StartTLS
- install
- main.cf
- Other options
- Selective TLS
install
for sarge:
# apt-get install postfix-tls ca-certificates
# wget http://www.cacert.org/certs/root.crt --output-document /etc/ssl/certs/ca-cert.pem
for etch or later:
# apt-get install postfix ca-certificates
For sarge, the package postfix-tls is an alternate build of postfix with TLS support; from etch on, TLS is part of the standard postfix build. The package ca-certificates is a bundle of certificate authority root certificates, installed under /etc/ssl/certs, and since etch it includes CAcert.org's root. On sarge it does not, hence the wget above. OpenSSL locates certificates in a CApath directory through hashed symlinks, so after adding a root certificate by hand run c_rehash /etc/ssl/certs (from the openssl package) or Postfix will not find it. Keep in mind that every root you add is trusted to vouch for any server your Postfix talks to, so only add CAs you actually need.
Detailed help on TLS can be found at www.postfix.org/TLS_README.html.
main.cf
in /etc/postfix/main.cf:
# common TLS parameters
tls_dir = $config_directory/tls
tls_random_source = dev:/dev/urandom
# (there is no tls_daemon_random_source parameter; the size of the seed the
# tlsmgr daemon reads is tls_daemon_random_bytes, whose default is fine)
# Client side TLS: what Postfix does when *sending* mail to other servers.
# smtp_use_tls = yes is opportunistic: TLS if the peer offers STARTTLS,
# plaintext otherwise, and an unverifiable certificate is still accepted.
# Postfix 2.3 and later spell this smtp_tls_security_level = may.
smtp_use_tls = yes
# The client certificate is optional; most servers never ask for one.
# {domain} is a placeholder for your own domain. Private key files must be
# readable by root only; Postfix loads them before dropping privileges.
smtp_tls_key_file = /etc/certs/{domain}/key.pem
smtp_tls_cert_file = /etc/certs/{domain}/cert.pem
smtp_tls_CApath = /etc/ssl/certs
# TLS_README uses btree: for the session cache; "postconf -m" lists the map
# types your build supports. Postfix 2.5 and later open the cache without
# root privileges and expect it under $data_directory (/var/lib/postfix on
# Debian); older releases can use /var/postfix as created below.
smtp_tls_session_cache_database = sdbm:/var/postfix/smtp_scache
smtp_tls_loglevel = 1
# Server side TLS: what Postfix does when *receiving* mail.
# Also opportunistic; Postfix 2.3 and later: smtpd_tls_security_level = may.
smtpd_use_tls = yes
smtpd_tls_key_file = /etc/certs/{domain}/key.pem
smtpd_tls_cert_file = /etc/certs/{domain}/cert.pem
smtpd_tls_CApath = /etc/ssl/certs
smtpd_tls_loglevel = 1
# record protocol and cipher in the Received: header of each message
smtpd_tls_received_header = yes
smtpd_tls_session_cache_database = sdbm:/var/postfix/smtpd_scache
then:
# mkdir /var/postfix
The smtp_* (client side) settings control what Postfix does when it sends mail to other servers; the smtpd_* (server side) settings control what it does when it receives mail. With *_use_tls = yes TLS is opportunistic: a peer that does not offer STARTTLS still gets the mail in the clear, and a peer whose certificate cannot be verified still gets it over an unauthenticated session. Certificate verification only becomes a hard requirement when TLS is enforced for a destination (see Selective TLS below). If you want Postfix to trust only a particular CA, such as one you run yourself, point smtp_tls_CAfile and smtpd_tls_CAfile at that CA's certificate instead of using CApath; a CAfile needs no hashed symlinks, a CApath directory does.
Run "postconf | grep tls" to see all the options available.
Other options
Other options which might be useful:
# trust a single CA bundle (for example your own CA) instead of the CApath directory
smtpd_tls_CAfile = /etc/certs/ca-bundle.crt
smtp_tls_CAfile = /etc/certs/ca-bundle.crt
# how long tlsmgr keeps a cached session; 3600s is the default
smtpd_tls_session_cache_timeout = 3600s
The CAs named in smtpd_tls_CAfile are also announced to connecting clients when client certificates are requested, so keep that file to the CAs you actually trust for client certificates; for a large public bundle the CApath form above is the better choice on the server side.
Selective TLS
You can enforce or disable TLS for certain destinations by creating a lookup table (hash, btree, regexp, etc.) and pointing the smtp_tls_per_site option at it. The key is the next-hop destination domain or the remote server hostname; the value is one of NONE (never use TLS), MAY (opportunistic, the default), MUST (TLS required, the certificate must be trusted and match the hostname) or MUST_NOPEERMATCH (TLS required, but the certificate is not checked).
For example:
# mkdir /etc/postfix/tls
# nano /etc/postfix/tls/tls_per_site
with entries like the following (the hostnames are placeholders):
example.net              MUST
mx.broken.example        NONE
then:
# postmap /etc/postfix/tls/tls_per_site
in main.cf:
smtp_tls_per_site = hash:$tls_dir/tls_per_site
Re-run postmap and reload Postfix whenever you edit the table. Postfix 2.3 and later also offer smtp_tls_policy_maps with the security levels none, may, encrypt, verify and secure; smtp_tls_per_site still works there but is the older interface.
You can also force TLS for all hosts with smtpd_enforce_tls (inbound) or smtp_enforce_tls (outbound), but many mail servers do not support TLS at all, so smtpd_enforce_tls will reject their mail and smtp_enforce_tls will leave mail to them sitting in the queue.
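The loglevel settings in main.cf and the per-site table above only help if somebody reads the result. The following is an added example, not part of the original page or of Postfix itself: it walks mail.log lines in order, summarises each TLS handshake that smtp_tls_loglevel = 1 / smtpd_tls_loglevel = 1 produce, flags deliveries for which the smtp(8) process logged no handshake (plaintext, since Postfix logs nothing for a cleartext session at this level), and checks both against the policy you intended for each relay. The log excerpt, the hostnames and the PER_SITE table are constructed for the example; the plaintext detection is a heuristic based on one smtp(8) process handling one connection at a time.

```python
"""Summarise what Postfix actually did with TLS, from mail.log lines.

Added example; it is not part of the original page or of Postfix. It assumes
the log format Postfix produces with smtp_tls_loglevel = 1 and
smtpd_tls_loglevel = 1 (one "... TLS connection established ..." line per
handshake) plus the standard "to=<...>, relay=..." delivery lines. The per-site
table and the log excerpt below are constructed for the example.
"""
import re
from collections import Counter

# Constructed sample: one trusted delivery, one over legacy TLS to an
# untrusted certificate, one delivery with no handshake logged (plaintext),
# and one inbound TLS connection accepted by smtpd.
SAMPLE_LOG = """\
Jun  1 12:00:01 mail postfix/smtp[1234]: Trusted TLS connection established to mx1.example.net[192.0.2.10]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jun  1 12:00:01 mail postfix/smtp[1234]: 3A1B2C3D4E: to=<alice@example.net>, relay=mx1.example.net[192.0.2.10]:25, delay=0.6, delays=0.1/0.01/0.3/0.2, dsn=2.0.0, status=sent (250 2.0.0 Ok)
Jun  1 12:00:02 mail postfix/smtp[1235]: Untrusted TLS connection established to mx.example.org[198.51.100.5]:25: TLSv1 with cipher DES-CBC3-SHA (168/168 bits)
Jun  1 12:00:02 mail postfix/smtp[1235]: 4B2C3D4E5F: to=<bob@example.org>, relay=mx.example.org[198.51.100.5]:25, delay=0.9, delays=0.1/0.01/0.5/0.3, dsn=2.0.0, status=sent (250 2.0.0 Ok)
Jun  1 12:00:03 mail postfix/smtp[1236]: 5C3D4E5F60: to=<carol@example.com>, relay=mx.example.com[203.0.113.9]:25, delay=0.4, delays=0.1/0.01/0.1/0.2, dsn=2.0.0, status=sent (250 2.0.0 Ok)
Jun  1 12:00:04 mail postfix/smtpd[1240]: Anonymous TLS connection established from client.example.com[203.0.113.7]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
"""

# Constructed stand-in for an smtp_tls_per_site table: relay hostname -> policy.
PER_SITE = {"mx.example.org": "MUST", "mx.example.com": "MUST_NOPEERMATCH"}

TLS_RE = re.compile(
    r"postfix/(?P<daemon>smtpd?)\[(?P<pid>\d+)\]: "
    r"(?P<trust>Trusted|Untrusted|Anonymous|Verified) TLS connection established "
    r"(?:to|from) (?P<host>[^\[]+)\[[^\]]+\](?::\d+)?: "
    r"(?P<proto>\S+) with cipher (?P<cipher>\S+) \((?P<bits>\d+)/\d+ bits\)"
)
SENT_RE = re.compile(
    r"postfix/smtp\[(?P<pid>\d+)\]: \w+: to=<(?P<rcpt>[^>]+)>, "
    r"relay=(?P<host>[^\[]+)\[[^\]]+\](?::\d+)?, .*status=sent"
)

LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
WEAK_CIPHER_MARKERS = ("DES", "RC4", "NULL", "EXP", "MD5")


def handshake_findings(ev):
    """Weaknesses visible in a single handshake line."""
    findings = []
    if ev["proto"] in LEGACY_PROTOCOLS:
        findings.append("legacy protocol " + ev["proto"])
    if ev["bits"] < 128 or any(m in ev["cipher"] for m in WEAK_CIPHER_MARKERS):
        findings.append("weak cipher " + ev["cipher"])
    # Only the client side learns anything from the peer's certificate; an
    # inbound "Anonymous" connection just means the client sent no certificate.
    if ev["daemon"] == "smtp" and ev["trust"] not in ("Trusted", "Verified"):
        findings.append("%s server certificate (encrypted but not authenticated)"
                        % ev["trust"].lower())
    return findings


def analyse(log_text):
    """Walk the log once, in order; collect handshakes and plaintext deliveries."""
    last_tls = {}  # smtp(8) pid -> relay host of its most recent TLS handshake
    report = {"handshakes": [], "plaintext": [], "by_protocol": Counter()}
    for line in log_text.splitlines():
        m = TLS_RE.search(line)
        if m:
            ev = m.groupdict()
            ev["bits"] = int(ev["bits"])
            ev["findings"] = handshake_findings(ev)
            report["handshakes"].append(ev)
            report["by_protocol"][ev["proto"]] += 1
            if ev["daemon"] == "smtp":
                last_tls[ev["pid"]] = ev["host"]
            continue
        m = SENT_RE.search(line)
        # At loglevel 1 a plaintext session logs nothing, so a delivery by a
        # process whose last TLS handshake was not with this relay is treated
        # as plaintext (heuristic: one smtp(8) process, one connection at a time).
        if m and last_tls.get(m.group("pid")) != m.group("host"):
            report["plaintext"].append(m.groupdict())
    return report


def check_policy(report, per_site):
    """Compare the log against the intended per-site policy. NONE and MAY impose
    nothing; MUST_NOPEERMATCH requires TLS; MUST also requires a trusted cert."""
    violations = []
    for d in report["plaintext"]:
        policy = per_site.get(d["host"], "MAY")
        if policy.startswith("MUST"):
            violations.append("plaintext delivery to %s (policy %s)" % (d["host"], policy))
    for ev in report["handshakes"]:
        if (ev["daemon"] == "smtp" and per_site.get(ev["host"]) == "MUST"
                and ev["trust"] not in ("Trusted", "Verified")):
            violations.append("%s certificate from %s (policy MUST)"
                              % (ev["trust"].lower(), ev["host"]))
    return violations


if __name__ == "__main__":
    rep = analyse(SAMPLE_LOG)
    print("protocols seen:", dict(rep["by_protocol"]))
    for ev in rep["handshakes"]:
        print(ev["daemon"], ev["host"], ev["proto"], ev["cipher"], ev["findings"])
    for d in rep["plaintext"]:
        print("plaintext:", d["rcpt"], "via", d["host"])
    for v in check_policy(rep, PER_SITE):
        print("POLICY VIOLATION:", v)
```

On a real host feed it the contents of /var/log/mail.log instead of SAMPLE_LOG and replace PER_SITE with the entries of your tls_per_site table. Two things the output makes visible that the configuration alone does not: an "Untrusted" handshake means the session was encrypted but the far end was never authenticated, and a delivery with no handshake line at all means the mail left in the clear, which is exactly what opportunistic *_use_tls = yes permits.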