In this guide, we’ll see how to install, configure and enable TLS encryption and SMTP authentication on Postfix, a free mail transfer agent for Ubuntu. This will allow your web server to send email notifications (for WordPress for example) and to do it in a way that respect the encryption standards.

This guide is for Ubuntu 16.04, but note that this tutorial should also perfectly work on an Ubuntu 14.04 web server.

1. Install Postfix

1. Run this command to start the Postfix installation:

apt-get install postfix

2. Choose “Internet Site”

3. Enter the FQDN of the server

2. Edit the Aliases

Edit this file:

nano /etc/aliases

Add the missing “root” line:

# See man 5 aliases for format
postmaster:    root
root:          [email protected]

For more informations:

3. Reconfigure Postfix

To ensure everything is set properly, we’ll run this command:

sudo dpkg-reconfigure postfix

If not done already, change the System Domain name to your FQDN:

In the “Root and postmaster mail recipient” field, add the name of the main admin user:


Other destinations for mail:,,, localhost

Force synchronous updates on mail queue? Answer: No

Leave the local networks as is.

Mailbox size limit (bytes): 0

Local address extension character: +

Internet protocols to use: all

4. Optional: Configure the mailbox format (Advanced Users Only)

If you are not sure about this, just skip it and go directly to step 5.

To configure the mailbox format for Maildir:

sudo postconf -e 'home_mailbox = Maildir/'

You may need to issue this as well:

sudo postconf -e 'mailbox_command ='

Note: This will place new mail in /home/username/Maildir so you will need to configure your Mail Delivery Agent to use the same path.

5. Enable TLS Encryption For Postfix

Configure Postfix to do SMTP AUTH using SASL (saslauthd):

sudo postconf -e 'smtpd_sasl_local_domain ='
sudo postconf -e 'smtpd_sasl_auth_enable = yes'
sudo postconf -e 'smtpd_sasl_security_options = noanonymous'
sudo postconf -e 'broken_sasl_auth_clients = yes'
sudo postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination'
sudo postconf -e 'inet_interfaces = all'

Create or edit this file:

nano /etc/postfix/sasl/smtpd.conf

Add the following lines:

pwcheck_method: saslauthd
mech_list: plain login

6. Generate certificates to be used for TLS encryption and/or certificate Authentication

touch smtpd.key
chmod 600 smtpd.key
openssl genrsa 1024 > smtpd.key
openssl req -new -key smtpd.key -x509 -days 3650 -out smtpd.crt
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650
sudo mv smtpd.key /etc/ssl/private/
sudo mv smtpd.crt /etc/ssl/certs/
sudo mv cakey.pem /etc/ssl/private/
sudo mv cacert.pem /etc/ssl/certs/

7. Configure Postfix to do TLS encryption for both incoming and outgoing mail

sudo postconf -e 'smtp_tls_security_level = may'
sudo postconf -e 'smtpd_tls_security_level = may'
sudo postconf -e 'smtpd_tls_auth_only = no'
sudo postconf -e 'smtp_tls_note_starttls_offer = yes'
sudo postconf -e 'smtpd_tls_key_file = /etc/ssl/private/smtpd.key'
sudo postconf -e 'smtpd_tls_cert_file = /etc/ssl/certs/smtpd.crt'
sudo postconf -e 'smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem'
sudo postconf -e 'smtpd_tls_loglevel = 1'
sudo postconf -e 'smtpd_tls_received_header = yes'
sudo postconf -e 'smtpd_tls_session_cache_timeout = 3600s'
sudo postconf -e 'tls_random_source = dev:/dev/urandom'

Remember to change this to yours:

sudo postconf -e 'myhostname ='

8. Restart the postfix daemon like this

sudo /etc/init.d/postfix restart

9. Configure Postfix To Use SASL For SMTP AUTH

Install libsasl2-2, sasl2-bin and libsasl2-modules

apt-get install libsasl2-2 sasl2-bin libsasl2-modules

Edit this file in order to activate saslauthd:

nano /etc/default/saslauthd

Remove # in front of START=yes, add the PWDIR, PARAMS, and PIDFILE lines and edit the OPTIONS line at the end:

# This needs to be uncommented before saslauthd will be run automatically


# You must specify the authentication mechanisms you wish to use.
# This defaults to "pam" for PAM support, but may also include
# "shadow" or "sasldb", like this:
# MECHANISMS="pam shadow"


# Other options (default: -c)
# See the saslauthd man page for information about these options.
# Example for postfix users: "-c -m /var/spool/postfix/var/run/saslauthd"
# Note: See /usr/share/doc/sasl2-bin/README.Debian

#make sure you set the options here otherwise it ignores params above and will not work
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"

We then update the dpkg “state” of /var/spool/postfix/var/run/saslauthd. The saslauthd init script uses this setting to create the missing directory with the appropriate permissions and ownership:

sudo dpkg-statoverride --force --update --add root sasl 755 /var/spool/postfix/var/run/saslauthd

Note: This may report an error that “–update given” and the “/var/spool/postfix/var/run/saslauthd” directory does not exist. You can ignore this because when you start saslauthd next it will be created.

Apparently, the saslauthd looks for the config file /etc/saslauthd and not for /etc/default/saslauthd. This link fixes this issue:

sudo ln -s /etc/default/saslauthd /etc/saslauthd

10. Finally, start saslauthd

sudo /etc/init.d/saslauthd start

To see if SMTP-AUTH and TLS work properly now run the following command:

telnet localhost 25

After you have established the connection to your postfix mail server type:

ehlo localhost

If you see the lines:


…among others, everything is working. Type quit to return to the system’s shell.

Your server should now send encrypted messages. If you still get a warning from your email provider, consider adding an SPF text to your DNS.

To get more information about Postfix and its options, check Help Ubuntu.