Posted 12 February, 2016
I’m not an expert in configuring mail servers. In fact, I have never set up a dedicated mail server, and there are no simple, complete, up-to-date online tutorials. Most articles end with: if you don’t know how to do it, don’t touch it, because you will be blacklisted or land in the spam folder before you can say ‘Baboon bamboo’ five times.
A little encrypted Postfix mouse?
They are most likely right, so I don’t want to run a mail server. But my server does send mail, doesn’t it? When people comment or reply I get an e-mail, and in return, I hope, people are notified by e-mail when I respond. This magically works, and I believe it is Postfix’s doing. Recently, though, I noticed that such mail was being delivered over an unencrypted server-to-server connection. Bummer, right? Gmail (Google, Alphabet) recently started marking this kind of mail with a red open padlock, roughly the opposite of the green lock in front of https (see the URL of svennd.be).
For example (screenshot of Gmail’s red open-padlock warning):
While this is nothing to worry about yet, the fact that Google wants us to start encrypting the connection between mail servers means it is only a matter of time before they enforce it. I don’t think that’s crazy, so I searched the web for a solution. I found bits all over the place but nothing straightforward, hence I will share my method. It may not be the minimal or optimal one, but you do get encryption on the connection between mail servers, like this (no green padlock, sadly):
Now the mail was sent using encryption (TLS).
Changes to postfix/main.cf
The file you are looking for is /etc/postfix/main.cf. I changed quite a few values; not all of them may be required.
These I entered or changed:
myhostname = svennd.be
mydomain = svennd.be
myorigin = $mydomain
I added these values:
# logging (smtpd_* only affects the receiving side; smtp_tls_loglevel = 1 logs the sending side)
smtpd_tls_loglevel = 1
# Allow use of TLS but make it optional (opportunistic).
# smtp_use_tls is the pre-2.3 switch; on current Postfix the same thing is smtp_tls_security_level = may
smtp_use_tls=yes
# Disable SSLv2/3 as they are vulnerable
smtpd_tls_protocols = !SSLv2, !SSLv3
smtp_tls_protocols = !SSLv2, !SSLv3
# Insist on stronger ciphers (the Postfix default for smtp_tls_ciphers is medium;
# high can break delivery to servers that only offer weaker ciphers)
smtpd_tls_ciphers = high
smtp_tls_ciphers = high
# keys: for smtp_* this is a *client* certificate, which remote servers such as Gmail
# do not ask for; the server certificate for incoming mail would be smtpd_tls_cert_file
smtp_tls_cert_file = /etc/letsencrypt/live/svennd.be/fullchain.pem
smtp_tls_key_file = /etc/letsencrypt/live/svennd.be/privkey.pem
If you don’t have a certificate yet, Let’s Encrypt provides them for free, and I have a tutorial for CentOS 6.x up here. Note the naming: the smtp_* parameters configure the Postfix SMTP client, the part that sends mail to other servers, and the smtpd_* parameters configure the Postfix SMTP server, the part that receives mail. For encrypting outbound mail only the smtp_* settings matter, so the smtpd_* lines above are not needed for that. After these changes, restart the service:
service postfix restart
Now you might want to test this. You can use the sendmail command, which is included in CentOS, and probably in most distros, as part of Postfix:
sendmail [email protected]
From: [email protected]
Subject: test mail

this is my test mail with no real content
.
Note: the single dot on a line of its own means “end of mail”; press Enter after it and wait a few seconds (the mail is being sent).
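The only proof that the test above actually went out encrypted is in the mail log: the Postfix SMTP client logs one “Untrusted/Trusted TLS connection established to host[addr]:port: protocol with cipher …” line per connection, followed by the “to=<…>, relay=…, status=sent” line from the same smtp process. The script below, an added example and not code from the post, correlates the two by process ID and reports every delivery that went out in plaintext. The log lines it parses are constructed for the example (RFC 2606 example domains), and it assumes the usual syslog layout of /var/log/maillog; the TLS line always precedes the deliveries of the same smtp process, which is how Postfix logs it.

```python
"""Report which Postfix deliveries used TLS, based on the mail log.

Added example, not code from the post or from Postfix. It pairs each
"... TLS connection established to relay ..." line written by a
postfix/smtp process with the "to=<...>, relay=..., status=..." lines the
same process logs afterwards, so plaintext deliveries stand out.
"""
import re
import sys

# Constructed sample log (syslog format). PID 2311 delivers two recipients over
# one TLS connection to Gmail, PID 2320 hits a relay that offered no STARTTLS,
# PID 2331 reaches a relay whose certificate chains to a CA in smtp_tls_CAfile.
SAMPLE_LOG = """\
Feb 12 10:01:02 svennd postfix/smtp[2311]: Untrusted TLS connection established to gmail-smtp-in.l.google.com[173.194.76.27]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Feb 12 10:01:03 svennd postfix/smtp[2311]: 3A1B2C3D4E: to=<alice@example.net>, relay=gmail-smtp-in.l.google.com[173.194.76.27]:25, delay=1.2, delays=0.1/0/0.5/0.6, dsn=2.0.0, status=sent (250 2.0.0 OK 1455271263 x1si1234567wjr.2 - gsmtp)
Feb 12 10:01:04 svennd postfix/smtp[2311]: 3A1B2C3D4E: to=<dave@example.net>, relay=gmail-smtp-in.l.google.com[173.194.76.27]:25, delay=1.3, delays=0.1/0/0.5/0.7, dsn=2.0.0, status=sent (250 2.0.0 OK 1455271264 x1si1234567wjr.2 - gsmtp)
Feb 12 10:02:10 svennd postfix/smtp[2320]: 4B2C3D4E5F: to=<bob@example.org>, relay=mx.example.org[203.0.113.10]:25, delay=0.8, delays=0.1/0/0.3/0.4, dsn=2.0.0, status=sent (250 OK id=1aTkHl-0003Xy-2V)
Feb 12 10:03:00 svennd postfix/smtp[2331]: Trusted TLS connection established to mx.example.com[198.51.100.5]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Feb 12 10:03:01 svennd postfix/smtp[2331]: 5C3D4E5F6A: to=<carol@example.com>, relay=mx.example.com[198.51.100.5]:25, delay=1.0, delays=0.1/0/0.4/0.5, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 9F1C2)
"""

# "Anonymous", "Untrusted", "Trusted" and "Verified" are the trust levels Postfix
# prints; the relay is host[addr]:port exactly as it appears in the delivery line.
TLS_LINE = re.compile(
    r"postfix/smtp\[(?P<pid>\d+)\]: (?P<trust>Anonymous|Untrusted|Trusted|Verified) "
    r"TLS connection established to (?P<relay>.+?:\d+): (?P<proto>\S+) with cipher (?P<cipher>\S+)"
)
DELIVERY_LINE = re.compile(
    r"postfix/smtp\[(?P<pid>\d+)\]: (?P<qid>[0-9A-Za-z]+): to=<(?P<rcpt>[^>]*)>, "
    r"relay=(?P<relay>[^,]+),.*status=(?P<status>\w+)"
)


def tls_report(log_text):
    """Return one dict per delivery attempt with the TLS state of the connection used."""
    sessions = {}  # smtp pid -> details of the TLS connection it currently holds
    report = []
    for line in log_text.splitlines():
        m = TLS_LINE.search(line)
        if m:
            sessions[m.group("pid")] = m.groupdict()
            continue
        m = DELIVERY_LINE.search(line)
        if not m:
            continue
        tls = sessions.get(m.group("pid"))
        if tls and tls["relay"] != m.group("relay"):
            tls = None  # same process, different relay: a new connection with no TLS line
        report.append({
            "queue_id": m.group("qid"),
            "recipient": m.group("rcpt"),
            "relay": m.group("relay"),
            "status": m.group("status"),
            "tls": tls is not None,
            "trust": tls["trust"] if tls else None,
            "protocol": tls["proto"] if tls else None,
            "cipher": tls["cipher"] if tls else None,
        })
    return report


def plaintext_deliveries(log_text):
    """Recipients whose mail was accepted by the relay over an unencrypted connection."""
    return [d["recipient"] for d in tls_report(log_text)
            if d["status"] == "sent" and not d["tls"]]


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for d in tls_report(text):
        state = f"{d['trust']} {d['protocol']} {d['cipher']}" if d["tls"] else "PLAINTEXT"
        print(f"{d['queue_id']} {d['recipient']:<22} {d['status']:<8} {state}")
    print("plaintext:", plaintext_deliveries(text))
```

Run it as `python3 tls_report.py /var/log/maillog` on the real log. “Untrusted” means the remote certificate could not be verified against a CA bundle, which is what you get when smtp_tls_CAfile is not set; the connection is still encrypted, and with opportunistic TLS Postfix delivers regardless.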
Conclusion
The next person who says mail is just text files sent around... oh boy. Anyway, setting up a mail server remains an elusive part of the sysadmin job for me. However, encrypting the server-to-server connection seems to work, thanks to the certificates from Let’s Encrypt.
Reference
If you enjoyed this article, please consider buying me a Dr Pepper.
Thank you Svenn.
Your solution works perfectly 🙂
Thank you … very helpful
Bingo 🙂
thanks a lot it worked perfectly on Debian 7 with letsencrypt
Thank you so much!!! This works perfectly
This might be helpful for people like me who recently started learning Postfix:
If you want to eliminate the “red padlock” icon in Gmail, you do not need to get a certificate. Mail servers like Gmail don’t require you to have a certificate (aka client certificate) to connect to them over a secure TLS connection, and subsequently send mail to them (however, things like SPF TXT records and DKIM are needed to avoid Gmail marking your mail as spam).
To send mail to Gmail (and others) with TLS and get rid of the “red padlock”, you only need:
smtp_tls_security_level = may
smtp_tls_loglevel = 1
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
“smtp_*” are the parameters for the Postfix SMTP Client (the code that talks to public Internet mail servers like Gmail’s mail servers). The “smtpd_*” parameters are for the Postfix SMTP Server (the code that your users connect to when they need to send email to Gmail or some other public Internet mail server).
Make sure ca-certificates.crt exists in postfix’s chroot “jail” (on my ubuntu server it was: /var/spool/postfix/etc/ssl/certs/ca-certificates.crt). This is a database of certs of well-known CAs that your postfix server needs to know when it connects to Gmail (or other mail server). When your postfix server connects to Gmail, Gmail will present to postfix *Gmail’s server cert*, and that server cert will be signed by one of these well-known CAs.
I’m running postfix 2.11.0 on ubuntu 14.04.
You may configure smtp_tls_ciphers and smtp_tls_protocols, but the defaults are OK and recommended. The default for smtp_tls_ciphers is ‘medium’. If you do ‘high’, there’s a (small) chance some of your mail won’t reach destinations that don’t support the strongest ciphers. The default for smtp_tls_protocols is ‘!SSLv2, !SSLv3’, as you suggested.
You wrote very helpful articles about how to use LetsEncrypt. Such certs are needed when *your* remote users (email clients) need to connect to your postfix server over a secure TLS connection.
Thanks!
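Both the main.cf changes in the post and the comment above come down to a handful of smtp_* parameters, and it is easy to mix them up with their smtpd_* twins or with the obsolete smtp_use_tls switch. The script below is an added example, not code from the post, the commenter or Postfix: it parses main.cf text (including $variable expansion and continuation lines), works out the effective client TLS level using the documented precedence (smtp_tls_security_level, when set, overrides the old smtp_use_tls/smtp_enforce_tls), and lists what matters for opportunistic TLS towards Gmail. The defaults it assumes for unset parameters are the Postfix 2.11 ones the commenter quotes (medium ciphers, !SSLv2, !SSLv3); on a real box compare with `postconf -d`. The two configs embedded are the post’s and the comment’s; nothing is read from /etc/postfix.

```python
"""Audit the outbound (smtp_*) TLS settings in a Postfix main.cf.

Added example, not code from the post or from Postfix. Parses main.cf
syntax, resolves the obsolete smtp_use_tls switch to a security level and
reports the settings that decide whether mail to Gmail goes out encrypted.
"""
import re

# Assumed Postfix 2.11 defaults for the parameters inspected (not queried
# from a live system; check with "postconf -d" on the real host).
POSTFIX_DEFAULTS = {
    "smtp_tls_security_level": "",
    "smtp_use_tls": "no",
    "smtp_enforce_tls": "no",
    "smtp_tls_protocols": "!SSLv2, !SSLv3",
    "smtp_tls_ciphers": "medium",
    "smtp_tls_CAfile": "",
    "smtp_tls_CApath": "",
    "smtp_tls_cert_file": "",
}

# The post's settings, reproduced inline for the audit.
POST_MAIN_CF = """\
myhostname = svennd.be
mydomain = svennd.be
myorigin = $mydomain
# logging
smtpd_tls_loglevel = 1
# Allow use of TLS but make it optional
smtp_use_tls=yes
# Disable SSLv2/3 as they are vulnerable
smtpd_tls_protocols = !SSLv2, !SSLv3
smtp_tls_protocols = !SSLv2, !SSLv3
# Insist on stronger ciphers
smtpd_tls_ciphers = high
smtp_tls_ciphers = high
# keys
smtp_tls_cert_file = /etc/letsencrypt/live/svennd.be/fullchain.pem
smtp_tls_key_file = /etc/letsencrypt/live/svennd.be/privkey.pem
"""

# The commenter's minimal version.
COMMENT_MAIN_CF = """\
smtp_tls_security_level = may
smtp_tls_loglevel = 1
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
"""

_VAR = re.compile(r"\$\{?(\w+)\}?")


def parse_main_cf(text):
    """main.cf syntax: 'name = value' at column 0, '#' comments, and
    continuation lines that start with whitespace."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and current:
            params[current] += " " + raw.strip()
            continue
        name, _, value = raw.partition("=")
        current = name.strip()
        params[current] = value.strip()
    return params


def expand(value, params, depth=0):
    """Expand $name / ${name} references recursively; unknown names become empty."""
    if depth > 10:
        raise ValueError("too many nested $expansions")
    return _VAR.sub(lambda m: expand(params.get(m.group(1), ""), params, depth + 1), value)


def get(params, name):
    return expand(params.get(name, POSTFIX_DEFAULTS.get(name, "")), params)


def client_tls_level(params):
    """Effective smtp_tls_security_level: the level, when set, wins over the
    obsolete smtp_enforce_tls / smtp_use_tls switches."""
    level = get(params, "smtp_tls_security_level")
    if level:
        return level
    if get(params, "smtp_enforce_tls").lower() == "yes":
        return "encrypt"
    if get(params, "smtp_use_tls").lower() == "yes":
        return "may"
    return "none"


def audit(text):
    p = parse_main_cf(text)
    level = client_tls_level(p)
    protocols = {t for t in re.split(r"[,\s:]+", get(p, "smtp_tls_protocols")) if t}
    return {
        "client_tls_level": level,
        "tls_enabled": level != "none",
        "sslv2_sslv3_excluded": {"!SSLv2", "!SSLv3"} <= protocols,
        "ca_bundle_set": bool(get(p, "smtp_tls_CAfile") or get(p, "smtp_tls_CApath")),
        "client_cert_configured": bool(get(p, "smtp_tls_cert_file")),
        "ciphers": get(p, "smtp_tls_ciphers"),
        "server_only_settings": sorted(k for k in p if k.startswith("smtpd_")),
        "myorigin": get(p, "myorigin"),
    }


def warnings(findings):
    """Human-readable findings; an empty list means the outbound side is fine."""
    msgs = []
    if not findings["tls_enabled"]:
        msgs.append("outbound TLS is off: set smtp_tls_security_level = may")
    if not findings["sslv2_sslv3_excluded"]:
        msgs.append("smtp_tls_protocols does not exclude both SSLv2 and SSLv3")
    if not findings["ca_bundle_set"]:
        msgs.append("no smtp_tls_CAfile/CApath: remote certificates cannot be verified, "
                    "connections are logged as 'Untrusted TLS connection'")
    if findings["client_cert_configured"]:
        msgs.append("smtp_tls_cert_file is a client certificate; Gmail does not ask for one "
                    "(the server certificate for inbound mail is smtpd_tls_cert_file)")
    if findings["ciphers"] == "high":
        msgs.append("smtp_tls_ciphers = high may break delivery to hosts that only offer "
                    "medium ciphers; the default is medium")
    if findings["server_only_settings"]:
        msgs.append("smtpd_* settings only affect inbound mail: "
                    + ", ".join(findings["server_only_settings"]))
    return msgs


if __name__ == "__main__":
    for label, cfg in (("post", POST_MAIN_CF), ("comment", COMMENT_MAIN_CF)):
        f = audit(cfg)
        print(f"[{label}] level={f['client_tls_level']} ciphers={f['ciphers']}")
        for w in warnings(f):
            print("  -", w)
```

Feed it the output of `postconf -n` (one `name = value` per line, the same syntax) to audit a live server rather than the embedded samples.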
Thanks, this is really helpful. I really should read more into postfix, so thanks for the addition. You have an excellent post on your blog, so I added it as a reference. Regards!
I’ve been looking for a concise answer like this for a year now. Tried it and it worked perfectly, thanks so much!!
Hi! I’ve got Let’s Encrypt running on my server through Plesk (and the Security Advisor add-on). However not for mail yet. Right now I’m having this issue that when I add an email address to an email client like Mail, it will tell me the server certificate is not trusted, and I have to tell my iPhone for example to trust that certificate. Does this tutorial also solve that issue?
Cheers!
Hey LIV,
This “tutorial” helps mail servers to talk over an “encrypted line”. However, your iPhone should trust your website (if that does not work, then your certificate isn’t set up right). If you run using a webhoster, you should contact them to help you get set up for mail. If you run your own webserver (using DO, AWS, …) then this is the guide you could use 😉
Good luck!
Excellent write-up Svenn.
Thank you, it worked right away.
don’t forget to reload postfix after updating the certificate
Ah, Yes thanks for the addition!