msgbartop
MAC OS X, Linux, Windows and other IT Tips and Tricks
msgbarbottom

26 Mar 12 Using TLS for mail delivery from postfix to another TLS activated mail server

Introduction:

The default encryption method for delivering email from Postfix to another mail server is ‘NONE’

In certain cases for enhanced security reasons emails for certain destinations should be encrypted all the way:

Meaning:

Client 1 ==(TLS)==> Postfix Server ==TLS==> Other email Server ==SSL/TLS==> Client 2

In this case we cannot influence the way the Client 2 will pic-up his email but we assume that it will be via POP/IMAP SSL.

Here I will not mention the configuration of Postfix regarding the connection of

Client 1 ==(TLS)== Postfix Server

I will concentrate on the configuration of Postfix for the connection Postfix Server ==TLS==>> Other email Server

Methods

There are 2 ways to do this:

1) MAY:(opportunistic) If you want to loosely use the delivery of emails using TLS only IF available otherwise in clear text if not available.

2) ENCRYPT:(Force) If you want to FORCE the use of TLS for the delivery of the email to another server.

Postfix configuration for MAY:(opportunistic)

For this method there are 2 possibilities:

Use TLS for delivery of ALL emails if available

/etc/postfix/main.cf:

smtp_tls_security_level = may

Use TLS for delivery of specific destinations if TLS is available.

/etc/postfix/main.cf:
smtp_tls_security_level = may
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy

/etc/postfix/tls_policy:
example.com may
.example.com may

Hash the content of /etc/postfix/tls_policy:
cd /etc/postfix
postmap tls_policy

Reload Postfix:
/etc/init.d/postfix reload

Sender Side Postfix configuration for ENCRYPT:(Force)

This method forces delivery of emails using TLS only to specific destinations.
NOTE: It is absolutely not recommended to use this method as default delivery method to the world,
since most email servers do not support TLS and some who do are also sometimes broken.
Therefore we need to specify the specific destinations to which email will be sent using ‘force TLS’ delivery.
In this example below all emails to destination ‘example.com’ and its sub-domains will force the use of TLS encryption for mail delivery.
The delivery will fail if the destination server doesn’t support TLS.
If the destination server has an invalid(name doesn’t match) or expired certificate, the emails will be delivered anyway using TLS encryption.
The validity and expiration are only for authentication which is not used here.
This configuration will only work if the delivery program for Postfix is SMTP.
If you are using ‘deliver’ from dovecot or any other program, then you will need to look for the proper equivalent settings of Postfix.

Use forcing Postfix to use TLS for mail delivery:

In /etc/postfix/main.cf:
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
/etc/postfix/tls_policy:
example.com encrypt
.example.com encrypt

Hash the content of /etc/postfix/tls_policy:
cd /etc/postfix
postmap tls_policy

Reload Postfix
/etc/init.d/postfix reload

Verifying the sending

To verify if postfix really used TLS for sending emails to defined destinations, send a test email to one of these destinations, look in the headers of the received email at destination server and you should see the word ESMTPS in it like this:
Received: from mail.example.com (mail [175.62.74.110]) by mail.example2.com (Postfix) with ESMTPS id ADA581FE09E for (client2@example2.com);
Wed, 28 Dec 2011 19:06:33 +0100 (CET)

If it is similar then you’re done it. You have now TLS sending possible to selected Mail Servers.

Receiving side Postfix TLS configuration

In order for such SSL/TLS communications to happen the receiving side of the communication must also support SSL/TLS.
Here is an example of the configuration of Postfix for that support:
/etc/postfix/main.cf:
smtpd_use_tls = yes
smtpd_tls_key_file = /etc/ssl/certs/wildcard.myserver.com.KEY.pem
smtpd_tls_cert_file = /etc/ssl/certs/wildcard.myserver.com.CRT.pem
smtpd_tls_CAfile = /etc/ssl/certs/wildcard.myserver.com.CA_Bundle.pem
smtpd_tls_CApath = /etc/ssl/certs
smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_loglevel = 0
# Use only for debugging
# smtpd_tls_loglevel = 4

Reader's Comments

  1.    

    Thanks I like this guide. Just adding smtp_tls_security_level = may seems to have done the job for me!

    Reply to this comment
  2.    

    Worked like a charm. I have forced ‘google.com’ given I know they at least support TLS. Thanks for a great write-up.

    Reply to this comment
  3.    

    I have been looking for this all morning! Thank you

    Reply to this comment

Leave a Reply

%d bloggers like this: