Now we've created our self-signed certificate, we can go ahead and configure Postfix to use it.
As with the previous Postfix configuration we need to edit the main.cf file:
sudo nano /etc/postfix/main.cf
Halfway down the file you will see the section headed 'TLS parameters' with the following default entries:
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
It may be easier to simply delete the existing default entries as shown above.
We will be replacing them with the following entries:
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_authenticated_header = yes
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_use_tls = yes
smtpd_tls_cert_file = /etc/ssl/certs/mailcert.pem
smtpd_tls_key_file = $smtpd_tls_cert_file
Take a look at what we have done: all we are doing is enabling secure connections, defining which connections we will accept and, lastly, defining where the self-signed certificate is located.
If you purchased a certificate or created a self-signed one using a different technique, you may find you don't actually have a 'pem' file but instead have two files.
One will end with 'cert', the other will end with 'key'.
If that is the case you would change the final two lines shown above to something like this:
smtpd_tls_cert_file = /etc/ssl/cert/mailcert.cert
smtpd_tls_key_file = /etc/ssl/private/mailcert.key
Of course, you would replace the path and name of the two files with your own but all you need to do is define the locations of both files.
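With smtpd_tls_key_file = $smtpd_tls_cert_file, Postfix reads the private key from the same .pem file as the certificate, so that file's permissions matter. The following is an added example, not part of the original article: it reads the key path from a main.cf-style file, follows that reference, and checks that the key file grants no access to group or other. The function names and the temporary demo files are assumptions made for illustration; on a live server, postconf -h smtpd_tls_key_file reports the configured value.

```shell
#!/bin/sh
# Added example: check the key file that main.cf points Postfix at.

# Print parameter $2 from main.cf-style file $1; the last definition wins,
# as in Postfix. Assumption: the value is not continued over several lines.
postfix_param() {
    sed -n "s/^$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# Print the key file path, following the $smtpd_tls_cert_file reference used
# when certificate and key share one .pem file.
tls_key_path() {
    key=$(postfix_param "$1" smtpd_tls_key_file)
    case $key in
        '$smtpd_tls_cert_file'|'${smtpd_tls_cert_file}')
            key=$(postfix_param "$1" smtpd_tls_cert_file) ;;
    esac
    printf '%s\n' "$key"
}

# Succeed only if file $1 holds a private key and grants nothing to group/other.
key_file_is_private() {
    [ -f "$1" ] || { echo "missing: $1"; return 2; }
    grep -q 'PRIVATE KEY-----' "$1" || { echo "no private key in $1"; return 3; }
    perms=$(ls -ld "$1" | cut -c5-10)
    [ "$perms" = "------" ] || { echo "group/other access ($perms): $1"; return 1; }
}

# Constructed demo: throwaway main.cf and placeholder .pem in a temp directory.
demo_dir=$(mktemp -d)
printf '%s\n' '-----BEGIN PRIVATE KEY-----' '(constructed placeholder)' \
    > "$demo_dir/mailcert.pem"
cat > "$demo_dir/main.cf" <<EOF
smtpd_use_tls = yes
smtpd_tls_cert_file = $demo_dir/mailcert.pem
smtpd_tls_key_file = \$smtpd_tls_cert_file
EOF
chmod 644 "$demo_dir/mailcert.pem"
key_file_is_private "$(tls_key_path "$demo_dir/main.cf")" || echo "-> chmod 600 needed"
chmod 600 "$demo_dir/mailcert.pem"
key_file_is_private "$(tls_key_path "$demo_dir/main.cf")" && echo "-> ok"
rm -rf "$demo_dir"
```

To audit a real server, pass /etc/postfix/main.cf to tls_key_path and run the check as root so the key file can be read.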
Configuring Postfix to use our self-signed or purchased certificates allows us to have a secure connection when connecting to the mail server.
Now we can concentrate on installing Courier so we have POP and IMAP access to the mail server.
© 2011-2013 Rackspace US, Inc.
Except where otherwise noted, content on this site is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License

4 Comments
Multiple domains?
re: multiple domains
- Multiple instances of postfix, each configured for a different domain and certificate. You could use a proxy (nginx could work) to handle routing requests to the right instance based on the requested domain.
- A multi-domain certificate. This would only be practical if you have a pretty constant set of domains though, since it would be a pain to make a new certificate each time you want to add a new domain.
- A single domain used as the MX record for each domain. An MX record doesn't have to be in the same domain as the domain it's handling mail for, so "mail.example.com" could be the mail server of record for "domain.com", "otherdomain.com", etc. That way you only need to worry about a certificate for "mail.example.com" for the mail server.
That last option is the one most companies opt for. It's the easiest to maintain, and the MX record isn't visible enough that it will have much effect on anyone's branding.
re: re: multiple domains
re: Webmail