How to enable inbound TLS (STARTTLS) in Postfix with a CA-signed certificate (Let's Encrypt)

Postfix is usually deployed with a self-signed certificate, and for server-to-server mail that works because most sending MTAs use opportunistic TLS and do not validate the receiving server's certificate. A certificate from a public CA becomes useful when applications or mailbox users submit mail to a central MTA: their clients can then verify the server's identity instead of trusting any certificate, which is what keeps their submission credentials away from an active attacker on the path.

You can either buy a certificate from a commercial CA or use the free certificates from letsencrypt.org (they are valid for 90 days, so they have to be renewed regularly). In this guide I will use a Let's Encrypt certificate for my MX host console.postfix.io.

I use the letsencrypt client to manage certificates for my domains. The command below obtains a certificate for the host in standalone mode: the client temporarily starts its own web server to answer the ACME challenge, so no other service may be listening on the port it uses (port 80 for the HTTP challenge) while the command runs.

letsencrypt certonly --standalone -d console.postfix.io

The output:

- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/console.postfix.io/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/console.postfix.io/privkey.pem
...

Open main.cf

vim /etc/postfix/main.cf

Replace the following lines:

smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key

with the paths of the Let's Encrypt certificate and key (fullchain.pem, not cert.pem, so that the intermediate is sent along with the server certificate):

smtpd_tls_cert_file=/etc/letsencrypt/live/console.postfix.io/fullchain.pem
smtpd_tls_key_file=/etc/letsencrypt/live/console.postfix.io/privkey.pem

Reload Postfix. Two things to check before you do: the Debian and Ubuntu packages already turn on inbound STARTTLS with smtpd_use_tls=yes, but if your main.cf has neither that nor smtpd_tls_security_level = may, the new certificate will never be offered; and the private key under /etc/letsencrypt is readable by root only, which is fine because Postfix loads the key files before dropping privileges, so do not loosen those permissions.

systemctl reload postfix.service
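A Let's Encrypt certificate is only valid for 90 days, and each smtpd process loads the certificate files when it starts, so after a renewal Postfix should be reloaded to guarantee the new chain is served immediately. The script below is an added example, not part of the original article, showing a certbot deploy hook that reloads Postfix only when the renewed certificate is the one Postfix actually serves. It assumes a certbot version that supports deploy hooks (scripts in /etc/letsencrypt/renewal-hooks/deploy/, or a script passed with --deploy-hook) and that certbot exports RENEWED_LINEAGE to the hook as documented; the function names are chosen for this example.

```shell
#!/bin/sh
# Added example (not from the original article): certbot deploy hook that
# reloads Postfix only when the certificate Postfix serves was renewed.
# Assumptions: certbot exports RENEWED_LINEAGE (/etc/letsencrypt/live/<name>)
# to deploy hooks; postconf(1), systemctl(1) and logger(1) exist on the host.
# Install as /etc/letsencrypt/renewal-hooks/deploy/postfix-reload.sh, mode 0755.

# Return 0 if cert_path lives inside the renewed lineage directory.
# Pure string check, so it can be exercised without certbot or Postfix.
cert_in_lineage() {
    lineage=${1%/}    # tolerate a trailing slash on the lineage path
    cert_path=$2
    case "$cert_path" in
        # The "/" after the lineage is deliberate: it stops
        # live/console.postfix.io from matching live/console.postfix.io-0001
        "$lineage"/*) return 0 ;;
        *)            return 1 ;;
    esac
}

# Ask the running Postfix configuration which certificate it serves.
# postconf -h prints only the value, without the "name = " prefix.
postfix_cert_file() {
    postconf -h smtpd_tls_cert_file
}

# Hook body: runs only when certbot invokes us with RENEWED_LINEAGE set.
if [ -n "$RENEWED_LINEAGE" ]; then
    if cert_in_lineage "$RENEWED_LINEAGE" "$(postfix_cert_file)"; then
        # Reload instead of restart: queued mail is not disturbed and new
        # smtpd processes pick up the renewed fullchain.pem and privkey.pem.
        systemctl reload postfix.service
        logger -t certbot-hook "reloaded postfix for $RENEWED_LINEAGE"
    else
        logger -t certbot-hook "$RENEWED_LINEAGE is not used by postfix, nothing to do"
    fi
fi
```

If you run several lineages on the same host (for example one for the MX name and one for a webmail name), the path check is what keeps an unrelated renewal from reloading Postfix for nothing.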

You can verify that the MX now offers STARTTLS and that the certificate chain validates with the online test at http://checktls.com/perl/TestService.pl. Below are the test results after configuring console.postfix.io.

[Screenshot: Postfix inbound TLS with letsencrypt]
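The same check can be made from the command line with openssl s_client, which speaks STARTTLS on port 25 and reports whether the presented chain validates against the local CA store. The script below is an added example and not part of the original article. It assumes openssl(1) is installed and that the system CA directory is /etc/ssl/certs (the Debian/Ubuntu layout the article's snakeoil paths come from); the function names and the sample transcript are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original article): verify that an MX offers
# STARTTLS and presents a certificate chain that validates against the
# system CA store. Assumes openssl(1) and a CA directory at /etc/ssl/certs.

CA_PATH=/etc/ssl/certs

# Read an openssl s_client transcript on stdin and classify it.
# Prints "ok", "untrusted: <reason>" or "no-tls"; returns 0 only for "ok".
classify_tls_transcript() {
    transcript=$(cat)
    # s_client prints "Verify return code: N (text)" once a handshake has
    # completed, even when validation failed; no such line means no TLS session.
    verify=$(printf '%s\n' "$transcript" | sed -n 's/^ *Verify return code: //p' | head -n 1)
    if [ -z "$verify" ]; then
        echo "no-tls"
        return 1
    fi
    case "$verify" in
        "0 (ok)") echo "ok"; return 0 ;;
        *)        echo "untrusted: $verify"; return 1 ;;
    esac
}

# Connect to an MX on port 25, upgrade with STARTTLS, send SNI, and classify.
# -verify_hostname makes openssl also check the name in the certificate,
# which the bare "Verify return code" would not cover.
check_mx_starttls() {
    host=$1
    printf 'QUIT\r\n' | openssl s_client -starttls smtp -connect "$host:25" \
        -servername "$host" -verify_hostname "$host" -CApath "$CA_PATH" 2>&1 \
        | classify_tls_transcript
}

# Constructed transcript (not captured from a real host) used to exercise
# the classifier offline when the script is run without arguments.
SAMPLE_TRANSCRIPT='CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
---
SSL handshake has read 4242 bytes and written 419 bytes
---
    Verify return code: 0 (ok)
---'

# Usage: sh verify_starttls.sh console.postfix.io
if [ $# -eq 1 ]; then
    check_mx_starttls "$1"
else
    printf '%s\n' "$SAMPLE_TRANSCRIPT" | classify_tls_transcript   # prints: ok
fi
```

A self-signed certificate shows up here as "untrusted: 18 (self signed certificate)", and a certificate issued for a different name as "untrusted: 62 (hostname mismatch)"; both are exactly the cases the online tester flags, and the non-zero exit status makes the script usable from monitoring.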

How to enable Outbound Opportunistic TLS in Postfix

Most large mailbox providers (Gmail, Hotmail/Outlook.com, Yahoo) accept STARTTLS on their inbound MX hosts, and ESPs such as Sendgrid, Sparkpost and Mailchimp send with TLS from their MTAs, so an MTA that both offers and uses STARTTLS will encrypt most of its traffic in both directions.

You can either force Postfix to always use TLS (smtp_tls_security_level = encrypt, which defers mail to any destination that does not offer STARTTLS) or, the recommended setting for a general-purpose MTA, use opportunistic TLS: Postfix uses TLS when the recipient domain's MX offers it and falls back to a plaintext connection otherwise. Keep in mind what opportunistic TLS does and does not give you: the peer certificate is not verified, so it protects against passive eavesdropping but not against an active attacker who strips the STARTTLS offer or presents a certificate of his own. For destinations where that matters, Postfix supports per-destination policies (smtp_tls_policy_maps) and DANE.

vim /etc/postfix/main.cf

Add the following line, for example right after the smtpd_banner setting:

smtp_tls_security_level = may

Reload Postfix

systemctl reload postfix.service

Watch the log for errors while reloading:

tail -f /var/log/mail.log

Expected output:

Nov 26 13:21:54 console postfix/postfix-script[9285]: refreshing the Postfix mail system
Nov 26 13:21:54 console postfix/master[2323]: reload -- version 3.1.0, configuration /etc/postfix
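Once mail is flowing, the lines worth watching are the ones smtp(8) logs when a session is upgraded: "Anonymous", "Untrusted", "Trusted" or "Verified" TLS connection established to <MX>, followed by protocol and cipher. Anonymous means the peer presented no certificate (an anonymous cipher suite was negotiated), Untrusted means a certificate was presented but does not chain to a CA Postfix knows about, which is what you see for every destination when no smtp_tls_CAfile or smtp_tls_CApath is configured, Trusted means it chains to a configured CA, and Verified is only logged at the verify and secure levels where the name was also checked. The script below is an added example, not part of the original article, that summarises these lines per destination and lists relays that received mail without any TLS session in the same log. It needs only awk and sort; the sample log lines are constructed for this example and the function names are chosen for it.

```shell
#!/bin/sh
# Added example (not from the original article): summarise outbound TLS use
# from Postfix's log. Works on /var/log/mail.log style lines with
# smtp_tls_loglevel >= 1 and needs only awk and sort.

# Constructed sample log (not captured from a real server).
SAMPLE_LOG='Nov 26 13:25:01 console postfix/smtp[9301]: Untrusted TLS connection established to gmail-smtp-in.l.google.com[74.125.200.27]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Nov 26 13:25:02 console postfix/smtp[9301]: 4A1B2C3D4E: to=<alice@gmail.com>, relay=gmail-smtp-in.l.google.com[74.125.200.27]:25, delay=1.2, delays=0.1/0/0.6/0.5, dsn=2.0.0, status=sent (250 2.0.0 OK)
Nov 26 13:26:10 console postfix/smtp[9305]: Anonymous TLS connection established to mx.example.net[203.0.113.10]:25: TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)
Nov 26 13:27:30 console postfix/smtp[9308]: 5B2C3D4E5F: to=<bob@legacy.example.org>, relay=mail.legacy.example.org[198.51.100.5]:25, delay=0.8, delays=0.1/0/0.3/0.4, dsn=2.0.0, status=sent (250 Ok: queued)
Nov 26 13:28:00 console postfix/smtp[9310]: Untrusted TLS connection established to gmail-smtp-in.l.google.com[74.125.200.27]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)'

# Per-destination summary of TLS sessions, one line per
# "host level protocol cipher", followed by the session count. Reads stdin.
tls_sessions() {
    awk '
    /postfix\/smtp\[[0-9]+\]: (Anonymous|Untrusted|Trusted|Verified) TLS connection established to / {
        level  = $6
        host   = $11; sub(/\[.*$/, "", host)   # drop "[ip]:25:"
        proto  = $12
        cipher = $15
        n[host " " level " " proto " " cipher]++
    }
    END { for (k in n) print k " " n[k] }
    ' | sort
}

# Relays that received mail (status=sent) but never appear in a TLS
# "connection established to" line: candidates for plaintext delivery.
# Heuristic: a relay that sometimes fails the handshake and then gets a
# plaintext retry will still show up as having TLS sessions.
plaintext_relays() {
    awk '
    /postfix\/smtp\[[0-9]+\]: (Anonymous|Untrusted|Trusted|Verified) TLS connection established to / {
        host = $11; sub(/\[.*$/, "", host); tls[host] = 1
    }
    /postfix\/smtp\[[0-9]+\]: [0-9A-Za-z]+: to=</ && /status=sent/ {
        for (i = 1; i <= NF; i++)
            if ($i ~ /^relay=/) {
                host = substr($i, 7); sub(/\[.*$/, "", host); sent[host]++
            }
    }
    END { for (h in sent) if (!(h in tls)) print h " " sent[h] }
    ' | sort
}

# Usage: sh tls_report.sh /var/log/mail.log (without a file, the sample is used)
if [ $# -eq 1 ]; then log=$(cat "$1"); else log=$SAMPLE_LOG; fi
printf '%s\n' "$log" | tls_sessions
echo '--- relays with sent mail but no TLS session ---'
printf '%s\n' "$log" | plaintext_relays
```

On the sample the first report shows two Untrusted TLSv1.2 sessions to Gmail and one Anonymous session to mx.example.net (an ADH cipher, so no certificate at all was presented), and the second report flags mail.legacy.example.org as the only relay that got mail in the clear. Running it over a day of real logs tells you which of your destinations would be safe to move from "may" to a stricter per-destination policy.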