
How to Install an SSL Certificate on Postfix

SSL Installation Guides


Configuring and Installing SSL Certificate on Postfix

Postfix is a popular open-source Mail Transfer Agent (MTA) widely used to route and deliver email. By default, however, Postfix exchanges mail over unencrypted connections, which exposes messages to eavesdropping and tampering. Installing an SSL certificate on Postfix lets it establish encrypted SMTP sessions using the TLS protocol, preventing unauthorized access to mail in transit. This guide walks through the entire process step by step: generating a CSR, obtaining a certificate from a CA, configuring Postfix, and verifying and troubleshooting the result.

Prerequisites Before Installing SSL Certificate on Postfix

  • A domain name pointing to the IP address of your Postfix server.
  • Administrative access to the Postfix server.
  • Root or sudo privileges on the Postfix server.

A Step-by-Step Guide to Install SSL Certificate on Postfix

Installing an SSL certificate on Postfix involves a few key steps:

Step 1 – Generate a CSR using OpenSSL

The first step is to generate a Certificate Signing Request (CSR) for your domain. The CSR contains information about your server and is submitted to the Certificate Authority (CA) to obtain an SSL certificate.

Here are the commands to generate a CSR using OpenSSL:

# Create the key and certificate request
openssl req -new -nodes -newkey rsa:2048 -keyout /etc/postfix/key.pem -out /etc/postfix/req.pem
# Follow the prompts to enter details about your organization
Country Name (2 letter code) [XX]:
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []: mail.yourdomain.com
Email Address []: admin@yourdomain.com
# Verify the CSR contents
openssl req -text -noout -in /etc/postfix/req.pem

The Common Name must match the hostname that clients will connect to with TLS, for example mail.yourdomain.com. Enter your organization details carefully: a CSR cannot be modified once generated, so a mistake means creating a new one.

The CSR and private key will be generated in the /etc/postfix directory.

Step 2 – Purchase an SSL Certificate

Next, you need to purchase an SSL certificate for your domain from a trusted Certificate Authority such as Comodo, Digicert, Secdigi etc.

While purchasing the certificate, you need to provide the CSR generated in the previous step.

You can typically choose between these types of SSL certificates:

  • Single domain – Secures only a single main domain like mail.yourdomain.com.
  • Wildcard – Secures unlimited subdomains like *.yourdomain.com.
  • Multi-domain/SAN – Secures multiple domains in a single certificate.

For securing Postfix, a single domain certificate is sufficient in most cases.

Once the purchase process is complete, the CA will email you the certificate files. Together with the private key you generated in Step 1, you should now have:

  • Certificate (CERT) – Contains your domain details and the CA’s signature.
  • Private Key – The key file you generated along with the CSR in Step 1; it stays on your server and is never sent to the CA.
  • Intermediate certificate – Chain-of-trust certificate signed by the Root CA.

Download these certificate files and copy them to the /etc/postfix directory on your server.

Step 3 – Install the SSL Certificate

Now we are ready to install the SSL certificate on the Postfix server.

Follow these steps to complete the installation:

3.1 Merge certificate files

The certificate from the CA contains only your domain certificate. We need to append the intermediate certificate so that clients can build a chain of trust up to a root certificate they already trust.

Run these commands to merge both certificates into a single file:

# Merge the domain certificate and the intermediate certificate into one PEM file (leaf first, then intermediate)
cat /etc/postfix/cert.pem /etc/postfix/intermediate.pem > /etc/postfix/combined.pem
# Append the private key to the same combined.pem file
cat /etc/postfix/key.pem >> /etc/postfix/combined.pem

This produces a single combined.pem file containing your domain certificate, the intermediate certificate, and the private key. Because it holds the private key, the file must be readable only by root.

3.2 Configure Postfix

Next, open the Postfix main configuration file:

nano /etc/postfix/main.cf

Add/modify the following parameters:

# Opportunistic TLS for inbound (smtpd) and outbound (smtp) connections:
# encrypt when the peer supports it, otherwise fall back to plain text
smtpd_tls_security_level = may
smtp_tls_security_level = may
# Certificate chain (domain certificate followed by the intermediate)
smtpd_tls_cert_file = /etc/postfix/combined.pem
# Private key; Postfix accepts the key in the same file as the certificate
smtpd_tls_key_file = /etc/postfix/combined.pem
# Additional settings
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
# Ciphers and protocols: disable SSLv2/SSLv3 and exclude anonymous, weak and
# static-RSA (non-forward-secret) suites; the *_mandatory_ciphers grade only
# applies when the security level is encrypt
smtpd_tls_mandatory_ciphers = high
smtpd_tls_protocols = !SSLv2,!SSLv3
smtpd_tls_exclude_ciphers = aNULL, LOW, EXP, MEDIUM, ADH, AECDH, MD5, DSS, ECDSA, CAMELLIA128, 3DES, CAMELLIA256, RSA+AES, eNULL
smtp_tls_mandatory_ciphers = high
smtp_tls_protocols = !SSLv2,!SSLv3
smtp_tls_exclude_ciphers = aNULL, LOW, EXP, MEDIUM, ADH, AECDH, MD5, DSS, ECDSA, CAMELLIA128, 3DES, CAMELLIA256, RSA+AES, eNULL

Save and exit the file once done.

3.3 Restart Postfix

The final step is to restart Postfix to load the new SSL configuration:

systemctl restart postfix

That’s it! Our Postfix server is now configured to use SSL/TLS encryption for secure email delivery.
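As an added check that is not part of the original guide, the following Python script lints the TLS settings from Step 3.2 (and the mandatory-TLS variant from Step 6) from main.cf text or from the output of postconf -n, which uses the same key = value form. It assumes the list syntax for *_tls_protocols used above (the ">=" shorthand of newer Postfix releases is not parsed), and the sample configurations are constructed for the demonstration.

```python
# Added illustration (not the guide's code): lint Postfix TLS settings from main.cf or `postconf -n` text.
import re

ALL_PROTOCOLS = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
LEGACY = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

def parse_main_cf(text):
    """Parse 'key = value' lines; '#' lines are comments, indented lines continue the previous value."""
    params, last = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        if raw[0].isspace() and last is not None:
            params[last] += " " + raw.strip()
            continue
        key, _, value = raw.partition("=")
        last = key.strip()
        params[last] = value.strip()
    return params

def enabled_protocols(value):
    """Postfix list semantics: '!NAME' removes from the full set; bare names select only those listed."""
    names = [n for n in re.split(r"[,\s]+", value) if n]
    wanted = [n for n in names if not n.startswith("!")]
    excluded = {n[1:] for n in names if n.startswith("!")}
    return [p for p in (wanted or ALL_PROTOCOLS) if p not in excluded]

def lint_tls(params):
    """Return findings for the inbound (smtpd) and outbound (smtp) sides; [] means nothing weak spotted."""
    findings = []
    for side in ("smtpd", "smtp"):
        level = params.get(f"{side}_tls_security_level", "none")  # Postfix default is none
        if level == "none":
            findings.append(f"{side}: TLS disabled (security_level=none)")
            continue
        if level == "may":
            findings.append(f"{side}: opportunistic TLS, plaintext fallback allowed")
        protos = params.get(f"{side}_tls_protocols", "!SSLv2,!SSLv3")  # default in recent Postfix releases
        legacy = [p for p in enabled_protocols(protos) if p in LEGACY]
        if legacy:
            findings.append(f"{side}: legacy protocols enabled: {', '.join(legacy)}")
    return findings

# Constructed sample: the guide's opportunistic settings, then the Step 6 mandatory variant with TLS 1.0/1.1 off.
GUIDE_CF = """smtpd_tls_security_level = may
smtp_tls_security_level = may
smtpd_tls_protocols = !SSLv2,!SSLv3
smtp_tls_protocols = !SSLv2,!SSLv3
"""
STRICT_CF = GUIDE_CF.replace("= may", "= encrypt").replace("!SSLv3", "!SSLv3,!TLSv1,!TLSv1.1")
```

Run against the guide's settings it reports that TLS 1.0 and 1.1 are still negotiable and that plaintext fallback is allowed; the strict variant produces no findings.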

Step 4 – Verify TLS Connection

Let’s confirm that TLS is working correctly on Postfix.

  • Use OpenSSL’s s_client utility to test the TLS connection. The -starttls smtp option is for the SMTP port (25, or 587 if the submission service is enabled); port 465 (SMTPS) uses implicit TLS, so it is tested without -starttls and only if the smtps service is enabled in master.cf:
openssl s_client -connect mail.yourdomain.com:25 -starttls smtp
openssl s_client -connect mail.yourdomain.com:465

If TLS has been enabled properly, the handshake completes and the output begins with the certificate chain, for example (a verify error line like the one below means the chain sent by the server is incomplete; see Step 5):

CONNECTED(00000003)
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify error:num=20:unable to get local issuer certificate

Step 5 – Troubleshooting Issues

In some cases, you may run into errors while testing the TLS connection with OpenSSL. Here are some common issues and how to fix them:

Certificate verification failed

If you see the error verify error:num=20:unable to get local issuer certificate, it means the intermediate and root certificates are missing from the file Postfix serves, so the client cannot build a chain to a trusted root.

To fix this, append the root and intermediate certificates from the CA to the combined.pem file:

cat intermediate.pem root.pem >> /etc/postfix/combined.pem

Then restart Postfix.

SMTP host rejected TLS connection

If the OpenSSL test shows SMTP error: TLS connect attempt failed, Postfix is refusing the TLS handshake.

Some things to check in the main.cf configuration:

  • Verify the filename paths to cert, key and CA bundle files are correct.
  • Ensure smtpd_tls_security_level is not set to encrypt, which forces mandatory encryption.
  • Check firewall rules to allow TCP port 465 and 587 connections.

Connection timed out

A timeout usually indicates a network firewall blocking the TLS SMTP port connections.

Make sure to open the ports 465 and 587 on the server firewall or security groups if running on a cloud server.

Also check that your network or ISP is not blocking outbound SMTP connections on those ports.

Certificate common name mismatch

Another potential error is: certificate common name doesn’t match the requested host name.

This means the common name in the SSL certificate does not match the domain name you are trying to secure.

To fix it, re-issue a new certificate with the correct common name matching the domain name of your Postfix server.

Step 6 – Forcing TLS Encryption

In the current configuration, TLS encryption is opportunistic. The client and server will use TLS if both support it, otherwise fall back to unencrypted connections.

To mandate TLS and reject unencrypted connections, set the parameters:

smtpd_tls_security_level = encrypt
smtp_tls_security_level = encrypt

This enforces encryption for all connections. However, clients that do not support TLS will be unable to deliver mail to your server, and with smtp_tls_security_level = encrypt Postfix will also defer outbound mail to remote servers that do not offer TLS rather than sending it in plain text.

Only set these parameters if you want TLS encryption to be mandatory with no fallback.

Conclusion on Install SSL Certificate on Postfix Server

Securing email traffic with SSL is an important step for protecting sensitive data and authenticating a Postfix server. This guide provided a detailed step-by-step approach to installing an SSL certificate on Postfix. It covered generating a certificate signing request, obtaining certificates from a CA, configuring Postfix’s main.cf file, and reloading the service. The FAQs below address topics such as the benefits of SSL, certificate types, installation behind proxies and troubleshooting errors. Following these practices ensures Postfix uses its certificate to encrypt SMTP traffic on port 465, preventing snooping and spoofing and authenticating the server to clients. Proper SSL implementation is key to securing a Postfix mail server.

Frequently Asked Questions about Install SSL Certificate on Postfix

What is Postfix and why should I use it?

Postfix is a free and open-source mail transfer agent (MTA) used for sending and receiving emails. It is popular for its security, stability, and scalability. Postfix is commonly used on Linux servers to route and deliver email securely.

What are the main benefits of using SSL on Postfix?

The main benefits of using SSL on Postfix include encrypting email traffic to prevent snooping and man-in-the-middle attacks, authenticating the Postfix server and proving its identity to clients, and allowing clients to send emails to Postfix securely over port 465 (SMTPS).

How do I generate a Certificate Signing Request (CSR) for Postfix?

To generate a CSR for Postfix, you need to use the OpenSSL toolkit. The basic commands are openssl req -new -newkey rsa:2048 -nodes -keyout YOURSERVER.key -out YOURSERVER.csr. This creates a private key and CSR file that can then be signed by a CA.

What type of SSL certificate is best for Postfix – domain validated (DV), organization validated (OV), or extended validation (EV)?

A DV SSL certificate is sufficient security-wise for encrypting Postfix email traffic. OV or EV certificates provide extra levels of validation but aren’t necessary for Postfix alone. A low-cost DV certificate from a reputed CA like Let’s Encrypt or Comodo is recommended.

How do I configure Postfix to use the SSL certificate after installation?

After installing the SSL certificate files, you need to edit the Postfix main.cf configuration file and set smtpd_tls_cert_file, smtpd_tls_key_file and related settings. Then run the command “postfix reload” to load the new configuration. Postfix will now use SSL on port 465 (SMTPS) by default.

My Postfix server is behind a reverse proxy. How do I install the SSL certificate?

If Postfix is behind a proxy server, you need to install the SSL certificate on the proxy, not Postfix directly. The proxy will terminate the SSL and send unencrypted traffic to Postfix. Configure the proxy to pass the client certificate information to Postfix. This allows proving the client identity without Postfix handling SSL.

I’m getting an error “SSL_accept failed”. How can I troubleshoot it?

Common causes of the “SSL_accept failed” error are an invalid certificate/key format or mismatch, certificate expiration, revoked/untrusted certificate, SMTPS port not being accessible, and Postfix misconfiguration. Check the certificate and key files, validity dates, firewall rules, and Postfix main.cf settings to resolve the issue. Enabling debug logging can also help troubleshoot.