Gentoo Wiki




This article will show you how to configure SSL/TLS under Postfix with server-side certificates to securely encrypt your connections.

This guide assumes you already have a working Postfix installation.

Certificate Creation

This guide will not deal with certificate creation since that is already covered elsewhere. If you want an easy-to-use graphical program for managing self-signed certificates, you may wish to check out easyca.

You will need to save the certificate files (there should be atleast 3 - a key file, a certificate file and a CA certificate file for each CA in the chain) on to the server. For example, you may choose to keep yours in a directory called /etc/ssl/mycerts.

Your certificate files should be owned by root and have permissions 0600 (ie. they can only be read by root).

Postfix does not support certificates which require a passphrase.

Your certificate must pass the openssl verify test for ssl server usage. For more information, see man openssl-verify

To verify your certificate passes this test, run: openssl verify -purpose sslserver certificate.pem

Certificate Setup

Postfix requires that the certificate file also contains the certificates for all CAs in the chain. These extra certificates should be ignored by other software, so you should still be able to use the same certificate file.

For each of the CA certificates in the chain, append the CA certificate to your server certificate: cat ca_certificate.pem >> certificate.pem

Note that if you're using a CA that your clients will already trust (basically if you paid for your certficate from a well known company like Verisign), you do not need to include the root CA certificate.

Package Setup

Postfix needs to be compiled with the ssl USE flag. To do this, add the following to /etc/portage/package.use:

File: /etc/portage/package.use
mail-mta/postfix ssl

And recompile Postfix with: emerge -av postfix


By default TLS support is completely disabled in Postfix. To enable encryption when it is supported, add the following to the end of /etc/postfix/

   smtpd_tls_security_level = may

For instances of Postfix that do not need to talk to public SMTP servers (eg. those running on a non-default port), you can set smtpd_tls_security_level = encrypt to force encryption.

Next you need to tell Postfix about your certificate. Postfix has different options for RSA and DSA key based certificates. If you don't know what type you have, you almost certainly have an RSA key based certificate.

RSA Key Certificates

For RSA key based certificates, add the following to the end of /etc/postfix/

   smtpd_tls_cert_file = /etc/ssl/mycerts/certificate.pem
   smtpd_tls_key_file = $smtpd_tls_cert_file

If your key is a separate file, replace the value of smtpd_tls_key_file with the location of the key file, for example:

   smtpd_tls_key_file = /etc/ssl/mycerts/key.pem

DSA Key Certificates

For DSA key based certificates, add the following to the end of /etc/postfix/

   smtpd_tls_dcert_file = /etc/postfix/certificate-dsa.pem
   smtpd_tls_dkey_file = $smtpd_tls_dcert_file

If your key is a separate file, replace the value of smtpd_tls_dkey_file with the location of the key file, for example:

   smtpd_tls_dkey_file = /etc/ssl/mycerts/key-dsa.pem

Requiring Encryption for Authenticated Users

Sending authentication (AUTH) data over an unencrypted connection poses a security risk. When TLS encryption is required ("smtpd_tls_security_level = encrypt"), the Postfix server will announce and accept AUTH only after the connection encryption has been activated with STARTTLS.

When encryption is optional ("smtpd_tls_security_level = may"), to maintain compatibility with non-TLS clients the default is to accept authentication without encryption. In order to change this behavior, add the following to the end of /etc/postfix/

   smtpd_tls_auth_only = yes

Always Encrypted Port (Wrapper Mode)

TLS is sometimes used in the non-standard "wrapper" mode where a server always uses TLS, instead of announcing STARTTLS support and waiting for remote SMTP clients to request TLS service. Some clients, namely Outlook [Express] prefer the "wrapper" mode. This is true for OE (Win32 < 5.0 and Win32 >=5.0 when run on a port<>25 and OE (5.01 Mac on all ports).

To enable wrapper mode on the standard smtps port (965), add the following to /etc/postfix/

   smtps    inet  n       -       n       -       -       smtpd
     -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes

What's next?

You can also set up client side certificate authentication. To improve TLS session performance, consider setting up session caching.

Retrieved from ""

Last modified: Fri, 13 Jun 2008 13:28:00 +0000 Hits: 884