIN</strong></span><br />250-AUTH=PLAIN LOGIN<br />250-ENHANCEDSTATUSCODES<br />250-8BITMIME<br />250 DSN

And mail log file...
# tail -f /var/log/maillog

Jul 12 14:25:10 smtp postfix/smtpd[28817]: connect from unknown[]<br />Jul 12 14:25:11 smtp postfix/smtpd[28817]: setting up TLS connection from unknown[]<br />Jul 12 14:25:11 smtp postfix/smtpd[28817]: TLS connection established from unknown[]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)<br />Jul 12 14:25:12 smtp postfix/smtpd[28817]: B3A0A9D8443: client=unknown[], sasl_method=PLAIN,<br />Jul 12 14:25:13 smtp postfix/cleanup[28807]: B3A0A9D8443: message-id=<><br />Jul 12 14:25:13 smtp postfix/qmgr[28806]: B3A0A9D8443: from=<>, size=632, nrcpt=1 (queue active)<br />Jul 12 14:25:14 smtp postfix/smtpd[28817]: disconnect from unknown[]<br />Jul 12 14:25:14 smtp postfix/smtp[28821]: B3A0A9D8443: to=<>,[]:25, delay=2.1, delays=1.5/0/0.13/0.49, dsn=2.0.0, status=sent (250 2.0.0 OK 1184268314 n29si21297786elf)<br /><br /><br />Jul 12 14:25:14 smtp postfix/qmgr[28806]: B3A0A9D8443: removed</></>

You can use same SSL security certificates with dovecot secure IMAPS / POP3S server.

See also:

If you just need self signed postfix SSL certificate please see this tutorial for more information.

Updated for accuracy.