Securing `postfix` is an important part of managing an email server that is addressable on the Internet these days. One step in doing so is making sure that all connections use TLS. This hands-on lab will allow you to build a certificate chain and configure `postfix` to use that chain to encrypt data.
Learning Objectives
Successfully complete this lab by achieving the following learning objectives:
- Generate the SSL Certificate
  1. We need to create the key and CSR (Certificate Signing Request). We’ll also need to work as the root user, so elevating now will save time.

     ```
     sudo -i
     openssl req -nodes -newkey rsa:2048 -keyout privatekey.key -out mail.csr
     ```

     This will ask for a bunch of information. Since we’re doing a self-signed certificate, we don’t need to fill all of it out; accept the defaults.
  2. Now we need to sign that request using the key we just generated.

     ```
     openssl x509 -req -days 365 -in mail.csr -signkey privatekey.key -out secure.crt
     ```

  3. Now we copy the key and certificate over to where postfix can use them.

     ```
     cp {privatekey.key,secure.crt} /etc/postfix
     ```
- Configure Postfix to use TLS
  - Run:

    ```
    vim /etc/postfix/main.cf
    ```

    Insert these lines at the end:

    ```
    smtpd_use_tls = yes
    smtpd_tls_cert_file = /etc/postfix/secure.crt
    smtpd_tls_key_file = /etc/postfix/privatekey.key
    smtp_tls_security_level = may
    ```

    Restart postfix:

    ```
    systemctl restart postfix
    ```

    Test the configuration:

    ```
    openssl s_client -connect localhost:25 -starttls smtp
    ```

    Scroll back and look at the certificate information. If it matches what you put in, everything worked correctly!
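Beyond eyeballing the `s_client` output, the result of both objectives can be checked from the files themselves. The script below is an added example, not part of the original lab: it reads the four settings from `main.cf`, confirms the certificate belongs to the configured key, and flags a key file that other local users can read. The function names are made up for this example.

```sh
#!/bin/sh
# Added example: post-lab checks. Paths are read from main.cf, not hard-coded.

# Print a main.cf parameter's value. Postfix keeps only the last assignment,
# and lines starting with whitespace or '#' are continuations or comments.
cf_get() {  # usage: cf_get MAIN_CF PARAM
    awk -F= -v k="$2" '
        /^[ \t#]/ || !/=/ { next }
        { key = $1; gsub(/[ \t]/, "", key) }
        key == k { val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val) }
        END { print val }' "$1"
}

# Succeed only if the key file grants nothing to group or other
# (the lab's -nodes option leaves the key unencrypted on disk).
key_perms_ok() {  # usage: key_perms_ok KEYFILE
    case "$(ls -ld "$1" 2>/dev/null)" in
        ????------*) return 0 ;;
        *) return 1 ;;
    esac
}

# Succeed only if the certificate carries the public half of the private key.
cert_matches_key() {  # usage: cert_matches_key CERT KEY
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Run every check against one main.cf; returns non-zero if any check fails.
audit_postfix_tls() {  # usage: audit_postfix_tls /etc/postfix/main.cf
    cf=$1; rc=0
    cert=$(cf_get "$cf" smtpd_tls_cert_file)
    key=$(cf_get "$cf" smtpd_tls_key_file)
    [ "$(cf_get "$cf" smtpd_use_tls)" = yes ] ||
        { echo "FAIL: smtpd_use_tls is not 'yes'"; rc=1; }
    [ "$(cf_get "$cf" smtp_tls_security_level)" = may ] ||
        { echo "FAIL: smtp_tls_security_level is not 'may'"; rc=1; }
    key_perms_ok "$key" ||
        { echo "FAIL: $key is accessible to group or other (chmod 600)"; rc=1; }
    cert_matches_key "$cert" "$key" ||
        { echo "FAIL: $cert does not match $key"; rc=1; }
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 ||
        { echo "FAIL: $cert is expired or unreadable"; rc=1; }
    return "$rc"
}
```

Source the file as root and run `audit_postfix_tls /etc/postfix/main.cf`; no output and a zero exit status mean every check passed. Both TLS settings in this lab are opportunistic, so a passing audit confirms the certificate setup, not that a peer which never issues STARTTLS is refused.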