daily system administration

Linux, Debian and the rest
any questions or comments: Tom@d7031.de

Postfix and TLS (outdated)

After securing the mail relaying between Postfix as smarthost and Postfix on a road-warrior, the next step is securing the transport path. E-mail is clear text! Every machine on the path can read it! Think about an open WLAN: the hotspot provider can read your mail!

I’ve tested this setup with Debian Etch and Lenny (Postfix 2.3.8-2+etch1 and 2.5.5-1.1).

First you need certificates. In this setup they are used to encrypt the mail transport, NOT for authentication, so you need no officially certified version: you can create self-signed certificates or use a service like CACert.org.

First set up your Postfix smarthost.

Edit /etc/postfix/main.cf

Add the following lines:

# sending over TLS/SSL
smtp_tls_security_level = may

Now every communication with other mail servers that offer TLS is automatically encrypted (NOT authenticated, unlike https). Every certificate is accepted, including self-signed ones.

To offer TLS to other MTAs, add these lines to your /etc/postfix/main.cf:

# receiving over TLS/SSL
smtpd_tls_security_level = may

# Keys and Certs
# only needed to verify the certificate
smtpd_tls_CAfile = /etc/postfix/<your-CACert.pem>
# path to your private key (only root should have permissions on it)
smtpd_tls_key_file = /etc/postfix/<your-private-key.pem>
# path to your public cert
smtpd_tls_cert_file = /etc/postfix/<your-public-cert.pem>

Enable an additional info header about the use of TLS, and log TLS sending and receiving activity:

# TLS logging
# log entry for sending over TLS
smtp_tls_loglevel = 1
# log entry for receiving over TLS
smtpd_tls_loglevel = 1
# add an info-header line
smtpd_tls_received_header = yes


If you upgrade from an older version of Postfix under Debian, you may have the following lines in main.cf:
smtpd_tls_session_cache_database = btree:${spool_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${spool_directory}/smtp_scache

Remove these lines and use the defaults, or change them to (see the bug report):

smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

Set up your road-warrior.

For smtp_tls_security_level use encrypt or fingerprint (see http://www.postfix.org/postconf.5.html#smtp_tls_security_level).

http://www.backports.org

# Certificate fingerprint verification (Postfix ≥ 2.5).
# The CA-less `fingerprint` security level only scales to a limited
# number of destinations. As a global default rather than a per-site
# setting, this is practical when mail for all recipients is sent
# to a central mail hub.
relayhost = [mailhub.example.com]
# or
transport_maps = hash:/etc/postfix/transport

smtp_tls_security_level = fingerprint
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_mandatory_ciphers = high

# default is md5
smtp_tls_fingerprint_digest = sha1

# get the fingerprint with: openssl x509 -fingerprint -noout -sha1 -in server-cert.pem
# Continuation lines must start with whitespace; list one fingerprint per line.
# Note: a sha1 fingerprint is 20 bytes (40 hex digits). The two values below are
# 16 bytes long (the md5 length) and would never match with digest = sha1; replace
# them with the sha1 output of the openssl command above.
smtp_tls_fingerprint_cert_match =
    3D:95:34:51:24:66:33:B9:D2:40:99:C0:C1:17:0B:D1
    EC:3B:2D:B0:5B:B1:FB:6D:20:A3:9D:72:F6:8D:12:35

http://www.postfix.org/postconf.5.html#smtpd_tls_auth_only

smtpd_tls_received_header = yes
smtpd_tls_loglevel = 1
smtp_tls_loglevel = 1

To avoid log entries like ‘certificate verification failed’, point smtp_tls_CAfile at the CA certificate:
smtp_tls_CAfile = /etc/postfix/CAcert.pem
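To check a main.cf against the points above (whitespace-continued values, fingerprint length versus the configured digest, old session-cache paths under ${spool_directory}), here is an added Python example; it is not part of the original post or of Postfix itself, only these three digests are handled, and the sample config is constructed from the road-warrior settings above.

```python
# Fingerprint length in bytes for the digests Postfix accepts in
# smtp_tls_fingerprint_digest (assumption: only these three are checked here).
DIGEST_BYTES = {"md5": 16, "sha1": 20, "sha256": 32}

def parse_main_cf(text):
    """'name = value' lines; leading whitespace continues the previous value."""
    params, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank or comment line
        if line[0] in " \t":  # continuation of the previous logical line
            if current is None:
                raise ValueError("continuation line before any parameter")
            params[current] = (params[current] + " " + line.strip()).strip()
            continue
        name, _, value = line.partition("=")
        current = name.strip()
        params[current] = value.strip()
    return params

def check_tls(params):
    """Return a list of problems in the TLS settings; [] when none found."""
    issues = []
    level = params.get("smtp_tls_security_level", "none")
    if level == "none":
        issues.append("smtp_tls_security_level=none: outbound mail goes in clear text")
    if level == "fingerprint":
        digest = params.get("smtp_tls_fingerprint_digest", "md5")  # Postfix default
        want = DIGEST_BYTES.get(digest)
        fps = params.get("smtp_tls_fingerprint_cert_match", "").replace(",", " ").split()
        for fp in fps:  # a wrong-length fingerprint can never match any certificate
            got = len(fp.split(":"))
            if want and got != want:
                issues.append(f"{fp}: {got} bytes, but {digest} fingerprints have {want}")
    for p in ("smtp_tls_session_cache_database", "smtpd_tls_session_cache_database"):
        if "${spool_directory}" in params.get(p, ""):
            issues.append(f"{p} is under ${{spool_directory}}; use ${{data_directory}}")
    return issues

# Constructed sample: the road-warrior settings above plus the old cache paths.
SAMPLE_MAIN_CF = """\
relayhost = [mailhub.example.com]
smtp_tls_security_level = fingerprint
smtp_tls_fingerprint_digest = sha1
smtp_tls_fingerprint_cert_match =
    3D:95:34:51:24:66:33:B9:D2:40:99:C0:C1:17:0B:D1
    EC:3B:2D:B0:5B:B1:FB:6D:20:A3:9D:72:F6:8D:12:35
smtp_tls_session_cache_database = btree:${spool_directory}/smtp_scache
smtpd_tls_session_cache_database = btree:${spool_directory}/smtpd_scache
"""
```

Running check_tls(parse_main_cf(SAMPLE_MAIN_CF)) reports the two 16-byte fingerprints as unusable with sha1 and the two cache paths under ${spool_directory}.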

http://www.postfix.org/TLS_README.html

Tom