Configuring TLS
See CentOS.org’s Postfix/dovecot SASL and SSL/TLS guide for reference.
We’ll need to start by generating some SSL certificates. I chose to use self-signed certificates. We’ll need to install genkey, which we’ll use to generate the keys.
[newuser@mail ~]$ sudo yum install crypto-utils
[newuser@mail ~]$ genkey --days 365 mail.example.com
The genkey process can be time-consuming, depending on the encryption level requested.
When prompted, do not encrypt your private key (Postfix cannot supply a passphrase when it starts, so an encrypted key would leave TLS unusable). Provide the details requested, making sure your Common Name (Fully Qualified Domain Name) is mail.example.com. When genkey finishes, it displays a message stating where the generated keys are stored (/etc/pki/tls/certs/mail.example.com.crt and /etc/pki/tls/private/mail.example.com.key). We’ll use these paths when configuring Postfix.
We need to configure postfix to use TLS to encrypt the SASL connection.
[newuser@mail ~]$ sudo nano /etc/postfix/main.cf
and add the following at the end of the file:
# TLS Implementation
smtpd_tls_security_level = may
smtpd_tls_key_file = /etc/pki/tls/private/mail.example.com.key
smtpd_tls_cert_file = /etc/pki/tls/certs/mail.example.com.crt
smtpd_tls_loglevel = 1
smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_session_cache_database = btree:/var/spool/postfix/smtpd_tls_cache
tls_random_source = dev:/dev/urandom
smtpd_tls_auth_only = yes
Now, let’s reload postfix:
[newuser@mail ~]$ sudo systemctl reload postfix
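Before reloading, it is worth checking that the TLS block actually says what you think it says. The following is an added example (not part of the original guide or of Postfix itself): a small Python audit that parses the directives above, flags the settings that would silently weaken the setup (a security level of none, or smtpd_tls_auth_only left at no, which lets clients send SASL credentials over plaintext), and checks that the private key file is not readable by group or others. The main.cf samples are constructed from the block in this guide; the weak variant and the helper names are assumptions for illustration.

```python
"""Audit the Postfix TLS directives from main.cf (added example, not from the guide)."""
import os
import stat
import tempfile

# Constructed sample: the TLS block this guide appends to /etc/postfix/main.cf.
SAMPLE_MAIN_CF = """
# TLS Implementation
smtpd_tls_security_level = may
smtpd_tls_key_file = /etc/pki/tls/private/mail.example.com.key
smtpd_tls_cert_file = /etc/pki/tls/certs/mail.example.com.crt
smtpd_tls_loglevel = 1
smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_session_cache_database = btree:/var/spool/postfix/smtpd_tls_cache
tls_random_source = dev:/dev/urandom
smtpd_tls_auth_only = yes
"""

# Constructed weak variant (hypothetical): TLS disabled and AUTH allowed in the clear.
WEAK_MAIN_CF = """
smtpd_tls_security_level = none
smtpd_tls_key_file = /etc/pki/tls/private/mail.example.com.key
smtpd_tls_cert_file = /etc/pki/tls/certs/mail.example.com.crt
smtpd_tls_auth_only = no
"""


def parse_main_cf(text):
    """Parse 'key = value' lines into a dict.

    Comments and blank lines are skipped, a line starting with whitespace
    continues the previous value, and a repeated key overrides the earlier
    one, which is how Postfix itself reads main.cf.
    """
    params = {}
    last_key = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and last_key is not None:
            params[last_key] += " " + raw.strip()
            continue
        if "=" not in raw:
            continue
        key, _, value = raw.partition("=")
        last_key = key.strip()
        params[last_key] = value.strip()
    return params


def audit_tls(params):
    """Return a list of findings; an empty list means the TLS block looks sound."""
    findings = []
    level = params.get("smtpd_tls_security_level", "none")
    if level not in ("may", "encrypt"):
        findings.append(f"smtpd_tls_security_level is '{level}': STARTTLS is not offered")
    for key in ("smtpd_tls_key_file", "smtpd_tls_cert_file"):
        if key not in params:
            findings.append(f"{key} is not set")
    if params.get("smtpd_tls_auth_only", "no").lower() != "yes":
        findings.append("smtpd_tls_auth_only is not 'yes': AUTH would be offered before STARTTLS")
    return findings


def key_permissions_ok(path):
    """True if the private key is a regular file with no group/other permission bits."""
    st = os.stat(path)
    return stat.S_ISREG(st.st_mode) and (st.st_mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def check_mode(mode):
    """Create a throwaway 'key' file with the given mode and report whether it passes."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        path = tmp.name
    try:
        os.chmod(path, mode)
        return key_permissions_ok(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for name, text in (("guide block", SAMPLE_MAIN_CF), ("weak block", WEAK_MAIN_CF)):
        print(name, audit_tls(parse_main_cf(text)) or "OK")
    print("0600 key:", check_mode(0o600), " 0644 key:", check_mode(0o644))
```

On the real host, feed the script the output of `sudo postconf -n` rather than the raw file, since postconf shows the values Postfix will actually use after all overrides, and run key_permissions_ok against /etc/pki/tls/private/mail.example.com.key.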
Finally, let’s use the tool at http://mxtoolbox.com to check the health of our SMTP server. My check now shows that the reverse DNS matches the SMTP banner and that my server supports TLS.
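An external checker only tells you that STARTTLS is offered. What smtpd_tls_auth_only = yes is meant to guarantee is that AUTH is not advertised until the session is encrypted, and that is easy to confirm yourself. The following is an added example, not from the guide or from the Postfix project: it parses EHLO replies (the sample replies are constructed) and checks that STARTTLS is offered, that AUTH is absent on the plaintext connection and present after STARTTLS. A live_check helper does the same against a real server with smtplib; the cafile parameter is an assumption for this example and is where you would pass the self-signed mail.example.com.crt so that certificate verification succeeds.

```python
"""Verify AUTH is only offered after STARTTLS (added example, not from the guide)."""
import smtplib
import ssl

# Constructed sample EHLO replies, in the shape Postfix produces.
PLAIN_EHLO = (
    "250-mail.example.com\r\n"
    "250-PIPELINING\r\n"
    "250-SIZE 10240000\r\n"
    "250-STARTTLS\r\n"
    "250-ENHANCEDSTATUSCODES\r\n"
    "250 8BITMIME"
)
TLS_EHLO = (
    "250-mail.example.com\r\n"
    "250-PIPELINING\r\n"
    "250-SIZE 10240000\r\n"
    "250-AUTH PLAIN LOGIN\r\n"
    "250-ENHANCEDSTATUSCODES\r\n"
    "250 8BITMIME"
)
# Constructed reply from a misconfigured server that leaks AUTH before TLS.
LEAKY_EHLO = (
    "250-mail.example.com\r\n"
    "250-STARTTLS\r\n"
    "250-AUTH PLAIN LOGIN\r\n"
    "250 8BITMIME"
)


def ehlo_features(reply):
    """Return the set of upper-cased ESMTP keywords in a multi-line EHLO reply."""
    features = set()
    for line in reply.splitlines()[1:]:   # first line is the server's greeting
        body = line[4:].strip()            # drop the '250-' or '250 ' prefix
        if body:
            features.add(body.split()[0].upper())
    return features


def tls_policy_ok(plain_reply, tls_reply):
    """True when STARTTLS is advertised and AUTH appears only after it."""
    before = ehlo_features(plain_reply)
    after = ehlo_features(tls_reply)
    return "STARTTLS" in before and "AUTH" not in before and "AUTH" in after


def live_check(host, port=25, cafile=None, timeout=10):
    """Same verdict as tls_policy_ok, taken from a real server over the network.

    cafile (assumed parameter) should point at the self-signed certificate so
    that the default context can verify it; smtplib lower-cases feature names.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    with smtplib.SMTP(host, port, timeout=timeout) as conn:
        conn.ehlo()
        before = {k.upper() for k in conn.esmtp_features}
        if "STARTTLS" not in before:
            return False
        conn.starttls(context=ctx)
        conn.ehlo()
        after = {k.upper() for k in conn.esmtp_features}
    return "AUTH" not in before and "AUTH" in after


if __name__ == "__main__":
    print("guide config:", tls_policy_ok(PLAIN_EHLO, TLS_EHLO))
    print("leaky config:", tls_policy_ok(LEAKY_EHLO, TLS_EHLO))
    # live_check("mail.example.com", cafile="/etc/pki/tls/certs/mail.example.com.crt")
```

If live_check raises a certificate verification error, the cert being presented is not the one you passed as cafile, which is itself a useful finding.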
Let’s now configure DKIM.
I use Exim as my mail server and I installed opendkim using the instructions at
https://www.rosehosting.com/blog/how-to-install-and-configure-dkim-with-opendkim-and-exim-on-a-centos-7-vps/
Awesome! To be perfectly honest, I went with postfix because it’s been the default I’ve seen installed with Virtualmin. Why did you choose to go with exim?