Distroname and release: Debian Squeeze

Postfix with TLS


Enabling TLS for postfix will encrypt the e-mail between the client and the TLS endpoint, which in this case will be the postfix server.

Enabling TLS for postfix will only encrypt when sending and recieving e-mails through the MTA, it will NOT encrypt login informations when checking e-mails.
For this use IMAP and, or POP3.
Though it is possible to enable TLS for both courier-imap and courier-pop3, (which I have experience with) and other others as well.


You must have a fully functional postfix installation server up and running, and a an optional CA. If you do not have an CA it is possible to sign this with a public CA like verisign.

I will not show how to create an postfix installation, or an CA here, please check my other guides for this.

OK, ready? Lets continue. create certificate for mailserver
#openssl req -new -key ca.key -out mail_linuxlasse_net.csr
Sign the certificate if possible, or get a trusted CA to do it.
sh sign.sh mail_linuxlasse_net.csr
Create a new directory, and move or copy the key file and newly created certificate.
The key file must be non password protected!
In this case it is called insecure_ca.key.
#mkdir /etc/postfix/tls
#cp insecure_ca.key /etc/postfix/tls/
#mv mail_linuxlasse_net.crt /etc/postfix/tls
Now insert the following lines to /etc/postfix/main.cf
smtpd_tls_cert_file = /etc/postfix/tls/mail_linuxlasse_net.crt
smtpd_tls_key_file = /etc/postfix/tls/insecure_ca.key
smtpd_tls_CAfile = /etc/postfix/tls/ca.crt

#inbound, use TLS if possible
smtpd_tls_security_level = may
#We want to have logging, for troubleshooting.
smtpd_tls_loglevel = 1

#outbound, use TLS if possible
smtp_tls_security_level = may
smtp_tls_loglevel = 1
After the changes, restart postfix.
#/etc/init.d/postfix restart
When postfix have restarted, it is time to check if TLS is enabled.
We will look if STARTTLS is there.
We can do this with telnet.
telnet localhost 25
Connected to localhost.
Escape character is '^]'.
220 mail.linuxlasse.net ESMTP
ehlo server.com
250-SIZE 10240000
250 DSN
The test is successfull, as you can see 250-STARTTLS

Now setup your mail client software to use STARTTLS!
It is likely you will get an certificate warning, if you have signed your own certificate from your own CA. If this is the case, just ignore it, meaning create and permanent acception of the certificate, or import the root ca to the client.

Errors and fixes

I have had this error, which is shown below.
postfix/smtpd[14616]: warning: TLS library problem: 14616:error:14094418:SSL 
routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1086:SSL alert number 48:
If I copy the CA certificate to the store of tls files it is working as inteded. I am not sure why, but it is working.
The location could differ from your setup.
#cp ca.crt /etc/postfix/tls
And restart postfix
#/etc/init.d/postfix restart
Note if you enable TLS, and are sending through and relay server which does not support TLS, outbound connections will ofcourse not be encryptet.
Do not trust the authors words! POC, tests and experience is key

Copyright LinuxLasse.net 2009 - 2024 All Rights Reserved.

Valid HTML 4.01 Strict Valid CSS!