Postfix/TLS Configuration Summary


Following is a summary of the steps to follow in order to set up Postfix to use TLS:

  1. If it’s not already installed on your system, install the OpenSSL distribution that you’ll need to generate TLS certificates.
  2. Recompile and reinstall Postfix with the TLS patch (see Appendix C) or obtain a Postfix distribution that includes the TLS code.
  3. Generate server certificates including a certificate-signing request. You can validate the signing request yourself if you’re acting as your own CA or send it to a third-party CA for validation.
  4. Install your certificates (server secret key, signed public certificate, and your CA’s public certificate) into the Postfix directory.
  5. Edit main.cf and set the following parameters for TLS:
    smtpd_use_tls = yes
    smtpd_tls_key_file = /etc/postfix/mailkey.pem
    smtpd_tls_cert_file = /etc/postfix/mail_signed_cert.pem
    smtpd_tls_CAfile = /etc/postfix/cacert.pem
    

If there are other TLS parameters that you want to set, do so here (see the TLS patches documentation).

  6. Reload Postfix so that it recognizes the changes in its main.cf configuration file:
    # postfix reload
    

Now, when a client requests an encrypted session, your server should be able to respond appropriately.
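
A check you could run after step 5 and before reloading, as an added example that is not part of the original text: it parses main.cf text (comment lines, continuation lines) and reports unset TLS parameters, files that do not exist, and a secret key readable by anyone other than its owner. The function names are hypothetical, the key-permission check is an assumption the summary does not state, and the sample configuration is constructed in a temporary directory standing in for /etc/postfix.

```python
import os
import stat
import tempfile

# The four parameters set in step 5 of the summary.
REQUIRED = ("smtpd_use_tls", "smtpd_tls_key_file",
            "smtpd_tls_cert_file", "smtpd_tls_CAfile")

def parse_main_cf(text):
    """'#' lines are comments; a line starting with whitespace continues the previous one."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and current:
            params[current] = (params[current] + " " + raw.strip()).strip()
        elif "=" in raw:
            name, _, value = raw.partition("=")
            current = name.strip()
            params[current] = value.strip()
    return params

def audit_tls(params):
    """Return a list of findings; an empty list means every check passed."""
    findings = [f"{p} is not set" for p in REQUIRED if not params.get(p)]
    if (params.get("smtpd_use_tls") or "yes").lower() != "yes":
        findings.append("smtpd_use_tls is not 'yes'")
    for p in REQUIRED[1:]:
        path = params.get(p)
        if path and not os.path.isfile(path):
            findings.append(f"{p}: {path} does not exist")
    key = params.get("smtpd_tls_key_file", "")
    if os.path.isfile(key) and stat.S_IMODE(os.stat(key).st_mode) & 0o077:
        findings.append(f"{key}: secret key is readable by group or others")
    return findings

def demo():
    """Constructed sample: a temporary directory stands in for /etc/postfix."""
    with tempfile.TemporaryDirectory() as d:
        key, cert, ca = (os.path.join(d, n) for n in
                         ("mailkey.pem", "mail_signed_cert.pem", "cacert.pem"))
        for p in (key, cert, ca):
            open(p, "w").close()
        os.chmod(key, 0o644)  # deliberately too permissive
        conf = (f"smtpd_use_tls = yes\nsmtpd_tls_key_file = {key}\n"
                f"smtpd_tls_cert_file =\n    {cert}\nsmtpd_tls_CAfile = {ca}\n")
        before = audit_tls(parse_main_cf(conf))
        os.chmod(key, 0o600)  # owner-only, as a secret key should be
        return before, audit_tls(parse_main_cf(conf))
```

To use it on a real system, pass the contents of /etc/postfix/main.cf to `parse_main_cf` and run `audit_tls` on the result as a user who can stat the key file.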

