Postfix/TLS - Configuring main.cf

To use the TLS extension you need to feed some information to postfix. Please see also the conf/sample-tls.cf file.

smtpd (server) specific variables

# To use TLS we do need a certificate and a private key. Both must be in
# "pem" format, the private key must not be encrypted, that does mean:
# it must be accessible without password. Both parts (certificate and
# private key) may be in the same file.
# Because the key is stored unencrypted, protect it with file permissions:
# owner-readable only (e.g. mode 0600), not in a world-readable directory.
# Check which process user needs read access in your Postfix version.
#
# NOTE(review): the key_file example below refers to $tls_cert_file, which
# is not set anywhere in this file. If the parameter is really named
# smtpd_tls_cert_file, the reference should probably be $smtpd_tls_cert_file
# -- confirm against the parameter names of the installed version.
#
# smtpd_tls_cert_file = /etc/postfix/server.pem
# smtpd_tls_key_file = $tls_cert_file

# The certificate was issued by a certification authority (CA), of which
# the CA-cert must be available. This file may also contain the
# CA certificates of other trusted CAs. You must use this file for the
# list of trusted CAs if you want to use chroot-mode.
#
# smtpd_tls_CAfile = /etc/postfix/CAcert.pem

# To verify the peer certificate, we need to know the certificates of
# certification authorities. These certificates in "pem" format are
# collected in a directory. The same CAs are offered to clients for
# client verification. Don't forget to create the necessary "hash"
# links with $OPENSSL_HOME/bin/c_rehash /etc/postfix/certs. A typical
# place for the CA-certs may also be $OPENSSL_HOME/certs, so there is
# no default and you explicitly have to set the value here!
# This will not work in chroot mode, use the tls_CAfile instead.
# Every CA placed here can issue client certificates that verify
# successfully, so keep this directory to CAs you actually trust for that
# purpose rather than copying a general-purpose CA bundle into it.
#
smtpd_tls_CApath = /etc/postfix/certs

# To get additional information during the TLS setup and negotiations
# you can increase the loglevel from 0..4:
# 0: No output about the TLS subsystem
# 1: Printout startup and certificate information
# 2: 1 + Printout of levels during negotiation
# 3: 2 + Hex and ASCII dump of negotiation process
# 4: 3 + Hex and ASCII dump of complete transmission after STARTTLS
# Use loglevel 3 only in case of problems. Use of loglevel 4 is strongly
# discouraged: level 4 writes the decrypted session, including message
# content, into the log, so the log becomes as sensitive as the mail itself.
#
# smtpd_tls_loglevel = 0

# By default TLS is disabled, so no difference to plain postfix is visible.
# Explicitly switch it on here:
#
smtpd_use_tls = yes

# You can ENFORCE the use of TLS, so that no commands (except QUIT of course)
# are allowed without TLS. According to RFC2487 this MUST NOT be applied
# in case of a publicly-referenced SMTP server, because clients without
# TLS support would no longer be able to deliver mail. So this option is off
# by default and should only seldom be used. Using this option implies
# smtpd_use_tls = yes
#
# smtpd_enforce_tls = no

# To receive a client certificate, the server must explicitly ask for one.
# Hence netscape will either complain if no certificate is available (for
# the list of CAs in /etc/postfix/certs) or will offer you client certificates
# to choose from. This might be annoying, so this option is "off" by default.
# You will however need the certificate if you want to do e.g. certificate
# based relaying.
#
# smtpd_tls_ask_ccert = no

# You may also decide to REQUIRE a client certificate to allow TLS connections.
# I don't think it will be necessary often, it is however included here for
# completeness. This option implies smtpd_tls_ask_ccert = yes
#
# smtpd_tls_req_ccert = no

# The verification depth for client certificates. The default (1) is
# sufficient, if the client certificate is directly issued by a CA
# listed under smtpd_tls_CApath (or in smtpd_tls_CAfile in chroot mode).
#
# smtpd_tls_ccert_vd = 1

# One additional option has been added for relay control to the UCE rules:
# check_relay_ccerts. If this option is added to smtpd_recipient_restrictions
# postfix will relay if a valid client certificate is presented and in the
# list of client certs (relay_clientcerts).
# Relaying is granted by that lookup alone, so anyone holding the private
# key of a listed certificate can relay until its entry is removed; keep
# the list short and remove entries as soon as a key may be compromised.
#
# smtpd_recipient_restrictions = check_relay_ccerts

