postfix---tls

Discussion in 'Server Operation' started by hotchilli, Mar 9, 2006.

  1. hotchilli

    hotchilli New Member

    Is there a howto for adding TLS to postfix?

    hc:eek:
     
  2. falko

    falko Super Moderator Howtoforge Staff

    Which distribution do you use?
     
  3. hotchilli

    hotchilli New Member

    is there a HOWTO to add TLS to postfix

    Ubuntu Breezy Badger 5-10
     
  4. falko

    falko Super Moderator Howtoforge Staff

  5. hotchilli

    hotchilli New Member

    tls howto add to postfix

    Many thanks for your post.

    If I only need TLS and not SMTP-AUTH, would it be OK to just install postfix-tls?
    And what other packages, and from which line should I follow the howto, please?

    hotchili:)
     
  6. falko

    falko Super Moderator Howtoforge Staff

    I haven't tried without SMTP-AUTH yet. I think you should use SMTP-AUTH, or you will have an open relay for spammers...
     
  7. hotchilli

    hotchilli New Member

    postfix/TLS

    Here is what my main.cf looks like now:

    alias_database = hash:/etc/aliases
    alias_maps = hash:/etc/aliases
    command_directory = /usr/sbin
    config_directory = /etc/postfix
    daemon_directory = /usr/lib/postfix
    inet_interfaces = all
    mail_owner = postfix
    mailbox_command = /usr/bin/procmail
    mailq_path = /usr/bin/mailq
    manpage_directory = /usr/man
    mydestination = $myhostname, localhost.$mydomain, $mydomain
    myhostname = xstation.abcd.net
    mynetworks = 192.168.1.0/24, 127.0.0.0/8
    mynetworks_style = host
    myorigin = /etc/mailname
    newaliases_path = /usr/bin/newaliases
    sendmail_path = /usr/sbin/sendmail
    setgid_group = postdrop
    smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
    unknown_local_recipient_reject_code = 550



    What I want the TLS configuration to look like is something like this:

    # TLS configuration
    smtpd_use_tls = yes
    smtp_use_tls = yes
    smtp_tls_note_starttls_offer = yes
    smtpd_tls_auth_only = yes
    smtpd_tls_key_file = /etc/postfix/tls/xstation_mail_req.pem
    smtpd_tls_cert_file = /etc/postfix/tls/xstation_mail_cert.pem
    smtpd_tls_CAfile = /etc/postfix/tls/cacert.pem
    smtpd_tls_loglevel = 1
    smtpd_tls_received_header = yes
    smtpd_tls_session_cache_timeout = 3600s
    tls_random_source = dev:/dev/urandom
     
  8. falko

    falko Super Moderator Howtoforge Staff

    It's all described on the page I posted:

    Code:
    # Create a directory for the key material
    mkdir /etc/postfix/ssl
    cd /etc/postfix/ssl/
    # Generate a passphrase-protected RSA key, a CSR and a self-signed certificate
    openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024
    chmod 600 smtpd.key
    openssl req -new -key smtpd.key -out smtpd.csr
    openssl x509 -req -days 3650 -in smtpd.csr -signkey smtpd.key -out smtpd.crt
    # Strip the passphrase so Postfix can read the key at startup
    openssl rsa -in smtpd.key -out smtpd.key.unencrypted
    mv -f smtpd.key.unencrypted smtpd.key
    # mv replaced the file, so restrict the mode of the unencrypted key again
    chmod 600 smtpd.key
    # Create the CA certificate referenced by smtpd_tls_CAfile
    openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650
    
    # Write the TLS settings to main.cf
    postconf -e 'smtpd_tls_auth_only = no'
    postconf -e 'smtp_use_tls = yes'
    postconf -e 'smtpd_use_tls = yes'
    postconf -e 'smtp_tls_note_starttls_offer = yes'
    postconf -e 'smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key'
    postconf -e 'smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt'
    postconf -e 'smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem'
    postconf -e 'smtpd_tls_loglevel = 1'
    postconf -e 'smtpd_tls_received_header = yes'
    postconf -e 'smtpd_tls_session_cache_timeout = 3600s'
    postconf -e 'tls_random_source = dev:/dev/urandom'
    postconf -e 'myhostname = server1.example.com'
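
A check that can be run once the steps in post 8 are done, as an added example that is not part of the thread or the howto: it reads the effective values from a main.cf the way Postfix does (comments skipped, indented continuation lines, last assignment wins) and flags a key file that is still passphrase-protected or accessible by group/other, and a `tls_random_source` that does not point at a device. The function names `conf_get` and `audit_tls` are made up for this example, and it assumes the `smtpd_use_tls` style of configuration used in this thread.

```shell
#!/bin/sh
# Added example: audit the TLS settings discussed in this thread.

# conf_get FILE NAME: print the effective value of NAME, reading main.cf the
# way Postfix does: comments skipped, indented lines continue the previous
# parameter, and the last assignment wins.
conf_get() {
    awk -v want="$2" '
        /^[ \t]*(#|$)/ { next }
        /^[ \t]/ { sub(/^[ \t]+/, ""); if (name == want) val = val " " $0; next }
        {
            eq = index($0, "="); if (!eq) { name = ""; next }
            name = substr($0, 1, eq - 1); gsub(/[ \t]/, "", name)
            if (name == want) val = substr($0, eq + 1)
        }
        END { gsub(/^[ \t]+|[ \t]+$/, "", val); print val }' "$1"
}

# audit_tls FILE: print one finding per line; return 0 only if there are none.
audit_tls() {
    conf=$1 bad=0
    add() { echo "$1"; bad=1; }
    [ "$(conf_get "$conf" smtpd_use_tls)" = yes ] || add "smtpd_use_tls is not yes"
    key=$(conf_get "$conf" smtpd_tls_key_file)
    cert=$(conf_get "$conf" smtpd_tls_cert_file)
    [ -n "$cert" ] && [ -r "$cert" ] || add "certificate missing: $cert"
    if [ -z "$key" ] || [ ! -f "$key" ]; then
        add "key missing: $key"
    else
        # Postfix needs an unencrypted key, so the file mode is its only protection.
        grep -q ENCRYPTED "$key" && add "key is passphrase-protected: $key"
        # Characters 5-10 of the ls mode string are the group and other bits.
        [ "$(ls -ld "$key" | cut -c5-10)" = "------" ] ||
            add "key accessible by group/other: $key"
    fi
    rnd=$(conf_get "$conf" tls_random_source)
    case $rnd in
        dev:*) [ -c "${rnd#dev:}" ] || add "tls_random_source is not a device: $rnd" ;;
    esac
    [ "$bad" -eq 0 ]
}

# Usage: sh audit_tls.sh /etc/postfix/main.cf
if [ -n "${1:-}" ]; then audit_tls "$1"; fi
```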
     
  9. hotchilli

    hotchilli New Member

    Postfix /tls

    Thanks for your reply.

    Now that I have already installed Postfix and want to go ahead with
    your howto, what should I do: uninstall Postfix or just install the missing packages?

    hc:)
     
  10. hotchilli

    hotchilli New Member

    Postfix /tls

    If I want to specify the cipher DHE-RSA-AES256-SHA,
    what would the command line look like?
    Thanks

    HC:)
     
  11. falko

    falko Super Moderator Howtoforge Staff

    Install the missing packages.

    What exactly do you want to do?
     
  12. hotchilli

    hotchilli New Member

  13. falko

    falko Super Moderator Howtoforge Staff

    The creation of the TLS certificates is described in the tutorial I posted.
     
  14. hotchilli

    hotchilli New Member

    tls/postfix

    OK, I am set to start; just a few things to clear up first.

    a: In post 11 of this thread you said to install the missing packages.
    This has been done, but when installing postfix-tls the printout
    was---Note, selecting postfix instead of postfix-tls
    postfix is already the newest version.------


    b: In post 8 of this thread you showed a printout (--code--- etc.). Is this where in the howto I should begin, bearing in mind I have Postfix already configured (see post
    7 of this thread)?


    hc:) :) :)


    c:
     
  15. falko

    falko Super Moderator Howtoforge Staff

    Because you already installed it when you did the Postfix configuration.


    Begin here: http://www.howtoforge.com/perfect_setup_ubuntu_5.10_p3 and leave out the Postfix configuration.
     
  16. hotchilli

    hotchilli New Member

    tls/postfix

    Thanks for your post.

    Please can you highlight the part of the howto which should not be used.



    hc:)
     
  17. falko

    falko Super Moderator Howtoforge Staff

    Do not use the part you already did (the Postfix configuration). However, it doesn't cause problems if you do it again, so if you're in doubt, do the whole setup...
     
  18. hotchilli

    hotchilli New Member

    postfix/tls

    Thanks for your post Falko

    Since postfix is configured I will start here :

    http://www.howtoforge.com/perfect_setup_ubuntu_5.10_p4 as suggested
    in post 4 of this thread

    with the line: postconf -e 'smtpd_sasl_local_domain ='


    -----------------------------------------------------------

    In the line postconf -e 'smtpd_tls_auth_only = no'
    I will answer yes to this as this is a personal preference




    Hc:) :)
     
    Last edited: Mar 13, 2006
  19. falko

    falko Super Moderator Howtoforge Staff
