In this guide, we’ll see how to install, configure and enable TLS encryption and SMTP authentication on Postfix, a free mail transfer agent, on Ubuntu. This will allow your web server to send email notifications (for WordPress, for example) in a way that respects the encryption standards.

This guide is for Ubuntu 16.04, but it should also work on an Ubuntu 14.04 web server.

1. Install Postfix

1. Run this command to start the Postfix installation:

apt-get install postfix

2. Choose “Internet Site”

3. Enter the FQDN of the server

2. Edit the Aliases

Edit this file:

nano /etc/aliases

Add the missing “root” line:

# See man 5 aliases for format
postmaster:    root
root:          [email protected]

For more information:

3. Reconfigure Postfix

To ensure everything is set properly, we’ll run this command:

sudo dpkg-reconfigure postfix

If not done already, change the System Domain name to your FQDN:

hostname.domain.com

In the “Root and postmaster mail recipient” field, add the name of the main admin user:

your_admin_user_name

Other destinations for mail:

server1.example.com, example.com, localhost.example.com, localhost

Force synchronous updates on mail queue? Answer: No

Leave the local networks as is.

Mailbox size limit (bytes): 0

Local address extension character: +

Internet protocols to use: all

4. Optional: Configure the mailbox format (Advanced Users Only)

If you are not sure about this, just skip it and go directly to step 5.

To configure the mailbox format for Maildir:

sudo postconf -e 'home_mailbox = Maildir/'

You may need to issue this as well:

sudo postconf -e 'mailbox_command ='

Note: This will place new mail in /home/username/Maildir so you will need to configure your Mail Delivery Agent to use the same path.

5. Enable TLS Encryption For Postfix

Configure Postfix to do SMTP AUTH using SASL (saslauthd):

sudo postconf -e 'smtpd_sasl_local_domain ='
sudo postconf -e 'smtpd_sasl_auth_enable = yes'
sudo postconf -e 'smtpd_sasl_security_options = noanonymous'
sudo postconf -e 'broken_sasl_auth_clients = yes'
sudo postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination'
sudo postconf -e 'inet_interfaces = all'

Create or edit this file:

nano /etc/postfix/sasl/smtpd.conf

Add the following lines:

pwcheck_method: saslauthd
mech_list: plain login

6. Generate certificates to be used for TLS encryption and/or certificate authentication

touch smtpd.key
chmod 600 smtpd.key
openssl genrsa 1024 > smtpd.key
openssl req -new -key smtpd.key -x509 -days 3650 -out smtpd.crt
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650
sudo mv smtpd.key /etc/ssl/private/
sudo mv smtpd.crt /etc/ssl/certs/
sudo mv cakey.pem /etc/ssl/private/
sudo mv cacert.pem /etc/ssl/certs/

7. Configure Postfix to do TLS encryption for both incoming and outgoing mail

sudo postconf -e 'smtp_tls_security_level = may'
sudo postconf -e 'smtpd_tls_security_level = may'
sudo postconf -e 'smtpd_tls_auth_only = no'
sudo postconf -e 'smtp_tls_note_starttls_offer = yes'
sudo postconf -e 'smtpd_tls_key_file = /etc/ssl/private/smtpd.key'
sudo postconf -e 'smtpd_tls_cert_file = /etc/ssl/certs/smtpd.crt'
sudo postconf -e 'smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem'
sudo postconf -e 'smtpd_tls_loglevel = 1'
sudo postconf -e 'smtpd_tls_received_header = yes'
sudo postconf -e 'smtpd_tls_session_cache_timeout = 3600s'
sudo postconf -e 'tls_random_source = dev:/dev/urandom'

Remember to change this to yours:

sudo postconf -e 'myhostname = server1.example.com'

8. Restart the Postfix daemon

sudo /etc/init.d/postfix restart

9. Configure Postfix To Use SASL For SMTP AUTH

Install libsasl2-2, sasl2-bin and libsasl2-modules:

apt-get install libsasl2-2 sasl2-bin libsasl2-modules

Edit this file in order to activate saslauthd:

nano /etc/default/saslauthd

Remove the # in front of START=yes, add the PWDIR, PARAMS and PIDFILE lines, and edit the OPTIONS line at the end:

# This needs to be uncommented before saslauthd will be run automatically
START=yes

PWDIR="/var/spool/postfix/var/run/saslauthd"
PARAMS="-m ${PWDIR}"
PIDFILE="${PWDIR}/saslauthd.pid"

# You must specify the authentication mechanisms you wish to use.
# This defaults to "pam" for PAM support, but may also include
# "shadow" or "sasldb", like this:
# MECHANISMS="pam shadow"

MECHANISMS="pam"

# Other options (default: -c)
# See the saslauthd man page for information about these options.
#
# Example for postfix users: "-c -m /var/spool/postfix/var/run/saslauthd"
# Note: See /usr/share/doc/sasl2-bin/README.Debian
#OPTIONS="-c"

#make sure you set the options here otherwise it ignores params above and will not work
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"

We then update the dpkg “state” of /var/spool/postfix/var/run/saslauthd. The saslauthd init script uses this setting to create the missing directory with the appropriate permissions and ownership:

sudo dpkg-statoverride --force --update --add root sasl 755 /var/spool/postfix/var/run/saslauthd

Note: This may report an error that “--update given” and the “/var/spool/postfix/var/run/saslauthd” directory does not exist. You can ignore this: the directory will be created when you next start saslauthd.

Apparently, saslauthd looks for the config file /etc/saslauthd rather than /etc/default/saslauthd. This link fixes the issue:

sudo ln -s /etc/default/saslauthd /etc/saslauthd

10. Finally, start saslauthd

sudo /etc/init.d/saslauthd start

To see if SMTP-AUTH and TLS work properly now, run the following command:

telnet localhost 25

After you have established the connection to your Postfix mail server, type:

ehlo localhost

If you see the lines:

250-STARTTLS
250-AUTH

…among others, everything is working. Type quit to return to the system’s shell.
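The same EHLO check can be scripted instead of read by eye. This is an added example, not part of the guide: SAMPLE_EHLO is a constructed reply from a server set up as above, and the helper names are my own. Besides confirming STARTTLS and AUTH, it notes when PLAIN/LOGIN are advertised on the plaintext session (the consequence of smtpd_tls_auth_only = no).

```shell
#!/bin/sh
# Added example: parse an EHLO reply for STARTTLS and AUTH support.
# SAMPLE_EHLO is a constructed reply, not captured from a real server.
SAMPLE_EHLO='250-server1.example.com
250-PIPELINING
250-SIZE 10240000
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250 DSN'

# ehlo_has REPLY KEYWORD: succeed if KEYWORD is advertised as an extension
ehlo_has() {
    printf '%s\n' "$1" | grep -qE "^250[- ]$2( |$)"
}

# ehlo_auth_mechs REPLY: print the SASL mechanisms from the "250-AUTH ..." line
ehlo_auth_mechs() {
    printf '%s\n' "$1" | sed -n 's/^250[- ]AUTH \(.*\)/\1/p' | head -n 1
}

# check_ehlo REPLY: print status lines; return 0 only if STARTTLS and AUTH are both offered
check_ehlo() {
    _r="$1"; _rc=0
    if ehlo_has "$_r" STARTTLS; then echo "ok: STARTTLS offered"
    else echo "missing: STARTTLS"; _rc=1; fi
    if ehlo_has "$_r" AUTH; then
        echo "ok: AUTH offered ($(ehlo_auth_mechs "$_r"))"
        # Mechanisms listed here are usable before STARTTLS; PLAIN/LOGIN
        # then carry the password unencrypted unless smtpd_tls_auth_only = yes
        case " $(ehlo_auth_mechs "$_r") " in
            *" PLAIN "*|*" LOGIN "*) echo "note: PLAIN/LOGIN accepted before STARTTLS" ;;
        esac
    else echo "missing: AUTH"; _rc=1; fi
    return $_rc
}

check_ehlo "$SAMPLE_EHLO"
```

To check a live server, capture the reply with `printf 'ehlo localhost\r\nquit\r\n' | nc localhost 25` and pass it to check_ehlo.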

Your server should now send encrypted messages. If you still get a warning from your email provider, consider adding an SPF TXT record to your DNS.

To get more information about Postfix and its options, check Help Ubuntu.