{"id":888,"date":"2019-10-02T07:50:12","date_gmt":"2019-10-02T07:50:12","guid":{"rendered":"http:\/\/shijuvarghese.com\/?p=888"},"modified":"2025-07-10T03:14:56","modified_gmt":"2025-07-10T03:14:56","slug":"configuring-tls-in-postfix","status":"publish","type":"post","link":"http:\/\/shijuvarghese.com\/?p=888","title":{"rendered":"Configuring TLS in Postfix"},"content":{"rendered":"<p>This post is a continuation of previous posts.\u00a0It is expected that you have a working Postfix server with Virtual Domain hosting, Dovecot-based authentication and filtering using\u00a0SpamAssassin.<\/p>\n<p>The previous post in this series can be found <a href=\"http:\/\/shijuvarghese.com\/?p=174\">here<\/a>. The main purpose of this post is to configure TLS in Postfix so that the traffic, mainly the authentication, is secured by encryption.<\/p>\n<p>It is expected that you know how to create an SSL certificate and its private key. Here the public key, that is, the cert file, is distributed to the public, while the &#8220;key&#8221; file is the file used for encryption and should be kept securely on the server, with no public access.<\/p>\n<p>Take a backup of the current Postfix configuration file &#8220;<strong>\/etc\/postfix\/main.cf<\/strong>&#8221;.<\/p>\n<p>It is assumed that the certificate and key are stored in the following locations:<\/p>\n<ul>\n<li><em>\/etc\/postfix\/certs\/MyCertificate.crt<\/em><\/li>\n<li><em>\/etc\/postfix\/certs\/MyKey.key<\/em><\/li>\n<\/ul>\n<p>Open the file using the file editor of your choice. 
Append the lines below to the end of the file:<\/p>\n<p><strong>[root@star postfix]#<\/strong> vi\u00a0\/etc\/postfix\/main.cf<\/p>\n<p style=\"padding-left: 30px;\"><em>##### SMTPD: connections coming to your server #####<\/em><\/p>\n<p style=\"padding-left: 30px;\"><em>smtpd_tls_cert_file = \/etc\/postfix\/certs\/MyCertificate.crt<\/em><br \/>\n<em>smtpd_tls_key_file = \/etc\/postfix\/certs\/MyKey.key<\/em><br \/>\n<em>smtpd_tls_loglevel = 1<\/em><br \/>\n<em>smtpd_tls_received_header = yes<\/em><br \/>\n<em>smtpd_tls_security_level = may<\/em><br \/>\n<em>smtpd_tls_session_cache_database = btree:\/var\/lib\/postfix\/smtpd_scache<\/em><br \/>\n<em>smtpd_tls_session_cache_timeout = 10800s<\/em><br \/>\n<em>smtpd_use_tls = yes<\/em><\/p>\n<p style=\"padding-left: 30px;\"><em>##### SMTP: connections from your server to others #####<\/em><br \/>\n<em>smtp_tls_key_file = \/etc\/postfix\/certs\/MyKey.key<\/em><br \/>\n<em>smtp_tls_cert_file = \/etc\/postfix\/certs\/MyCertificate.crt<\/em><br \/>\n<em>smtp_tls_security_level = may<\/em><br \/>\n<em>smtp_tls_loglevel = 1<\/em><br \/>\n<em>smtp_tls_session_cache_database = btree:\/var\/lib\/postfix\/smtp_tls_session_cache<\/em><br \/>\n<em>smtp_use_tls = yes<\/em><\/p>\n<p>Now restart the Postfix server:<\/p>\n<p><strong>[root@star postfix]#<\/strong> systemctl restart postfix<\/p>\n<p>&nbsp;<\/p>\n<p><span style=\"text-decoration: underline;\">Configuration parameters in mail clients such as MS Outlook, Thunderbird, etc.\u00a0<\/span><\/p>\n<ul>\n<li><strong>SMTP Server name:<\/strong> Your server&#8217;s DNS name or IP<\/li>\n<li><strong>SMTP port:<\/strong> Usually TCP 587 (if configured on the server) or TCP 25<\/li>\n<li><strong>Connection security:<\/strong> STARTTLS<\/li>\n<li><strong>Authentication Method:<\/strong> Normal un-encrypted password<\/li>\n<\/ul>\n<ul>\n<li><strong>POP3\u00a0Server name:<\/strong>\u00a0Your server&#8217;s DNS name or IP<\/li>\n<li><strong>POP3\u00a0port:<\/strong>\u00a0Usually 
TCP\u00a0110<\/li>\n<li><strong>Connection security:<\/strong>\u00a0STARTTLS<\/li>\n<li><strong>Authentication Method:<\/strong>\u00a0Normal un-encrypted password<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<div class=\"mh-excerpt\"><p>This post is a continuation of previous posts.\u00a0It is expected that you have a working Postfix server with Virtual Domain hosting, Dovecot-based authentication and <a class=\"mh-excerpt-more\" href=\"http:\/\/shijuvarghese.com\/?p=888\" title=\"Configuring TLS in Postfix\">[&#8230;]<\/a><\/p>\n<\/div>","protected":false},"author":1,"featured_media":1819,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[7,14],"tags":[],"class_list":["post-888","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-postfix","category-security"],"_links":{"self":[{"href":"http:\/\/shijuvarghese.com\/index.php?rest_route=\/wp\/v2\/posts\/888","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/shijuvarghese.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/shijuvarghese.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/shijuvarghese.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/shijuvarghese.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=888"}],"version-history":[{"count":5,"href":"http:\/\/shijuvarghese.com\/index.php?rest_route=\/wp\/v2\/posts\/888\/revisions"}],"predecessor-version":[{"id":894,"href":"http:\/\/shijuvarghese.com\/index.php?rest_route=\/wp\/v2\/posts\/888\/revisions\/894"}],"wp:featuredmedia":[{"embeddable":true,"href":"http:\/\/shijuvarghese.com\/index.php?rest_route=\/wp\/v2\/media\/1819"}],"wp:attachment":[{"href":"http:\/\/shijuvarghese.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=888"}],"wp:term":[{"taxonomy":"categor
y","embeddable":true,"href":"http:\/\/shijuvarghese.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=888"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/shijuvarghese.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=888"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}