Configuring TLS in Postfix


This post is a continuation on previous posts. It is expected that you have a working Postfix server with Virtual Domain hosting, Dovecot based authentication and filtering using Spamassassin.

The previous post in this series can be found here. The main purpose of this post to configure TLS in Postfix so that the traffic, mainly the authentication is secure using encryption technology.

It is expected that you are aware of creating SSL certificate and the private key. In this the public key or the cert file will be distributed to public, and the “key” file will be the file used for encryption which should be kept securely in the server, with no access to public.

Take a back-up of the present postfix configuration file “/etc/postfix/

It is assumed the encryption keys are stored in the below locations:

  • /etc/postfix/certs/MyCertificate.crt
  • /etc/postfix/certs/MyKey.key

Open the file using the file editor of your choice. Append the below lines at the end of the file:

[root@star postfix]# vi /etc/postfix/

##### SMTPD connection coming to your server #####

smtpd_tls_cert_file = /etc/postfix/certs/MyCertificate.crt
smtpd_tls_key_file = /etc/postfix/certs/MyKey.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
smtpd_tls_session_cache_timeout = 10800s
smtpd_use_tls = yes

##### SMTP from your server to others
smtp_tls_key_file = /etc/postfix/certs/MyKey.key
smtp_tls_cert_file = /etc/postfix/certs/MyCertificate.crt
smtp_tls_security_level = may
smtp_tls_loglevel = 1
smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_tls_session_cache
smtp_use_tls = yes

Now restart Postfix server

[root@star postfix]# systemctl restart postfix


Configuration parameters in mail client such as MS Outlook, Thinderbird, etc 

  • SMTP Server name: Your server’s DNS name of IP
  • SMTP port: Usually TCP 587 (if configured in the server) or TCP 25
  • Connection security: STARTTLS
  • Authentication Method: Normal un-encrypted password
  • POP3 Server name: Your server’s DNS name of IP
  • POP3 port: Usually TCP 110
  • Connection security: STARTTLS
  • Authentication Method: Normal un-encrypted password