[CentOS] TLS support on postfix

Nataraj incoming-centos at rjl.com
Wed Feb 8 06:31:58 UTC 2012


On 02/07/2012 09:50 PM, Kumar Krishna wrote:
> On Tue, 07 Feb 2012 18:04:03 -0800
> Nataraj <incoming-centos at rjl.com> wrote:
>
>> On 02/07/2012 04:50 PM, Kumar Krishna wrote:
>>> Hi List,
>>>
>>> I have a postfix server based on CentOS 5 in which I have been
>>> trying to add TLS encryption support for SMTP.
>>>
>>> From the localhost when I do an EHLO, the following is the output
>>>
>>> [root at xxxxxxx ~]# nc localhost 25
>>> 220 xxxxxxx.xxxx.xxx.xx ESMTP Postfix
>>> EHLO localhost
>>> 250-xxxxxxx.xxxx.xxx.xx
>>> 250-PIPELINING
>>> 250-SIZE 41943040
>>> 250-VRFY
>>> 250-ETRN
>>> 250-STARTTLS
>>> 250-AUTH PLAIN LOGIN
>>> 250-AUTH=PLAIN LOGIN
>>> 250-ENHANCEDSTATUSCODES
>>> 250-8BITMIME
>>> 250 DSN
>>>
>>> However from a remote location when I do the EHLO, the response
>>> does not contain STARTTLS, ENHANCEDSTATUSCODES and DSN
>>>
>>> krishna at L03:~$ nc xxxxxxx.xxxx.xxx.xx 25
>>> 220 xxxxxxx.xxxx.xxx.xx ESMTP Postfix
>>> EHLO localhost       
>>> 250-xxxxxxx.xxxx.xxx.xx
>>> 250-PIPELINING
>>> 250-SIZE 41943040
>>> 250-VRFY
>>> 250-ETRN
>>> 250-AUTH PLAIN LOGIN
>>> 250 8BITMIME
>>>
>>>
>>> I have done some googling and found this might be because of the
>>> Cisco Router's "ESMTP Fix". However, can someone here tell me if
>>> there are any settings in master.cf or main.cf that might result in
>>> similar behaviour?
>>>
>>> Regards,
>>> KRiSHNA
>>> _______________________________________________
>>> CentOS mailing list
>>> CentOS at centos.org
>>> http://lists.centos.org/mailman/listinfo/centos
>> From http://www.postfix.org/TLS_README.html
>>
>> By default, TLS is disabled in the Postfix SMTP server, so no
>> difference to plain Postfix is visible. Explicitly switch it on with
>> "smtpd_tls_security_level = may". /etc/postfix/main.cf:
>> smtpd_tls_security_level = may
>>
>> With this, the Postfix SMTP server announces STARTTLS support to
>> remote SMTP clients, but does not require that clients use TLS
>> encryption.
>>
>>
>>
>> My tls configuration looks something like this:
>>
>> # INCOMING TLS (smtpd server)
>> smtpd_tls_security_level = may
>> smtpd_note_starttls_offer = yes
>> smtpd_tls_key_file = /etc/postfix/certs/tls.key
>> smtpd_tls_cert_file = /etc/postfix/certs/tls.crt
>> smtpd_tls_CAfile = /etc/postfix/certs/CAcert.crt
>> smtpd_tls_CApath = /etc/postfix/certs
>> smtpd_tls_loglevel = 1
>>
>> smtpd_tls_session_cache_timeout = 3600s
>> tls_random_source = dev:/dev/urandom
>>
>> # OUTGOING TLS (SMTP transport)
>> smtp_tls_loglevel = 1
>> smtp_tls_session_cache_database = btree:/var/run/smtp_tls_session_cache
>> smtp_tls_security_level = may
>> smtp_tls_note_starttls_offer = yes
>>
>>
>> Nataraj
> Thanks for the reply Nataraj, but still no joy. I tried adding 'smtp_tls_security_level = may' & 'smtpd_tls_security_level = may' to my existing configuration, but it didn't help.
> Any ideas what else I might need to change in the configuration?
>
> Here is what my configuration looks like
>
> #ENCRYPTION
> #==========#
> # Incoming
> smtpd_tls_auth_only = no
> smtpd_note_starttls_offer = yes
> smtpd_use_tls = yes
> smtpd_tls_security_level = may
> smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
> smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
> smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
> smtpd_tls_loglevel = 1
> smtpd_tls_session_cache_timeout = 3600s
> smtpd_tls_received_header = yes
> tls_random_source = dev:/dev/urandom
>
> # Outgoing
> smtp_use_tls = yes
> smtp_tls_loglevel = 1
> smtp_tls_note_starttls_offer = yes
> smtp_tls_security_level = may
>
> Regards,
> KRiSHNA

Did you reload the configuration with 'postfix reload' or 'service
postfix restart' after updating your config file?

Have you set up certificates?  I suggest you read
http://www.postfix.org/TLS_README.html
If you think you've set everything up correctly, run the command
'postconf -n | grep tls' and post the output.  You might also check the
archives of the postfix mailing list.  I'm sure there are extensive
postings for issues like this.

Nataraj
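The thread turns on one observation: the EHLO reply seen from localhost contains STARTTLS, the reply seen from a remote client does not. The following script is an added example, not something posted in the thread or shipped with Postfix. It parses EHLO replies, lists the capabilities that disappear between the two vantage points, and classifies the result: if STARTTLS is absent even locally, the Postfix configuration is the problem (Nataraj's `postconf -n | grep tls` and `postfix reload` checks apply); if it is present locally but missing remotely, Postfix is fine and something in the network path is rewriting the reply, which is the ESMTP inspection case Krishna suspects. The two sample replies are constructed from the transcripts quoted above; the host name `probe.invalid`, the file name and all function names are this example's own choices.

```python
"""Compare the ESMTP capabilities a Postfix server advertises to a local
client with what a remote client sees (added example, not from the thread)."""
import socket
import sys
from typing import Dict, List

# Constructed samples: the two EHLO replies quoted in the thread, minus the
# 220 banner and the EHLO command line.
LOCAL_EHLO_REPLY = """\
250-xxxxxxx.xxxx.xxx.xx
250-PIPELINING
250-SIZE 41943040
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
"""

REMOTE_EHLO_REPLY = """\
250-xxxxxxx.xxxx.xxx.xx
250-PIPELINING
250-SIZE 41943040
250-VRFY
250-ETRN
250-AUTH PLAIN LOGIN
250 8BITMIME
"""


def parse_ehlo_reply(reply: str) -> Dict[str, str]:
    """Parse a multi-line EHLO reply into {KEYWORD: parameters}.

    RFC 5321 multi-line replies use "250-" on continuation lines and
    "250 " (a space) on the last line.  The first line carries the
    server's hostname rather than a capability, so it is skipped.
    """
    lines = [ln for ln in reply.splitlines() if ln.strip()]
    if not lines:
        raise ValueError("empty EHLO reply")
    caps: Dict[str, str] = {}
    for index, line in enumerate(lines):
        if len(line) < 4 or not line.startswith("250") or line[3] not in "- ":
            raise ValueError(f"not a 250 reply line: {line!r}")
        if line[3] == " " and index != len(lines) - 1:
            raise ValueError(f"final reply line before end of reply: {line!r}")
        if index == 0:
            continue  # hostname line
        body = line[4:].strip()
        if not body:
            continue
        keyword, _, params = body.partition(" ")
        caps[keyword.upper()] = params.strip()
    return caps


def missing_capabilities(local: Dict[str, str], remote: Dict[str, str]) -> List[str]:
    """Capabilities the server offers locally that the remote client never sees."""
    return sorted(keyword for keyword in local if keyword not in remote)


def diagnose(local_reply: str, remote_reply: str) -> str:
    """Classify the STARTTLS situation from the two captured replies."""
    local = parse_ehlo_reply(local_reply)
    remote = parse_ehlo_reply(remote_reply)
    if "STARTTLS" not in local:
        # Postfix itself is not offering TLS: check 'postconf -n | grep tls'
        # for smtpd_tls_security_level = may and the key/cert paths, then reload.
        return "postfix-not-offering-tls"
    if "STARTTLS" in remote:
        return "ok"
    # Offered locally but absent remotely: the reply is being altered in transit.
    return "starttls-stripped-in-transit"


def _read_reply(stream) -> str:
    """Read one (possibly multi-line) SMTP reply from a line-oriented stream."""
    lines: List[str] = []
    while True:
        raw = stream.readline()
        if not raw:
            raise ConnectionError("server closed the connection")
        line = raw.decode("ascii", errors="replace").rstrip("\r\n")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":
            return "\n".join(lines) + "\n"


def fetch_ehlo_reply(host: str, port: int = 25, helo_name: str = "probe.invalid",
                     timeout: float = 10.0) -> str:
    """Connect to an SMTP server, send EHLO and return the raw reply text.

    Run it once on the server itself (host "localhost") and once from an
    outside client, then feed both captures to diagnose().
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        stream = sock.makefile("rb")
        _read_reply(stream)  # 220 greeting banner
        sock.sendall(f"EHLO {helo_name}\r\n".encode("ascii"))
        reply = _read_reply(stream)
        sock.sendall(b"QUIT\r\n")
    return reply


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Probe a live server and show what it advertises from this vantage point.
        print(parse_ehlo_reply(fetch_ehlo_reply(sys.argv[1])))
    else:
        local_caps = parse_ehlo_reply(LOCAL_EHLO_REPLY)
        remote_caps = parse_ehlo_reply(REMOTE_EHLO_REPLY)
        print("missing remotely:", missing_capabilities(local_caps, remote_caps))
        print("diagnosis:", diagnose(LOCAL_EHLO_REPLY, REMOTE_EHLO_REPLY))
```

Run without arguments it works through the thread's two transcripts and reports STARTTLS, ENHANCEDSTATUSCODES, DSN and the legacy AUTH=PLAIN line as missing remotely, with the diagnosis "starttls-stripped-in-transit". Given a host name it performs a live EHLO from wherever it is run, so a capture taken on the server and one taken from outside can be compared the same way.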