# The list of client certificates for which relaying will be allowed.
# Unfortunately the routines for lists in postfix use whitespace as
# separator and choke on special chars. So using the certificate
# X509ONELINES is quite impractical. We will use the fingerprints at
# this point, as they are difficult to fake but easy to use for lookup.
# There is just one small problem: The colon ':' is interpreted as
# separator between database type and filename, so we must avoid it.
# We use the underscore "_" instead.
# As postmap (when using e.g. db) insists on having a pair of key and value,
# but we only need the key, the value can be chosen freely, e.g. the name
# of the user or host:
# D7_04_2F_A7_0B_8C_A5_21_FA_31_77_E1_41_8A_EE_80 lutzpc.at.home
#
# NOTE(review): the example fingerprint is 16 bytes long, i.e. the length
# of an MD5 digest. Confirm which digest this version computes; if a
# collision-resistant digest is available, the lookup key should use it.
#
# relay_clientcerts = hash:/etc/postfix/relay_clientcerts

smtp (client) specific variables

# During the startup negotiation we might present a certificate to the server.
# Netscape is rather clever here and lets the user select between only those
# certs that will match the CAs accepted from the server. As I simply use
# the integrated "SSL_connect()" from the OpenSSL package, this is not
# possible by now and we have to choose just one cert.
# So for now the default is to use _no_ cert and key unless explicitly
# set here. It is possible to use the same key/cert pair as for the server.
# If a cert is to be presented, it must be in "pem" format, the private key
# must not be encrypted, that does mean: it must be accessible without
# password. Both parts (certificate and private key) may be in the
# same file.
# As the key is unencrypted, keep the file owner-readable only (e.g. mode
# 0600); check which process user needs read access in your Postfix version.
#
# NOTE(review): the key_file line below refers to $tls_cert_file, which is
# not set anywhere in this file. If the parameter is really named
# smtp_tls_cert_file, the reference should probably be $smtp_tls_cert_file
# -- confirm against the parameter names of the installed version.
#
smtp_tls_cert_file = /etc/postfix/server.pem
smtp_tls_key_file = $tls_cert_file

# The certificate was issued by a certification authority (CA), of which
# the CA-cert must be available. This file may also contain the
# CA certificates of other trusted CAs. You must use this file for the
# list of trusted CAs if you want to use chroot-mode.
# No default is supplied for this value as of now.
#
smtp_tls_CAfile = /etc/postfix/CAcert.pem

# To verify the peer certificate, we need to know the certificates of
# certification authorities. These certificates in "pem" format are
# collected in a directory. Don't forget to create the necessary "hash"
# links with $OPENSSL_HOME/bin/c_rehash /etc/postfix/certs. A typical
# place for the CA-certs may also be $OPENSSL_HOME/certs, so there is
# no default and you explicitly have to set the value here!
# This will not work in chroot mode, use the tls_CAfile instead.
#
smtp_tls_CApath = /etc/postfix/certs

# To get additional information during the TLS setup and negotiations
# you can increase the loglevel from 0..4:
# 0: No output about the TLS subsystem
# 1: Printout startup and certificate information
# 2: 1 + Printout of levels during negotiation
# 3: 2 + Hex and ASCII dump of negotiation process
# 4: 3 + Hex and ASCII dump of complete transmission after STARTTLS
# Use loglevel 3 only in case of problems. Use of loglevel 4 is strongly
# discouraged: level 4 writes the decrypted session, including message
# content, into the log, so the log becomes as sensitive as the mail itself.
#
smtp_tls_loglevel = 0

# By default TLS is disabled, so no difference to plain postfix is visible.
# If you enable TLS it will be used when offered by the server; when the
# server does not offer it, delivery proceeds in plaintext as before.
# Explicitly switch it on here:
#
smtp_use_tls = yes

# You can ENFORCE the use of TLS, so that only connections with TLS will
# be accepted.
# THIS IS NOT IMPLEMENTED, YET. It is also very likely, that it will never
# be realized that way. It is far better to have a list of sites, to which
# we will only connect in TLS mode, as we know that they support TLS.
#
# The second problem is the problem of verifying the certificate. Enforcing
# only makes sense when the CN is checked against the actual hostname,
# and this requires agreement about accepted CAs. So as of now, all of this
# is still open.
# Consequence for risk assessment: until enforcement and hostname checking
# exist, client-side TLS protects against passive observation of the
# connection only; an active party on the path is not prevented from
# downgrading the session or posing as the peer.
#
# smtp_enforce_tls = no

# The verification depth for certificates. The default (1) is sufficient,
# if the certificate is directly issued by a CA listed under smtp_tls_CApath
# (or in smtp_tls_CAfile in chroot mode).
#
# smtp_tls_ccert_vd = 1