Steps to create SSL for SMTP?

Tue, 01/04/2011 - 14:20
kfawcett Pro Licensee

What are the steps to create SMTPS?

I'm guessing I need a certificate? Is this correct? How do I do this (self-signed)?

And then what?

Tue, 01/04/2011 - 17:30
andreychek

I don't recall what's enabled by default during the install -- it might already be set up. You can determine that by running:

netstat -an | grep :465

If that doesn't show any results, all you'd need to do to enable SMTPS is to edit /etc/postfix/master.cf, and uncomment the 3-4 lines starting with "smtps" (with several lines beginning with "-o" under it).

After uncommenting those, restart Postfix with:

/etc/init.d/postfix restart

Tue, 01/04/2011 - 22:13
kfawcett Pro Licensee

So no need for creating a certificate? I thought SSL needed a certificate?

These are the lines I uncommented:

smtps     inet  n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject

I then restarted Postfix and ran openssl s_client -connect myhostname:465

It returned this -> CONNECTED(00000003), but nothing else (supposedly it should show an SSL certificate when I connect and then hopefully prompt me with an SMTP 220 code and hostname). What else do I need to do?

Tue, 01/04/2011 - 22:20
andreychek

On most distros, SMTPS should be able to work by simply uncommenting the smtps related lines in the master.cf file.

It sounds like it's listening on port 465, which is good.

One thing you might try is to restart saslauthd, with "/etc/init.d/saslauthd restart".

If that doesn't help, take a peek in your mail log and see if there are any errors when you're connecting... the mail log is either /var/log/maillog or /var/log/mail.log, depending on your distro.

-Eric

Tue, 01/04/2011 - 22:55
kfawcett Pro Licensee

There's a lot in the logs, but I think these are the important lines...

Jan 5 04:49:16 server1 postfix/smtpd[2636]: fatal: No server certs available. TLS can't be enabled

Jan 5 04:49:17 server1 postfix/master[2407]: warning: process /usr/libexec/postfix/smtpd pid 2636 exit status 1

Jan 5 04:49:17 server1 postfix/master[2407]: warning: /usr/libexec/postfix/smtpd: bad command startup -- throttling

Wed, 01/05/2011 - 09:29
andreychek

Well, it certainly seems to be complaining about a lack of SSL certificates. You should, in theory, be able to set up SMTPS without needing anything outside of what's installed/available by default. It's Submission (on port 587) that typically requires generating a new set of certs.

However, either something is different on your setup, the defaults are different now than before, or I'm just getting old and not remembering what's required to get that running :-)

Anyhow, rather than fight it, let's just create those SSL certs :-)

The simplest way to do that would be to pick a Virtual Server that exists on your server whose name you'd like on the SSL certs. Let's assume you have a Virtual Server named "example.com", and that's the name you'd like on your SSL certs.

Firstly, go into Edit Virtual Server, go into Enabled Features, and check "SSL website enabled", then hit save. That'll generate an SSL cert that is put into Apache.

The next step would be to get that cert into your mail setup.

To do that, go into Server Configuration -> Manage SSL Certificate, and click "Copy to Postfix". That'll set up Postfix with that new SSL cert you just created.

I don't recall if that actually restarts Postfix... if not, you may need to manually restart it with "/etc/init.d/postfix restart".

And then, verify after restarting it that you aren't seeing any error messages.

Let us know if that does the trick!

-Eric
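The fatal error in the log above comes from enabling a TLS-only service in master.cf while main.cf names no server certificate. The following is an added example (not from the thread or from Virtualmin) that parses both files the way the thread discusses them and reports that mismatch before a restart; the sample configs are constructed, and smtpd_tls_cert_file/smtpd_tls_key_file are the standard Postfix main.cf parameters.

```python
import os
import re

# Constructed sample (not from the thread): smtps uncommented in master.cf as the
# poster did, but main.cf names no cert, which logs "No server certs available".
SAMPLE_MASTER_CF = """\
smtp      inet  n       -       n       -       -       smtpd
#submission inet n      -       n       -       -       smtpd
smtps     inet  n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
"""
SAMPLE_MAIN_CF = "myhostname = server1.example.com\nsmtpd_tls_security_level = may\n"

def parse_master_cf(text):
    """Map each uncommented service to its '-o' overrides (indented lines)."""
    services, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank or commented out (a leading '#' disables the line)
        if line[0].isspace():
            m = re.match(r"\s*-o\s+([^=\s]+)=(.*)", line)
            if m and current is not None:
                services[current][m.group(1)] = m.group(2).strip()
        else:
            current = line.split()[0]  # service name is the first column
            services[current] = {}
    return services

def parse_main_cf(text):
    params = {}  # minimal 'key = value' reader; no multi-line values
    for line in text.splitlines():
        if "=" in line and not line.lstrip().startswith("#"):
            key, value = line.split("=", 1)
            params[key.strip()] = value.strip()
    return params

def tls_problems(master_cf, main_cf):
    """Services forcing TLS but lacking a usable server cert/key in main.cf."""
    params = parse_main_cf(main_cf)
    cert, key = params.get("smtpd_tls_cert_file"), params.get("smtpd_tls_key_file")
    needs_tls = [s for s, o in parse_master_cf(master_cf).items()
                 if o.get("smtpd_tls_wrappermode") == "yes"
                 or o.get("smtpd_tls_security_level") == "encrypt"]
    if not cert or not key:
        return [f"{s}: TLS forced but smtpd_tls_cert_file/key_file unset" for s in needs_tls]
    missing = [p for p in (cert, key) if not os.path.isfile(p)]
    return [f"{s}: cert/key file missing: {p}" for s in needs_tls for p in missing]
```

Run tls_problems() on the real /etc/postfix/master.cf and main.cf contents after "Copy to Postfix"; an empty list means the cert is wired in and the restart should not throttle smtpd.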

Wed, 01/05/2011 - 09:48
kfawcett Pro Licensee

Thanks Eric! Got it working.

Mon, 12/26/2011 - 02:43
yngens

I don't know if my Virtualmin setup can be deemed as old enough - from a year ago - but I also have to copy certificates to Postfix manually every time. Posting just to subscribe to the thread.

Mon, 12/26/2011 - 19:57
andreychek

Howdy,

Well, we'd always recommend using the most recent Virtualmin version. That one contains all the latest bugfixes and security updates, as well as nifty new features.

Recent Virtualmin versions have a "Copy to Postfix" option in Server Configuration -> Manage SSL Certificates.

-Eric

Wed, 03/07/2012 - 08:23
Karl

Thanks,

that's exactly how it worked on my CentOS server:

  1. Enable SMTPS, edit /etc/postfix/master.cf, and uncomment the 3-4 lines starting with "smtps" (with several lines beginning with "-o" under it). See here: https://www.virtualmin.com/node/16747#comment-74344

  2. Create SSL certs and copy to Postfix: See here: https://www.virtualmin.com/node/16747#comment-74365

SSL for SMTP is working now!

Thanks a lot!

Sun, 10/21/2012 - 11:16
briand Pro Licensee

This old information finally helped me crack sending email from an iPhone. Uncomment the master.cf file :)

Thanks guys.

Brian

Mon, 03/07/2016 - 15:53
azcunaga

Hi!

I've been trying to set up SSL on my server and still can't get it right.

I've just uncommented the "submission" section (in addition to smtp and smtps) of my master.cf file as follows:

smtp      inet  n       -       -       -       -       smtpd
  -o smtpd_sasl_auth_enable=yes
#smtp     inet  n       -       -       -       1       postscreen
#smtpd    pass  -       -       -       -       -       smtpd
#dnsblog  unix  -       -       -       -       0       dnsblog
#tlsproxy unix  -       -       -       -       0       tlsproxy
submission inet n       -       -       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
smtps     inet  n       -       -       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_reject_unlisted_recipient=no
  -o smtpd_client_restrictions=$mua_client_restrictions
  -o smtpd_helo_restrictions=$mua_helo_restrictions
  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING

I think I read I need to reissue the certificate to get things going, is that right?

Thanks!