Configuring SSL/TLS For Postfix

19th June, 2017 by

Many of the protocols the internet runs on were not designed with security in mind: your data, and even your login credentials, travel between your computer and the server in plain text, where anyone on the path can read them. This is because most of these protocols were designed before the public internet existed, for small, independent networks where both the network and the systems on it could be trusted. Secure Sockets Layer (SSL) came about as a way to secure the connection between an application and a server without each application having to implement its own encryption and security. But how can SSL help you?

What is SSL?

Originally developed at Netscape, the technology’s descendant, Transport Layer Security (TLS), is what is in common use today. Many people still call it SSL, especially as the libraries that implement TLS, such as OpenSSL and LibreSSL, are still named after SSL.

Most people are familiar with using SSL with web servers and configuring HTTPS for secure connections. Many applications can use SSL to encrypt their connections, and email systems are no different.

This time we’ll look at how we can secure your Postfix mail server using SSL.

From this point forward we assume you are working on a dedicated server or VPS on which Postfix is already configured and working.


You will need OpenSSL installed on the server before you can proceed. On Debian/Ubuntu systems, use the following commands:

    sudo apt-get update
    sudo apt-get install openssl

For CentOS/RedHat users, you can use this command:

    sudo yum install openssl

First, you will need an SSL certificate. If you already have a certificate installed for the server’s hostname (i.e., this can be used for secure connections to the Postfix mail server; just make sure your mail client is configured to connect to the server’s hostname, and no further certificates are required.

If you are using a different domain name (i.e. for the website and for the mail server), then you’ll need to generate a new certificate.


To make things easier to track we’ll keep the SSL certificate in its own directory, so we’ll create that with the following command:

    sudo mkdir /etc/postfix/ssl

Now we’ll generate a private key and the CSR (certificate signing request) that the certificate provider needs:

    cd /etc/postfix/ssl
    # -nodes leaves the private key unencrypted so Postfix can load it without a passphrase
    sudo openssl req -nodes -newkey rsa:2048 -keyout -out

In the line above, change “” to the domain you have configured for your mail server.

The file name doesn’t need to match the domain exactly, but naming the files after the domain they are for helps you keep track of your certificates.

Once this is done, submit the CSR to your chosen certificate provider. When you have received your certificate, save it in the same directory on the server.

From here we’ll assume you’ve saved your certificate with the same name, so Also put any intermediate certificate files that came with your bundle in that directory.

Next we need to configure Postfix to use this certificate.

This is done by editing the /etc/postfix/ file and setting the TLS parameters. In the standard file that comes with Debian/Ubuntu this section already exists and will need adjusting to match the settings below.

On CentOS/RedHat systems you’ll need to add these directives to the file:

    # smtpd_use_tls is the legacy switch; on Postfix 2.3 and later,
    # smtpd_tls_security_level = may is the equivalent setting
    smtpd_use_tls = yes
    # only offer SMTP AUTH once the connection is encrypted
    smtpd_tls_auth_only = yes
    smtpd_tls_key_file = /etc/postfix/ssl/
    smtpd_tls_cert_file = /etc/postfix/ssl/
    smtpd_tls_CAfile = /etc/postfix/ssl/caroot.crt
    # 1 logs a one-line summary of each TLS handshake
    smtpd_tls_loglevel = 1

As before, change to match the domain name you are using on the server.

You will also need to change caroot.crt to the file name of the certificate authority’s root certificate supplied in your certificate bundle. With these changes made, save and exit the file.
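
Before reloading, it is worth checking that the files those directives point at are consistent with each other, since a key that does not match the certificate, a broken chain or a world-readable key will only surface as handshake failures later. The script below is an added check, not part of the original post; it assumes only the openssl command line and takes your key, certificate, CA bundle and mail hostname as arguments.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check the files that
# smtpd_tls_key_file / smtpd_tls_cert_file / smtpd_tls_CAfile will point at,
# before reloading Postfix. Needs only the openssl CLI.
#
# usage: check_postfix_tls KEY CERT [CA_BUNDLE] [MAIL_HOSTNAME]
check_postfix_tls() {
    key=$1 cert=$2 ca=$3 host=$4

    # 1. Both files must exist and parse as PEM.
    openssl pkey -in "$key" -noout 2>/dev/null ||
        { echo "FAIL: cannot read private key $key"; return 1; }
    openssl x509 -in "$cert" -noout 2>/dev/null ||
        { echo "FAIL: cannot read certificate $cert"; return 1; }

    # 2. Postfix wants the key readable by root only: group/other bits must be clear.
    case "$(ls -l "$key")" in
        ????------*) ;;
        *) echo "FAIL: $key is readable by group/other; chmod 600 it"; return 1 ;;
    esac

    # 3. The certificate must have been issued for this private key: compare the
    #    public key embedded in the cert with the one derived from the key.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    [ "$cert_pub" = "$key_pub" ] ||
        { echo "FAIL: $key does not match $cert"; return 1; }

    # 4. The certificate must not expire within the next 30 days (2592000 s).
    openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null ||
        { echo "FAIL: $cert expires within 30 days"; return 1; }

    # 5. With a CA bundle given, the chain must verify up to a trusted root,
    #    which is what a mail client does when it connects.
    if [ -n "$ca" ]; then
        openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 ||
            { echo "FAIL: $cert does not verify against $ca"; return 1; }
    fi

    # 6. With a hostname given, it must appear in the cert (SAN or CN), or the
    #    client will reject the server's name even though the chain is valid.
    if [ -n "$host" ]; then
        openssl x509 -in "$cert" -noout -checkhost "$host" |
            grep -q 'does match certificate' ||
            { echo "FAIL: $cert is not valid for host $host"; return 1; }
    fi
    echo "OK: $cert and $key look ready for Postfix"
}
```

Run it as `check_postfix_tls /etc/postfix/ssl/KEY /etc/postfix/ssl/CERT /etc/postfix/ssl/caroot.crt MAIL_HOSTNAME` with your own file names; a non-zero exit means one of the six checks failed and the message says which.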

You can now reload the Postfix config to begin using it.

    sudo service postfix reload

Postfix should now accept incoming connections over TLS, so your mail is encrypted in transit between your mail client and the server.

