[CentOS] TLS support on postfix

Wed Feb 8 05:50:41 UTC 2012
Kumar Krishna <krishnak5891 at gmail.com>

On Tue, 07 Feb 2012 18:04:03 -0800
Nataraj <incoming-centos at rjl.com> wrote:

> On 02/07/2012 04:50 PM, Kumar Krishna wrote:
> > Hi List,
> >
> > I have a postfix server based on CentOS 5 in which I have been
> > trying to add TLS encryption support for SMTP.
> >
> > From the localhost when I do an EHLO, the following is the output
> >
> > [root at xxxxxxx ~]# nc localhost 25
> > 220 xxxxxxx.xxxx.xxx.xx ESMTP Postfix
> > EHLO localhost
> > 250-xxxxxxx.xxxx.xxx.xx
> > 250-PIPELINING
> > 250-SIZE 41943040
> > 250-VRFY
> > 250-ETRN
> > 250-STARTTLS
> > 250-AUTH PLAIN LOGIN
> > 250-AUTH=PLAIN LOGIN
> > 250-ENHANCEDSTATUSCODES
> > 250-8BITMIME
> > 250 DSN
> >
> > However from a remote location when I do the EHLO, the response
> > does not contain STARTTLS, ENHANCEDSTATUSCODES and DSN
> >
> > krishna at L03:~$ nc xxxxxxx.xxxx.xxx.xx 25
> > 220 xxxxxxx.xxxx.xxx.xx ESMTP Postfix
> > EHLO localhost
> > 250-xxxxxxx.xxxx.xxx.xx
> > 250-PIPELINING
> > 250-SIZE 41943040
> > 250-VRFY
> > 250-ETRN
> > 250-AUTH PLAIN LOGIN
> > 250 8BITMIME
> >
> >
> > I have done some googling and found this might be because of the
> > Cisco Router's "ESMTP Fix". However Can someone here tell me if
> > there are any settings in master.cf or main.cf that might result in
> > similar behaviour?
> >
> > Regards,
> > KRiSHNA
> > _______________________________________________
> > CentOS mailing list
> > CentOS at centos.org
> > http://lists.centos.org/mailman/listinfo/centos
> 
> From http://www.postfix.org/TLS_README.html
> 
> By default, TLS is disabled in the Postfix SMTP server, so no
> difference to plain Postfix is visible. Explicitly switch it on with
> "smtpd_tls_security_level = may". /etc/postfix/main.cf:
> smtpd_tls_security_level = may
> 
> With this, the Postfix SMTP server announces STARTTLS support to
> remote SMTP clients, but does not require that clients use TLS
> encryption.
> 
> 
> 
> My tls configuration looks something like this:
> 
> # INCOMING TLS (smtpd server)
> smtpd_tls_security_level = may
> smtpd_note_starttls_offer = yes
> smtpd_tls_key_file = /etc/postfix/certs/tls.key
> smtpd_tls_cert_file = /etc/postfix/certs/tls.crt
> smtpd_tls_CAfile = /etc/postfix/certs/CAcert.crt
> smtpd_tls_CApath = /etc/postfix/certs
> smtpd_tls_loglevel = 1
> 
> smtpd_tls_session_cache_timeout = 3600s
> tls_random_source = dev:/dev/urandom
> 
> # OUTGOING TLS (SMTP transport)
> smtp_tls_loglevel = 1
> smtp_tls_session_cache_database = btree:/var/run/smtp_tls_session_cache
> smtp_tls_security_level = may
> smtp_tls_note_starttls_offer = yes
> 
> 
> Nataraj

Thanks for the reply Nataraj, but still no joy. I tried adding 'smtp_tls_security_level = may' & 'smtpd_tls_security_level = may' to my existing configuration, but it didn't help.
Any ideas what else I might need to change in the configuration?

Here is what my configuration looks like

#ENCRYPTION
#==========#
# Incoming
smtpd_tls_auth_only = no
smtpd_note_starttls_offer = yes
smtpd_use_tls = yes
smtpd_tls_security_level = may
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_received_header = yes
tls_random_source = dev:/dev/urandom

# Outgoing
smtp_use_tls = yes
smtp_tls_loglevel = 1
smtp_tls_note_starttls_offer = yes
smtp_tls_security_level = may

Regards,
KRiSHNA
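The check the poster did by hand with nc (EHLO from localhost, EHLO from outside, compare the two keyword lists) is the right diagnostic, because Postfix's main.cf settings cannot produce a STARTTLS keyword that is present on loopback but absent from the outside unless something per-client is configured; a missing keyword on one path only points at either a per-client Postfix setting or a device between the client and the server rewriting the EHLO reply (the Cisco "ESMTP fix" the poster mentions). The script below is an added example, not code from the thread or from Postfix: it parses the two transcripts quoted above (copied verbatim as LOCAL_REPLY and REMOTE_REPLY) into keyword dictionaries and diffs them, and probe_ehlo() does the same live against a host with the standard library smtplib module. The helo name probe.example.invalid is an assumed placeholder.

```python
"""Diff the ESMTP extensions a server advertises to two different clients.

Added example for the CentOS list thread on missing STARTTLS; not the
poster's or Postfix's code.  parse_ehlo() works offline on pasted nc
transcripts, probe_ehlo() performs a real EHLO over the network.
"""
from __future__ import annotations

import smtplib
import sys

# Transcripts copied from the thread above (hostname already masked there).
LOCAL_REPLY = """\
220 xxxxxxx.xxxx.xxx.xx ESMTP Postfix
EHLO localhost
250-xxxxxxx.xxxx.xxx.xx
250-PIPELINING
250-SIZE 41943040
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
"""

REMOTE_REPLY = """\
220 xxxxxxx.xxxx.xxx.xx ESMTP Postfix
EHLO localhost
250-xxxxxxx.xxxx.xxx.xx
250-PIPELINING
250-SIZE 41943040
250-VRFY
250-ETRN
250-AUTH PLAIN LOGIN
250 8BITMIME
"""


def _extensions_from_bodies(bodies) -> dict[str, str]:
    """Map 'KEYWORD params' reply bodies to {KEYWORD: params}.

    The legacy 'AUTH=PLAIN LOGIN' form that Postfix emits for old clients
    is kept distinct from 'AUTH PLAIN LOGIN' under the key 'AUTH='.
    """
    ext: dict[str, str] = {}
    for body in bodies:
        body = body.strip()
        if not body:
            continue
        keyword, _, params = body.partition(" ")
        if "=" in keyword:
            keyword, _, first = keyword.partition("=")
            keyword += "="
            params = f"{first} {params}".strip()
        ext[keyword.upper()] = params
    return ext


def parse_ehlo(transcript: str) -> dict[str, str]:
    """Parse a pasted session: keep only 250 lines, skip the hostname line."""
    reply_lines = [ln.strip() for ln in transcript.splitlines()
                   if ln.strip().startswith("250")]
    # reply_lines[0] is '250-<hostname>'; the rest are extension keywords.
    return _extensions_from_bodies(ln[4:] for ln in reply_lines[1:])


def missing_extensions(local: dict[str, str], remote: dict[str, str]) -> set[str]:
    """Keywords the server advertised to the local client but not the remote one."""
    return set(local) - set(remote)


def diff_from_thread() -> set[str]:
    """Run the comparison on the two transcripts quoted in the thread."""
    return missing_extensions(parse_ehlo(LOCAL_REPLY), parse_ehlo(REMOTE_REPLY))


def probe_ehlo(host: str, port: int = 25, helo_name: str = "probe.example.invalid",
               timeout: float = 10.0) -> dict[str, str]:
    """Live check: EHLO the server and return its advertised extensions.

    smtplib returns the reply bodies without the '250-' prefixes, so they
    go straight to the shared parser.  Not exercised offline.
    """
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        code, message = smtp.ehlo(helo_name)
        if code != 250:
            raise RuntimeError(f"EHLO rejected by {host}: {code} {message!r}")
        bodies = message.decode("ascii", "replace").splitlines()
        return _extensions_from_bodies(bodies[1:])


if __name__ == "__main__":
    # Usage: python ehlo_diff.py <host>   (compare with the local result by eye)
    target = sys.argv[1] if len(sys.argv) > 1 else None
    if target:
        print(sorted(probe_ehlo(target)))
    else:
        print("stripped on the remote path:", sorted(diff_from_thread()))
```

Run against the thread's own transcripts the diff comes out as STARTTLS, ENHANCEDSTATUSCODES, DSN and also AUTH=, which the poster did not list; a whole group of keywords disappearing on one path, with the banner and the rest of the list intact, is what an EHLO-rewriting device in the path looks like. Before blaming the network, confirm on the server that nothing per-client is doing it: `postconf -n | grep -i ehlo_keyword` shows whether smtpd_discard_ehlo_keywords or smtpd_discard_ehlo_keyword_address_maps is set, and the smtp service line in master.cf should carry no `-o smtpd_tls_security_level=` override. From the remote host, `openssl s_client -starttls smtp -connect host:25` is the quickest end-to-end check: if the keyword is being stripped it reports that it did not find STARTTLS in the server response, and an opportunistic-TLS client (including another Postfix with smtp_tls_security_level = may) will silently fall back to plaintext in exactly the same way.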