This page is out of date, it has been replaced by a newer version which you can find here.
This is an optional step; you don't need it to get everything working, but if you want a secure setup you should do it. TLS lets you set up an encrypted connection between the server and the mail client and authenticate the user securely, meaning that the clear-text password is only ever sent over an SSL-encrypted connection.
Normally you would buy a certificate from Thawte or Verisign, but as we are building a server on the cheap we are going to create our own self-signed certificate:
Just open a Terminal and execute the following command as root in the directory
openssl req -new -outform PEM -out smtpd.cert -newkey rsa:2048 -nodes -keyout smtpd.key -keyform PEM -days 365 -x509
This will create a 2048-bit RSA key (smtpd.key) and a self-signed certificate (smtpd.cert) that, for now, is secure enough for your mail server to use. The certificate is valid for a year; if you want a longer period, just increase the number after the -days option.
The only problem with using your own certificate is that users have to explicitly accept and verify it, unlike a purchased certificate, which is already trusted by most email clients. For instance, the first time they send email via your secure server they need to accept your certificate. When using Mail.app in OS X they will get the following warning:
By pressing Continue they accept the certificate and won't be asked again.
Now that you have created the certificate, you have to configure Postfix to use it and to enforce the use of TLS when communicating with the email client. Add the following lines to file
smtpd_enforce_tls = no
smtpd_tls_loglevel = 1
smtpd_use_tls = yes
smtpd_tls_key_file = /etc/postfix/smtpd.key
smtpd_tls_cert_file = /etc/postfix/smtpd.cert
Note that with smtpd_enforce_tls = no the server offers TLS but still accepts unencrypted sessions; set it to yes only if every client can use STARTTLS. On Postfix 2.3 and later these two parameters are superseded by smtpd_tls_security_level (may for opportunistic TLS, encrypt for mandatory TLS).
Issue the command postfix reload to refresh the configuration of your mail server, and you're ready to test. Start a terminal and issue the following command:
telnet yourmailserveraddress 25
The server will answer with:
Connected to yourmailserveraddress.
Escape character is ^]
220 yourmailserveraddress ESMTP Postfix
Then type in:
And again your server will answer with its capabilities:
Now it's time to test TLS; enter, in capitals:
and the server should respond with:
220 Ready to start TLS
Then you know it works, and you can give your favourite email client a try.
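The telnet session above checks STARTTLS by hand. The following script is an added example (not part of the original tutorial) that automates the same check and, unlike a client that just presses Continue, trusts only the self-signed smtpd.cert you generated, so a different certificate on the wire fails the handshake. The host name, port 25 and the path to smtpd.cert are assumptions you pass on the command line; the EHLO reply embedded below is a constructed sample modelled on Postfix output, not captured from a real server.

```python
"""Check that an SMTP server advertises STARTTLS and presents the expected certificate.

Added example for the Postfix TLS tutorial; assumes port 25 and a local copy of the
self-signed smtpd.cert so the client pins that exact certificate instead of accepting
whatever the server offers.
"""
import smtplib
import ssl
import sys

# Constructed sample EHLO reply (not captured from a real server), in the shape
# Postfix returns once smtpd_use_tls = yes is active.
SAMPLE_EHLO_REPLY = b"""250-yourmailserveraddress
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250 8BITMIME"""


def parse_ehlo_extensions(reply: bytes) -> set:
    """Return the extension keywords advertised in a raw multi-line EHLO reply."""
    extensions = set()
    lines = reply.decode("ascii", errors="replace").splitlines()
    # The first 250 line carries the server's hostname, not an extension.
    for line in lines[1:]:
        if len(line) < 4 or not line.startswith("250"):
            continue
        keyword = line[4:].split(" ", 1)[0].strip().upper()
        if keyword:
            extensions.add(keyword)
    return extensions


def starttls_offered(reply: bytes) -> bool:
    """True when the EHLO reply lists STARTTLS, i.e. the server will upgrade to TLS."""
    return "STARTTLS" in parse_ehlo_extensions(reply)


def check_starttls(host: str, port: int = 25, cafile: str = "smtpd.cert") -> dict:
    """Connect, EHLO, issue STARTTLS and verify the peer against cafile only.

    The self-signed certificate is its own trust anchor, so cafile is the cert
    itself. Hostname verification stays on: the certificate's CN/SAN must match
    `host`, otherwise the handshake raises ssl.SSLCertVerificationError.
    """
    context = ssl.create_default_context(cafile=cafile)
    result = {"starttls_advertised": False, "tls_established": False,
              "protocol": None, "subject": None}
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        smtp.ehlo()
        result["starttls_advertised"] = smtp.has_extn("starttls")
        if not result["starttls_advertised"]:
            return result
        code, _ = smtp.starttls(context=context)   # expects "220 Ready to start TLS"
        result["tls_established"] = (code == 220)
        result["protocol"] = smtp.sock.version()    # e.g. "TLSv1.2"
        subject = smtp.sock.getpeercert()["subject"]
        result["subject"] = dict(entry[0] for entry in subject)
    return result


if __name__ == "__main__":
    # Usage: python check_starttls.py yourmailserveraddress [smtpd.cert]
    target = sys.argv[1]
    cert_path = sys.argv[2] if len(sys.argv) > 2 else "smtpd.cert"
    print(check_starttls(target, cafile=cert_path))
```

Run it against your own server after postfix reload; starttls_advertised is False if the smtpd_use_tls line did not take effect, and a verification error means the certificate the server presents is not the smtpd.cert you generated.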
Next page: configuring IMAP for SSL and TLS.