[CentOS] TLS support on postfix

Wed Feb 8 02:04:03 UTC 2012
Nataraj <incoming-centos at rjl.com>

On 02/07/2012 04:50 PM, Kumar Krishna wrote:
> Hi List,
>
> I have a postfix server based on CentOS 5 in which I have been trying to add TLS encryption support for SMTP.
>
> >From the localhost when I do an EHLO, following is the output
>
> [root at xxxxxxx ~]# nc localhost 25
> 220 xxxxxxx.xxxx.xxx.xx ESMTP Postfix
> EHLO localhost
> 250-xxxxxxx.xxxx.xxx.xx
> 250-PIPELINING
> 250-SIZE 41943040
> 250-VRFY
> 250-ETRN
> 250-STARTTLS
> 250-AUTH PLAIN LOGIN
> 250-AUTH=PLAIN LOGIN
> 250-ENHANCEDSTATUSCODES
> 250-8BITMIME
> 250 DSN
>
> However from a remote location when I do the EHLO, the response does not contains STARTTLS, ENHANCEDSTATUSCODES and DSN
>
> krishna at L03:~$ nc xxxxxxx.xxxx.xxx.xx 25
> 220 xxxxxxx.xxxx.xxx.xx ESMTP Postfix
> EHLO localhost       
> 250-xxxxxxx.xxxx.xxx.xx
> 250-PIPELINING
> 250-SIZE 41943040
> 250-VRFY
> 250-ETRN
> 250-AUTH PLAIN LOGIN
> 250 8BITMIME
>
>
> I have done some googling and found this might be because of the Cisco Router's "ESMTP Fix". However Can someone here tell me if there are any settings in master.cf or main.cf that might result in similar behaviour?
>
> Regards,
> KRiSHNA
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos

>From http://www.postfix.org/TLS_README.html

By default, TLS is disabled in the Postfix SMTP server, so no difference to plain Postfix is visible. Explicitly switch it on with "smtpd_tls_security_level = may".
/etc/postfix/main.cf:
    smtpd_tls_security_level = may

With this, the Postfix SMTP server announces STARTTLS support to remote SMTP clients, but does not require that clients use TLS encryption.



My tls configuration looks something like this:

# INCOMING TLS (smtpd server)
smtpd_tls_security_level = may
smtpd_note_starttls_offer = yes
smtpd_tls_key_file = /etc/postfix/certs/tls.key
smtpd_tls_cert_file = /etc/postfix/certs/tls.crt
smtpd_tls_CAfile = /etc/postfix/certs/CAcert.crt
smtpd_tls_CApath = /etc/postfix/certs
smtpd_tls_loglevel = 1

smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

# OUTGOING TLS (SMTP transport)
smtp_tls_loglevel = 1
smtp_tls_session_cache_database = btree:/var/run/smtp_tls_session_cache
smtp_tls_security_level = may
smtp_tls_note_starttls_offer = yes


Nataraj