
I have been tasked with implementing TLS on a Postfix email relay server for an international office.

I am aware that I need to modify '/etc/postfix/main.cf' to set up TLS. We have another email relay server in the US that is set up with TLS and has the following TLS config:

# TLS parameters 'mail.company-name.com'
smtpd_tls_cert_file=/etc/ssl/certs/company-name.com.pem
smtpd_tls_key_file=/etc/ssl/private/company-name.com.key
smtpd_use_tls=yes
smtp_tls_loglevel=5
smtpd_tls_security_level=may
smtp_tls_note_starttls_offer=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

I can implement this configuration on my international office's Postfix server, so I am just wondering if all I have left to do is generate a certificate for 'mail.company-name.in' similar to the certificate that is referenced in the following lines:

smtpd_tls_cert_file=/etc/ssl/certs/company-name.com.pem
smtpd_tls_key_file=/etc/ssl/private/company-name.com.key

The new configuration would be as follows:

# TLS parameters 'mail.company-name.in'
smtpd_tls_cert_file=/etc/ssl/certs/company-name.in.pem
smtpd_tls_key_file=/etc/ssl/private/company-name.in.key
smtpd_use_tls=yes
smtp_tls_loglevel=5
smtpd_tls_security_level=may
smtp_tls_note_starttls_offer=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

Am I missing anything else that you may have noticed? Any advice will be appreciated.

Please let me know if you have any questions and I will be happy to clarify.

Thank you for your help!

MotoDave452
  • Do I just need to generate a CSR on the email relay server in question, and have an SSL certificate generated by a certificate-vendor that I then place in the appropriate directory? – MotoDave452 Aug 11 '17 at 14:54
  • Possible duplicate of [How do you buy an SSL Certificate?](https://serverfault.com/questions/104215/how-do-you-buy-an-ssl-certificate) – Jenny D Aug 11 '17 at 15:43
  • Thank you for your response @JennyD. I guess I should have worded my question a little differently. I know how to generate a CSR and obtain a certificate from a CA. I guess I was more or less making sure that all I had left to do to enable TLS was to obtain a certificate for 'mail.company-name.in'. And that the above TLS configuration looked correct in /etc/postfix/main.cf. I appreciate the assistance. Not sure why the downvote. – MotoDave452 Aug 11 '17 at 16:13
  • Edited the question to detail more precisely what I was asking. – MotoDave452 Aug 11 '17 at 16:18
  • @JennyD It's not about buying the certificate, it's about the configuration. But still not very clear. – sebix Aug 11 '17 at 18:22
  • If buying a cert is not feasible, then https://letsencrypt.org may be a temporary solution. – peterh Aug 12 '17 at 00:42
  • @peterh Getting the certificate is not the question here. – sebix Aug 12 '17 at 08:30

1 Answer

I assume here that you do not already have a signed certificate for your domain, otherwise your question would be pointless.

If you want a certificate signed by a CA you need to go to a CA and give them your CSR, then you get a certificate. Which CA you choose is irrelevant, as long as your clients' devices trust it.

To generate the CSR you can use openssl:

openssl req -new -newkey rsa:4096 -nodes -out company-name.com.csr -keyout company-name.com.key

You need to answer a few questions, but except for the Common Name they are all irrelevant.

See also for example How do you buy an SSL Certificate? and a lot of other questions here.

EDIT:

smtpd_tls_cert_file=/etc/ssl/certs/company-name.com.pem
smtpd_tls_key_file=/etc/ssl/private/company-name.com.key

These lines define which certificate and key file to use for TLS sessions. If you want clients to be able to verify the validity, you need to provide the certificate chain with smtpd_tls_CAfile.

smtpd_use_tls=yes
smtp_tls_note_starttls_offer=yes

This enables opportunistic encryption. I.e. when an SMTP client connects to deliver mail to your server, or your server delivers mail to another SMTP server, it announces that STARTTLS is available.

smtp_tls_loglevel=5

Useful for debugging. Note that the docs do not recommend anything higher than 2 and 5 is not defined at all. 1 is reasonable.

smtpd_tls_security_level=may

Enables opportunistic encryption, but does not require it. You may want to set it to encrypt for submission.

smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

Needed for session tickets and recommended.

You want to have a look at BetterCrypto.org's guide Applied Crypto Hardening; it contains a full example for Postfix.

sebix
  • Thank you for your response. I guess I should have worded my question a little differently. I know how to generate a CSR and obtain a certificate from a CA. I guess I was more or less making sure that all I had left to do to enable TLS was to obtain a certificate for 'mail.company-name.in'. And that the above TLS configuration looked correct in /etc/postfix/main.cf. I appreciate the assistance. Not sure why the downvote. – MotoDave452 Aug 11 '17 at 16:12
  • Edited the question to detail more precisely what I was asking. Thanks again for the above CSR command. – MotoDave452 Aug 11 '17 at 16:17
  • "And that the above TLS configuration looked correct in /etc/postfix/main.cf. I appreciate the assistance." I extended the answer on this. – sebix Aug 11 '17 at 18:23
  • Thank you very much for the detailed response! This is exactly what I was looking for. – MotoDave452 Aug 11 '17 at 19:21
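An added example, not code from the question or from sebix's answer: a small POSIX sh lint that reads the TLS parameters out of a Postfix main.cf and reports the points the answer makes about the asker's configuration (loglevel above 2, no chain via smtpd_tls_CAfile, `may` where submission should use `encrypt`, missing session caches, the obsolete smtpd_use_tls switch). It assumes sed, grep and mktemp are available; the main.cf it reads is a constructed copy of the question's block.

```shell
# Added example (not from the question or answer): lint the TLS parameters of a
# Postfix main.cf against the points raised in the answer. Assumes POSIX sh with
# sed, grep and mktemp; the sample main.cf below is constructed from the question.

# Value of the last "name = value" line for parameter $2 in file $1
# (Postfix uses the last definition when a parameter appears twice).
get_param() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        sed 's/[[:space:]]*$//' | tail -n 1
}

# Print one WARN/NOTE line per finding; always returns 0 so it is safe under set -e.
check_postfix_tls() {
    cf=$1
    lvl=$(get_param "$cf" smtp_tls_loglevel)
    if [ -n "$lvl" ] && [ "$lvl" -gt 2 ]; then
        echo "WARN smtp_tls_loglevel=$lvl: above 2 is debug-only logging, 1 is enough in production"
    fi
    if [ -n "$(get_param "$cf" smtpd_tls_cert_file)" ] && [ -z "$(get_param "$cf" smtpd_tls_CAfile)" ]; then
        echo "WARN smtpd_tls_CAfile unset: smtpd_tls_cert_file must then hold the full chain (leaf + intermediates) or clients cannot verify it"
    fi
    if [ "$(get_param "$cf" smtpd_tls_security_level)" = may ]; then
        echo "WARN smtpd_tls_security_level=may is opportunistic; use -o smtpd_tls_security_level=encrypt on the submission service in master.cf"
    fi
    for p in smtpd_tls_session_cache_database smtp_tls_session_cache_database; do
        [ -z "$(get_param "$cf" "$p")" ] && echo "WARN $p unset: no TLS session cache"
    done
    [ -n "$(get_param "$cf" smtpd_use_tls)" ] && echo "NOTE smtpd_use_tls is the pre-2.3 switch; smtpd_tls_security_level supersedes it"
    return 0
}

# Number of WARN findings (NOTE lines are informational only).
count_findings() {
    check_postfix_tls "$1" | grep -c '^WARN' || true
}

# Constructed sample: the question's main.cf TLS block for mail.company-name.in.
sample_cf=$(mktemp)
cat > "$sample_cf" <<'EOF'
smtpd_tls_cert_file=/etc/ssl/certs/company-name.in.pem
smtpd_tls_key_file=/etc/ssl/private/company-name.in.key
smtpd_use_tls=yes
smtp_tls_loglevel=5
smtpd_tls_security_level=may
smtp_tls_note_starttls_offer=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
EOF
check_postfix_tls "$sample_cf"   # three WARN lines and one NOTE for this config
```

Run it against the real /etc/postfix/main.cf by replacing the sample path; an empty WARN count means the points from the answer have been addressed.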