Using Let's Encrypt With Postfix

How to configure Postfix to use Let's Encrypt certificates.


By Jacob

Edited: 2020-07-05 10:26

It is possible to use a Let's Encrypt certificate with the Postfix SMTP server. All you have to do is include the paths to the certificate and key in the Postfix configuration file and adjust a few options.

If this is your first time trying to set up an SMTP server, let us first go over some basics.

We do not have to host our SMTP server at a subdomain, but it can be a good idea anyway to avoid confusion. E-mail servers typically listen on different ports than our web server, so nothing prevents us from running both our e-mail servers and our HTTP server from the bare domain (example.com).

Postfix is an SMTP server used to send and receive e-mail. We will still need to install a POP or IMAP server in order to download e-mail to our e-mail clients; Dovecot is one of the most popular choices. Another option is to read e-mail from a terminal after logging in via SSH.

Each user on the system can get their own e-mail address. Postfix will attempt to deliver e-mail to local users. Typically received mail will be stored in clear text at places like /var/mail/$user and /home/$user/mail.

Using Let's Encrypt rather than a self-signed certificate allows users to connect to our SMTP server using the SSL/TLS and STARTTLS encryption options in their e-mail clients. Once this is working, it is recommended to configure Postfix to reject unencrypted connection attempts.

Obtaining a Let's Encrypt certificate

Depending on your configuration, you might not need to obtain a separate certificate for the subdomain where your e-mail server is running. When you type letsencrypt in the terminal, you will be given the option of picking the virtual hosts (VHOST) that your certificate should cover. I suggest you include all your subdomains.

If your SMTP server is hosted at a subdomain, such as smtp.example.com or send.example.com, you might need to obtain a certificate for the subdomain. This is however only necessary if you did not include the subdomain when obtaining the certificate for your website.

It can be a good idea to include all your subdomains in the same certificate, as it makes it easier to maintain many subdomains.

Let's Encrypt with Postfix for sending e-mail

If you now have your certificate ready, it should be located in the /etc/letsencrypt/live/example.com/ directory. You can navigate to the parent directory to get an overview of all your certificates:

cd /etc/letsencrypt/live/
ls

To use this certificate with Postfix, you simply need to reference it from Postfix's configuration. The main configuration file of Postfix is usually located at /etc/postfix/main.cf.

The following options should enable Postfix to connect to other e-mail servers via SSL:

smtp_use_tls=yes
smtp_tls_loglevel=1
smtp_tls_security_level=may
smtp_tls_cert_file=/etc/letsencrypt/live/example.com/fullchain.pem
smtp_tls_key_file=/etc/letsencrypt/live/example.com/privkey.pem

smtp_use_tls = yes will attempt to use a TLS connection if the receiving e-mail server supports it. If not, the e-mail message should return to the queue and not be sent (the delivery attempt is deferred).

smtp_tls_loglevel = 1 will only log a summary of the TLS handshake. Setting this to "0" turns off logging of TLS activity.

smtp_tls_security_level = may: the "may" value indicates that TLS should be used if STARTTLS is supported by the receiving server. If it is not supported, messages are sent in the clear.

Allowing users to connect via TLS

There are two option prefixes dealing with encryption. One is for delivering e-mail to the outside world (smtp), while the other (smtpd) applies when users send e-mail through your server from e-mail clients such as Thunderbird and Outlook.

To allow users to connect to your SMTP server using SSL/TLS or STARTTLS, you simply reference the certificates for smtpd as well. There might be a "snakeoil" certificate referenced in your configuration; replace it with the one you got from Let's Encrypt.

smtpd_tls_cert_file=/etc/letsencrypt/live/example.com/fullchain.pem
smtpd_tls_key_file=/etc/letsencrypt/live/example.com/privkey.pem
smtpd_tls_auth_only=yes
smtpd_tls_loglevel=1
smtpd_tls_received_header=yes

The snakeoil certificate is not secure and should be replaced with a properly signed certificate, such as the ones we can get from Let's Encrypt.

smtpd_tls_received_header = yes requests that Postfix produce Received: message headers with information about the protocol and cipher used, as well as the SMTP client CommonName and the certificate issuer CommonName.

smtpd_tls_auth_only = yes requires TLS encryption before a client may authenticate with a username and password.
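As an added example (not from the original article), the following Python script parses a main.cf the way Postfix reads it (later assignments win, indented lines continue the previous value) and reports the weak or missing settings covered in both the smtp and smtpd sections above. The sample main.cf contents are constructed; the function names are my own.

```python
"""Audit a Postfix main.cf for the TLS settings discussed in this article."""
import re

# Constructed sample resembling a distro default before the edits above
# (not a real server's file).
SAMPLE_MAIN_CF = """\
myhostname = mail.example.com
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtp_tls_security_level = may
"""


def parse_main_cf(text):
    """Return {parameter: value}. As in Postfix, a logical line starts with
    non-whitespace text and a line starting with whitespace continues it;
    a later assignment of the same parameter overrides an earlier one."""
    params, last = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and last is not None:
            params[last] += " " + raw.strip()
            continue
        m = re.match(r"^([A-Za-z0-9_]+)\s*=\s*(.*)$", raw)
        if m:
            last = m.group(1)
            params[last] = m.group(2).strip()
    return params


def audit_tls(params):
    """Return a list of findings for the settings the article changes."""
    findings = []
    for key in ("smtpd_tls_cert_file", "smtpd_tls_key_file"):
        val = params.get(key, "")
        if not val:
            findings.append(f"{key} is not set; clients cannot use STARTTLS")
        elif "snakeoil" in val:
            findings.append(f"{key} still points at the snakeoil certificate: {val}")
    # Default for smtpd_tls_auth_only is "no": passwords may cross in the clear.
    if params.get("smtpd_tls_auth_only", "no").lower() != "yes":
        findings.append("smtpd_tls_auth_only is not 'yes'; SASL logins are allowed without TLS")
    # Outbound TLS is opportunistic only if either setting enables it.
    if params.get("smtp_tls_security_level", "none") in ("", "none") \
            and params.get("smtp_use_tls", "no").lower() != "yes":
        findings.append("outbound TLS is disabled; set smtp_tls_security_level=may")
    return findings


if __name__ == "__main__":
    for finding in audit_tls(parse_main_cf(SAMPLE_MAIN_CF)):
        print("FINDING:", finding)
```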
