Configuring SSL/TLS For Postfix

100TB.com · Published in 20ms · Jun 21, 2017 · 3 min read

Most internet technologies are inherently insecure. For example, they transmit your data, and even your login credentials, between your computer and the server in plain text, where anyone on the path can read them. This is because most of these technologies were designed before the internet existed, for small independent networks where both the network and the systems on it could be trusted. Secure Sockets Layer (SSL) came about as a way to secure network communications between an application and a server that existing applications could use without having to implement their own encryption and security systems. But the question is, how can SSL help you?

What is an SSL?

Originally developed at Netscape, the technology’s descendant, Transport Layer Security (TLS), is what is in common use today. Many people still refer to it as SSL, not least because libraries such as OpenSSL and LibreSSL, which carry the old name, are what actually implement TLS.

Most people are familiar with using SSL with web servers and configuring HTTPS for secure connections. Many applications can use SSL to encrypt their connections, and email systems are no different.

This time we’ll look at how we can secure your Postfix mail server using SSL.

Take note that from this point forward we will be assuming that you are configuring a dedicated server or VPS on which Postfix is already installed and working.


You will need to have OpenSSL installed on the server before you can proceed. This is easily done with the commands below. For Debian/Ubuntu systems, use the following commands:

sudo apt-get update
sudo apt-get install openssl

For CentOS/RedHat users, you can use this command:

sudo yum install openssl

First, you will need an SSL certificate. If you already have one installed for the server’s hostname (e.g. server.example.com), it can be used for the Postfix mail server’s secure connections as well. Just make sure you configure your mail client to connect to the server’s hostname, and no further certificates are required.

If you are using a different domain name (e.g. www.example.com for the website and mail.example.com for the mail server), then you’ll need to generate a new certificate.

To make things easier to track we’ll keep the SSL certificate in its own directory, so we’ll create that with the following command:

sudo mkdir /etc/postfix/ssl

Now we’ll create the CSR needed to create the SSL certificate:

cd /etc/postfix/ssl
sudo openssl req -nodes -newkey rsa:2048 -keyout mail.example.com.key -out mail.example.com.csr

In the line above, change “mail.example.com” to the domain you have configured for your mail server.

The file name doesn’t need to be identical to the domain, but naming the files after the domain the certificate is for helps you keep track of your certificates.

Once this is done, you can apply for an SSL certificate from your chosen provider. When you have received your certificate, save it in the same directory on the server.

From here we’ll assume you’ve saved your certificate with the same name, so mail.example.com.crt. Also put any intermediate certificate files that came with your bundle in that directory.

Next we need to configure Postfix to use this SSL certificate.

This is done by editing the /etc/postfix/main.cf file and setting the TLS parameters. In the standard main.cf file that comes with Debian/Ubuntu this section already exists and will need adjusting to match the below.

On CentOS/RedHat systems you’ll need to add these directives to the main.cf file:

smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/postfix/ssl/mail.example.com.key
smtpd_tls_cert_file = /etc/postfix/ssl/mail.example.com.crt
smtpd_tls_CAfile = /etc/postfix/ssl/caroot.crt
smtpd_tls_loglevel = 1

As before, change mail.example.com to match your domain name that you are using on the server.

Also, you will need to change caroot.crt to match the file name of the certificate authority’s root certificate supplied in your certificate bundle. With these changes made, save and exit the file.
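Before reloading, it is worth checking that the files main.cf now points at are actually usable. The POSIX shell script below is an added example, not part of the original post: it reads the key, certificate and CA paths from a main.cf with the parameters set above, confirms each file is readable, that the private key is not group- or world-readable, that smtpd_tls_auth_only is enabled, and that the certificate really belongs to the private key. The helper names (pf_get, check_postfix_tls and friends) are my own, and an openssl binary is assumed.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check the Postfix TLS
# settings before reloading. Helper names are my own; openssl is assumed.

# Print the value of one main.cf parameter ("name = value"); if it is set
# more than once the last definition wins, as in Postfix itself.
pf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# Succeed only if the file is not readable by group or others (mode ?00).
key_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Succeed only if the certificate was issued for this private key: compare
# the public key embedded in the cert with the one derived from the key.
cert_matches_key() {
    cert_pub=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null) || return 1
    key_pub=$(openssl pkey -pubout -in "$2" 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Check one main.cf: returns 0 when the smtpd_tls_* settings are present and
# consistent, otherwise reports each problem found and returns 1.
check_postfix_tls() {
    cf=$1; rc=0
    key=$(pf_get "$cf" smtpd_tls_key_file)
    cert=$(pf_get "$cf" smtpd_tls_cert_file)
    ca=$(pf_get "$cf" smtpd_tls_CAfile)
    for f in "$key" "$cert" "$ca"; do
        [ -n "$f" ] && [ -r "$f" ] || { echo "missing or unreadable file: '$f'"; rc=1; }
    done
    [ "$(pf_get "$cf" smtpd_tls_auth_only)" = "yes" ] \
        || { echo "smtpd_tls_auth_only is not 'yes': AUTH would be offered without TLS"; rc=1; }
    if [ -r "$key" ]; then
        key_is_private "$key" || { echo "$key is readable by group/others"; rc=1; }
        if [ -r "$cert" ]; then
            cert_matches_key "$cert" "$key" || { echo "$cert does not match $key"; rc=1; }
        fi
    fi
    return $rc
}

# Usage: check_postfix_tls /etc/postfix/main.cf && sudo service postfix reload
```

On the running server, `postconf -n | grep smtpd_tls` shows the values Postfix actually loaded, and `openssl s_client -starttls smtp -connect mail.example.com:25 -servername mail.example.com </dev/null` confirms that STARTTLS is offered and shows the certificate chain being presented.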

You can now reload the Postfix config to begin using it.

sudo service postfix reload

Postfix should now accept incoming connections over SSL/TLS, so your email is encrypted while in transit between the server and your client.


Originally published at blog.100tb.com.
