
SSL configuration for Postfix SMTP relay server


Sometimes we need to use Postfix as a relay SMTP server. This is needed when devices on your network generate system emails and send them to your mailbox. In most cases they end up in the spam folder if you do not have a proper relay server for them. So we set up an SMTP hostname such as 'smtp.yourdomain.com' and configure port 25 for all email relays. This works, but mail providers such as Gmail accept the message and then show a red open padlock on it with the status 'yourdomain.com did not encrypt this message'.

You need a proper TLS certificate (still commonly sold as an 'SSL certificate') so the relay can encrypt its SMTP sessions and avoid that warning from Google. Encryption may become mandatory if Google decides to drop unencrypted mail, so it is better to configure the relay with certificates now. You can buy them from any certificate vendor or use free Let's Encrypt certificates. Keep in mind that the certificate identifies your relay to the devices and servers that connect to it; whether the relay itself encrypts the mail it passes on to Gmail is controlled separately by Postfix's outbound (smtp_tls_*) parameters, which are set in main.cf below.

Once you have the certificate files from the vendor, create the directory below and copy the certificate, the CA chain and the private key into it. The private key must be readable by root only (for example chmod 600), because anyone who can read it can impersonate the relay:

/etc/postfix/ssl/

Now open the postfix conf file ,

/etc/postfix/main.cf

Then configure the TLS parameters, which come below the 'mynetworks' option in the conf file. Please note this is just an SMTP relay server; no Dovecot or Courier authentication is required in this set-up. If you are using the certificates for Dovecot/Courier and authenticated submission, the SMTP auth configuration is different and you will need to enable smtpd_sasl_auth_enable and the related SASL settings. There are plenty of tutorials for that kind of set-up.

####### TLS ########
# smtpd_* = inbound (devices -> relay), smtp_* = outbound (relay -> Gmail etc.)
smtpd_tls_auth_only = no
smtp_tls_security_level = may
smtpd_tls_security_level = may
smtpd_tls_key_file = /etc/postfix/ssl/private.key
smtpd_tls_cert_file = /etc/postfix/ssl/smtp_yourdomain_com.crt
smtpd_tls_CAfile = /etc/postfix/ssl/smtp_yourdomain.ca-bundle
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

Two notes on these parameters. smtp_tls_security_level = may (the modern replacement for the obsolete smtp_use_tls = yes) makes the relay use STARTTLS whenever the receiving server offers it; this outbound setting, not the certificate, is what makes Gmail show the connection as encrypted. smtpd_tls_CAfile is mainly for verifying client certificates; Postfix recommends appending the intermediate CA certificates to the file named in smtpd_tls_cert_file (server certificate first, then the chain) so that connecting clients always receive a complete chain.

The next file to check is /etc/postfix/master.cf. This is where the listening ports (25, 465, etc.) for the relay are configured. If you are using ports 25 and 465, the two entries below should be uncommented. Port 465 is implicit TLS (SMTPS): the session is encrypted from the first byte, so its entry needs smtpd_tls_wrappermode=yes. Without that option smtpd would speak plaintext SMTP on 465 and TLS clients would fail to connect.

smtp      inet  n       -       n       -       -       smtpd
465       inet  n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes

It is also recommended to uncomment the option below (found in the submission/smtps sections) and keep it at 'may'. This option governs connections from your devices to the relay, not the relay's outbound deliveries. With 'encrypt', Postfix rejects mail from any device that cannot negotiate STARTTLS (it answers 530 'Must issue a STARTTLS command first'), so older printers and appliances would stop delivering. 'may' keeps them working at the cost of allowing cleartext on that port; on a port that carries passwords (SASL submission) prefer 'encrypt' together with smtpd_tls_auth_only = yes.

-o smtpd_tls_security_level=may

Any change to main.cf or master.cf has to be loaded into the running daemons. A reload is enough for configuration changes (a full service postfix restart also works but is not required); run postfix check first to catch syntax errors and bad file ownership or permissions:

postfix check
postfix reload
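To check a relay's configuration for the mistakes discussed above (obsolete TLS switches, a missing outbound TLS level, a world-readable private key, a port 465 entry without wrapper mode), here is an added example audit script. It is not part of the original post or of Postfix; it parses main.cf and master.cf in Postfix's own syntax, and the WEAK_* and HARDENED_* strings are constructed samples that mirror the snippets above, not real files.

```python
"""Audit the TLS settings in a Postfix relay's main.cf and master.cf.

Added example, not code from the original post. Parses both files in Postfix's
own syntax and reports the mistakes discussed above; the WEAK_*/HARDENED_*
strings are constructed samples, not the post's real files.
"""
import os
import re
import stat
import tempfile

# Legacy switches superseded by the *_tls_security_level parameters (Postfix 2.3+).
OBSOLETE = {"smtp_use_tls": "smtp_tls_security_level",
            "smtpd_use_tls": "smtpd_tls_security_level"}

def parse_main_cf(text):
    """{parameter: value}; a line starting with whitespace continues the previous value."""
    params, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t" and current:
            params[current] += " " + line.strip()
            continue
        name, sep, value = line.partition("=")
        if sep:
            current = name.strip()
            params[current] = value.strip()
    return params

def parse_master_cf(text):
    """Services as dicts (name, type, command, options) from 8-column lines plus -o overrides."""
    services = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t":
            m = re.match(r"\s*-o\s+([^=\s]+)=(\S*)", line)
            if m and services:
                services[-1]["options"][m.group(1)] = m.group(2)
            continue
        f = line.split()
        if len(f) >= 8:
            services.append({"name": f[0], "type": f[1], "command": f[7], "options": {}})
    return services

def effective_level(params, side):
    """TLS level for side 'smtpd' (inbound) or 'smtp' (outbound); the legacy
    *_use_tls=yes switch still means 'may' when the level parameter is unset."""
    level = params.get(f"{side}_tls_security_level", "")
    return level or ("may" if params.get(f"{side}_use_tls") == "yes" else "none")

def key_mode_finding(path):
    """Flag a private key readable by group/other; None if fine or absent."""
    if not path or not os.path.exists(path):
        return None
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return f"{path}: mode {mode:04o} is group/world readable, chmod 0600 it" if mode & 0o077 else None

def audit(main_text, master_text):
    """Return a list of findings; an empty list means nothing was detected."""
    p = parse_main_cf(main_text)
    findings = [f"main.cf: {old} is obsolete, use {new}" for old, new in OBSOLETE.items() if old in p]
    # smtpd_* governs devices -> relay; smtp_* governs relay -> Gmail and is the
    # setting that decides whether Gmail flags the message as unencrypted.
    if effective_level(p, "smtpd") == "none":
        findings.append("main.cf: inbound STARTTLS is not offered (smtpd_tls_security_level)")
    if effective_level(p, "smtp") == "none":
        findings.append("main.cf: outbound mail leaves in cleartext (smtp_tls_security_level)")
    findings += [f"main.cf: {n} is not set" for n in ("smtpd_tls_cert_file", "smtpd_tls_key_file") if not p.get(n)]
    key_finding = key_mode_finding(p.get("smtpd_tls_key_file"))
    if key_finding:
        findings.append(key_finding)
    for svc in parse_master_cf(master_text):
        if (svc["type"], svc["command"]) == ("inet", "smtpd") and svc["name"] in ("465", "smtps", "submissions") \
                and svc["options"].get("smtpd_tls_wrappermode") != "yes":
            findings.append(f"master.cf: {svc['name']} lacks smtpd_tls_wrappermode=yes, "
                            "so smtpd would answer in plaintext on an implicit-TLS port")
    return findings

def make_temp_key(mode):
    """Throwaway file with the given mode, to exercise key_mode_finding offline."""
    fd, path = tempfile.mkstemp(suffix=".key")
    os.close(fd)
    os.chmod(path, mode)
    return path

# Constructed "before" files mirroring the post's snippets, and a hardened pair.
WEAK_MAIN = """\
smtp_use_tls = yes
smtpd_tls_security_level = may
smtpd_tls_key_file =   /etc/postfix/ssl/private.key
smtpd_tls_cert_file =   /etc/postfix/ssl/smtp_yourdomain_com.crt
"""
WEAK_MASTER = """\
smtp      inet  n       -       n       -       -       smtpd
465       inet  n       -       n       -       -       smtpd
"""
HARDENED_MAIN = WEAK_MAIN.replace("smtp_use_tls = yes", "smtp_tls_security_level = may")
HARDENED_MASTER = WEAK_MASTER + "  -o smtpd_tls_wrappermode=yes\n"
```

On a live relay you would feed it the real files, for example audit(open("/etc/postfix/main.cf").read(), open("/etc/postfix/master.cf").read()); the key-permission check only fires when the key file actually exists on the machine running the script.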

If everything is fine, Gmail will show 'Standard encryption (TLS)' on mail that arrives from the relay. You can also confirm from outside that the relay offers STARTTLS and presents your certificate with openssl s_client -starttls smtp -connect smtp.yourdomain.com:25.

By default the Postfix logs go to /var/log/maillog on Red Hat-style systems (or /var/log/mail.log on Debian and Ubuntu). With smtpd_tls_loglevel = 1 every TLS handshake is logged there, which makes it the first place to look when troubleshooting.
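As an added example (not from the original post) of using that log for troubleshooting, the script below parses the "TLS connection established" lines Postfix writes at TLS log level 1, counts handshakes per direction, trust level and protocol, flags obsolete protocol versions, and estimates how many inbound sessions never negotiated TLS. SAMPLE_LOG is a constructed log excerpt in Postfix's format, not a real capture; hostnames and addresses in it are placeholders.

```python
"""Summarise TLS handshakes recorded in the Postfix mail log.

Added example, not part of the original post. With smtpd_tls_loglevel = 1 (and
smtp_tls_loglevel = 1 for the outbound side) Postfix logs one
"<trust> TLS connection established to|from <peer>: <protocol> with cipher ..."
line per handshake. SAMPLE_LOG is constructed, not a real capture.
"""
import re
from collections import Counter

# Trust levels Postfix logs: Anonymous = peer sent no certificate, Untrusted = cert
# not verifiable against the trust store (normal for 'may' with no CA path),
# Trusted = chain verified, Verified = chain verified and name matched.
TLS_LINE = re.compile(
    r"postfix/(?:smtpd?)\[\d+\]: (?P<trust>Anonymous|Untrusted|Trusted|Verified) TLS connection "
    r"established (?P<dir>to|from) (?P<peer>\S+): (?P<proto>TLSv[\d.]+) with cipher (?P<cipher>\S+)")
CONNECT_LINE = re.compile(r"postfix/smtpd\[\d+\]: connect from (?P<peer>\S+)")
LEGACY_PROTOCOLS = {"TLSv1", "TLSv1.1"}

def summarise(log_text):
    """Return handshake counters per direction, inbound connection totals and warnings."""
    handshakes = {"inbound": Counter(), "outbound": Counter()}
    warnings, inbound_connections = [], 0
    for line in log_text.splitlines():
        if CONNECT_LINE.search(line):
            inbound_connections += 1
            continue
        m = TLS_LINE.search(line)
        if not m:
            continue
        direction = "inbound" if m["dir"] == "from" else "outbound"
        handshakes[direction][(m["trust"], m["proto"])] += 1
        if m["proto"] in LEGACY_PROTOCOLS:
            warnings.append(f"{m['peer']} negotiated {m['proto']} with {m['cipher']}; "
                            "update the device or restrict smtpd_tls_protocols")
    # smtpd does at most one STARTTLS per session, so connects minus inbound
    # handshakes approximates the sessions that stayed in cleartext.
    return {"handshakes": handshakes,
            "inbound_connections": inbound_connections,
            "inbound_without_tls": inbound_connections - sum(handshakes["inbound"].values()),
            "warnings": warnings}

# Constructed excerpt in /var/log/maillog format: two devices that used STARTTLS
# (one of them on TLSv1), one outbound delivery to Gmail, one device that did not.
SAMPLE_LOG = """\
Jun  1 10:00:01 relay postfix/smtpd[2101]: connect from printer.lan[192.168.1.20]
Jun  1 10:00:01 relay postfix/smtpd[2101]: Anonymous TLS connection established from printer.lan[192.168.1.20]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jun  1 10:00:02 relay postfix/smtp[2102]: Untrusted TLS connection established to gmail-smtp-in.l.google.com[142.250.27.26]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
Jun  1 10:00:03 relay postfix/smtp[2102]: 1A2B3C4D5E: to=<you@gmail.com>, relay=gmail-smtp-in.l.google.com[142.250.27.26]:25, delay=0.9, delays=0.1/0.01/0.4/0.4, dsn=2.0.0, status=sent (250 2.0.0 OK)
Jun  1 10:05:17 relay postfix/smtpd[2110]: connect from nas.lan[192.168.1.30]
Jun  1 10:05:17 relay postfix/smtpd[2110]: Anonymous TLS connection established from nas.lan[192.168.1.30]: TLSv1 with cipher AES128-SHA (128/128 bits)
Jun  1 10:06:00 relay postfix/smtpd[2111]: connect from camera.lan[192.168.1.40]
Jun  1 10:06:01 relay postfix/smtpd[2111]: disconnect from camera.lan[192.168.1.40]
"""
```

Run it against the real file with summarise(open("/var/log/maillog").read()); an outbound entry of Untrusted TLSv1.3 to Gmail is exactly what a working 'may' configuration looks like, while a non-zero inbound_without_tls tells you which devices would break if you ever moved the inbound level to 'encrypt'.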

© Copyright 2020.TechieNix. All Rights Reserved.