Ubuntu: How to setup TLS on postfix and dovecot

[Diablo925]

NOTICE: This is an old guide, but may still work. You can skip to Step 3 and use your panel certificates.
Update the certificate paths to point to your panel certificates:
Example: /var/sentora/hostdata/zadmin/ssl/sencrypt/letsencrypt/panel.domain.com/

How to setup TLS on Postfix and dovecot

1: first make a folder in postfix call ssl

Code:

mkdir /etc/postfix/ssl

2: Run openssl and follow the screen

Code:

openssl req -new -x509 -days 365 -nodes -out /etc/postfix/ssl/mail.domain.tld.crt -keyout /etc/postfix/ssl/mail.domain.tld.key

And

Code:

openssl req -new -x509 -extensions v3_ca -keyout /etc/postfix/ssl/cakey.pem -out /etc/postfix/ssl/cacert.pem -days 3650

Code:

Country Name (2 letter code) [AU]:DK
State or Province Name (full name) [Some-State]:.
Locality Name (eg, city) []:City name
Organization Name (eg, company) [Internet Widgits Pty Ltd]:company
Organizational Unit Name (eg, section) []:.
Common Name (e.g. server FQDN or YOUR name) []:mail.domain.tld
Email Address []:e-mail

3: Configure Postfix

Code:

nano /etc/postfix/main.cf

4: find # tls config and add

Code:

# tls config


smtp_use_tls = no
smtpd_use_tls = yes
smtpd_tls_security_level = may
smtp_tls_note_starttls_offer = yes
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
smtp_tls_session_cache_database = btree:$data_directory/smtp_tls_session_cache
smtpd_tls_key_file = /etc/postfix/ssl/mail.domain.tld.key
smtpd_tls_cert_file = /etc/postfix/ssl/mail.domain.tld.crt
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem

remove any things else under # tls config
and save and close

5: edit master.cf

Code:

nano /etc/postfix/master.cf

add after " smtp      inet  n       -       n       -       -       smtpd "

Code:

  
 submission   inet  n       -       n       -       -       smtpd

6: configure Dovecot

Code:

nano /etc/dovecot/dovecot.conf

and change

Code:

ssl = no to ssl = yes
add
ssl_cert = </etc/postfix/ssl/mail.domain.tld.crt
ssl_key = </etc/postfix/ssl/mail.domain.tld.key
ssl_ca = </etc/postfix/ssl/cacert.pem

and save and close

7: now we need to restart postfix and dovecot

Code:

service postfix restart
service dovecot restart

now you can use TLS

[Diablo925]

Made an update so now Works on ubuntu 14.04

[kineticsnc]

How to setup TLS on Postfix and dovecot
[...]

but this guide is for a single domain? ... And for others?
or "domain.tld" should be replaced with, in my case, vpsXXXXX.ovh.net?

[Diablo925]

Yes it is 1 domain

[Me.B]

You will setup TLS on main server MX reverse, you can't setup an SSL for every domain!

M B

[kineticsnc]

I have a vps with multiple domains, how should I do?

[Me.B]

you setup only TLS on main domain used for reverse! and you point to it using MX instead of each having another MX.

M B

[adrianknight]

The mails from my server are send from the Hostname of the server (hostname.domain.tld) and the MX record point to mail.domain.tld.

I pointed the PTR to mail.domain.tld but now changed it to hostname.domain.tld because first I thought the mails are send from mail.domain.tld.

Now where should I setup the TLS to? mail.domain.tld (Which is pointed by the MX record) or hostname.domain.tld (Which is the sender of the emails)?

Thank you

[apinto]

I have my TLS setup on the mx.domain.tld
Use this test to check if your TLS ison the right domain:
http://checktls.com/perl/TestReceiver.pl

You should see something simlar to this:
Cert VALIDATED: ok
Cert Hostname VERIFIED (mail.domain.tld = mail.domain.tld)

[adrianknight]

I have my TLS setup on the mx.domain.tld
Use this test to check if your TLS ison the right domain:
http://checktls.com/perl/TestReceiver.pl

You should see something simlar to this:
Cert VALIDATED: ok
Cert Hostname VERIFIED (mail.domain.tld = mail.domain.tld)

Thank you! That worked. I got my TLS setup on mail.domain.tld too