{"id":1139,"date":"2017-02-22T15:21:03","date_gmt":"2017-02-22T20:21:03","guid":{"rendered":"http:\/\/easy-admin.ca\/?p=1139"},"modified":"2017-08-21T10:16:09","modified_gmt":"2017-08-21T14:16:09","slug":"configure-postfix-to-use-tls-centos7","status":"publish","type":"post","link":"https:\/\/easy-admin.ca\/index.php\/2017\/02\/22\/configure-postfix-to-use-tls-centos7\/","title":{"rendered":"Configure PostFIX to use TLS &#8211; CentOS7"},"content":{"rendered":"<p>This is an optional feature you don\u2019t need to do to get everything working, but if you want a secure setup you should do this. TLS will allow you to set up an SSL-encrypted connection between the server and the mail client. This means that the authentication credentials will be sent encrypted over the internet, whereas normal authentication is sent in clear text over the internet, making it possible for others to read them.<\/p>\n<p>Normally you would buy yourself a certificate at Thawte or Verisign, but as we are building a server on the cheap we are going to create our own certificate. The only problem you will encounter when using your own certificate is that users explicitly have to accept and verify your root certificate, in contrast with certificates you buy, which are already accepted in most email clients by default. If they, for instance, try to send their email for the first time via your secure server, they need to accept your certificate. 
When using Mail.app in OS X they will get the following warning:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-1161 size-full\" src=\"https:\/\/easy-admin.ca\/wp-content\/uploads\/2017\/02\/postfix-tls_84e8d1d8aa2cf19ac486db90f1c5e08b.png\" alt=\"\" width=\"400\" height=\"203\" srcset=\"https:\/\/easy-admin.ca\/wp-content\/uploads\/2017\/02\/postfix-tls_84e8d1d8aa2cf19ac486db90f1c5e08b.png 400w, https:\/\/easy-admin.ca\/wp-content\/uploads\/2017\/02\/postfix-tls_84e8d1d8aa2cf19ac486db90f1c5e08b-300x152.png 300w\" sizes=\"auto, (max-width: 400px) 100vw, 400px\" \/><\/p>\n<p>They need to press Continue, and from then on your certificate will be accepted and they won\u2019t be asked again.<\/p>\n<p>Just open a terminal and execute the following command in the directory <code>\/etc\/postfix<\/code>:<\/p>\n<pre class=\"blocked\">sudo openssl req -new -outform PEM -out smtpd.cert \\\r\n   -newkey rsa:2048 -nodes -keyout smtpd.key -keyform PEM \\\r\n   -days 365 -x509<\/pre>\n<p>This will create a 2048-bit RSA key that, for now, is secure enough for your mail server to use. If you are paranoid and want a bigger key, just increase the number after <code>rsa:<\/code>. The certificate will be valid for a year; if you want a longer period, just increase the number after the <code>-days<\/code> option. When the key has been generated you will be asked a couple of questions you need to answer. The information will be shown to people who want to inspect your certificate when their mail client complains. 
The most important one is the \u2018Common Name\u2019: make sure it is the same as the mail server name.<\/p>\n<pre class=\"blocked\">Country Name (2 letter code) [CA]:\r\nState or Province Name (full name) [Some-State]:\r\nLocality Name (eg, city) []:\r\nOrganization Name (eg, company) [Internet Widgits Pty Ltd]:\r\nOrganizational Unit Name (eg, section) []:\r\nCommon Name (eg, YOUR name) []:your.mailserver.tld\r\nEmail Address []:you@yourdomain.tld<\/pre>\n<p>Now that you have created the certificate, you have to configure Postfix to make use of it and to enable TLS for secure communication with the email client. Add the following lines to the configuration file <code>main.cf<\/code> in <code>\/etc\/postfix<\/code>:<\/p>\n<pre class=\"blocked\">smtpd_enforce_tls                = no\r\nsmtpd_tls_loglevel               = 1\r\nsmtpd_use_tls                    = yes\r\nsmtpd_tls_key_file               = \/etc\/postfix\/smtpd.key\r\nsmtpd_tls_cert_file              = \/etc\/postfix\/smtpd.cert<\/pre>\n<p>Issue the command <code>sudo postfix reload<\/code> to refresh the configuration of your mail server, and you\u2019re ready to test it out. 
Start a terminal session and issue the following command:<\/p>\n<pre class=\"blocked\">telnet your.mailserver.tld 25<\/pre>\n<p>The server will answer with:<\/p>\n<pre class=\"blocked\">Trying your.mailserver.tld...\r\nConnected to your.mailserver.tld.\r\nEscape character is ^]\r\n220 your.mailserver.tld ESMTP Postfix\r\n<\/pre>\n<p>Then type in:<\/p>\n<pre class=\"blocked\">EHLO your.mailserver.tld\r\n<\/pre>\n<p>And again your server will answer with its capabilities:<\/p>\n<pre class=\"blocked\">250-your.mailserver.tld\r\n250-PIPELINING\r\n250-SIZE 10240000\r\n250-ETRN\r\n250-STARTTLS\r\n250 8BITMIME\r\n<\/pre>\n<p>Now it\u2019s time to test TLS; enter, in capitals:<\/p>\n<pre class=\"blocked\">STARTTLS\r\n<\/pre>\n<p>and the server should respond with:<\/p>\n<pre class=\"blocked\">220 Ready to start TLS<\/pre>\n<p>Now that you know it works, you can give your favourite email client a try.<\/p>\n<p><strong>Restart Postfix:<\/strong> <code>systemctl restart postfix<\/code><\/p>\n<p><strong>NOTES:<\/strong><\/p>\n<p>After this fix, Roundcube cannot send email anymore; investigating this!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>This is an optional feature you don\u2019t need to do to get everything working, but if you want a secure setup you should do this. TLS will allow you to set up an SSL-encrypted connection between the server and the mail client. 
This means that the authentication credentials will be sent encrypted over &hellip; <a href=\"https:\/\/easy-admin.ca\/index.php\/2017\/02\/22\/configure-postfix-to-use-tls-centos7\/\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">Configure PostFIX to use TLS &#8211; CentOS7<\/span><\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"slim_seo":{"title":"Configure PostFIX to use TLS - CentOS7 - HP Server","description":"This is an optional feature you don\u2019t need to do to get everything working, but if you want a secure setup you should do this. TLS will allow you to set up an SSL"},"footnotes":""},"categories":[1],"tags":[],"class_list":["post-1139","post","type-post","status-publish","format-standard","hentry","category-general"],"_links":{"self":[{"href":"https:\/\/easy-admin.ca\/index.php\/wp-json\/wp\/v2\/posts\/1139","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/easy-admin.ca\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/easy-admin.ca\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/easy-admin.ca\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/easy-admin.ca\/index.php\/wp-json\/wp\/v2\/comments?post=1139"}],"version-history":[{"count":0,"href":"https:\/\/easy-admin.ca\/index.php\/wp-json\/wp\/v2\/posts\/1139\/revisions"}],"wp:attachment":[{"href":"https:\/\/easy-admin.ca\/index.php\/wp-json\/wp\/v2\/media?parent=1139"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/easy-admin.ca\/index.php\/wp-json\/wp\/v2\/categories?post=1139"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/easy-admin.ca\/index.php\/wp-json\/wp\/v2\/tags?post=1139"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}