
Thursday, November 21, 2019

SSL/TLS installation for a Postfix mail server


** You can buy an SSL certificate (a wildcard certificate) for your domain and download the following files:
tayabkhan_com.key
STAR_tayabkhan_com.crt
server.ca-bundle

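#OR
# Generate an unencrypted (-nodes) 2048-bit RSA private key (private.key) together
# with a certificate signing request (certreq.txt) to submit to the CA.
# openssl prompts interactively for the subject unless -subj is given; the
# Common Name / SAN must match the hostname mail clients and peers connect to.
openssl req -new -newkey rsa:2048 -nodes -out certreq.txt -keyout private.key
# The key is the server's secret: keep it root-owned and readable by root only.
chmod 600 private.key

# Directory referenced by the smtpd_tls_*_file settings in main.cf
mkdir -p /etc/postfix/ssl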

###### vi /etc/postfix/main.cf

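# tls config
# Opportunistic TLS for outbound (smtp) and inbound port-25 (smtpd) traffic.
# smtp_use_tls / smtpd_use_tls are the pre-2.3 spellings of the same setting
# and are overridden by *_tls_security_level when both are present, so only
# the security-level form is kept here.
smtp_tls_security_level = may
smtpd_tls_security_level = may
# Log remote servers that offered STARTTLS when TLS was not used
smtp_tls_note_starttls_offer = yes
# 0 = no TLS logging, 1 = one summary line per handshake; higher values are for debugging
smtpd_tls_loglevel = 1
# Record protocol and cipher in the Received: header
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
# Client-side session cache; $data_directory is expanded by Postfix itself
smtp_tls_session_cache_database = btree:$data_directory/smtp_tls_session_cache
tls_random_source = dev:/dev/urandom
# Never offer SSLv2/SSLv3, on opportunistic (port 25) or mandatory (submission)
# sessions; recent Postfix releases already default to this, older ones may not.
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
# Private key: root-owned, mode 0600, stored without a passphrase (Postfix
# cannot prompt for one at startup).
smtpd_tls_key_file = /etc/postfix/ssl/tayabkhan_com.key
# Server certificate; append the intermediate (chain) certificates to this
# file rather than relying on smtpd_tls_CAfile to complete the chain.
smtpd_tls_cert_file = /etc/postfix/ssl/STAR_tayabkhan_com.crt
# CA certificates trusted for verifying remote client certificates; Postfix may
# also use them to augment the server chain, but the cert file is the right place.
smtpd_tls_CAfile = /etc/postfix/ssl/server.ca-bundle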



##### vi /etc/postfix/master.cf
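# Port 25 (server-to-server) listener, shown here commented out as on the page;
# it has to be active for this host to receive mail from other servers.
#smtp      inet  n       -       n       -       -       smtpd
## for 587 port
# Submission (RFC 6409): STARTTLS is mandatory (encrypt) and only
# SASL-authenticated clients may relay; everyone else is rejected.
submission   inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
## for 465 port
# Implicit TLS (wrapper mode, no STARTTLS); same SASL-only relay policy.
smtps     inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject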

# service postfix restart

##### vi /etc/dovecot/dovecot.conf
# Dovecot 2.x syntax: a leading "<" reads the value from the named file.
# TLS is mandatory for IMAP/POP3 clients.
ssl = required
# NOTE(review): in Dovecot, ssl_ca is the trust store for verifying *client*
# certificates; it does not complete the chain sent to clients. Append the
# intermediate certificate(s) to the ssl_cert file instead.
ssl_ca = </etc/pki/tls/certs/server.ca-bundle
# Server certificate, followed by any intermediates, in PEM
ssl_cert = </etc/pki/tls/certs/STAR_tayabkhan_com.crt
# Private key: keep it root-owned with mode 0600. This is a second copy of the
# key Postfix reads from /etc/postfix/ssl/; both copies need updating on renewal.
ssl_key = </etc/pki/tls/private/tayabkhan_com.key
# Refuse LOGIN/PLAIN authentication over unencrypted connections
disable_plaintext_auth = yes


 /etc/dovecot/dovecot.conf has the following line (Dovecot 1.x syntax; in Dovecot 2.x "imaps" and "pop3s" are no longer protocol names — use "protocols = imap pop3" and enable the imaps/pop3s inet_listeners in conf.d/10-master.conf instead):
  protocols = imap pop3 imaps pop3s



Edit the /etc/dovecot/conf.d/10-ssl.conf file in the following way:
# Dovecot 1.x setting; the 2.x equivalent is "ssl = yes" (or "ssl = required"
# to refuse unencrypted connections outright).
ssl_disable = no

If you save the certificate and the private key in separate files:
  # Dovecot 1.x names; in 2.x these are ssl_cert and ssl_key, same "<file" form.
  ssl_cert_file = </etc/ssl/certs/certificate.crt
  # Private key: root-owned, mode 0600, kept under the private/ directory
  ssl_key_file = </etc/ssl/private/yourdomainname.key

 If you save the certificate and the private key in a single file:
  # Dovecot 1.x names (2.x: ssl_cert / ssl_key). Both point at one PEM file.
  # NOTE(review): that combined file contains the private key, so it must not
  # be world-readable; /etc/ssl/certs is typically readable by everyone, so
  # keep a combined file under /etc/ssl/private with mode 0600 instead.
  ssl_cert_file = </etc/ssl/certs/cert_and_key.crt
  ssl_key_file = </etc/ssl/certs/cert_and_key.crt