JOIN OUR AFFILIATE NETWORK

Join our affiliate network and become a local SSL expert

♦ learn more about our program ♦
Menu
picture of tbs certificates
picture of tbs certificates
Certificates
Our products range
Partners
Support
Focus


Install a certificate for postfix

1. Download the files

First of all, you need to get the files necessary to install your certificate. You need 2 files :

  • Your private key: this file was generated along with your CSR when you ordered your certificate. If a password has been set on this key you have to decrypt it. You can do it directly with our online tool : private key decryption by your browser

  • Your certificate and the certification chain: from the status page of your certificate, button "View certificate", click on the link "View certificate with chain". This will allow you to download your certificate and the chain in PEM format

2. Installation of the certificate

To install your certificate under postfix, you must edit the file main.cf to add or modify parameters.

The installation method differs depending on the version of Postfix that is installed.

For Postfix 3.4 and +

The Postfix documentation advises to install a single file that will contain :

  • the private key
  • the server certificate
  • the certification chain

Open the file with the .pem extension retrieved in the first part and insert the content of your private key at the very beginning of this file.

The content should look like this:

    --------------BEGIN PRIVATE KEY----------------
...
... //your private key
...
    --------------END PRIVATE KEY----------------

    --------------BEGIN CERTIFICATE----------------
...
... //your server certificate
...
    --------------END CERTIFICATE----------------

    --------------BEGIN CERTIFICATE----------------
...
... // the intermediate certificate
...
    --------------END CERTIFICATE----------------

It is important that the file contains these 3 elements in this exact order, otherwise it will not work.

Then edit the main.cf file

  1. For the email reception part (SMTP server)
    # directive for the certificat
    smtpd_tls_chain_files = /chemin/vers/votre/fichier.pem
    
    #directive for TLS
    smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
    
    # activate the TLS
    smtpd_tls_security_level = may	
    
    # recommanded for logs
    smtpd_tls_loglevel = 1
    
    # recommanded for having TLS trace in headers
    smtpd_tls_received_header = yes
    
    # directive for ciphers
    smtpd_tls_exclude_ciphers = NULL, aNULL, RC4, 3DES, eNULL, DHE_EXPORT
    smtpd_tls_mandatory_ciphers = high
    
            
  2. For the email sending part (SMTP client):
    #activate TLS if necessary
    smtp_tls_security_level = may
    
    #directive for TLS
    smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
    
    # recommandé for logs
    smtp_tls_loglevel = 1
    
    # directive for ciphers
    smtp_tls_exclude_ciphers = NULL, aNULL, RC4, 3DES, eNULL, DHE_EXPORT
    smtp_tls_mandatory_ciphers = medium
    
            

For Postfix 3.3 and -

  1. For the reception of emails (SMTP server):
    # directive for certificate and chain certification
    smtpd_tls_cert_file = /chemin/vers/votre/fichier.pem 
    smtpd_tls_key_file = /chemin/vers/votre/cléprivée.key
    
    #directive for TLS
    smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
    
    # activate TLS
    smtpd_tls_security_level = may	
    
    # recommanded for logs
    smtpd_tls_loglevel = 1
    
    # recommanded for having TLS trace in headers
    smtpd_tls_received_header = yes
    
    # directive for ciphers
    smtpd_tls_exclude_ciphers = NULL, aNULL, RC4, 3DES, eNULL, DHE_EXPORT
    smtpd_tls_mandatory_ciphers = high
    
            
  2. For the email sending part (SMTP client):
    #activate TLS if necessary
    smtp_tls_security_level = may
    
    #directive for TLS
    smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
    
    # recommanded for logs
    smtp_tls_loglevel = 1
    
    # directive for ciphers
    smtp_tls_exclude_ciphers = NULL, aNULL, RC4, 3DES, eNULL, DHE_EXPORT
    smtp_tls_mandatory_ciphers = medium
    
            
You will then have to edit the master.cf to make sure that the following instruction is well uncommented:
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
If your configuration is standard you can stop here. For an advanced configuration, we recommend :
  • To download, with OpenSSL, our trust authorities archive to be install in /etc/postfix/tbs-trusted-roots/

  • Add the following lines to include certificates from other servers or users:
    smtpd_tls_CAfile = /etc/postfix/tbs-trusted-roots/clientca.txt
    smtp_tls_CAfile = /etc/postfix/tbs-trusted-roots/allroots.txt
        
  • If you want to force the encryption between 2 domains (for example intra-company or with partners), add partners, add:
    smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
        
    And create the file /etc/postfix/tls_policy as:
    [127.0.0.1]             none
    [127.0.0.1]:10024       none
    tbs-internet.com       encrypt
    
    Here you can precise which domains should use encryption. Do not forget the command postmap tls_policy to compile the postfix file. See smtp_tls_policy_maps documentation

Useful links