Configuring TLS

See CentOS.org’s Postfix/dovecot SASL and SSL/TLS guide for reference.

We’ll need to start by generating some SSL certificates. I choose to use self-signed certificates. We’ll need to install genkey, which we’ll use to generate the keys.
[code language=”bash” gutter=”0″ title=”Install crypto-utils package”]
[newuser@mail ~]$ sudo yum install crypto-utils
[newuser@mail ~]$ genkey –days 365 mail.example.com
[/code]

The genkey process can be a time-consuming process, depending on the encryption level requested.

When prompted, do not encrypt your private key. Provide the details requested, making sure your Common Name (Fully Qualified Domain Name) is mail.example.com. When genkey finishes, it displays a message stating where the generated keys are stored (/etc/pki/tls/certs/mail.example.com.crt and /etc/pki/tls/private/mail.example.com.key). We’ll use these paths in configuring postfix.

We need to configure postfix to use TLS to encrypt the SASL connection.
[code language=”bash” gutter=”0″ title=”Configure postfix for TLS”]
[newuser@mail ~]$ sudo nano /etc/postfix/main.cf
[/code]

and add the following at the end of the file:
[code language=”bash” gutter=”0″ title=”/etc/postfix/main.cf additions”]
# TLS Implementation
smtpd_tls_security_level = may
smtpd_tls_key_file = /etc/pki/tls/private/mail.example.com.key
smtpd_tls_cert_file = /etc/pki/tls/certs/mail.example.com.crt
smtpd_tls_loglevel = 1
smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_session_cache_database = btree:/var/spool/postfix/smtpd_tls_cache
tls_random_source = dev:/dev/urandom
smtpd_tls_auth_only = yes
[/code]

Now, let’s reload postfix:
[code language=”bash” gutter=”0″ title=”Reload postfix settings”]
[newuser@mail ~]$ sudo systemctl reload postfix
[/code]

Finally, let’s use the tool at http://mxtoolbox.com to check the health of our SMTP server. My check shows now that Reverse DNS matches the SMTP banner, and that my server supports TLS.

Let’s now configure DKIM.