[colug-432] postfix and TLS
Rob Funk
rfunk at funknet.net
Wed Feb 4 09:21:24 EST 2015
Rick Troth wrote:
> Is anyone running Postfix with TLS enabled?
> I have a cert and key pair, told Postfix where to find them, but still
> when a client sends "STARTTLS", server gives a "454 4.3.0 TLS not
> available due to local problem".
>
> I haven't found anything in the logs nor any clues via search. But I
> expect one or more in this group has it working. Do ya?

There should be *something* in the logs about it. Maybe turn up your
smtpd_tls_loglevel. (Mine is normally at 1, but higher numbers are
useful for debugging.)

You've probably gotten past this part, but the first confusion I had
was making sure I had everything set up properly for both smtpd_*
(postfix as server) and smtp_* (postfix as client), not just one of
them. And smtp_* doesn't normally get any certificate setup.

The settings in master.cf can get you in subtle ways, especially
chroot, but it's complicated enough (and buried far enough back in my
memory) that I wouldn't worry too much about that until after getting
more log information. But if I remember right you do need to put your
certificate and key files inside the postfix directory structure for
things to work.

Here are my TLS-related settings for the smtpd side of things:

smtpd_use_tls = yes
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_cert_file = /etc/postfix/ssl/wildcard.funknet.net.pem
smtpd_tls_key_file = /etc/postfix/ssl/wildcard.funknet.net.key.pem
# Improve the TLS security a bit
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2
smtpd_tls_mandatory_ciphers = high
smtpd_tls_ciphers = medium
# enable elliptic-curve
smtpd_tls_eecdh_grade = strong

For the smtp (client) side it's much simpler:

smtp_use_tls = yes
smtp_tls_loglevel = 1
smtp_tls_note_starttls_offer = yes
# risk man-in-the-middle
smtp_tls_enforce_peername = no
# Better TLS
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_protocols = !SSLv2
smtp_tls_mandatory_ciphers = high
smtp_tls_ciphers = medium

There are also some tls_* settings for improved crypto, but that's for
after you get the protocol working. There are also subtle differences
between mandatory and opportunistic encryption settings and
situations, and opportunistic encryption is much more permissive.

/etc/postfix/ssl has 0700 permissions and is owned by root, as is
everything inside it. The certificate file starts with my actual
certificate data (including the "-----BEGIN CERTIFICATE-----" part),
then after "-----END CERTIFICATE-----" it's immediately followed by the
intermediate certificate for the next level up (in my case that's
"AlphaSSL CA - SHA256 - G2"). The key file starts with
"-----BEGIN RSA PRIVATE KEY-----" and ends with
"-----END RSA PRIVATE KEY-----".
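Added example, not part of Rob's message: a small Python checker for the file layout he describes (leaf certificate followed by the intermediate in the cert file, a single unencrypted private key in the key file, root-owned files with no group/other permission bits), which is the kind of thing that produces "454 4.3.0 TLS not available due to local problem" when it is wrong. The sample PEM contents are constructed placeholders, not real certificates or keys, and the function names are my own.

```python
import os
import re

# One PEM block; group 1 is its type ("CERTIFICATE", "RSA PRIVATE KEY", ...).
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n.*?-----END \1-----", re.S)

# Constructed samples (placeholders, not real key material): leaf cert, then its intermediate.
SAMPLE_CERT_FILE = ("-----BEGIN CERTIFICATE-----\nMIIB...leaf placeholder...\n-----END CERTIFICATE-----\n"
                    "-----BEGIN CERTIFICATE-----\nMIIB...intermediate CA placeholder...\n-----END CERTIFICATE-----\n")
SAMPLE_KEY_FILE = "-----BEGIN RSA PRIVATE KEY-----\nMIIE...placeholder...\n-----END RSA PRIVATE KEY-----\n"

def pem_block_types(text):
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]

def cert_file_problems(text):
    """Leaf certificate first, intermediate(s) after it, and nothing else in the file."""
    types = pem_block_types(text)
    problems = [f"block {i} is '{t}', expected CERTIFICATE" for i, t in enumerate(types) if t != "CERTIFICATE"]
    if not types:
        problems.append("no PEM blocks found in certificate file")
    elif len(types) == 1:
        problems.append("only one certificate: intermediate CA certificate is missing")
    return problems

def key_file_problems(text):
    """Exactly one private key block, and not a passphrase-protected one (Postfix cannot prompt)."""
    types = pem_block_types(text)
    if len(types) != 1 or not types[0].endswith("PRIVATE KEY") or "ENCRYPTED" in types[0]:
        return [f"key file should hold exactly one unencrypted private key block, found {types}"]
    return []

def permission_problems(path, mode, uid):
    """Key material: owned by root, no group/other bits (the post uses 0700 on the directory)."""
    problems = []
    if uid != 0:
        problems.append(f"{path} is not owned by root (uid {uid})")
    if mode & 0o077:
        problems.append(f"{path} is accessible by group/other (mode {oct(mode & 0o777)})")
    return problems

def audit(cert_path, key_path):
    """Run every check against real files; an empty list means nothing obviously wrong."""
    problems = []
    for path in (os.path.dirname(cert_path), cert_path, key_path):
        st = os.stat(path)
        problems += permission_problems(path, st.st_mode, st.st_uid)
    problems += cert_file_problems(open(cert_path).read())
    problems += key_file_problems(open(key_path).read())
    return problems
```

On a live system, `audit("/etc/postfix/ssl/wildcard.funknet.net.pem", "/etc/postfix/ssl/wildcard.funknet.net.key.pem")` returns the list of problems found, and an empty list means the files at least have the shape Postfix expects.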