Prerequisites

Before you begin, ensure you have:

  • Root access to the mail server
  • Postfix installed and functioning
  • Your SSL certificate files (CRT and Key)

Step 1 — Configure Postfix (main.cf)

Edit the main Postfix configuration file, typically found at /etc/postfix/main.cf.

# TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/mail.yourdomain.com.crt
smtpd_tls_key_file=/etc/ssl/private/mail.yourdomain.com.key
# Opportunistic TLS for incoming SMTP (replaces the deprecated smtpd_use_tls=yes)
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# Recommended: Disable outdated protocols
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
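
Added example (not part of the original page): a POSIX shell check that reads the two protocol settings above and reports any of the four outdated protocols that are still allowed. The function name and sample inputs are constructed for illustration. It goes slightly beyond the page by also accepting the >=TLSv1.2 floor syntax of Postfix 3.6 and later.

```shell
#!/bin/sh
# Added example, not from the original page. Reads "name = value" lines on stdin
# (main.cf lines or postconf output) and lists outdated protocols still allowed.
# Limitation: explicit inclusion lists such as "TLSv1.2 TLSv1.3" are not handled.
# On the server: postconf smtpd_tls_protocols smtpd_tls_mandatory_protocols | outdated_enabled
outdated_enabled() {
  awk '
    BEGIN {
      split("SSLv2 SSLv3 TLSv1 TLSv1.1", old, " ")
      split("smtpd_tls_protocols smtpd_tls_mandatory_protocols", want, " ")
    }
    {
      eq = index($0, "=")                        # first "=" is the assignment
      if (!eq) next
      name = substr($0, 1, eq - 1); gsub(/[ \t]/, "", name)
      if (name != want[1] && name != want[2]) next
      seen[name] = 1
      n = split(substr($0, eq + 1), tok, /[ \t,:]+/)  # space, comma or colon separated
      split("", off); minok = 0                  # reset state for this parameter
      for (i = 1; i <= n; i++) {
        if (tok[i] == ">=TLSv1.2" || tok[i] == ">=TLSv1.3") minok = 1
        else if (substr(tok[i], 1, 1) == "!") off[substr(tok[i], 2)] = 1
      }
      # Exact token match: "!TLSv1.1" must not count as excluding "TLSv1".
      for (j = 1; j <= 4; j++)
        if (!minok && !(old[j] in off)) { print name ": " old[j] " still enabled"; bad = 1 }
    }
    END {
      for (k = 1; k <= 2; k++)
        if (!(want[k] in seen)) { print want[k] ": not set in input"; bad = 1 }
      exit bad + 0
    }'
}

# Constructed inputs: the Step 1 lines, and a variant that forgets "!TLSv1".
sample_page() {
  printf '%s\n' 'smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1' \
                'smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1'
}
sample_weak() {
  printf '%s\n' 'smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1.1' \
                'smtpd_tls_mandatory_protocols = >=TLSv1.2'
}

sample_page | outdated_enabled && echo "page config: ok"
sample_weak | outdated_enabled || echo "weak config: needs fixing"
```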

Step 2 — Enable Secure Ports (master.cf)

To allow users to connect via secure ports (465 and 587), edit /etc/postfix/master.cf. Ensure the following lines are uncommented:

submission inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes

smtps     inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes

Step 3 — Restart Postfix

After making changes, restart the Postfix service:

sudo systemctl restart postfix

Step 4 — Verify Installation

You can test the connection using openssl from the command line:

openssl s_client -starttls smtp -connect mail.yourdomain.com:587

If successful, you should see your certificate details in the output.

⚠️ Dovecot Integration: If you use Dovecot for IMAP/POP3, you should also install the SSL certificate there so your users can download their mail securely.