Configuring Postfix to support TLS
Postfix can utilize TLS for securing communication in a few ways. We're going to look at each of them.
How to do it…
Require TLS for authentication of local clients:
This is already handled in our existing configuration through the smtpd_tls_security_level=encrypt option for the submission port.
Allow TLS of inbound/outbound mail delivery:
$ sudo postconf -e smtpd_tls_security_level=may
Set the TLS key and certificate files:
$ sudo postconf -e smtpd_tls_cert_file=/path/to/server.crt
$ sudo postconf -e smtpd_tls_key_file=/path/to/server.key
How it works…
The most important thing we want to do here is ensure that passwords are not sent in plaintext. This means requiring authentication on the submission port, which the user interacts with.
Unfortunately, when it comes to SMTP delivery, large swaths of the internet still do not allow SMTP over TLS, so forcing TLS may very well result in undeliverable e-mail. Instead, we use the may keyword to tell Postfix to use TLS...
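To confirm the settings from this recipe took effect, the check below audits them. It is an added example, not part of the original recipe; the function names and sample text are constructed, and it assumes input in the "name = value" form printed by postconf -n plus the "service/type/name = value" form printed by postconf -P. It covers only the smtpd_ (server-side) parameters set above.

```shell
# Added example (not from the original recipe): audit the TLS settings this
# recipe configures, from `postconf -n` and `postconf -P` style text.

# get_param NAME: print the value assigned to NAME in the text on stdin.
get_param() {
    awk -v k="$1" '{
        i = index($0, "="); if (!i) next
        n = substr($0, 1, i - 1); v = substr($0, i + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", n); gsub(/^[ \t]+|[ \t]+$/, "", v)
        if (n == k) { print v; exit }
    }'
}

# audit_postfix_tls TEXT: print one line per finding; return 1 on any FAIL.
audit_postfix_tls() {
    a_rc=0
    a_in=$(printf '%s\n' "$1" | get_param smtpd_tls_security_level)
    a_sub=$(printf '%s\n' "$1" | get_param submission/inet/smtpd_tls_security_level)
    a_cert=$(printf '%s\n' "$1" | get_param smtpd_tls_cert_file)
    a_key=$(printf '%s\n' "$1" | get_param smtpd_tls_key_file)
    # Without a master.cf override, submission inherits the main.cf level.
    [ -n "$a_sub" ] || a_sub=$a_in
    case "$a_in" in
        may)     echo "OK: port 25 offers opportunistic TLS" ;;
        encrypt) echo "WARN: port 25 requires TLS; senders without it cannot deliver" ;;
        *)       echo "FAIL: port 25 does not offer TLS (level='${a_in}')"; a_rc=1 ;;
    esac
    if [ "$a_sub" = encrypt ]; then
        echo "OK: submission requires TLS before authentication"
    else
        echo "FAIL: submission level is '${a_sub}', passwords may cross in plaintext"
        a_rc=1
    fi
    [ -n "$a_cert" ] || { echo "FAIL: smtpd_tls_cert_file is not set"; a_rc=1; }
    [ -n "$a_key" ]  || { echo "FAIL: smtpd_tls_key_file is not set"; a_rc=1; }
    return "$a_rc"
}

# Constructed sample input; on a live host use: "$(postconf -n; postconf -P)"
SAMPLE_GOOD='smtpd_tls_security_level = may
smtpd_tls_cert_file = /path/to/server.crt
smtpd_tls_key_file = /path/to/server.key
submission/inet/smtpd_tls_security_level = encrypt'
SAMPLE_WEAK='smtpd_tls_security_level = may
smtpd_tls_cert_file = /path/to/server.crt'

audit_postfix_tls "$SAMPLE_GOOD" || true
audit_postfix_tls "$SAMPLE_WEAK" || true
```

The second sample fails twice: with no submission override the port inherits "may", and no key file is set.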