Install a certificate for postfix
1. Download the files
First of all, you need to get the files necessary to install your certificate. You need 2 files:
- Your private key: this file was generated along with your CSR when you ordered your certificate. If a password has been set on this key, you have to decrypt it first, since Postfix cannot load a password-protected key. You can do it directly with our online tool: private key decryption by your browser
- Your certificate and the certification chain: from the status page of your certificate, click the button "View certificate", then the link "View certificate with chain". This will allow you to download your certificate and the chain in PEM format.
2. Installation of the certificate
To install your certificate under Postfix, you must edit the file main.cf to add or modify parameters.
The installation method differs depending on the version of Postfix that is installed.
For Postfix 3.4 and later
The Postfix documentation advises installing a single file that will contain:
- the private key
- the server certificate
- the certification chain
Open the file with the .pem extension retrieved in the first part and insert the content of your private key at the very beginning of this file.
The content should look like this:
-----BEGIN PRIVATE KEY-----
...
... // your private key
...
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
...
... // your server certificate
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
... // the intermediate certificate
...
-----END CERTIFICATE-----
It is important that the file contains these 3 elements in this exact order, otherwise it will not work.
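A small checker for the combined file, added here as an example (it is not part of this guide or of Postfix): it reads the PEM markers and reports when the private key is not the first block, when it is still password-protected, or when a key is not followed by its certificate and chain. It generalises slightly beyond the single-key file above, since each key is checked together with the certificates that follow it. The PEM bodies are constructed placeholders, not real key material.

```python
import re

# Constructed sample PEM bodies (not real keys or certificates): only the
# BEGIN/END markers matter to this checker, so short placeholder bodies suffice.
def _block(label: str, body: str) -> str:
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

SAMPLE_OK = (_block("PRIVATE KEY", "MIIE...constructed-key...")
             + _block("CERTIFICATE", "MIIF...constructed-server-cert...")
             + _block("CERTIFICATE", "MIIF...constructed-intermediate..."))
# Wrong layout: key pasted at the end instead of the beginning of the file
SAMPLE_KEY_LAST = (_block("CERTIFICATE", "MIIF...constructed-server-cert...")
                   + _block("CERTIFICATE", "MIIF...constructed-intermediate...")
                   + _block("PRIVATE KEY", "MIIE...constructed-key..."))

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\n.*?-----END \1-----", re.DOTALL)
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}

def pem_labels(text: str) -> list:
    """Labels of all PEM blocks, in file order."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]

def check_chain_file(text: str) -> list:
    """Validate the layout expected by smtpd_tls_chain_files: each private key
    is immediately followed by its server certificate and then the chain.
    Returns a list of problems; an empty list means the layout is acceptable."""
    labels = pem_labels(text)
    problems = []
    if not labels:
        return ["no PEM blocks found"]
    if labels[0] not in KEY_LABELS:
        problems.append(f"first block is {labels[0]!r}; the private key must come first")
    groups = []  # one entry per key: number of certificates that follow it
    for i, label in enumerate(labels, start=1):
        if label in KEY_LABELS:
            if label == "ENCRYPTED PRIVATE KEY":
                problems.append(f"block {i} is a password-protected key; decrypt it first")
            groups.append(0)
        elif label == "CERTIFICATE":
            if groups:
                groups[-1] += 1
        else:
            problems.append(f"block {i} has unexpected type {label!r}")
    for n, certs in enumerate(groups, start=1):
        if certs == 0:
            problems.append(f"key {n} is not followed by a certificate")
        elif certs == 1:
            problems.append(f"key {n} is followed by only one certificate; the chain is missing")
    return problems

if __name__ == "__main__":
    for name, sample in (("SAMPLE_OK", SAMPLE_OK), ("SAMPLE_KEY_LAST", SAMPLE_KEY_LAST)):
        print(name, check_chain_file(sample) or "OK")
```

To check a real file, pass the content of your .pem file to check_chain_file instead of the constructed samples.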
Then edit the main.cf file:
- For the email reception part (SMTP server):
# directive for the certificate
smtpd_tls_chain_files = /chemin/vers/votre/fichier.pem
# directive for TLS
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
# activate TLS
smtpd_tls_security_level = may
# recommended for logs
smtpd_tls_loglevel = 1
# recommended for having a TLS trace in headers
smtpd_tls_received_header = yes
# directive for ciphers
smtpd_tls_exclude_ciphers = NULL, aNULL, RC4, 3DES, eNULL, DHE_EXPORT
smtpd_tls_mandatory_ciphers = high
- For the email sending part (SMTP client):
# activate TLS if the remote server offers it
smtp_tls_security_level = may
# directive for TLS
smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
# recommended for logs
smtp_tls_loglevel = 1
# directive for ciphers
smtp_tls_exclude_ciphers = NULL, aNULL, RC4, 3DES, eNULL, DHE_EXPORT
smtp_tls_mandatory_ciphers = medium
For Postfix 3.3 and earlier
- For the reception of emails (SMTP server):
# directives for the certificate, the certification chain and the private key
smtpd_tls_cert_file = /chemin/vers/votre/fichier.pem
smtpd_tls_key_file = /chemin/vers/votre/cléprivée.key
# directive for TLS
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
# activate TLS
smtpd_tls_security_level = may
# recommended for logs
smtpd_tls_loglevel = 1
# recommended for having a TLS trace in headers
smtpd_tls_received_header = yes
# directive for ciphers
smtpd_tls_exclude_ciphers = NULL, aNULL, RC4, 3DES, eNULL, DHE_EXPORT
smtpd_tls_mandatory_ciphers = high
- For the email sending part (SMTP client):
# activate TLS if the remote server offers it
smtp_tls_security_level = may
# directive for TLS
smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
# recommended for logs
smtp_tls_loglevel = 1
# directive for ciphers
smtp_tls_exclude_ciphers = NULL, aNULL, RC4, 3DES, eNULL, DHE_EXPORT
smtp_tls_mandatory_ciphers = medium
Check that the TLS session cache manager is enabled in master.cf (this is the default entry):
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
If your configuration is standard you can stop here. For an advanced configuration, we recommend:
- Download, with OpenSSL, our trust authorities archive and install it in /etc/postfix/tbs-trusted-roots/
- Add the following lines to include certificates from other servers or users:
smtpd_tls_CAfile = /etc/postfix/tbs-trusted-roots/clientca.txt
smtp_tls_CAfile = /etc/postfix/tbs-trusted-roots/allroots.txt
- If you want to force the encryption between 2 domains (for example intra-company or with partners), add:
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
And create the file /etc/postfix/tls_policy as:
[127.0.0.1] none
[127.0.0.1]:10024 none
tbs-internet.com encrypt
Here you can specify which domains must use encryption. Do not forget to run the command postmap tls_policy to compile the Postfix lookup table. See the smtp_tls_policy_maps documentation.