Configuring a cloud-based secure multi-domain web and e-mail server


Configuring TLS

See CentOS.org’s Postfix/dovecot SASL and SSL/TLS guide for reference.

We’ll start by generating an SSL certificate. I chose to use a self-signed certificate. genkey, the tool we’ll use to generate the key and certificate, is in the crypto-utils package:

[newuser@mail ~]$ sudo yum install crypto-utils
[newuser@mail ~]$ genkey --days 365 mail.example.com

Generating the key can take a while, depending on the key size requested.

When prompted, do not encrypt your private key. Provide the details requested, making sure your Common Name (Fully Qualified Domain Name) is mail.example.com. When genkey finishes, it displays a message stating where the generated key and certificate are stored (/etc/pki/tls/private/mail.example.com.key and /etc/pki/tls/certs/mail.example.com.crt). We’ll use these paths when configuring postfix.

Next, we need to configure postfix to offer TLS, so that the SASL login is only ever sent over an encrypted connection. Open the main configuration file:

[newuser@mail ~]$ sudo nano /etc/postfix/main.cf

and add the following at the end of the file:

# TLS Implementation
smtpd_tls_security_level = may
smtpd_tls_key_file = /etc/pki/tls/private/mail.example.com.key
smtpd_tls_cert_file = /etc/pki/tls/certs/mail.example.com.crt
smtpd_tls_loglevel = 1
smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_session_cache_database = btree:/var/spool/postfix/smtpd_tls_cache
tls_random_source = dev:/dev/urandom
smtpd_tls_auth_only = yes

Now, let’s reload postfix:

[newuser@mail ~]$ sudo systemctl reload postfix

Finally, let’s use the tool at http://mxtoolbox.com to check the health of our SMTP server. My check now shows that Reverse DNS matches the SMTP banner, and that my server supports TLS.
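To check that a main.cf really carries the settings above (and to catch the weak defaults they replace), here is a small audit script. It is an added example, not part of the original post; the WEAK_CF sample is constructed for illustration and the function names are my own.

```python
import re

# Constructed sample: the TLS block the post appends to /etc/postfix/main.cf.
GOOD_CF = """# TLS Implementation
smtpd_tls_security_level = may
smtpd_tls_key_file = /etc/pki/tls/private/mail.example.com.key
smtpd_tls_cert_file = /etc/pki/tls/certs/mail.example.com.crt
smtpd_tls_loglevel = 1
smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_session_cache_database = btree:/var/spool/postfix/smtpd_tls_cache
tls_random_source = dev:/dev/urandom
smtpd_tls_auth_only = yes
"""

# Constructed weak variant: TLS off, auth_only at its default, plus a continuation line.
WEAK_CF = """smtpd_tls_security_level = none
smtpd_tls_key_file = /etc/pki/tls/private/mail.example.com.key
smtpd_tls_cert_file = /etc/pki/tls/certs/mail.example.com.crt
smtpd_tls_session_cache_database =
    btree:/var/spool/postfix/smtpd_tls_cache
"""

def parse_main_cf(text):
    """Parse main.cf: 'name = value' lines; a line that starts with whitespace
    continues the previous value; a '#' in column 0 starts a comment."""
    params, last = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        if raw[0] in " \t" and last is not None:
            params[last] = (params[last] + " " + raw.strip()).strip()
            continue
        m = re.match(r"^([A-Za-z0-9_]+)\s*=\s*(.*)$", raw)
        if m:
            last = m.group(1)
            params[last] = m.group(2).strip()
    return params

def audit_tls(params):
    """Findings about the smtpd TLS settings; [] means they match the post."""
    findings = []
    # Missing keys fall back to Postfix's defaults: TLS disabled, auth_only = no.
    if params.get("smtpd_tls_security_level", "") in ("", "none"):
        findings.append("smtpd_tls_security_level disables STARTTLS")
    if params.get("smtpd_tls_auth_only", "no").lower() != "yes":
        findings.append("smtpd_tls_auth_only != yes: AUTH offered on cleartext sessions")
    for key in ("smtpd_tls_key_file", "smtpd_tls_cert_file"):
        if not params.get(key):
            findings.append(f"{key} is unset")
    return findings
```

Point parse_main_cf at the contents of your own /etc/postfix/main.cf to audit the live file rather than the embedded samples.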

Let’s now configure DKIM.

2 thoughts on “Configuring a cloud-based secure multi-domain web and e-mail server”

    • Awesome! To be perfectly honest, I went with postfix because it’s been the default I’ve seen installed with Virtualmin. Why did you choose to go with exim?
