daily system administration

Linux, Debian and the rest
any questions or comments: Tom@d7031.de

Postfix and TLS (outdated)

After securing mail relaying between Postfix as smarthost and Postfix on a road warrior, the next step is securing the transport path. E-mail is clear text! Every machine on the way can read it. Think of an open WLAN: the hotspot provider can read your mail!

I’ve tested this setup with Debian Etch and Lenny (Postfix 2.3.8-2+etch1 and 2.5.5-1.1).

First you need certificates. In this setup they are used to encrypt the mail transport, NOT for authentication, so you do not need an officially signed certificate: you can create self-signed certificates or use a service such as CAcert.org. (The fingerprint setup for the road warrior below pins the smarthost's certificate directly, which likewise works without a CA signature.)

First set up your Postfix smarthost.

Edit /etc/postfix/main.cf

Add the following lines:

# sending over TLS/SSL
smtp_tls_security_level = may

Now every connection to other mail servers which offer STARTTLS is automatically encrypted (NOT authenticated, unlike HTTPS). Every certificate is accepted, including self-signed ones. Because the peer is not authenticated, "may" only protects against passive eavesdropping: an active attacker on the path can still strip the STARTTLS offer or present his own certificate, and Postfix will happily deliver anyway. That is what the fingerprint setup for the road warrior further down addresses.

To offer TLS to other MTAs, add these lines to your /etc/postfix/main.cf:

# receiving over TLS/SSL
smtpd_tls_security_level = may

# Keys and Certs
# CA certificate(s); only needed if client certificates are to be verified
# (the CA chain is also sent to clients that want to verify our certificate)
smtpd_tls_CAfile = /etc/postfix/<your-CACert.pem>
# path to your private key (only root should have permissions on it: chmod 600)
smtpd_tls_key_file = /etc/postfix/<your-private-key.pem>
# path to your public cert
smtpd_tls_cert_file = /etc/postfix/<your-public-cert.pem>

Enable an additional info header about TLS use, and log TLS sending and receiving activity:

# TLS logging
# log entry for sending over TLS
smtp_tls_loglevel = 1
# log entry for receiving over TLS
smtpd_tls_loglevel = 1
# add an info header line (Received: ... (using TLSv1.x with cipher ...))
smtpd_tls_received_header = yes
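With loglevel 1 both smtp(8) and smtpd(8) log one summary line per TLS handshake, prefixed with the trust level Postfix assigned to the peer (Anonymous, Untrusted, Trusted or Verified). The following script is an added example, not code from the original page: it parses such lines from mail.log, counts handshakes per daemon and trust level, and lists peers that were only encrypted but never authenticated, or that negotiated an obsolete protocol. The log lines are constructed samples in the shape Postfix writes; host names, IPs and queue IDs are made up.

```python
import re
from collections import Counter

# Constructed sample mail.log excerpt (not from the original page). The line
# shapes are what Postfix writes with smtp_tls_loglevel = 1 / smtpd_tls_loglevel = 1;
# hosts, addresses and the queue ID are invented.
SAMPLE_LOG = """\
Mar  3 10:01:12 smarthost postfix/smtp[2231]: Untrusted TLS connection established to mx.example.org[192.0.2.10]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Mar  3 10:02:40 smarthost postfix/smtpd[2290]: Anonymous TLS connection established from roadwarrior.example.net[203.0.113.5]: TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)
Mar  3 10:03:05 smarthost postfix/smtp[2231]: Verified TLS connection established to mailhub.example.com[198.51.100.2]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Mar  3 10:04:19 smarthost postfix/smtp[2312]: Untrusted TLS connection established to legacy.example.org[192.0.2.77]:25: SSLv3 with cipher DES-CBC3-SHA (168/168 bits)
Mar  3 10:05:00 smarthost postfix/smtp[2312]: 1A2B3C4D5E: to=<bob@example.org>, relay=mx.example.org[192.0.2.10]:25, delay=1.2, delays=0.1/0/0.8/0.3, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued)
"""

# "to host[ip]:port:" is logged by smtp(8), "from host[ip]:" by smtpd(8).
TLS_LINE = re.compile(
    r"postfix/(?P<daemon>smtpd?)\[\d+\]: "
    r"(?P<trust>Anonymous|Untrusted|Trusted|Verified) TLS connection established "
    r"(?:to|from) (?P<peer>\S+?)(?::\d+)?: "
    r"(?P<proto>\S+) with cipher (?P<cipher>\S+)"
)

# Protocol versions that are either disabled in the page's config (SSLv2/SSLv3)
# or formally deprecated since (TLSv1, TLSv1.1).
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def parse_tls_lines(log_text):
    """Return one dict per TLS handshake line; all other log lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = TLS_LINE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def summarize(events):
    """Count handshakes per (daemon, trust level) and flag peers needing attention.

    Anonymous = no certificate at all, Untrusted = certificate presented but not
    verified. Both mean the link was encrypted but the peer was never authenticated.
    """
    by_trust = Counter((e["daemon"], e["trust"]) for e in events)
    unauthenticated = sorted({e["peer"] for e in events
                              if e["trust"] in ("Anonymous", "Untrusted")})
    weak_protocol = sorted({(e["peer"], e["proto"]) for e in events
                            if e["proto"] in WEAK_PROTOCOLS})
    return {"by_trust": by_trust,
            "unauthenticated": unauthenticated,
            "weak_protocol": weak_protocol}


if __name__ == "__main__":
    report = summarize(parse_tls_lines(SAMPLE_LOG))
    for (daemon, trust), n in sorted(report["by_trust"].items()):
        print(f"{daemon:5s} {trust:10s} {n}")
    print("encrypted but unauthenticated:", *report["unauthenticated"], sep="\n  ")
    print("obsolete protocol:", *report["weak_protocol"], sep="\n  ")
```

Run it against a real log with `python3 tlslog.py < /var/log/mail.log` after replacing SAMPLE_LOG with `sys.stdin.read()`. Remember that at loglevel 1 a delivery without TLS leaves no TLS line at all, so a peer that never shows up here was talked to in clear text.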

If you upgrade from an older version of Postfix under Debian, it is possible that you have the following lines in main.cf:
smtpd_tls_session_cache_database = btree:${spool_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${spool_directory}/smtp_scache

Remove these lines and use the defaults, or change them as follows (see bug report). Since Postfix 2.5 the TLS session caches are maintained by the unprivileged tlsmgr(8) daemon and belong under $data_directory, not under the root-owned $spool_directory:

smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

Set up your road warrior.

encrypt only, or verify the smarthost by fingerprint


# Certificate fingerprint verification (Postfix ≥ 2.5).
# The CA-less `fingerprint` security level only scales to a limited
# number of destinations. As a global default rather than a per-site
# setting, this is practical when mail for all recipients is sent
# to a central mail hub.
relayhost = [mailhub.example.com]
# or
transport_maps = hash:/etc/postfix/transport

smtp_tls_security_level = fingerprint
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_mandatory_ciphers = high

# default was md5 in these Postfix versions (newer releases default to sha256);
# md5 is not collision resistant, so use at least sha1, or sha256 if your
# openssl supports it
smtp_tls_fingerprint_digest = sha1

# get the fingerprint with openssl x509 -fingerprint -noout -sha1 -in server-cert.pem
smtp_tls_fingerprint_cert_match =


smtpd_tls_received_header = yes
smtpd_tls_loglevel = 1
smtp_tls_loglevel = 1

To avoid log entries like ‘certificate verification failed’, additionally point smtp_tls_CAfile at the CA that signed the smarthost's certificate:
smtp_tls_CAfile = /etc/postfix/CAcert.pem
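The fingerprint that goes into smtp_tls_fingerprint_cert_match is the digest of the DER encoding of the certificate the smarthost actually serves from smtpd_tls_cert_file, in the colon-separated upper-case form that `openssl x509 -fingerprint` prints. The following script is an added example, not code from the original page: it reads a PEM certificate, computes that fingerprint with the chosen digest, and emits the main.cf fragment for the road warrior, optionally with several fingerprints so the smarthost's certificate can be rotated without breaking delivery. The certificate bytes it hashes are a constructed stand-in (the string "abc") rather than a real certificate, so that the output can be checked against a known hash; drop in a real PEM file to use it.

```python
import base64
import hashlib
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

# Constructed stand-in for a PEM certificate: the "DER" payload is just b"abc".
# A real file from smtpd_tls_cert_file has the same outer shape.
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(b"abc").decode() + "\n"
              "-----END CERTIFICATE-----\n")


def pem_to_der(pem_text):
    """Return the DER bytes of the first CERTIFICATE block in the PEM text."""
    m = PEM_BLOCK.search(pem_text)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def fingerprint(der, digest="sha1"):
    """Digest of the DER encoding, formatted like `openssl x509 -fingerprint`.

    Postfix hashes the same DER bytes, so this value is what
    smtp_tls_fingerprint_cert_match must contain for the chosen
    smtp_tls_fingerprint_digest.
    """
    if digest not in ("md5", "sha1", "sha256"):
        raise ValueError("unsupported digest: " + digest)
    hexdigest = hashlib.new(digest, der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def main_cf_fragment(der_certs, digest="sha1"):
    """main.cf lines pinning the given certificate(s) for the central mail hub.

    Listing the old and the new certificate during a rotation keeps delivery
    working until the road warrior's config is updated again.
    """
    lines = [
        "smtp_tls_security_level = fingerprint",
        "smtp_tls_fingerprint_digest = " + digest,
        "smtp_tls_fingerprint_cert_match =",
    ]
    # continuation lines start with whitespace, as Postfix's main.cf expects
    lines += ["    " + fingerprint(der, digest) for der in der_certs]
    return "\n".join(lines)


if __name__ == "__main__":
    der = pem_to_der(SAMPLE_PEM)
    print(main_cf_fragment([der], "sha1"))
```

Verify the value against the smarthost itself with `openssl x509 -fingerprint -noout -sha1 -in /etc/postfix/<your-public-cert.pem>` (the command from the config comment above); the two strings must match character for character, and a mismatch after a certificate renewal is exactly the case the multi-fingerprint form is for.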