Linux Postfix SMTP (Mail Server) SSL Certificate Installations and Configuration

July 12, 2007 · 16 comments · last updated January 20, 2009


In this tutorial you will learn how to install an SSL certificate (secure server certificate) to secure communication between a Postfix SMTP server and mail clients such as Outlook or Thunderbird.

You need to generate a CSR (certificate signing request) for the CA to use with your Postfix mail server. These instructions were tested under:

  1. Redhat enterprise Linux 5
  2. CentOS 5 Server
  3. FreeBSD 7 server

The procedure for creating a CSR on a Postfix MTA is just like the one for a web server. You need OpenSSL, a cryptography toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) network protocols and related cryptography standards under Linux / UNIX. To configure Postfix SSL SMTP you need 3 files:

  • The private key generated in step #1
  • Your .crt certificate file (it will be sent by the CA)
  • CA certificate (also known as

Let us see how to create a certificate for a Postfix SMTP server called smtp.theos.in.

Step # 1: Generating a CSR and private key for Postfix SMTP

Type the following commands to create an SSL CSR for a mail server called smtp.theos.in:
# mkdir /etc/postfix/ssl
# cd /etc/postfix/ssl
# openssl req -new -nodes -keyout smtp.theos.in.key -out smtp.theos.in.csr

The most important field is the Common Name; in our example it is set to smtp.theos.in. For the Common Name, enter the full host name of your mail server, the name clients will connect to.

Sample output:

Generating a 1024 bit RSA private key
...........++++++
........................++++++
writing new private key to 'smtp.theos.in.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:IN
State or Province Name (full name) [Some-State]:MHA
Locality Name (eg, city) []:Pune
Organization Name (eg, company) [Internet Widgits Pty Ltd]:NIXCRAFT LTD
Organizational Unit Name (eg, section) []:ITDEPT
Common Name (eg, YOUR name) []:smtp.theos.in
Email Address []:ssladmin@staff.theos.in
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:myPassword
An optional company name []:NIXCRAFT LTD
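The same key and CSR generation as a script, added here as an example that is not part of the original tutorial: it passes the Distinguished Name with -subj so the run needs no prompts, uses a 2048-bit key instead of the 1024-bit default shown above (a comment below makes the same point), creates the key with a restrictive umask, and then checks that the CSR verifies and really belongs to the key next to it. The directory, host name and organisation fields are placeholders; substitute your own.

```shell
#!/bin/sh
# Added example, not from the original tutorial: generate a Postfix TLS
# private key and CSR non-interactively, then verify the CSR before it is
# sent to the CA. Directory, host and DN fields are placeholders.

# make_csr DIR HOST: writes DIR/HOST.key (mode 0600) and DIR/HOST.csr.
make_csr() {
    mkdir -p "$1" || return 1
    # umask 077 inside a subshell: openssl creates the key 0600 and the
    # caller's umask is left untouched.
    (
        umask 077
        # The organisation values are constructed sample data; the CN must be
        # the host name clients connect to (smtp.theos.in on this page).
        openssl req -new -nodes -newkey rsa:2048 \
            -keyout "$1/$2.key" -out "$1/$2.csr" \
            -subj "/C=IN/ST=MHA/L=Pune/O=EXAMPLE LTD/OU=ITDEPT/CN=$2" \
            >/dev/null 2>&1
    )
}

# verify_csr DIR HOST: 0 only if the CSR's self-signature verifies, its CN
# is HOST, and its public key is the one derived from DIR/HOST.key. A
# mismatch here would yield a certificate Postfix can never use.
verify_csr() {
    csr="$1/$2.csr"
    key="$1/$2.key"
    openssl req -in "$csr" -noout -verify >/dev/null 2>&1 || return 1
    # Subject prints as "CN = host" on OpenSSL 1.1+, "/CN=host" on older ones.
    openssl req -in "$csr" -noout -subject | grep -q "CN *= *$2\$" || return 1
    csr_pub=$(openssl req -in "$csr" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    [ -n "$csr_pub" ] && [ "$csr_pub" = "$key_pub" ]
}

# key_is_private DIR HOST: 0 if nobody but the owner can read the key.
key_is_private() {
    [ "$(ls -l "$1/$2.key" | cut -c5-10)" = "------" ]
}

# Usage: sh make_csr.sh /etc/postfix/ssl smtp.example.test
if [ $# -eq 2 ]; then
    make_csr "$1" "$2" && verify_csr "$1" "$2" && key_is_private "$1" "$2" \
        && echo "$1/$2.csr is ready to submit; keep $1/$2.key on the server only"
fi
```

The public-key comparison is the check worth keeping: a CSR that verifies and carries the right CN can still have been generated against a key that was later overwritten, and the CA has no way to notice.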

Step # 2: Submit CSR to CA

Now a CSR is generated. All you have to do is copy and paste the contents of the CSR file into your SSL certificate provider's (aka CA) account. Never give out your private key or certificate to anyone. After verification you should receive a zip file with the certificates.

Step # 3 : Install your SSL certificate

Unzip the file and upload the certificates to the /etc/postfix/ssl directory.

Step # 4: Configure Postfix SMTP for SSL certificate

Open the Postfix SMTP configuration file, /etc/postfix/main.cf, and append the following directives:
smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/postfix/ssl/smtp.theos.in.key
smtpd_tls_cert_file = /etc/postfix/ssl/smtp.theos.in.crt
smtpd_tls_CAfile = /etc/postfix/ssl/caroot.crt
smtpd_tls_loglevel = 1

smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
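A pre-reload check for the settings above, added here as an example that is not part of the original tutorial or of Postfix itself: it reads the smtpd_tls_* paths out of main.cf and confirms that the files exist, that the key is readable by its owner only, that the certificate was issued for that key, and that the certificate verifies against the CA file. The main.cf path is an argument; run it before postfix reload so a typo in a path or a swapped key shows up as a message rather than as a smtpd that refuses STARTTLS.

```shell
#!/bin/sh
# Added example, not Postfix's own code: sanity-check the smtpd_tls_* files
# named in a main.cf before reloading Postfix.

# cf_get FILE PARAM: value of PARAM in a main.cf-style file. The last
# assignment wins, as in Postfix; whitespace around '=' is ignored.
cf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# check_postfix_tls MAINCF: prints one line per finding; returns 0 when
# every check passes, 1 otherwise.
check_postfix_tls() {
    cf=$1
    rc=0
    key=$(cf_get "$cf" smtpd_tls_key_file)
    cert=$(cf_get "$cf" smtpd_tls_cert_file)
    ca=$(cf_get "$cf" smtpd_tls_CAfile)
    use_tls=$(cf_get "$cf" smtpd_use_tls)

    [ "$use_tls" = "yes" ] || { echo "FAIL: smtpd_use_tls is not 'yes'"; rc=1; }

    for f in "$key" "$cert" "$ca"; do
        [ -n "$f" ] && [ -r "$f" ] || { echo "FAIL: missing or unreadable file '$f'"; rc=1; }
    done
    [ $rc -eq 0 ] || return 1

    # The private key must not be group- or world-readable.
    perms=$(ls -l "$key" | cut -c5-10)
    [ "$perms" = "------" ] || { echo "FAIL: $key is readable by others ($perms)"; rc=1; }

    # Certificate and key must carry the same public key; otherwise smtpd
    # logs a key/certificate mismatch and TLS never comes up.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] \
        || { echo "FAIL: $cert was not issued for $key"; rc=1; }

    # The certificate must chain to the CA file Postfix will present
    # alongside it. Old OpenSSL releases exit 0 on failure, so match the
    # "path: OK" line rather than the exit status.
    openssl verify -CAfile "$ca" "$cert" 2>/dev/null | grep -q ': OK$' \
        || { echo "FAIL: $cert does not verify against $ca"; rc=1; }

    [ $rc -eq 0 ] && echo "OK: TLS files in $cf are consistent"
    return $rc
}

# Usage: sh check_tls.sh /etc/postfix/main.cf && postfix reload
if [ $# -eq 1 ]; then
    check_postfix_tls "$1"
fi
```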

Save and close the file. Restart or reload the Postfix service:
# postfix reload
OR
# /etc/init.d/postfix restart

Note: I have SASL configured as follows in main.cf:
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_security_options=noanonymous
smtpd_recipient_restrictions = permit_sasl_authenticated, reject_unauth_destination, permit_mynetworks check_relay_domains
smtpd_delay_reject = yes
broken_sasl_auth_clients = yes

Test Postfix TLS (SSL)

In order to test TLS, just telnet to smtp.theos.in on port 25 (you must see the STARTTLS and AUTH lines):
$ telnet smtp.theos.in 25
Output:

Trying 202.54.221.5...
Connected to smtp.theos.in.
Escape character is '^]'.
220 smtp.theos.in ESMTP Postfix
ehlo smtp.theos.in
250-smtp.theos.in
250-PIPELINING
250-SIZE 10240000
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

And the mail log file...
# tail -f /var/log/maillog
Output:

Jul 12 14:25:10 smtp postfix/smtpd[28817]: connect from unknown[84.167.114.61]
Jul 12 14:25:11 smtp postfix/smtpd[28817]: setting up TLS connection from unknown[84.167.114.61]
Jul 12 14:25:11 smtp postfix/smtpd[28817]: TLS connection established from unknown[84.167.114.61]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Jul 12 14:25:12 smtp postfix/smtpd[28817]: B3A0A9D8443: client=unknown[84.167.114.61], sasl_method=PLAIN, sasl_username=user1@theos.in
Jul 12 14:25:13 smtp postfix/cleanup[28807]: B3A0A9D8443: message-id=<46968015.50400@theos.in>
Jul 12 14:25:13 smtp postfix/qmgr[28806]: B3A0A9D8443: from=, size=632, nrcpt=1 (queue active)
Jul 12 14:25:14 smtp postfix/smtpd[28817]: disconnect from unknown[122.167.114.61]
Jul 12 14:25:14 smtp postfix/smtp[28821]: B3A0A9D8443: to=, relay=aspmx.l.google.com[209.85.163.27]:25, delay=2.1, delays=1.5/0/0.13/0.49, dsn=2.0.0, status=sent (250 2.0.0 OK 1184268314 n29si21297786elf)
Jul 12 14:25:14 smtp postfix/qmgr[28806]: B3A0A9D8443: removed
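The two checks above, a STARTTLS-capable EHLO response and a maillog showing TLS sessions, can be made repeatable. The script below is an added example, not part of the original tutorial: it tests a captured EHLO response for a keyword, lists the protocol and cipher of every TLS session smtpd logged, and flags any SASL login that happened on a connection with no TLS handshake. The transcript and log lines are constructed samples modelled on the ones on this page (RFC 5737 test addresses); the EHLO sample deliberately lacks AUTH, which is what smtpd_tls_auth_only = yes produces before STARTTLS.

```shell
#!/bin/sh
# Added example, not from the original tutorial: check a captured SMTP
# session and a maillog excerpt for the signs of a working STARTTLS setup.

# ehlo_offers FILE KEYWORD: 0 if the EHLO response in FILE advertises
# KEYWORD (STARTTLS, AUTH, ...), in either the "250-" or the "250 " form.
ehlo_offers() {
    grep -Eq "^250[- ]$2( |=|$)" "$1"
}

# tls_sessions LOG: prints "client protocol cipher" for every TLS
# connection smtpd established, so weak protocols or ciphers stand out.
tls_sessions() {
    sed -n 's/.*TLS connection established from \([^ ]*\): \([^ ]*\) with cipher \([^ ]*\).*/\1 \2 \3/p' "$1"
}

# plaintext_auth LOG: prints the sasl_username of every client that
# authenticated without a "TLS connection established" line from the same
# smtpd process. With smtpd_tls_auth_only = yes this must print nothing;
# anything listed sent its password in the clear.
plaintext_auth() {
    awk '
        /TLS connection established/ {
            split($0, a, /smtpd\[/); split(a[2], b, /\]/); tls[b[1]] = 1
        }
        /sasl_username=/ {
            split($0, a, /smtpd\[/); split(a[2], b, /\]/)
            if (!(b[1] in tls)) { sub(/.*sasl_username=/, ""); print $1 }
        }
    ' "$1"
}

# write_samples DIR: constructed sample data (not real captures) written to
# DIR/ehlo.txt and DIR/maillog. Process 28817 did STARTTLS before AUTH;
# process 28901 authenticated in plaintext.
write_samples() {
    cat > "$1/ehlo.txt" <<'EOF'
220 smtp.example.test ESMTP Postfix
250-smtp.example.test
250-PIPELINING
250-SIZE 10240000
250-STARTTLS
250-ENHANCEDSTATUSCODES
250 DSN
EOF
    cat > "$1/maillog" <<'EOF'
Jul 12 14:25:10 smtp postfix/smtpd[28817]: connect from unknown[192.0.2.10]
Jul 12 14:25:11 smtp postfix/smtpd[28817]: TLS connection established from unknown[192.0.2.10]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jul 12 14:25:12 smtp postfix/smtpd[28817]: B3A0A9D8443: client=unknown[192.0.2.10], sasl_method=PLAIN, sasl_username=user1@example.test
Jul 12 14:26:02 smtp postfix/smtpd[28901]: connect from unknown[192.0.2.20]
Jul 12 14:26:03 smtp postfix/smtpd[28901]: C4B1B9D8450: client=unknown[192.0.2.20], sasl_method=LOGIN, sasl_username=user2@example.test
EOF
}

# Usage: sh tls_check.sh EHLO_TRANSCRIPT MAILLOG
if [ $# -eq 2 ]; then
    ehlo_offers "$1" STARTTLS && echo "STARTTLS offered" || echo "STARTTLS missing"
    ehlo_offers "$1" AUTH && echo "AUTH offered before STARTTLS" || echo "AUTH hidden until STARTTLS"
    echo "TLS sessions:"; tls_sessions "$2"
    echo "Plaintext logins:"; plaintext_auth "$2"
fi
```

Capture the transcript with the telnet session shown above (or openssl s_client -starttls smtp, which also shows the negotiated cipher), and point the second argument at /var/log/maillog.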

You can use the same SSL certificates with the Dovecot secure IMAPS / POP3S server.

See also:

If you just need a self-signed Postfix SSL certificate, please see this tutorial for more information.

Updated for accuracy.


1 BOK July 12, 2007 at 9:28 pm

I was using Postfix with SASL before but it seems it's not needed anymore: just compile in TLS.
One thing: I get this warning on PF v2.4.3.1:

warning: support for restriction "check_relay_domains" will be removed from Postfix; use "reject_unauth_destination" instead

so it’s best to adapt that specific line, I guess…

Reply

2 BOK July 12, 2007 at 9:40 pm

Oops… add this information too, since I forgot to mention I use SASL through the Dovecot IMAP/POP server:
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth

Reply

3 Raj July 12, 2007 at 9:41 pm

BOK says: just compile in TLS.

How do I find out whether my postfix is compiled with TLS? Any idea?

TIA

Reply

4 BOK July 12, 2007 at 9:53 pm

One is the maillog saying:
warning: TLS has been selected, but TLS support is not compiled in
Two is: when using the above telnet command to port 25, "STARTTLS" is missing.
FYI: FreeBSD is offering me the option to compile Postfix with TLS and SSL when running "make config".

Reply

5 nixCraft July 13, 2007 at 9:47 am

Bok,

Thanks, I've an old version, maybe I will update tonight :)

Reply

6 Teja August 7, 2007 at 10:38 am

Hi,
I have Redhat Linux Ent Ed. 4 and Oracle Application Server 10g Release 2.
I created the key using the following commands.
$ openssl genrsa -des3 -out vcb.key 1024
$ openssl req -new -key vcb.key -out vcb.csr

Now I got the certificate from the CA.

Please guide me how I can install the SSL.
Regards,
teja
Abu Dhabi, UAE

Reply

7 Juha Vehnia January 27, 2009 at 2:43 pm

In order to get this to work you also must install Dovecot and enable the SASL authentication server.

yum install dovecot

To enable the authentication server, edit /etc/dovecot.conf and add the following:

/some/where/dovecot.conf:
auth default {
  mechanisms = plain login
  passdb pam {
  }
  userdb passwd {
  }
  socket listen {
    client {
      path = /var/spool/postfix/private/auth
      mode = 0660
      user = postfix
      group = postfix
    }
  }
}

Finally restart the Dovecot IMAP server with the command:

/etc/init.d/dovecot restart

Reply

8 Eranga Wasantha May 5, 2009 at 7:59 am

The error when testing the email is:
Send Test Email Message: The specified server was found, but there was no response from the server. Please verify that the port and SSL information is correct. To access these settings close this dialogue, then click More Settings on the Advanced tab.

Log Onto Incoming Mail Server (POP 3): The specified server was found, but there was no response from the server. Please verify that the port and SSL information is correct. To access these settings close this dialogue, then click More Settings on the Advanced tab.

Reply

9 Leonardo June 10, 2011 at 8:31 pm

Hi, the certificate used for postfix is the same used on the webserver or is it a specific certificate for this?

Reply

10 Nate July 6, 2011 at 3:03 pm

Hi,

I have a question about securing the server-to-server communications with postfix. What needs to be done to force the use of TLS enabled connections?

Reply

11 pawan saini October 17, 2011 at 4:41 pm

I am using postfix with SASL & TLS. The issue is when I telnet to the postfix server on port 25 it shows the following output

220 pawansaini.com ESMTP Postfix
ehlo pawansaini.com
250-pawansaini.com
250-PIPELINING
250-SIZE 10240000
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

1) why doesn't it show the AUTH parameters?
2) when I remove the TLS then it shows the AUTH parameter in EHLO?

Reply

12 david mark May 13, 2012 at 1:44 am

Pls I need to install SMTP to be able to send millions of emails in 5 minutes. I don't know how to install CentOS 5 or Postfix; I need someone to help me out.

Reply

13 Charlie Nielsen June 10, 2012 at 11:09 pm

Please note that the above is considered insecure now. You'll need a key length of 2048 bits, so try this one instead:

openssl req -nodes -newkey rsa:2048 -keyout smtp.theos.in.key -out smtp.theos.in.csr

Reply

14 ugh July 30, 2013 at 7:58 pm

“Open postfix smtp configuration file” is a massive tutorial fail because

“golly, sure hope i pick the right file”

"stfu noob, everybody knows it's main.cf. Were you raised in a barn?"

Reply

15 AJ February 23, 2014 at 1:41 pm

I followed your instructions but it seems I am not capable enough to make something like this. May I know how I can remove the directory or files created using this tutorial to reset or bring Postfix back to its original setting files?

Reply

16 dxman April 1, 2014 at 5:59 pm

Admin,
My postfix is sending spam mails; the mail queue is showing that Gmail or Yahoo accounts are sending mail to their own email address. For example, if the email is abc@gmail.com then in mail.q it is like this:
from labc@gmail.com to abc@gmail.com

Please suggest what to do.

Reply
