Since the Postfix 2.2 release, TLS support is included when it is compiled in. See: http://www.postfix.org/TLS_README.html.
Just go to https://www.cacert.org/, join CAcert.org and fill in your details. There is also a short description of the process on their site. You will get a mail back to verify that you can read email at the address you provided. After login, add your domain; the service will try to verify that you can read mail at one of the following accounts: root, hostmaster, postmaster, admin, webmaster, or an email address found in the whois data of the domain you provided. Remember that only after you have verified your domain can you start adding servers in that domain.
A certificate request (CSR) is your public key, to be signed by the certificate authority. Creating it goes like this: (Note that the Common Name is the only relevant field; all other fields will be discarded from the certificate by the issuer.)
$ su -
Password:
mkdir /etc/postfix/tls
chown root:root /etc/postfix/tls
chmod 0500 /etc/postfix/tls
cd /etc/postfix/tls
openssl req -nodes -newkey rsa:2048 -keyout privatekey.pem -out csr.pem
Generating a 2048 bit RSA private key
...++++++
........++++++
writing new private key to 'privatekey.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:FI
State or Province Name (full name) [Some-State]:Uusimaa
Locality Name (eg, city) []:Porvoo
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Petri Koistinen Home
Organizational Unit Name (eg, section) []:Desktop
Common Name (eg, YOUR name) []:joo.ath.cx
Email Address []:petri.koistinen@iki.fi

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
chown root:root /etc/postfix/tls/privatekey.pem
chmod 0400 /etc/postfix/tls/privatekey.pem
chown root:root /etc/postfix/tls/csr.pem
chmod 0400 /etc/postfix/tls/csr.pem
Private keys should belong to "root" and be readable only by root. Postfix loads private keys before dropping superuser privileges.
Request a new server certificate from the CAcert.org web site. This howto assumes that you select a Class 1 certificate. When you are asked for the CSR, paste the content of /etc/postfix/tls/csr.pem into the box. It is a PEM block starting with -----BEGIN CERTIFICATE REQUEST----- and ending with -----END CERTIFICATE REQUEST-----.
You should also verify the content of the request with

openssl req -in /etc/postfix/tls/csr.pem -text -verify -noout

before sending it.
Copy the certificate from the web page and put it in the file /etc/postfix/tls/cert.pem. Remember to do

chown root:postfix /etc/postfix/tls/cert.pem
chmod a=r /etc/postfix/tls/cert.pem

so that everybody can read it. You can check the contents of this file with the

openssl x509 -in /etc/postfix/tls/cert.pem -text -noout

command; at least the Validity and Subject fields should be checked.
If you run Debian or Ubuntu, have installed the ca-certificates package and chosen the CAcert.org root certificate to be used, you can skip this part.
wget -nv https://www.cacert.org/certs/root.crt -O /etc/postfix/tls/root.crt
chown root:postfix /etc/postfix/tls/root.crt
chmod a=r /etc/postfix/tls/root.crt
The file root.crt downloaded above is the CAcert.org root certificate in PEM form.
You can examine the root certificate in detail with this command:
openssl x509 -in /etc/postfix/tls/root.crt -text -noout
It is important that the root certificate is genuine and has not been tampered with. You should see exactly this as the output of that command:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 0 (0x0)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: O=Root CA, OU=http://www.cacert.org, CN=CA Cert Signing Authority/emailAddress=support@cacert.org
        Validity
            Not Before: Mar 30 12:29:49 2003 GMT
            Not After : Mar 29 12:29:49 2033 GMT
        Subject: O=Root CA, OU=http://www.cacert.org, CN=CA Cert Signing Authority/emailAddress=support@cacert.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (4096 bit)
                Modulus (4096 bit):
                    00:ce:22:c0:e2:46:7d:ec:36:28:07:50:96:f2:a0:
                    33:40:8c:4b:f1:3b:66:3f:31:e5:6b:02:36:db:d6:
                    7c:f6:f1:88:8f:4e:77:36:05:41:95:f9:09:f0:12:
                    cf:46:86:73:60:b7:6e:7e:e8:c0:58:64:ae:cd:b0:
                    ad:45:17:0c:63:fa:67:0a:e8:d6:d2:bf:3e:e7:98:
                    c4:f0:4c:fa:e0:03:bb:35:5d:6c:21:de:9e:20:d9:
                    ba:cd:66:32:37:72:fa:f7:08:f5:c7:cd:58:c9:8e:
                    e7:0e:5e:ea:3e:fe:1c:a1:14:0a:15:6c:86:84:5b:
                    64:66:2a:7a:a9:4b:53:79:f5:88:a2:7b:ee:2f:0a:
                    61:2b:8d:b2:7e:4d:56:a5:13:ec:ea:da:92:9e:ac:
                    44:41:1e:58:60:65:05:66:f8:c0:44:bd:cb:94:f7:
                    42:7e:0b:f7:65:68:98:51:05:f0:f3:05:91:04:1d:
                    1b:17:82:ec:c8:57:bb:c3:6b:7a:88:f1:b0:72:cc:
                    25:5b:20:91:ec:16:02:12:8f:32:e9:17:18:48:d0:
                    c7:05:2e:02:30:42:b8:25:9c:05:6b:3f:aa:3a:a7:
                    eb:53:48:f7:e8:d2:b6:07:98:dc:1b:c6:34:7f:7f:
                    c9:1c:82:7a:05:58:2b:08:5b:f3:38:a2:ab:17:5d:
                    66:c9:98:d7:9e:10:8b:a2:d2:dd:74:9a:f7:71:0c:
                    72:60:df:cd:6f:98:33:9d:96:34:76:3e:24:7a:92:
                    b0:0e:95:1e:6f:e6:a0:45:38:47:aa:d7:41:ed:4a:
                    b7:12:f6:d7:1b:83:8a:0f:2e:d8:09:b6:59:d7:aa:
                    04:ff:d2:93:7d:68:2e:dd:8b:4b:ab:58:ba:2f:8d:
                    ea:95:a7:a0:c3:54:89:a5:fb:db:8b:51:22:9d:b2:
                    c3:be:11:be:2c:91:86:8b:96:78:ad:20:d3:8a:2f:
                    1a:3f:c6:d0:51:65:87:21:b1:19:01:65:7f:45:1c:
                    87:f5:7c:d0:41:4c:4f:29:98:21:fd:33:1f:75:0c:
                    04:51:fa:19:77:db:d4:14:1c:ee:81:c3:1d:f5:98:
                    b7:69:06:91:22:dd:00:50:cc:81:31:ac:12:07:7b:
                    38:da:68:5b:e6:2b:d4:7e:c9:5f:ad:e8:eb:72:4c:
                    f3:01:e5:4b:20:bf:9a:a6:57:ca:91:00:01:8b:a1:
                    75:21:37:b5:63:0d:67:3e:46:4f:70:20:67:ce:c5:
                    d6:59:db:02:e0:f0:d2:cb:cd:ba:62:b7:90:41:e8:
                    dd:20:e4:29:bc:64:29:42:c8:22:dc:78:9a:ff:43:
                    ec:98:1b:09:51:4b:5a:5a:c2:71:f1:c4:cb:73:a9:
                    e5:a1:0b
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                16:B5:32:1B:D4:C7:F3:E0:E6:8E:F3:BD:D2:B0:3A:EE:B2:39:18:D1
            X509v3 Authority Key Identifier:
                keyid:16:B5:32:1B:D4:C7:F3:E0:E6:8E:F3:BD:D2:B0:3A:EE:B2:39:18:D1
                DirName:/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support@cacert.org
                serial:00

            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 CRL Distribution Points:
                URI:https://www.cacert.org/revoke.crl

            Netscape CA Revocation Url:
                https://www.cacert.org/revoke.crl
            Netscape CA Policy Url:
                http://www.cacert.org/index.php?id=10
            Netscape Comment:
                To get your own certificate for FREE head over to http://www.cacert.org
    Signature Algorithm: md5WithRSAEncryption
        28:c7:ee:9c:82:02:ba:5c:80:12:ca:35:0a:1d:81:6f:89:6a:
        99:cc:f2:68:0f:7f:a7:e1:8d:58:95:3e:bd:f2:06:c3:90:5a:
        ac:b5:60:f6:99:43:01:a3:88:70:9c:9d:62:9d:a4:87:af:67:
        58:0d:30:36:3b:e6:ad:48:d3:cb:74:02:86:71:3e:e2:2b:03:
        68:f1:34:62:40:46:3b:53:ea:28:f4:ac:fb:66:95:53:8a:4d:
        5d:fd:3b:d9:60:d7:ca:79:69:3b:b1:65:92:a6:c6:81:82:5c:
        9c:cd:eb:4d:01:8a:a5:df:11:55:aa:15:ca:1f:37:c0:82:98:
        70:61:db:6a:7c:96:a3:8e:2e:54:3e:4f:21:a9:90:ef:dc:82:
        bf:dc:e8:45:ad:4d:90:73:08:3c:94:65:b0:04:99:76:7f:e2:
        bc:c2:6a:15:aa:97:04:37:24:d8:1e:94:4e:6d:0e:51:be:d6:
        c4:8f:ca:96:6d:f7:43:df:e8:30:65:27:3b:7b:bb:43:43:63:
        c4:43:f7:b2:ec:68:cc:e1:19:8e:22:fb:98:e1:7b:5a:3e:01:
        37:3b:8b:08:b0:a2:f3:95:4e:1a:cb:9b:cd:9a:b1:db:b2:70:
        f0:2d:4a:db:d8:b0:e3:6f:45:48:33:12:ff:fe:3c:32:2a:54:
        f7:c4:f7:8a:f0:88:23:c2:47:fe:64:7a:71:c0:d1:1e:a6:63:
        b0:07:7e:a4:2f:d3:01:8f:dc:9f:2b:b6:c6:08:a9:0f:93:48:
        25:fc:12:fd:9f:42:dc:f3:c4:3e:f6:57:b0:d7:dd:69:d1:06:
        77:34:0a:4b:d2:ca:a0:ff:1c:c6:8c:c9:16:be:c4:cc:32:37:
        68:73:5f:08:fb:51:f7:49:53:36:05:0a:95:02:4c:f2:79:1a:
        10:f6:d8:3a:75:9c:f3:1d:f1:a2:0d:70:67:86:1b:b3:16:f5:
        2f:e5:a4:eb:79:86:f9:3d:0b:c2:73:0b:a5:99:ac:6f:fc:67:
        b8:e5:2f:0b:a6:18:24:8d:7b:d1:48:35:29:18:40:ac:93:60:
        e1:96:86:50:b4:7a:59:d8:8f:21:0b:9f:cf:82:91:c6:3b:bf:
        6b:dc:07:91:b9:97:56:23:aa:b6:6c:94:c6:48:06:3c:e4:ce:
        4e:aa:e4:f6:2f:09:dc:53:6f:2e:fc:74:eb:3a:63:99:c2:a6:
        ac:89:bc:a7:b2:44:a0:0d:8a:10:e3:6c:f2:24:cb:fa:9b:9f:
        70:47:2e:de:14:8b:d4:b2:20:09:96:a2:64:f1:24:1c:dc:a1:
        35:9c:15:b2:d4:bc:55:2e:7d:06:f5:9c:0e:55:f4:5a:d6:93:
        da:76:ad:25:73:4c:c5:43
I hope the CAcert.org root certificate will some day be shipped with OpenSSL by default, but in the meanwhile we need to add it. Finding where OpenSSL root certificates are stored can be a little bit tricky. With Debian (or Ubuntu) the directory is /usr/lib/ssl/certs. You can install it like this: (Debian ca-certificates users must not do this.)
cp /etc/postfix/tls/root.crt /usr/lib/ssl/certs/CAcert.org_Root_Certificate.pem
c_rehash /usr/lib/ssl/certs
In case you don't have the c_rehash perl script, you can download it here. I hope it works.
After installation of the root certificate, you should test the installation like this:
petri@dsl-prvgw1nf5:/etc/postfix/tls$ openssl verify /etc/postfix/tls/cert.pem
/etc/postfix/tls/cert.pem: OK
If the installation failed, you will probably get a message like this:
petri@dsl-prvgw1nf5:/etc/postfix/tls$ openssl verify /etc/postfix/tls/cert.pem
/etc/postfix/tls/cert.pem: /CN=joo.ath.cx
error 20 at 0 depth lookup:unable to get local issuer certificate
Add this configuration to /etc/postfix/main.cf (or wherever your main.cf is).
# TLS PART START
smtp_tls_CAfile = /etc/postfix/tls/root.crt
smtp_tls_session_cache_database = btree:$data_directory/smtp_tls_session_cache
smtp_tls_security_level = may
smtp_tls_loglevel = 1
smtpd_tls_CAfile = /etc/postfix/tls/root.crt
smtpd_tls_cert_file = /etc/postfix/tls/cert.pem
smtpd_tls_key_file = /etc/postfix/tls/privatekey.pem
smtpd_tls_session_cache_database = btree:$data_directory/smtpd_tls_session_cache
smtpd_tls_security_level = may
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
# TLS PART END
Debian ca-certificates users should do the same, except for these lines:
...
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
...
smtpd_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
...
Make sure that $data_directory is set.
You (and I) probably should learn how to add root certificates other than CAcert.org's too. By the way, btree databases need Berkeley DB support.
First you can test your own server with "telnet localhost 25", saying "EHLO localhost" and checking whether you see "STARTTLS" in the greeting. If you do, just say "STARTTLS", check what the server replies and check what the Postfix log files say.
Next, send a message between two servers that support TLS and have the CAcert.org root certificate installed. The receiving server should have a mail log looking like this:
Oct 16 17:18:23 dsl-prvgw1ib8 postfix/smtpd[2921]: connect from dsl-prvgw1nf5.dial.inet.fi[80.223.61.245]
Oct 16 17:18:23 dsl-prvgw1ib8 postfix/smtpd[2921]: setting up TLS connection from dsl-prvgw1nf5.dial.inet.fi[80.223.61.245]
Oct 16 17:18:24 dsl-prvgw1ib8 postfix/smtpd[2921]: fingerprint=C9:54:81:FB:D4:05:05:32:CA:1C:8D:0B:C8:7E:58:E2
Oct 16 17:18:24 dsl-prvgw1ib8 postfix/smtpd[2921]: Verified: subject_CN=joo.ath.cx, issuer=CA Cert Signing Authority
Oct 16 17:18:24 dsl-prvgw1ib8 postfix/smtpd[2921]: TLS connection established from dsl-prvgw1nf5.dial.inet.fi[80.223.61.245]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Oct 16 17:18:24 dsl-prvgw1ib8 postfix/smtpd[2921]: 19EB52019D88D: client=dsl-prvgw1nf5.dial.inet.fi[80.223.61.245]
And the received message should have a Received header looking like this:
Received: from dsl-prvgw1nf5.dial.inet.fi (dsl-prvgw1nf5.dial.inet.fi [80.223.61.245])
        (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
        (Client CN "joo.ath.cx", Issuer "CA Cert Signing Authority" (verified OK))
        by dsl-prvgw1ib8.dial.inet.fi (Postfix) with ESMTP id 19EB52019D88D
        for <petri@juu.ath.cx>; Sat, 16 Oct 2004 17:18:24 +0300 (EEST)
Everything should be done now. Please note that if the receiver's server doesn't have the CAcert.org root certificate installed, the header will look like this:
... (Client CN "joo.ath.cx", Issuer "CA Cert Signing Authority" (not verified)) ...
Perhaps you could ask nicely whether the CAcert.org root certificate could be installed on the receiving server.
Even if your certificate is not verified, your mail will be delivered, provided it is accepted by the receiving server. "Not verified" means that the servers do not trust each other via a Certificate Authority (CA) common to both parties. Without verification you cannot know whether your communication is being tampered with in between, but the communication between the servers is still encrypted. For more information see for example the Wikipedia article on the man-in-the-middle attack: http://en.wikipedia.org/wiki/Man-in-the-middle_attack

Scenario
Here is a way to enable relaying based on TLS certificate trust rather than the usual IP address trust (see the mynetworks option).
Client (x40.daemon.fi) configuration in main.cf:
myhostname = x40.daemon.fi
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
inet_interfaces = loopback-only
relayhost = daemon.fi:submission
# TLS PART START
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_cert_file = /etc/postfix/tls/cert.pem
smtp_tls_key_file = /etc/postfix/tls/privatekey.pem
smtp_tls_session_cache_database = btree:$data_directory/smtp_tls_session_cache
smtp_tls_security_level = fingerprint
smtp_tls_loglevel = 1
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_mandatory_ciphers = high
smtp_tls_fingerprint_digest = sha1
# The following must match the relayhost. This is the fingerprint of the shell.daemon.fi certificate.
smtp_tls_fingerprint_cert_match = D2:2A:C6:BE:25:B5:2C:30:90:C9:3D:ED:51:CB:8B:1C:92:AF:C1:0E
# With inet_interfaces = loopback-only this smtpd serves only localhost, so securing that connection is pretty useless
smtpd_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtpd_tls_cert_file = /etc/postfix/tls/cert.pem
smtpd_tls_key_file = /etc/postfix/tls/privatekey.pem
smtpd_tls_session_cache_database = btree:$data_directory/smtpd_tls_session_cache
smtpd_tls_security_level = may
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
# TLS PART END
Server (shell.daemon.fi) configuration
master.cf addition:
submission inet n       -       -       -       -       smtpd
  -o smtpd_tls_req_ccert=yes
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_fingerprint_digest=sha1
  -o smtpd_relay_restrictions=$submission_cert_access
  -o smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1
  -o smtpd_tls_mandatory_ciphers=high
main.cf addition:
submission_cert_access = check_ccert_access hash:/etc/postfix/cert-access, reject
Content of /etc/postfix/cert-access:
# The following must match the client cert. This is the fingerprint of the x40.daemon.fi certificate.
DA:7A:18:8D:ED:F1:5F:4F:0A:46:BC:60:3B:BB:5E:A9:61:3E:6D:F7 OK
# add more client certs here
Remember to do
postmap /etc/postfix/cert-access
The fingerprints used above are obtained with openssl; here for the server certificate on shell.daemon.fi:
root@shell:~# openssl x509 -noout -fingerprint -sha1 -in /etc/postfix/tls/cert.pem
SHA1 Fingerprint=D2:2A:C6:BE:25:B5:2C:30:90:C9:3D:ED:51:CB:8B:1C:92:AF:C1:0E
With the help of these instructions you can enable email relaying for certain users who present a verifiable certificate with a certain fingerprint. It doesn't matter from which IP address the mail relay client is connecting. This could be useful for mobile users. Note that this uses the submission port 587/tcp on the server side; it is far more commonly open than the ordinary 25/tcp SMTP port. See RFC 6409 for more info.
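As an added example (not part of this howto or of Postfix), here is a small Python 3 helper that computes a certificate fingerprint the way Postfix and "openssl x509 -fingerprint" do (a digest over the certificate's DER encoding), looks it up in a cert-access style table, and checks whether smtp_tls_fingerprint_cert_match still lists a given certificate, which is the thing that silently breaks when a certificate is renewed. It uses only the standard library; the table text and the PEM input in the demo are constructed sample data, not real certificates.

```python
"""Fingerprint helper for Postfix check_ccert_access / smtp_tls_fingerprint_cert_match.

Added example, not part of the original howto. A Postfix certificate
fingerprint is a digest over the certificate's DER encoding, the same value
that "openssl x509 -fingerprint -sha1" prints.
"""
import hashlib
import ssl

# Constructed sample table in the format of /etc/postfix/cert-access above.
CERT_ACCESS = """\
# Fingerprint of the x40.daemon.fi client certificate (value from the howto).
DA:7A:18:8D:ED:F1:5F:4F:0A:46:BC:60:3B:BB:5E:A9:61:3E:6D:F7 OK
# add more client certs here
"""


def fingerprint_der(der: bytes, digest: str = "sha1") -> str:
    """Colon-separated upper-case digest of DER bytes, as Postfix logs it."""
    hexdigest = hashlib.new(digest, der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def fingerprint_pem(pem: str, digest: str = "sha1") -> str:
    """Fingerprint of a PEM certificate; ssl strips the BEGIN/END armor."""
    return fingerprint_der(ssl.PEM_cert_to_DER_cert(pem), digest)


def parse_access_table(text: str) -> dict:
    """Parse a Postfix access table: '<key> <action>' lines, '#' comments.

    Keys are stored upper-case so lookups are case-insensitive, mirroring
    postmap's default folding of lookup keys.
    """
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, action = line.partition(" ")
        table[key.upper()] = action.strip()
    return table


def ccert_decision(table: dict, fingerprint: str, default: str = "reject") -> str:
    """Result of 'check_ccert_access <table>, reject' for one client fingerprint."""
    return table.get(fingerprint.upper(), default)


def cert_matches_config(pem: str, configured: str, digest: str = "sha1") -> bool:
    """True if smtp_tls_fingerprint_cert_match (one or more values separated by
    commas or whitespace) lists this certificate's fingerprint."""
    wanted = {v.upper() for v in configured.replace(",", " ").split()}
    return fingerprint_pem(pem, digest) in wanted


if __name__ == "__main__":
    # Constructed stand-in: a PEM wrapper around the bytes b"abc", enough to
    # exercise the code paths without a real certificate.
    sample_pem = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"
    fp = fingerprint_pem(sample_pem)
    table = parse_access_table(CERT_ACCESS)
    print(fp, "->", ccert_decision(table, fp))  # not in the table, so "reject"
```

Pass the PEM read from /etc/postfix/tls/cert.pem to fingerprint_pem and the table read from /etc/postfix/cert-access to parse_access_table to check a live setup; the same functions work for sha256 by passing digest="sha256".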
You can provide feedback about this document to me: petri.koistinen@iki.fi. All feedback is welcome, whether it's about tiny typos or major misconceptions. Don't be afraid to ask anything, and don't worry about flooding my mailbox; so far I have only got 20 replies by email. If you just got TLS working with the help of this document, drop me a line or send me a message on IRC, details on the front page of my home pages. You might also be interested in my spam filtering configuration for Postfix.
And remember that this doesn't provide end-to-end security for email, but it helps a bit.
Document author: Petri T. Koistinen.
Document last modified: Tuesday, 25-Aug-2015 14:53:21 EEST
Please, use this permanent URL for linking to this document:
http://www.iki.fi/petri.koistinen/postfix/postfix-tls-cacert.shtml