postfix---tls
hotchilli
9th March 2006, 18:31
Is there a howto for adding TLS to postfix?
hc:o
falko
9th March 2006, 20:20
Which distribution do you use?
hotchilli
10th March 2006, 12:46
Ubuntu Breezy Badger 5-10
falko
10th March 2006, 13:25
Have a look here: http://www.howtoforge.com/perfect_setup_ubuntu_5.10_p4
hotchilli
10th March 2006, 16:16
Many thanks for your post.
If I only need TLS and not SMTP-AUTH, would it be OK to just install postfix-tls?
Which other packages would I need, and from which line should I follow the howto, please?
hotchili:)
falko
10th March 2006, 16:27
I haven't tried without SMTP-AUTH yet. I think you should use SMTP-AUTH, or you will have an open relay for spammers...
hotchilli
10th March 2006, 17:41
Here is what my main.cf looks like now:
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/lib/postfix
inet_interfaces = all
mail_owner = postfix
mailbox_command = /usr/bin/procmail
mailq_path = /usr/bin/mailq
manpage_directory = /usr/man
mydestination = $myhostname, localhost.$mydomain, $mydomain
myhostname = xstation.abcd.net
mynetworks = 192.168.1.0/24, 127.0.0.0/8
mynetworks_style = host
myorigin = /etc/mailname
newaliases_path = /usr/bin/newaliases
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
unknown_local_recipient_reject_code = 550
What I want the TLS to look something like is this:
# TLS configuration
smtpd_use_tls = yes
smtp_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/postfix/tls/xstation_mail_req.pem
smtpd_tls_cert_file = /etc/postfix/tls/xstation_mail_cert.pem
smtpd_tls_CAfile = /etc/postfix/tls/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
falko
10th March 2006, 19:44
It's all described on the page I posted:
mkdir /etc/postfix/ssl
cd /etc/postfix/ssl/
openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024
chmod 600 smtpd.key
openssl req -new -key smtpd.key -out smtpd.csr
openssl x509 -req -days 3650 -in smtpd.csr -signkey smtpd.key -out smtpd.crt
openssl rsa -in smtpd.key -out smtpd.key.unencrypted
mv -f smtpd.key.unencrypted smtpd.key
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650
postconf -e 'smtpd_tls_auth_only = no'
postconf -e 'smtp_use_tls = yes'
postconf -e 'smtpd_use_tls = yes'
postconf -e 'smtp_tls_note_starttls_offer = yes'
postconf -e 'smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key'
postconf -e 'smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt'
postconf -e 'smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem'
postconf -e 'smtpd_tls_loglevel = 1'
postconf -e 'smtpd_tls_received_header = yes'
postconf -e 'smtpd_tls_session_cache_timeout = 3600s'
postconf -e 'tls_random_source = dev:/dev/urandom'
postconf -e 'myhostname = server1.example.com'
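Added example (not part of the thread or the linked howto): a shell check over a main.cf-style file for the smtpd TLS parameters discussed above, flagging the case where SASL is enabled but smtpd_tls_auth_only is not yes, so AUTH is also offered before STARTTLS. The function names and the sample file are constructed for illustration, and the sample assumes smtpd_sasl_auth_enable = yes.

```shell
# Added example: audit smtpd TLS parameters in a main.cf-style file.
# get_param FILE NAME: print the effective value. The last assignment wins,
# '#' comments are skipped, and whitespace-led continuation lines are joined.
get_param() {
    awk -v want="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        /^[ \t]/ {
            sub(/^[ \t]+/, "")
            if (cur != "") val[cur] = (val[cur] == "" ? "" : val[cur] " ") $0
            next
        }
        {
            eq = index($0, "=")
            if (eq == 0) { cur = ""; next }
            cur = substr($0, 1, eq - 1); gsub(/[ \t]/, "", cur)
            v = substr($0, eq + 1); gsub(/^[ \t]+|[ \t]+$/, "", v)
            val[cur] = v
        }
        END { if (want in val) print val[want] }
    ' "$1"
}

# audit_tls FILE: print one finding per line (no output means no findings).
audit_tls() {
    [ "$(get_param "$1" smtpd_use_tls)" = "yes" ] ||
        echo "NO_STARTTLS: smtpd_use_tls is not yes"
    for p in smtpd_tls_key_file smtpd_tls_cert_file; do
        [ -n "$(get_param "$1" "$p")" ] || echo "MISSING: $p is unset"
    done
    # With SASL on and auth_only off, AUTH is also offered before STARTTLS.
    if [ "$(get_param "$1" smtpd_sasl_auth_enable)" = "yes" ] &&
       [ "$(get_param "$1" smtpd_tls_auth_only)" != "yes" ]; then
        echo "CLEARTEXT_AUTH: smtpd_tls_auth_only is not yes while SASL is enabled"
    fi
}

# Constructed sample: the thread's howto values plus SASL enabled (assumption).
sample_howto() {
    cat <<'EOF'
# TLS configuration
smtpd_sasl_auth_enable = yes
smtpd_use_tls = yes
smtpd_tls_auth_only = no
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_tls_cert_file =
    /etc/postfix/ssl/smtpd.crt
EOF
}

tmp=$(mktemp); sample_howto > "$tmp"; audit_tls "$tmp"; rm -f "$tmp"
```

On a live system, point audit_tls at /etc/postfix/main.cf; it reads only that file and does not see compiled-in defaults.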
hotchilli
10th March 2006, 21:37
Thanks for your reply.
Now that I have installed postfix already and want to go ahead with
your howto, what should I do: uninstall postfix or just install the missing packages?
hc:)
hotchilli
10th March 2006, 21:47
If I want to specify the cipher DHE-RSA-AES256-SHA,
what would the command line look like?
Thanks
HC:)
falko
11th March 2006, 11:51
> Thanks for your reply.
> Now that I have installed postfix already and want to go ahead with
> your howto, what should I do: uninstall postfix or just install the missing packages?
> hc:)
Install the missing packages.
> If I want to specify the cipher DHE-RSA-AES256-SHA
What exactly do you want to do?
hotchilli
11th March 2006, 12:35
Thanks for your reply.
Something like this; see the foot of the page for ciphers:
http://www.noreply.org/tls/cert-mail2.frell.eu.org.txt
falko
11th March 2006, 15:01
The creation of the TLS certificates is described in the tutorial I posted.
hotchilli
11th March 2006, 21:05
OK, I am set to start; just a few things to clear up first.
a: In post 11 of this thread you said to install the missing packages.
This has been done, but when installing postfix-tls the printout
was---Note, selecting postfix instead of postfix-tls
postfix is already the newest version.------
b: In post 8 of this thread you showed a printout --code ---etc. Is this where in the howto I should begin, bearing in mind I have postfix already configured--see post
7 of this thread?
hc:) :) :)
c:
falko
11th March 2006, 22:01
> a: In post 11 of this thread you said to install the missing packages.
> This has been done, but when installing postfix-tls the printout
> was---Note, selecting postfix instead of postfix-tls
> postfix is already the newest version.------
Because you already installed it when you did the Postfix configuration.
> b: In post 8 of this thread you showed a printout --code ---etc. Is this where in the howto I should begin, bearing in mind I have postfix already configured--see post
> 7 of this thread?
Begin here: http://www.howtoforge.com/perfect_setup_ubuntu_5.10_p3 and leave out the Postfix configuration.
hotchilli
12th March 2006, 11:09
Thanks for your post.
Please can you highlight the part of the howto which should not be used.
hc:)
falko
12th March 2006, 15:38
Do not use the part you already did (the Postfix configuration). However, it doesn't cause problems if you do it again, so if you're in doubt, do the whole setup...
hotchilli
13th March 2006, 12:16
Thanks for your post Falko
Since postfix is configured I will start here :
http://www.howtoforge.com/perfect_setup_ubuntu_5.10_p4 as suggested
in post 4 of this thread
with the line: postconf -e 'smtpd_sasl_local_domain ='
-----------------------------------------------------------
In the line postconf -e 'smtpd_tls_auth_only = no'
I will answer yes to this as this is a personal preference
Hc:) :)
falko
13th March 2006, 13:13
You should read my posts more carefully: ;)
Begin here: http://www.howtoforge.com/perfect_setup_ubuntu_5.10_p3 and leave out the Postfix configuration.