
Enabling STARTTLS and certificate verification in Postfix

  1. Obtain a certificate, using the server name for the Common Name (CN). This is normally the value of myhostname in the Postfix configuration.

    Upon completion you will have a private-key file (host.key) and public-key (certificate) file (host.cert). Rename the files as needed, or adjust the values in the next step.

  2. Edit your configuration file (usually main.cf), adding these lines:
    smtpd_use_tls = yes
    smtpd_tls_auth_only = yes
    smtpd_tls_key_file = /etc/postfix/certs/host.key
    smtpd_tls_cert_file = /etc/postfix/certs/host.cert
    smtpd_tls_CAfile = /etc/postfix/certs/cacert.pem
    smtpd_tls_loglevel = 2
    smtpd_tls_received_header = yes
    smtpd_tls_session_cache_timeout = 3600s
    tls_random_source = dev:/dev/urandom
    smtp_use_tls = yes
    smtp_tls_note_starttls_offer = yes
    smtp_tls_key_file = /etc/postfix/certs/host.key
    smtp_tls_cert_file = /etc/postfix/certs/host.cert
    smtpd_tls_ask_ccert = yes
    smtpd_tls_req_ccert = no
    

  3. To make Postfix require verified client certificates on inbound transactions, change this setting to yes. Note that this is not RFC 3207 compliant behavior: peers that cannot present a certificate your CA file verifies will be refused.
    smtpd_tls_req_ccert = yes
    
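The fragment in step 2 is easy to get subtly wrong (a misspelled file name, or the smtp and smtpd sides pointing at different files), and Postfix only tells you at connection time. The following is an added example, not Credentia's or Postfix's own tooling: a small parser for main.cf "name = value" lines plus an audit of the TLS settings the steps above set. The sample configuration is constructed inline and deliberately contains a typo in smtp_tls_cert_file; file existence is checked through an injectable function so the audit runs without a real /etc/postfix/certs tree.

```python
"""Audit a Postfix main.cf fragment for the STARTTLS settings above.
Added example, not Credentia's or Postfix's own code."""
import os
import re

# Constructed sample: the step-2 fragment with a typo ('host.certm') left in
# so the audit has something to catch.
SAMPLE_MAIN_CF = """\
# TLS settings
smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/postfix/certs/host.key
smtpd_tls_cert_file = /etc/postfix/certs/host.cert
smtpd_tls_CAfile = /etc/postfix/certs/cacert.pem
smtpd_tls_loglevel = 2
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
smtp_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtp_tls_key_file = /etc/postfix/certs/host.key
smtp_tls_cert_file = /etc/postfix/certs/host.certm
smtpd_tls_ask_ccert = yes
smtpd_tls_req_ccert = no
"""

# Files we pretend exist for the offline run (constructed, not read from disk).
SAMPLE_FILES = {
    "/etc/postfix/certs/host.key",
    "/etc/postfix/certs/host.cert",
    "/etc/postfix/certs/cacert.pem",
}

PARAM_RE = re.compile(r"^\s*([A-Za-z0-9_]+)\s*=\s*(.*?)\s*$")


def parse_main_cf(text):
    """Return {parameter: value} for 'name = value' lines.

    Blank lines and '#' comments are skipped, a later assignment overrides an
    earlier one, and an indented line continues the previous value, which is
    how Postfix itself reads main.cf."""
    params = {}
    last = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and last is not None:
            params[last] = (params[last] + " " + raw.strip()).strip()
            continue
        m = PARAM_RE.match(raw)
        if m:
            last = m.group(1)
            params[last] = m.group(2)
    return params


def audit_tls(params, path_exists=os.path.exists):
    """Return a list of findings (strings); an empty list means no issues.

    path_exists is injectable so the check can run against a sample."""
    findings = []
    # Inbound (smtpd) and outbound (smtp) STARTTLS must both be switched on.
    for side in ("smtpd", "smtp"):
        if params.get(f"{side}_use_tls", "no").lower() != "yes":
            findings.append(f"{side}_use_tls is not 'yes': STARTTLS disabled on that side")
    # Every key, certificate and CA file named must actually exist.
    for name in ("smtpd_tls_key_file", "smtpd_tls_cert_file", "smtpd_tls_CAfile",
                 "smtp_tls_key_file", "smtp_tls_cert_file"):
        value = params.get(name)
        if value is None:
            findings.append(f"{name} is not set")
        elif not path_exists(value):
            findings.append(f"{name} points at missing file {value}")
    # The steps above use one key pair for both sides; a mismatch is usually a typo.
    if params.get("smtp_tls_cert_file") != params.get("smtpd_tls_cert_file"):
        findings.append("smtp_tls_cert_file and smtpd_tls_cert_file differ (typo?)")
    # SMTP AUTH credentials should only ever travel inside TLS.
    if params.get("smtpd_tls_auth_only", "no").lower() != "yes":
        findings.append("smtpd_tls_auth_only is not 'yes': AUTH allowed over plaintext")
    # Step 3: requiring client certs refuses peers without one (not RFC 3207 behaviour).
    if params.get("smtpd_tls_req_ccert", "no").lower() == "yes":
        findings.append("smtpd_tls_req_ccert = yes: peers without a verifiable cert are refused")
    return findings


def run_sample(text=SAMPLE_MAIN_CF, files=SAMPLE_FILES):
    """Parse and audit a fragment against the constructed file set."""
    return audit_tls(parse_main_cf(text), path_exists=lambda p: p in files)


if __name__ == "__main__":
    for finding in run_sample() or ["no findings"]:
        print(finding)
```

On a live host, call audit_tls(parse_main_cf(open("/etc/postfix/main.cf").read())) and the default os.path.exists does the file check. Fixing the typo in the sample to host.cert makes run_sample() return no findings.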

  4. Create your /etc/postfix/certs folder and put the files there.
    mkdir /etc/postfix/certs
    cp host.key host.cert /etc/postfix/certs/
    

  5. You'll also want a CA certificate for verifying your MTA peers. You may download the Credentia CA certificate from here. Other CA certificates (VeriSign, Thawte, Geotrust, etc.) can simply be exported from Internet Explorer (Windows) or Netscape/Mozilla (Unix/Linux).
    cp credentia1.cacert /etc/postfix/certs/cacert.pem
    

  6. Now restart Postfix and you're done. Watch the mail log to see STARTTLS in action: with smtpd_tls_loglevel = 2, each TLS session is logged with the protocol, cipher, and whether the peer certificate could be verified against your CA file.
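To make "watch the mail log" concrete, here is an added example (not Credentia's or Postfix's code) that reads Postfix's "TLS connection established" lines and reports which peers negotiated TLS without a certificate your CA file could verify. Postfix prefixes these lines with Anonymous (no peer certificate), Untrusted (certificate presented but not verifiable), Trusted (chain verified) or Verified (chain verified and name matched). The log lines below are constructed samples in that style, not a real log.

```python
"""Summarise Postfix TLS log lines. Added example, not Postfix's own tooling."""
import re
from collections import Counter

# Constructed sample lines in the style of postfix/smtpd and postfix/smtp logging.
SAMPLE_LOG = """\
Mar  3 10:12:01 mx postfix/smtpd[4121]: Anonymous TLS connection established from unknown[192.0.2.10]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Mar  3 10:12:07 mx postfix/smtp[4130]: Trusted TLS connection established to mx.example.org[203.0.113.5]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
Mar  3 10:13:44 mx postfix/smtpd[4121]: Verified TLS connection established from relay.example.net[198.51.100.7]: TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)
Mar  3 10:15:02 mx postfix/smtp[4135]: Untrusted TLS connection established to mail.example.com[203.0.113.9]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Mar  3 10:16:30 mx postfix/smtpd[4122]: connect from unknown[192.0.2.44]
"""

TLS_RE = re.compile(
    r"postfix/(?P<daemon>smtpd?)\[\d+\]: "
    r"(?P<trust>Anonymous|Untrusted|Trusted|Verified) TLS connection established "
    r"(?P<direction>from|to) (?P<peer>\S+?)(?::\d+)?: "
    r"(?P<proto>\S+) with cipher (?P<cipher>\S+)"
)


def parse_tls_log(text):
    """Return one dict per TLS session line; other log lines are ignored."""
    records = []
    for line in text.splitlines():
        m = TLS_RE.search(line)
        if m:
            records.append(m.groupdict())
    return records


def summarize(records):
    """Count sessions per (daemon, trust level), e.g. ('smtp', 'Trusted')."""
    return Counter((r["daemon"], r["trust"]) for r in records)


def unverified_peers(records):
    """Peers whose certificate could not be verified against the CA file.

    Anonymous means no certificate at all; Untrusted means one was presented
    but the chain did not verify. Both still encrypt, but neither proves who
    the peer is, which matters if you plan to set smtpd_tls_req_ccert = yes."""
    return [r["peer"] for r in records if r["trust"] in ("Anonymous", "Untrusted")]


if __name__ == "__main__":
    recs = parse_tls_log(SAMPLE_LOG)
    for key, count in sorted(summarize(recs).items()):
        print(f"{key[0]:6} {key[1]:10} {count}")
    print("unverified:", unverified_peers(recs))
```

Feed it the real log with parse_tls_log(open("/var/log/mail.log").read()) (path varies by distribution). A growing Untrusted count for a peer you expect to be Trusted usually means the CA that issued its certificate is missing from cacert.pem.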

Where to find support

Subscribe to the Postfix_TLS mailing list and post your question to the list.
Credentia also supports certificates we sell. Send your inquiry to support@credentia.cc and we'll generally get back to you the same day (8a-5p Pacific Time, M-F)

See Also

Adding TLS support to Postfix
Postfix/TLS - Configuring main.cf and master.cf
Postfix/TLS - Lutz's very short course on being your own CA
RFC 3207 - SMTP Service Extension - Secure SMTP over TLS