Postfix Encryption

Postfix handles encryption separately for sending mail (the smtp client, configured with smtp_* parameters) and receiving mail (the smtpd server, configured with smtpd_* parameters).


Receiving Encrypted Mail

The basic configuration for inbound mail is:

smtpd_tls_security_level = may
smtpd_tls_chain_files = /etc/letsencrypt/live/mail.example.com/mail.example.com.pem
smtpd_tls_wrappermode = yes

A permissive level like may is usually right for inbound mail because some sending servers are simple and do not offer encryption at all; requiring TLS would turn their mail away.

Certificate Directives

The certificate file referenced by the smtpd_tls_chain_files directive is actually the concatenation of the private key and the certificate chain, in that order.

cd /etc/letsencrypt/live/mail.example.com/ && cat privkey.pem fullchain.pem > mail.example.com.pem

The smtpd_tls_chain_files option can be set to a comma- or space-delimited list of certificate files, usually referring to different algorithms.

smtpd_tls_chain_files = /etc/postfix/rsakey.pem, /etc/postfix/rsacerts.pem, /etc/postfix/ecdsakey.pem, /etc/postfix/ecdsacerts.pem

Although deprecated and discouraged, these older options also exist for a single RSA key and certificate pair.

smtpd_tls_key_file = /etc/letsencrypt/live/mail.example.com/privkey.pem
smtpd_tls_cert_file = /etc/letsencrypt/live/mail.example.com/fullchain.pem

Each algorithm has its own separately named options, and a race condition is possible if the files are replaced between Postfix reading the key and reading the certificate, leaving it with a mismatched pair.
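The concatenation step above, plus the layout check a practitioner would want before pointing smtpd_tls_chain_files at the result, as an added example that is not part of the original wiki page. It assumes the Let's Encrypt directory layout shown on the page and is written to be run as a certificate-renewal hook followed by postfix reload; the placeholder PEM blocks it creates are constructed stand-ins, not real key material.

```sh
#!/bin/sh
# Added example, not part of the wiki page: assemble the combined file that
# smtpd_tls_chain_files expects (private key first, then the certificate
# chain) and check its layout before handing it to Postfix. Paths are
# illustrative; LIVE_DIR assumes the Let's Encrypt layout used on the page.
set -eu

# Concatenate the key and chain into OUT. The subshell keeps the restrictive
# umask local; the result holds the private key and must not be world-readable.
build_chain_file() {
    key="$1"; chain="$2"; out="$3"
    ( umask 077; cat "$key" "$chain" > "$out" )
    chmod 0600 "$out"
}

# Return 0 when FILE has exactly one PRIVATE KEY block and the first
# CERTIFICATE block appears after it, which is the order Postfix requires
# for each key/chain pair listed in smtpd_tls_chain_files.
chain_file_order_ok() {
    file="$1"
    keys=$(grep -c 'BEGIN .*PRIVATE KEY' "$file" || true)
    [ "$keys" -eq 1 ] || return 1
    grep -q 'BEGIN CERTIFICATE' "$file" || return 1
    key_line=$(grep -n 'BEGIN .*PRIVATE KEY' "$file" | head -n 1 | cut -d: -f1)
    cert_line=$(grep -n 'BEGIN CERTIFICATE' "$file" | head -n 1 | cut -d: -f1)
    [ "$key_line" -lt "$cert_line" ]
}

# Demonstration on constructed placeholder PEM files (no real key material),
# standing in for privkey.pem and fullchain.pem under LIVE_DIR.
demo() {
    LIVE_DIR=$(mktemp -d)
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'PLACEHOLDER' \
        '-----END PRIVATE KEY-----' > "$LIVE_DIR/privkey.pem"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER' '-----END CERTIFICATE-----' \
        '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER' '-----END CERTIFICATE-----' \
        > "$LIVE_DIR/fullchain.pem"
    build_chain_file "$LIVE_DIR/privkey.pem" "$LIVE_DIR/fullchain.pem" \
        "$LIVE_DIR/mail.example.com.pem"
    if chain_file_order_ok "$LIVE_DIR/mail.example.com.pem"; then
        echo "chain file layout ok; run 'postfix reload' to pick it up"
    else
        echo "chain file layout wrong: key must precede certificates" >&2
    fi
    rm -rf "$LIVE_DIR"
}

demo
```

Because the key and chain land in one file written under a restrictive umask, Postfix reads a single consistent pair, which also sidesteps the key/certificate race described above.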


Sending Encrypted Mail

The basic configuration for outgoing mail is:

smtp_tls_security_level = encrypt
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

A strict level like encrypt is appropriate for outbound mail because nearly any mail server should accept the STARTTLS command.



Postfix/Encryption (last edited 2023-06-29 19:50:01 by DominicRicottone)