After securing mail relaying between Postfix as a smarthost and Postfix on a road-warrior, the next step is securing the transport path. E-mail is clear text! Every machine along the way can read it! Think about an open WLAN: the hotspot provider can read your mail!
I've tested this setup with Debian Etch and Lenny (Postfix 2.3.8-2+etch1 and 2.5.5-1.1).
First you need certificates. In this setup they are used to encrypt the mail transport, NOT for authentication, so you need no officially certified certificate: you can create self-signed certificates or use a service such as CAcert.org.
First set up your Postfix smarthost. Edit /etc/postfix/main.cf and add the following lines:
# sending over TLS/SSL
smtp_tls_security_level = may
Now every communication with other mail servers that offer TLS is automatically encrypted (NOT authenticated, unlike HTTPS). Every certificate is accepted, self-signed ones included.
To offer TLS to other MTAs, add these lines to your /etc/postfix/main.cf:
# receiving over TLS/SSL
smtpd_tls_security_level = may
# Keys and Certs
# only needed to verify the certificate
smtpd_tls_CAfile = /etc/postfix/<your-CACert.pem>
# path to your private key (only root should have permissions on it)
smtpd_tls_key_file = /etc/postfix/<your-private-key.pem>
# path to your public cert
smtpd_tls_cert_file = /etc/postfix/<your-public-cert.pem>
Enable an additional info header that records the use of TLS, and logging of TLS sending and receiving activity:
# TLS logging
# log entry for sending over TLS
smtp_tls_loglevel = 1
# log entry for receiving over TLS
smtpd_tls_loglevel = 1
# add an info-header line
smtpd_tls_received_header = yes
If you upgrade from an older version of Postfix under Debian, you may have the following lines in main.cf:
smtpd_tls_session_cache_database = btree:${spool_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${spool_directory}/smtp_scache
Remove these lines and use the defaults, or change them to (see the bug report):
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
Set up your road-warrior.
For the road-warrior's outgoing mail, set smtp_tls_security_level to encrypt or fingerprint (see http://www.postfix.org/postconf.5.html#smtp_tls_security_level):
# Certificate fingerprint verification (Postfix ≥ 2.5).
# The CA-less `fingerprint` security level only scales to a limited
# number of destinations. As a global default rather than a per-site
# setting, this is practical when mail for all recipients is sent
# to a central mail hub.
relayhost = [mailhub.example.com]
# or
transport_maps = hash:/etc/postfix/transport
smtp_tls_security_level = fingerprint
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_mandatory_ciphers = high
# default is md5
smtp_tls_fingerprint_digest = sha1
# get the fingerprint with: openssl x509 -fingerprint -noout -sha1 -in server-cert.pem
smtp_tls_fingerprint_cert_match =
    3D:95:34:51:24:66:33:B9:D2:40:99:C0:C1:17:0B:D1
    EC:3B:2D:B0:5B:B1:FB:6D:20:A3:9D:72:F6:8D:12:35
See also http://www.postfix.org/postconf.5.html#smtpd_tls_auth_only.
Info header and logging, as on the smarthost:
smtpd_tls_received_header = yes
smtpd_tls_loglevel = 1
smtp_tls_loglevel = 1
Failed verifications show up in the log as 'certificate verification failed'.
CA file used to verify the smarthost's certificate:
smtp_tls_CAfile = /etc/postfix/CAcert.pem
See http://www.postfix.org/TLS_README.html.
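As an added example, not part of the original page or of Postfix: a small Python audit of main.cf for the settings above. It parses Postfix's continuation-line syntax (used by the multi-line smtp_tls_fingerprint_cert_match), flags a missing security level, the ${spool_directory} session-cache leftover, and fingerprints whose octet count does not match smtp_tls_fingerprint_digest; note that the two fingerprints in the notes above are 16 octets (MD5 length) while the digest is set to sha1 (20 octets), so they would never match a real SHA-1 fingerprint. The sample main.cf is constructed from this page's settings; DIGEST_BYTES and the function names are my own.

```python
import re

# Constructed sample main.cf fragment made from the settings shown on this page
# (the two fingerprints are the ones in the road-warrior notes above).
SAMPLE_MAIN_CF = """\
# sending over TLS/SSL
smtp_tls_security_level = fingerprint
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_fingerprint_digest = sha1
smtp_tls_fingerprint_cert_match =
    3D:95:34:51:24:66:33:B9:D2:40:99:C0:C1:17:0B:D1
    EC:3B:2D:B0:5B:B1:FB:6D:20:A3:9D:72:F6:8D:12:35
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${spool_directory}/smtpd_scache
"""

DIGEST_BYTES = {"md5": 16, "sha1": 20, "sha256": 32}  # octets a fingerprint must have


def parse_main_cf(text):
    """Parse main.cf text into a dict. A line starting with whitespace continues the previous value."""
    params, key = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and key is not None:
            params[key] += " " + raw.strip()
            continue
        key, _, value = (s.strip() for s in raw.partition("="))
        params[key] = value
    return params


def audit_tls(params):
    """Return a list of findings for the TLS settings discussed on this page."""
    findings = []
    for name, what in (("smtp_tls_security_level", "outgoing mail goes in clear text"),
                       ("smtpd_tls_security_level", "no TLS is offered to peers")):
        if params.get(name, "") in ("", "none"):
            findings.append(f"{name} is not set: {what}")
    if params.get("smtp_tls_security_level") == "fingerprint":
        digest = params.get("smtp_tls_fingerprint_digest", "md5")  # Postfix default is md5
        want = DIGEST_BYTES.get(digest)
        for fp in re.split(r"[\s,]+", params.get("smtp_tls_fingerprint_cert_match", "")):
            got = len(fp.split(":"))
            if fp and got != want:
                findings.append(f"fingerprint {fp} has {got} octets but {digest} produces {want}")
    for name in ("smtpd_tls_session_cache_database", "smtp_tls_session_cache_database"):
        if "${spool_directory}" in params.get(name, ""):  # Debian upgrade leftover described above
            findings.append(f"{name} uses ${{spool_directory}}; use ${{data_directory}} or the default")
    return findings
```

Run `audit_tls(parse_main_cf(open("/etc/postfix/main.cf").read()))` on a real box to check your own main.cf; the sample above yields three findings.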
Disclaimer
No liability for the contents of this document can be accepted. Use the concepts, examples and information at your own risk. There may be errors and inaccuracies that could damage your system. Proceed with caution; although this is highly unlikely, the author does not take any responsibility. All copyrights are held by their respective owners, unless specifically noted otherwise. Use of a term in this document should not be regarded as affecting the validity of any trademark or service mark. Naming of particular products or brands should not be seen as an endorsement.
