This page is out of date; it has been replaced by a newer version, which you can find here.
This is an optional feature; you don’t need it to get everything working, but if you want a secure setup you should do this. TLS lets you set up an encrypted connection between the server and the mail client and authenticate the user securely, meaning that the clear-text password is sent over an SSL-encrypted connection.
First you need to buy yourself a certificate at Thawte or Verisign, but as we are building a server on the cheap we are going to create our own certificate:
Just open a Terminal and execute the following command as root in the directory /etc/postfix:
openssl req -new -outform PEM -out smtpd.cert -newkey rsa:2048 -nodes -keyout smtpd.key -keyform PEM -days 365 -x509
This will create a 2048-bit key that, for now, is secure enough for your mail server to use. The certificate will be valid for a year; if you want a longer period, just increase the number after the -days option.
The only problem you will encounter when using your own certificate is that users have to explicitly accept and verify your root certificate, whereas certificates you buy are already trusted by most email clients. When they send email through your secure server for the first time, for instance, they need to accept your certificate. When using Mail.app in OS X they will get the following warning:
By pressing continue they will accept the certificate and won’t be asked again.
Now that you have created the certificate, you have to configure Postfix to make use of it and to enforce the usage of TLS to securely communicate with the email client. Add the following lines to the file main.cf in /etc/postfix:
smtpd_enforce_tls = no
smtpd_tls_loglevel = 1
smtpd_use_tls = yes
smtpd_tls_key_file = /etc/postfix/smtpd.key
smtpd_tls_cert_file = /etc/postfix/smtpd.cert
Issue the command postfix reload to refresh the configuration of your mail server, and you’re ready to test. Start a terminal and issue the following command:
telnet yourmailserveraddress 25
The server will answer with:
Trying yourmailserveraddress...
Connected to yourmailserveraddress.
Escape character is ^]
220 yourmailserveraddress ESMTP Postfix
Then type in:
EHLO yourmailserveraddress
And again your server will answer with its capabilities:
250-yourmailserveraddress
250-PIPELINING
250-SIZE 10240000
250-ETRN
250-STARTTLS
250 8BITMIME
Now it’s time to test TLS and enter in capitals:
STARTTLS
and the server should respond with:
220 Ready to start TLS
If you get this reply you know TLS works, and you can give your favourite email client a try.
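As an added example (not part of the original post), the following Python script automates the telnet check above: it parses the EHLO capability list for STARTTLS and, when run against a real server, upgrades the connection while verifying that the server presents the smtpd.cert generated earlier rather than accepting any certificate. The hostname mail.example.test and the certificate path are assumptions.

```python
import smtplib
import ssl

# Constructed sample: the EHLO reply a Postfix server with TLS enabled returns
# (same capability list as in the telnet session above, hostname assumed).
SAMPLE_EHLO_REPLY = (
    b"250-mail.example.test\n"
    b"250-PIPELINING\n"
    b"250-SIZE 10240000\n"
    b"250-ETRN\n"
    b"250-STARTTLS\n"
    b"250 8BITMIME"
)


def parse_ehlo_capabilities(reply: bytes) -> dict:
    """Turn a multi-line 250 EHLO reply into {KEYWORD: parameters}.

    The first line is the server's greeting and is skipped; every later line
    is '250-KEYWORD [params]' ('250 KEYWORD' on the last line).
    """
    caps = {}
    for line in reply.decode("ascii", "replace").splitlines()[1:]:
        if not line.startswith("250"):
            continue
        keyword, _, params = line[4:].strip().partition(" ")  # drop "250-"/"250 "
        caps[keyword.upper()] = params
    return caps


def advertises_starttls(reply: bytes) -> bool:
    return "STARTTLS" in parse_ehlo_capabilities(reply)


def check_starttls(host: str, cert_file: str, port: int = 25) -> dict:
    """Connect, EHLO, require STARTTLS, then upgrade to TLS while verifying the
    server against our own self-signed certificate (cert_file = smtpd.cert)."""
    ctx = ssl.create_default_context(cafile=cert_file)  # trust only that one cert
    ctx.check_hostname = False  # assumed: the cert's CN may not match the hostname
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            raise RuntimeError("server does not advertise STARTTLS")
        smtp.starttls(context=ctx)  # raises ssl.SSLError if the cert does not verify
        smtp.ehlo()  # capabilities must be re-read after the TLS upgrade
        return {"tls_version": smtp.sock.version(),
                "peer_cert": smtp.sock.getpeercert()}
```

Run it as check_starttls("mail.example.test", "/etc/postfix/smtpd.cert") from the machine that should trust the server; a failed verification raises instead of silently accepting the certificate.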
February 6th, 2006 at 8:10 pm
Hey — getting an error when I try to test in the console stating it cannot find /etc/srvtab — and the SMTP session returns a response of failure due to internal error. While checking — I found that message means that tls is configured to use kerberos… fairly sure I followed the steps… seen this? The smtpd.conf file was created which should have told it what types of auth to accept correct? Do we somehow need to not include kerberos on the compile? Thanks! Great site!
Richard5: The problem is solved, Tim needed to recreate his certificate and add a line he forgot to the configuration file.
April 15th, 2006 at 6:53 am
I have spent endless hours and can’t get the telnet to port 25 to work. I get the same error.
telnet: connect to address 192.168.0.3: Connection refused
telnet: Unable to connect to remote host
Network Utility port scan only shows port 80 open on the server. I have tried the Apple firewall, Flying Buttress, sbin/service and can’t get past the error. Any suggestion would be appreciated.
Thanks,
Dennis
July 19th, 2006 at 10:19 pm
Hi Richard,
I have now set up the ISP on an Intel Mac. It works fine but:
When I use TLS in the smtp configuration to send a mail from the Mail.app in Mac and from Outlook on a Win machine everything works fine, but when I use Thunderbird I can not use the TLS encryption. I always get an SSL accept error -1 in the mail log. Do you have any ideas what this can be??
Thanks
Dani
January 18th, 2007 at 8:53 pm
I am getting the same error as Daniel in Apple Mail.
Jan 18 10:47:20 skooby postfix/smtpd[7581]: SSL_accept error from xxx.xxx.com[xx.xx.xx.xx]: -1
Jan 18 10:47:20 skooby postfix/smtpd[7581]: lost connection after STARTTLS from xxx.xxx.com[xx.xx.xx.xx]
IMAP works fine, but I can’t seem to connect to send mail. Any ideas?
-austin
February 25th, 2008 at 3:30 am
I am having a problem where the STARTTLS won’t even show up in the EHLO list. I’ve followed all your instructions from top to bottom, and still I don’t get the STARTTLS option…
I am stuck… Any ideas?
April 10th, 2008 at 7:10 am
Thanks for the great postfix instructions, this also works on Debian boxes.
The other item users may need to do is uncomment the line starting with #submission in the postfix master.cf file, to get postfix listening on a secure port.
http://www.wrightthisway.com/Articles/cat_postfix.html