Install a certificate for postfix

First, prepare the file containing your certificate (the cert-0000000000-1234.cer file) followed by the certificate chain (the chain-0000000000-1234.txt file). The order matters: the server certificate must come first and the intermediate certificates after it. For example:
cat cert-0000000000-1234.cer chain-0000000000-1234.txt > /etc/ssl/certs/my.certificate.and.chain.txt

If you haven't ordered your certificate yet, and want to generate a private key and a CSR, you can read our OpenSSL documentation.


To install your certificate under Postfix, edit /etc/postfix/main.cf and add or modify the following parameters.

  1. For the email reception part (SMTP server):
    smtpd_tls_cert_file = /etc/ssl/certs/my.certificate.and.chain.txt
    # the private key must be owned by root and readable by root only (chmod 600)
    smtpd_tls_key_file = /etc/ssl/private/my.private.key
    # enables opportunistic TLS: STARTTLS is offered to clients but not required
    smtpd_tls_security_level = may
    # recommended: one summary line per TLS handshake in the logs
    smtpd_tls_loglevel = 1
    # recommended: records the TLS protocol and cipher in the Received: header
    smtpd_tls_received_header = yes
    smtpd_tls_exclude_ciphers = NULL, aNULL, RC4, 3DES, eNULL, DHE_EXPORT
    smtpd_tls_mandatory_ciphers = high
    smtpd_tls_ciphers = medium
    # SSLv2 and SSLv3 are broken; on Postfix 3.6 or later you can use >=TLSv1.2 instead
    smtpd_tls_protocols = !SSLv2, !SSLv3
  2. For the email delivery part (SMTP client):
    # opportunistic TLS: used when the remote server offers STARTTLS, plain text otherwise
    smtp_tls_security_level = may
    # recommended: one summary line per TLS handshake in the logs
    smtp_tls_loglevel = 1
    smtp_tls_exclude_ciphers = NULL, aNULL, RC4, 3DES, eNULL, DHE_EXPORT
    smtp_tls_mandatory_ciphers = high
    smtp_tls_ciphers = medium
    # SSLv2 and SSLv3 are broken; on Postfix 3.6 or later you can use >=TLSv1.2 instead
    smtp_tls_protocols = !SSLv2, !SSLv3
You will then have to edit /etc/postfix/master.cf to make sure the following line (the tlsmgr service, which manages the TLS session cache and the random number source) is uncommented, then run postfix reload:
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
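A quick way to confirm that main.cf really carries the settings above is to lint it rather than read it by eye. The following Python script is an added example, not code from the original page or from Postfix: it parses the main.cf format (column-1 comments, "name = value", continuation lines that start with whitespace) and reports each TLS parameter that departs from the recommendation. The two configuration texts inside it are constructed samples, and its acceptance of a ">=TLSv1.x" protocol floor assumes Postfix 3.6 syntax.

```python
"""Lint the TLS parameters of a Postfix main.cf against the settings above.

Added example, not code from the original page or from Postfix. Parses the
main.cf format (column-1 '#' comments, 'name = value', and leading-whitespace
continuation lines) and reports each parameter that departs from the
recommended values. The two configurations below are constructed samples.
"""
import re

# Cipher classes that must appear in *_tls_exclude_ciphers (the page's list
# also names 3DES and DHE_EXPORT; these four are the non-negotiable ones).
REQUIRED_EXCLUDES = {"NULL", "aNULL", "eNULL", "RC4"}
# Protocols that must be disabled with a '!' entry in *_tls_protocols.
BANNED_PROTOCOLS = {"SSLv2", "SSLv3"}


def parse_main_cf(text):
    """Return {parameter: value}; the last assignment of a name wins."""
    params = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        if raw[0] in " \t" and current is not None:
            # Continuation line: Postfix appends it to the previous value.
            params[current] = (params[current] + " " + raw.strip()).strip()
            continue
        name, sep, value = raw.partition("=")
        if not sep:
            continue  # not an assignment
        current = name.strip()
        params[current] = value.strip()
    return params


def split_list(value):
    """Split a comma- and/or whitespace-separated Postfix list value."""
    return {item for item in re.split(r"[,\s]+", value) if item}


def check_tls(params):
    """Return a list of findings; an empty list means the config matches."""
    findings = []
    for name in ("smtpd_tls_cert_file", "smtpd_tls_key_file"):
        if not params.get(name):
            findings.append(f"{name} is not set; the server cannot offer STARTTLS")
    for side in ("smtpd", "smtp"):  # server side and client side respectively
        level = params.get(f"{side}_tls_security_level", "none")
        if level == "none":
            findings.append(f"{side}_tls_security_level is 'none': TLS is disabled")
        protos = split_list(params.get(f"{side}_tls_protocols", ""))
        # A '>=TLSv1.x' floor (Postfix 3.6+ syntax, assumed here) also
        # excludes SSLv2/SSLv3, so accept either form.
        has_floor = any(p.startswith(">=") for p in protos)
        missing = sorted(p for p in BANNED_PROTOCOLS if f"!{p}" not in protos)
        if missing and not has_floor:
            findings.append(f"{side}_tls_protocols does not exclude {missing}")
        excluded = split_list(params.get(f"{side}_tls_exclude_ciphers", ""))
        lacking = sorted(REQUIRED_EXCLUDES - excluded)
        if lacking:
            findings.append(f"{side}_tls_exclude_ciphers lacks {lacking}")
    if params.get("smtpd_tls_received_header", "no") != "yes":
        findings.append("smtpd_tls_received_header should be 'yes'")
    return findings


# Constructed sample: TLS turned on for reception only, nothing hardened.
WEAK_MAIN_CF = """\
smtpd_tls_cert_file = /etc/ssl/certs/my.certificate.and.chain.txt
smtpd_tls_key_file = /etc/ssl/private/my.private.key
smtpd_tls_security_level = may
smtp_tls_security_level = none
"""

# Constructed sample carrying the settings recommended above; the cipher
# exclusion list is split over two lines to exercise continuation parsing.
HARDENED_MAIN_CF = """\
# TLS for the SMTP server (reception)
smtpd_tls_cert_file = /etc/ssl/certs/my.certificate.and.chain.txt
smtpd_tls_key_file = /etc/ssl/private/my.private.key
smtpd_tls_security_level = may
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_exclude_ciphers = NULL, aNULL, RC4, 3DES,
    eNULL, DHE_EXPORT
smtpd_tls_mandatory_ciphers = high
smtpd_tls_ciphers = medium
smtpd_tls_protocols = !SSLv2, !SSLv3
# TLS for the SMTP client (delivery)
smtp_tls_security_level = may
smtp_tls_loglevel = 1
smtp_tls_exclude_ciphers = NULL, aNULL, RC4, 3DES, eNULL, DHE_EXPORT
smtp_tls_mandatory_ciphers = high
smtp_tls_ciphers = medium
smtp_tls_protocols = !SSLv2, !SSLv3
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK_MAIN_CF), ("hardened", HARDENED_MAIN_CF)):
        print(f"== {label} ==")
        for finding in check_tls(parse_main_cf(text)) or ["OK"]:
            print("  " + finding)
```

On a real server, feed it the output of postconf -n rather than the raw file, so that values inherited from defaults and from included settings are what gets checked.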
These settings are enough for a standard setup (you can stop reading here). Check the result with postconf -n, and by connecting from another machine with openssl s_client -starttls smtp -connect your.mail.host:25 to see the certificate chain that is actually served. For a more advanced setup, we recommend:
  • to retrieve our trust authorities archive and install it in /etc/postfix/tbs-trusted-roots/
  • Add the following lines so that Postfix can verify certificates presented by other servers or by clients (smtpd_tls_CAfile lists the CAs trusted to sign client certificates and is advertised to clients; smtp_tls_CAfile is used to verify the servers you deliver to):
    smtpd_tls_CAfile = /etc/postfix/tbs-trusted-roots/clientca.txt
    smtp_tls_CAfile = /etc/postfix/tbs-trusted-roots/allroots.txt
  • If you want to enforce encryption towards specific domains (such as intra-organization or with partners), add:
    smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
    And create the file /etc/postfix/tls_policy with one entry per line: the next-hop destination (a domain name, or a [host] or [host]:port literal as used in your transport or relayhost settings) followed by the security level, for example:
    []             none
    []:10024       none       encrypt
    Here you specify which destinations must use encryption; the empty brackets stand for the real host name or address. Each line takes exactly one level: none disables TLS for that destination, encrypt requires it (mail is deferred, not sent in clear, if the remote server does not offer STARTTLS), and secure additionally requires a certificate that verifies against smtp_tls_CAfile and matches the server name. Do not forget to run postmap /etc/postfix/tls_policy after every change to rebuild the lookup table, then postfix reload. See the smtp_tls_policy_maps documentation.
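postmap does not validate the content of the policy file: an entry with an empty destination never matches anything, and an unknown level is only rejected when Postfix tries to deliver to that destination. The following Python validator is an added example, not part of the page or of Postfix, that checks a tls_policy source file before postmap runs: every line must carry one destination and one recognised security level, optionally followed by attribute=value pairs. The sample texts are constructed (the valid one uses the reserved partner.example names), and the destination pattern is a simplification that accepts domain, .domain, [host] and [host]:port forms.

```python
"""Validate the source of a Postfix smtp_tls_policy_maps file before postmap.

Added example, not code from the original page or from Postfix. Each entry
is 'destination level [attribute=value ...]', where the destination is a
next-hop domain, a .domain pattern, or a [host] / [host]:port literal.
Sample texts below are constructed.
"""
import re

# Security levels understood by smtp_tls_policy_maps.
LEVELS = {"none", "may", "encrypt", "dane", "dane-only",
          "fingerprint", "verify", "secure"}
# Simplified destination syntax (assumption): domain, .domain, [host], each
# with an optional :port. Empty brackets do not match.
DEST_RE = re.compile(r"^(\[[^\]\s]+\]|\.?[A-Za-z0-9][A-Za-z0-9.-]*)(:\d{1,5})?$")


def parse_tls_policy(text):
    """Return (entries, errors); entries are (destination, level, {attr: value})."""
    entries, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 2:
            errors.append(f"line {lineno}: expected 'destination level'")
            continue
        dest, level, extra = fields[0], fields[1], fields[2:]
        if not DEST_RE.match(dest):
            errors.append(f"line {lineno}: bad destination {dest!r} "
                          "(empty brackets or illegal characters)")
            continue
        if level not in LEVELS:
            errors.append(f"line {lineno}: unknown security level {level!r}")
            continue
        attrs = {}
        for token in extra:
            key, sep, value = token.partition("=")
            if not sep:
                # A bare word after the level is usually a second level;
                # Postfix takes exactly one level per destination.
                errors.append(f"line {lineno}: {token!r} is not attribute=value")
                break
            attrs[key] = value
        else:
            entries.append((dest, level, attrs))
    return entries, errors


# The two lines shown above, with the bracketed host left empty.
PAGE_EXAMPLE = """\
[]             none
[]:10024       none       encrypt
"""

# Constructed valid file: skip TLS to a local content filter, require it for
# a partner, and verify the partner's relay certificate by name.
VALID_EXAMPLE = """\
# destination                       level    attributes
[127.0.0.1]:10024                   none
partner.example                     encrypt
[mail.partner.example]:587          secure   match=mail.partner.example
.partner.example                    may
"""

if __name__ == "__main__":
    for label, text in (("page example", PAGE_EXAMPLE), ("valid", VALID_EXAMPLE)):
        entries, errors = parse_tls_policy(text)
        print(f"== {label}: {len(entries)} entries, {len(errors)} errors ==")
        for err in errors:
            print("  " + err)
```

Run it on the file you are about to postmap; if it reports errors, fix them first, since the hash map will be built from whatever text is there.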

