Postfix SSL/TLS Configuration Guide: RPM and Debian Systems
This guide covers configuring SSL/TLS encryption for existing Postfix installations on both RPM-based and Debian-based systems using paid SSL certificates.
Prerequisites
Before configuring SSL/TLS, ensure you have:
- Postfix already installed and running
- Your SSL certificate files (certificate, private key, CA bundle)
- Root or sudo access to the server
- Valid domain name configured for mail server
Install Paid SSL Certificate
Copy Certificate Files
For both RPM and Debian systems:
# Create SSL directory for Postfix (if not exists)
sudo mkdir -p /etc/postfix/ssl
# Install the certificate files. Put the server certificate first and the
# intermediate certificates after it in server.crt, so Postfix sends the
# complete chain to clients; keep the bare CA bundle as well, it is what
# smtpd_tls_CAfile uses to verify client certificates.
cat your-cert.crt your-ca-bundle.crt | sudo tee /etc/postfix/ssl/server.crt > /dev/null
sudo cp your-private.key /etc/postfix/ssl/server.key
sudo cp your-ca-bundle.crt /etc/postfix/ssl/ca-bundle.crt
# Set proper permissions: the private key is readable by root only
sudo chmod 644 /etc/postfix/ssl/server.crt
sudo chmod 600 /etc/postfix/ssl/server.key
sudo chmod 644 /etc/postfix/ssl/ca-bundle.crt
# Keep the files owned by root. Postfix reads the key and certificate while
# still running as root, before it drops privileges, so the postfix user
# neither needs nor should have access to the private key.
sudo chown root:root /etc/postfix/ssl/*
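Before copying anything it is worth proving that the key, the certificate and the bundle actually belong together; a mismatched key or a missing intermediate only shows up later as a failed handshake. The following script is an added example and not part of this guide: it checks that the private key matches the certificate's public key, that the certificate chains to a root through the bundle, and only then installs the files with the layout and permissions described above. It needs only openssl(1) and POSIX tools; the destination directory defaults to /etc/postfix/ssl, which is an assumption taken from the guide.

```sh
#!/bin/sh
# Added example, not from this guide: verify that a CA-issued certificate,
# its private key and the CA bundle agree, then install them for Postfix.
# Requires only openssl(1) and POSIX tools. The destination directory
# defaults to /etc/postfix/ssl (an assumption matching the guide).

# 0 when the private key's public half equals the certificate's public key.
cert_matches_key() {
    cert=$1; key=$2
    # Parse both first, so two unreadable files cannot hash to the same "empty" value.
    openssl x509 -in "$cert" -noout >/dev/null 2>&1 || return 1
    openssl pkey -in "$key" -noout >/dev/null 2>&1 || return 1
    c=$(openssl x509 -in "$cert" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    k=$(openssl pkey -in "$key" -pubout -outform DER | openssl dgst -sha256)
    [ "$c" = "$k" ]
}

# 0 when the certificate chains to a root, using the bundle as intermediates
# and, if the bundle does not carry the root itself, the system trust store.
cert_chains_to_bundle() {
    cert=$1; bundle=$2
    openssl verify -CAfile "$bundle" -untrusted "$bundle" "$cert" >/dev/null 2>&1 ||
        openssl verify -untrusted "$bundle" "$cert" >/dev/null 2>&1
}

# Install: server.crt = leaf followed by the bundle (Postfix then sends the
# whole chain), server.key root-only. Postfix loads the key as root before it
# drops privileges, so the postfix user needs no access to it.
install_postfix_tls_files() {
    cert=$1; key=$2; bundle=$3; dest=${4:-/etc/postfix/ssl}
    cert_matches_key "$cert" "$key" || { echo "private key does not match certificate" >&2; return 1; }
    cert_chains_to_bundle "$cert" "$bundle" || { echo "certificate does not chain to CA bundle" >&2; return 1; }
    mkdir -p "$dest" || return 1
    # A blank line between PEM blocks is harmless and guards against a
    # missing trailing newline in the leaf certificate file.
    { cat "$cert"; echo; cat "$bundle"; } > "$dest/server.crt" || return 1
    chmod 644 "$dest/server.crt"
    # umask 077 in a subshell: the key is never world-readable, even briefly.
    ( umask 077 && cp "$key" "$dest/server.key" ) || return 1
    chmod 600 "$dest/server.key"
    cp "$bundle" "$dest/ca-bundle.crt" && chmod 644 "$dest/ca-bundle.crt" || return 1
    if [ "$(id -u)" -eq 0 ]; then
        chown root:root "$dest/server.crt" "$dest/server.key" "$dest/ca-bundle.crt" || return 1
    fi
    return 0
}

# Usage (as root): install_postfix_tls_files your-cert.crt your-private.key your-ca-bundle.crt
```

The two checks are deliberately separate: a key mismatch is an error in what you were handed, while a chain failure usually means the vendor bundle lacks the root and the system store does not trust it either, which is exactly the case that later produces "unable to verify the first certificate" in client tests.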
Configure Postfix SSL/TLS
Edit Main Configuration File
Edit /etc/postfix/main.cf and add/modify the following SSL/TLS settings:
sudo nano /etc/postfix/main.cf
Add these SSL/TLS configurations:
# TLS Parameters (server.crt holds the server certificate followed by the
# intermediates; ca-bundle.crt is only consulted to verify client certificates)
smtpd_tls_cert_file = /etc/postfix/ssl/server.crt
smtpd_tls_key_file = /etc/postfix/ssl/server.key
smtpd_tls_CAfile = /etc/postfix/ssl/ca-bundle.crt
# Enable TLS. smtpd_use_tls and smtp_use_tls are obsolete since Postfix 2.3;
# the *_tls_security_level parameters replace them.
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
# Protocol lists: *_tls_protocols applies at level "may"; the *_mandatory_*
# variants apply at "encrypt" and above, i.e. on the submission and smtps
# services, so both must be set to get rid of TLS 1.0/1.1 everywhere.
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
# Leave smtpd_tls_ciphers and smtp_tls_ciphers at their default (medium): on an
# opportunistic connection a cipher grade the peer cannot meet results in
# plaintext, not in a refused connection. Raise the grade only where TLS is
# mandatory.
smtpd_tls_mandatory_ciphers = high
# Client TLS (for outgoing mail)
smtp_tls_security_level = may
smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_mandatory_ciphers = high
# TLS Session Cache (data_directory is /var/lib/postfix on both families)
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
# TLS Logging (1 logs a one-line summary per connection; 2 and above are for debugging)
smtpd_tls_loglevel = 1
smtp_tls_loglevel = 1
# Additional Security
smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, SRP, DSS, AECDH, ADH
# The parameter name is historical; the file may hold 2048-bit parameters
smtpd_tls_dh1024_param_file = /etc/postfix/ssl/dh2048.pem
Generate Diffie-Hellman Parameters
Create 2048-bit DH parameters for the finite-field DHE cipher suites (generation takes a while; ECDHE suites and TLS 1.3 do not use this file, but clients limited to DHE still benefit). The file contains no secret, so it can be world-readable but should stay owned by root like the other files:
sudo openssl dhparam -out /etc/postfix/ssl/dh2048.pem 2048
sudo chmod 644 /etc/postfix/ssl/dh2048.pem
sudo chown root:root /etc/postfix/ssl/dh2048.pem
Configure Master.cf for SMTPS and Submission
Edit /etc/postfix/master.cf to enable secure ports:
sudo nano /etc/postfix/master.cf
Uncomment and configure these lines. The "-o" continuation lines must be indented, otherwise master.cf does not parse. Keep the chroot column (fifth field) the same as your existing smtp line: Debian packages run smtpd chrooted (y), RPM packages do not (n). The AUTH options only take effect once SASL itself (smtpd_sasl_type, smtpd_sasl_path and a Dovecot or Cyrus backend) is configured.
# SMTPS (port 465, implicit TLS; wrapper mode makes TLS mandatory)
smtps inet n - y - - smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
# Submission (port 587, STARTTLS required; AUTH is offered only inside TLS)
submission inet n - y - - smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_auth_only=yes
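The main.cf and master.cf changes above can be applied without an editor, which makes them repeatable and easy to diff. The script below is an added example and not part of this guide: it carries the recommended main.cf settings as data, lints an existing main.cf for the obsolete and half-applied settings discussed above (smtpd_use_tls, a missing security level, a missing mandatory protocol list, SSLv3 or TLS 1.0 left enabled), and defines the two services with postconf -M/-P, copying the chroot column from the existing smtp service. It assumes Postfix 2.11 or later for postconf -M and -P; the /etc/postfix/ssl paths are the guide's.

```sh
#!/bin/sh
# Added example, not from this guide: the TLS settings as data, a lint for
# an existing main.cf, and helpers that apply the settings with postconf(1)
# (Postfix >= 2.11 for -M/-P) instead of editing files by hand.
# The /etc/postfix/ssl paths are the guide's assumptions.

# The recommended main.cf settings as "name = value" lines.
postfix_tls_settings() {
    cat <<'EOF'
smtpd_tls_cert_file = /etc/postfix/ssl/server.crt
smtpd_tls_key_file = /etc/postfix/ssl/server.key
smtpd_tls_CAfile = /etc/postfix/ssl/ca-bundle.crt
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_mandatory_ciphers = high
smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, SRP, DSS, AECDH, ADH
smtpd_tls_dh1024_param_file = /etc/postfix/ssl/dh2048.pem
smtp_tls_security_level = may
smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_mandatory_ciphers = high
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_tls_loglevel = 1
smtp_tls_loglevel = 1
EOF
}

# Lint a main.cf for obsolete or weak TLS settings; prints one finding per
# line and returns 1 when there is any.
lint_main_cf() {
    f=$1; rc=0
    # Obsolete since Postfix 2.3; *_tls_security_level replaces them.
    for p in smtpd_use_tls smtp_use_tls smtpd_enforce_tls smtp_enforce_tls; do
        grep -Eq "^[[:space:]]*$p[[:space:]]*=" "$f" && { echo "obsolete: $p"; rc=1; }
    done
    # Without a security level smtpd never offers STARTTLS.
    grep -Eq '^[[:space:]]*smtpd_tls_security_level[[:space:]]*=[[:space:]]*(may|encrypt)' "$f" ||
        { echo "missing: smtpd_tls_security_level"; rc=1; }
    # Mandatory TLS (submission, smtps) uses the *_mandatory_protocols list,
    # so restricting only smtpd_tls_protocols leaves those ports at the default.
    grep -Eq '^[[:space:]]*smtpd_tls_mandatory_protocols[[:space:]]*=' "$f" ||
        { echo "missing: smtpd_tls_mandatory_protocols"; rc=1; }
    # SSLv3 or TLSv1 listed without a leading "!" means it is enabled.
    grep -E '^[[:space:]]*smtpd?_tls(_mandatory)?_protocols[[:space:]]*=' "$f" |
        grep -Eq '(^|[,=[:space:]])(SSLv3|TLSv1)([,[:space:]]|$)' &&
        { echo "weak: SSLv3 or TLSv1 enabled in a protocol list"; rc=1; }
    return $rc
}

# Apply the settings (idempotent: postconf -e rewrites existing entries),
# then validate and reload.
apply_postfix_tls_settings() {
    postfix_tls_settings | while IFS= read -r line; do
        postconf -e "$line" || exit 1
    done || return 1
    postfix check && postfix reload
}

# Define the smtps and submission services. The chroot column is copied from
# the existing smtp service so the entries match the distribution's packaging
# (Debian runs smtpd chrooted, RPM packages do not).
apply_submission_services() {
    chroot=$(postconf -M smtp/inet | awk '{ print $5 }')
    postconf -Me "smtps/inet=smtps inet n - ${chroot:-n} - - smtpd" &&
    postconf -Pe "smtps/inet/syslog_name=postfix/smtps" \
                 "smtps/inet/smtpd_tls_wrappermode=yes" \
                 "smtps/inet/smtpd_sasl_auth_enable=yes" &&
    postconf -Me "submission/inet=submission inet n - ${chroot:-n} - - smtpd" &&
    postconf -Pe "submission/inet/syslog_name=postfix/submission" \
                 "submission/inet/smtpd_tls_security_level=encrypt" \
                 "submission/inet/smtpd_sasl_auth_enable=yes" \
                 "submission/inet/smtpd_tls_auth_only=yes"
}

# Usage (as root): lint_main_cf /etc/postfix/main.cf; apply_postfix_tls_settings; apply_submission_services
```

Run lint_main_cf on the current main.cf before applying anything; it is the quickest way to spot a server that still carries smtpd_use_tls from an older guide, or one where port 587 quietly negotiates TLS 1.0 because only smtpd_tls_protocols was tightened.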
Firewall Configuration
RPM-based Systems (CentOS/RHEL/Rocky Linux)
# Allow SMTP ports
sudo firewall-cmd --permanent --add-service=smtp
sudo firewall-cmd --permanent --add-service=smtps
sudo firewall-cmd --permanent --add-port=587/tcp
sudo firewall-cmd --reload
Debian-based Systems (Ubuntu/Debian)
# Allow SMTP ports (given by number; ufw service names depend on /etc/services aliases)
sudo ufw allow 25/tcp
sudo ufw allow 465/tcp
sudo ufw allow 587/tcp
sudo ufw reload
Restart and Test Postfix
Restart Postfix Service
# Test configuration syntax
sudo postfix check
# Restart Postfix
sudo systemctl restart postfix
sudo systemctl status postfix
Verify SSL/TLS Configuration
Test STARTTLS on port 25. In each of the following, check the output for a Protocol line of TLSv1.2 or TLSv1.3 and for "Verify return code: 0 (ok)"; any other return code means the client could not build a chain from the certificate the server sent, usually a missing intermediate in server.crt:
openssl s_client -connect your-domain.com:25 -starttls smtp -servername your-domain.com
Test SMTPS on port 465 (implicit TLS, so no -starttls):
openssl s_client -connect your-domain.com:465 -servername your-domain.com
Test Submission on port 587:
openssl s_client -connect your-domain.com:587 -starttls smtp -servername your-domain.com
Check Postfix Logs
Monitor logs for SSL/TLS activity:
# RPM-based systems
sudo tail -f /var/log/maillog
# Debian-based systems
sudo tail -f /var/log/mail.log
Advanced SSL/TLS Settings
Enhanced Security Configuration
Add to /etc/postfix/main.cf for stricter security:
# Per-destination TLS policy for outgoing mail (see the policy map below)
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
# Digest used for "fingerprint" entries in the policy map
smtp_tls_fingerprint_digest = sha256
# Reuse TLS connections across deliveries to the same destination
# (Postfix 3.4 and later, handled by tlsproxy)
smtp_tls_connection_reuse = yes
# Client certificate verification: ask clients for a certificate but do not
# require one. Certificates that are presented are checked against
# smtpd_tls_CAfile. Asking also sends the CA names from that file in the
# handshake, and some clients react by prompting or failing, so leave this
# at the default (no) unless you actually verify partner client certificates.
smtpd_tls_ask_ccert = yes
smtpd_tls_req_ccert = no
Create TLS Policy Map (Optional)
Create /etc/postfix/tls_policy for domain-specific TLS requirements:
sudo nano /etc/postfix/tls_policy
Add entries like the following. The lookup key is the next-hop destination, normally the recipient domain. "encrypt" requires TLS but does not check the certificate; "verify" also checks the chain and matches the certificate against the MX hostname, which comes from (possibly unsigned) DNS; "secure" matches against the destination domain itself and is the level to prefer for partners whose certificates you want to pin to a name. Mandatory levels use the smtp_tls_mandatory_* protocol and cipher settings:
gmail.com encrypt
outlook.com encrypt
your-partner.com verify
Generate the hash database (repeat after every edit, then run "sudo postfix reload"):
sudo postmap /etc/postfix/tls_policy
Troubleshooting
Common Issues
Certificate chain problems:
- Ensure server.crt contains the server certificate first, followed by every intermediate certificate from the CA bundle, so Postfix sends a complete chain
- Verify the order: a cert placed before its issuer is fine, an intermediate placed before the server certificate is not, and a chain missing an intermediate shows up in client tests as a non-zero "Verify return code"
Permission errors:
- Check file ownership and permissions: the private key should be mode 0600 and owned by root, the certificate and bundle mode 0644
- Postfix reads the key and certificates as root before it drops privileges and chroots, so the postfix user needs no access to them; a key the server cannot load is reported in the mail log at startup and TLS is then not offered
Connection issues:
- Verify firewall rules allow SMTP ports
- Check DNS MX records point to correct server
Testing Commands
# Check certificate validity (subject, issuer, validity dates)
openssl x509 -in /etc/postfix/ssl/server.crt -text -noout
# Test SMTP authentication. With smtpd_tls_auth_only = yes the AUTH capability is
# only advertised inside TLS, so plain telnet to port 587 will never show it;
# open a TLS session instead, send a second EHLO and look for a "250-AUTH ..." line
openssl s_client -connect your-domain.com:587 -starttls smtp -quiet
EHLO test.example.com
# Check TLS protocols and ciphers (ports 25 and 587 are probed through STARTTLS)
nmap --script ssl-enum-ciphers -p 25,465,587 your-domain.com
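The manual openssl s_client checks in the verification section and the testing commands above answer the same three questions for each port: did the handshake land on TLS 1.2 or 1.3, does the chain verify, and is AUTH offered only inside TLS. The script below is an added example and not part of this guide: it runs the probe, sends a second EHLO inside the TLS session, reduces the s_client output to one line and judges that line against the policy this guide configures. The host name is a placeholder; the summarizer works on any captured s_client output, which is how it can be checked offline.

```sh
#!/bin/sh
# Added example, not from this guide: probe a Postfix listener with
# openssl s_client, reduce the output to one line, and judge it against the
# policy this guide configures. Host names are placeholders (assumptions).

# Reduce s_client output to "protocol cipher verify_code auth_offered".
# The 250 lines come from a second EHLO sent inside the TLS session.
summarize_tls_probe() {
    awk '
        /^[[:space:]]*Protocol[[:space:]]*:/   { proto = $NF }
        /^[[:space:]]*Cipher[[:space:]]*:/     { cipher = $NF }
        /^[[:space:]]*Verify return code:/     { vcode = $4 }
        /^250[ -]AUTH /                        { auth = "yes" }
        END { printf "%s %s %s %s\n", proto, cipher, vcode, (auth == "" ? "no" : auth) }
    '
}

# Run the probe. Port 465 is implicit TLS (wrapper mode); anything else
# negotiates STARTTLS. The sleep keeps the session open long enough for the
# EHLO reply to arrive before s_client sees end of input and shuts down.
# $mode is intentionally unquoted so "-starttls smtp" splits into two words.
probe_smtp_tls() {
    host=$1; port=$2
    if [ "$port" = 465 ]; then mode=""; else mode="-starttls smtp"; fi
    { printf 'EHLO probe.example.test\r\n'; sleep 2; printf 'QUIT\r\n'; } |
        openssl s_client -connect "$host:$port" -servername "$host" $mode 2>/dev/null |
        summarize_tls_probe
}

# Judge one summary line: chain verified, TLS 1.2 or 1.3, and on the
# client-facing ports AUTH offered (only inside TLS, given smtpd_tls_auth_only).
check_probe() {
    summary=$1; port=$2
    set -- $summary
    proto=$1; cipher=$2; vcode=$3; auth=$4
    case "$proto" in
        TLSv1.2|TLSv1.3) ;;
        *) echo "port $port: weak or no TLS protocol ($proto)"; return 1 ;;
    esac
    [ "$vcode" = 0 ] || { echo "port $port: certificate chain not verified (return code $vcode)"; return 1; }
    if [ "$port" = 465 ] || [ "$port" = 587 ]; then
        [ "$auth" = yes ] || { echo "port $port: AUTH not offered after TLS"; return 1; }
    fi
    echo "port $port: ok ($proto, $cipher)"
}

# Usage: for p in 25 465 587; do check_probe "$(probe_smtp_tls mail.example.test $p)" $p; done
```

Port 25 is judged on protocol and chain only: with SASL left disabled on the smtp service and smtpd_tls_auth_only set, it should not advertise AUTH at all, and a "yes" there is worth a look at master.cf.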
Your Postfix mail server now supports secure SSL/TLS encrypted connections for both incoming and outgoing email.