§2024-04-28

Next, generate or obtain a digital certificate for TLS. MUAs connecting to your mail server via TLS will need to recognise the certificate used for TLS. This can either be done using a certificate from Let’s Encrypt, from a commercial CA or with a self-signed certificate that users manually install/accept.

For MTA-to-MTA, TLS certificates are never validated without prior agreement from the affected organisations. For MTA-to-MTA TLS, there is no reason not to use a self-signed certificate unless local policy requires it. See our guide on security certificates for details about generating digital certificates and setting up your own Certificate Authority (CA).

Once you have a certificate, configure Postfix to provide TLS encryption for both incoming and outgoing mail:

sudo postconf -e 'smtp_tls_security_level = may'
sudo postconf -e 'smtpd_tls_security_level = may'
sudo postconf -e 'smtp_tls_note_starttls_offer = yes'
sudo postconf -e 'smtpd_tls_key_file = /etc/letsencrypt/live/h2jammy.yushei.net/privkey.pem'
sudo postconf -e 'smtpd_tls_cert_file = /etc/letsencrypt/live/h2jammy.yushei.net/fullchain.pem'
sudo postconf -e 'smtpd_tls_loglevel = 1'
sudo postconf -e 'smtpd_tls_received_header = yes'
sudo postconf -e 'myhostname = h2jammy.yushei.net'

The guide's version of the same two settings uses a self-signed certificate at the default Ubuntu paths (note that postconf -e overwrites the parameter, so whichever pair you run last is what main.cf keeps):

sudo postconf -e 'smtpd_tls_key_file = /etc/ssl/private/server.key'
sudo postconf -e 'smtpd_tls_cert_file = /etc/ssl/certs/server.crt'

If you are using your own Certificate Authority to sign the certificate, enter:

sudo postconf -e 'smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem'

Again, for more details about certificates see our security certificates guide.
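Because every postconf -e call above replaces the parameter it names, it is easy to lose track of which key and certificate pair is actually in main.cf after pasting both the Let's Encrypt and the self-signed variants. The following is an added example, not part of the guide or of these notes: it replays the page's postconf -e commands in order (a constructed copy, with the two /etc/ssl lines last), shows which values survive, and audits the result for the two things that matter here, the security level in each direction and a usable cert/key pair. The check for cert.pem versus fullchain.pem under /etc/letsencrypt is my own rule, added because Postfix must send the intermediate chain for clients to validate the certificate.

```python
import shlex

# Constructed: the postconf -e commands from this page, in the order they appear
# (the /etc/ssl pair from the guide comes after the Let's Encrypt pair).
COMMANDS = """\
sudo postconf -e 'smtp_tls_security_level = may'
sudo postconf -e 'smtpd_tls_security_level = may'
sudo postconf -e 'smtp_tls_note_starttls_offer = yes'
sudo postconf -e 'smtpd_tls_key_file = /etc/letsencrypt/live/h2jammy.yushei.net/privkey.pem'
sudo postconf -e 'smtpd_tls_cert_file = /etc/letsencrypt/live/h2jammy.yushei.net/fullchain.pem'
sudo postconf -e 'smtpd_tls_loglevel = 1'
sudo postconf -e 'smtpd_tls_received_header = yes'
sudo postconf -e 'myhostname = h2jammy.yushei.net'
sudo postconf -e 'smtpd_tls_key_file = /etc/ssl/private/server.key'
sudo postconf -e 'smtpd_tls_cert_file = /etc/ssl/certs/server.crt'
"""

def apply_postconf(commands):
    """Replay 'postconf -e name = value' lines into a dict: each call overwrites
    the parameter in main.cf, so the last value given for a name wins."""
    settings = {}
    for line in commands.splitlines():
        argv = shlex.split(line)
        if "postconf" not in argv or "-e" not in argv:
            continue
        for arg in argv[argv.index("-e") + 1:]:
            name, _, value = arg.partition("=")
            settings[name.strip()] = value.strip()
    return settings

def audit_tls(settings):
    """Findings about the effective TLS settings (empty list means nothing to report)."""
    findings = []
    for param, direction in (("smtpd_tls_security_level", "incoming"),
                             ("smtp_tls_security_level", "outgoing")):
        level = settings.get(param, "none")      # Postfix default is no TLS at all
        if level == "none":
            findings.append(f"{param}=none: no TLS for {direction} mail")
        elif level == "may":
            findings.append(f"{param}=may: opportunistic, {direction} mail can still fall back to plaintext")
    key = settings.get("smtpd_tls_key_file", "")
    cert = settings.get("smtpd_tls_cert_file", "")
    if not (key and cert):
        findings.append("smtpd_tls_key_file and smtpd_tls_cert_file must both be set")
    # Own rule: under /etc/letsencrypt only fullchain.pem carries the intermediate CA.
    if cert.startswith("/etc/letsencrypt/") and not cert.endswith("/fullchain.pem"):
        findings.append("Let's Encrypt cert: point smtpd_tls_cert_file at fullchain.pem so the chain is sent")
    return findings
```

Run audit_tls(apply_postconf(COMMANDS)) to see that the /etc/ssl pair is what remains and that both directions are only opportunistic, which is what 'may' means.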


When setting up TLS for Postfix, if I used Let's Encrypt and generated:

Successfully received certificate.
    Certificate is saved at: /etc/letsencrypt/live/h2jammy.yushei.net/fullchain.pem
    Key is saved at:         /etc/letsencrypt/live/h2jammy.yushei.net/privkey.pem

Where do I put them in Postfix main.cf?

Using

sudo postconf -e 'smtpd_tls_key_file = /etc/letsencrypt/live/h2jammy.yushei.net/privkey.pem'
sudo postconf -e 'smtpd_tls_cert_file = /etc/letsencrypt/live/h2jammy.yushei.net/fullchain.pem'

Is this OK?


============================================
Apr 28 15:12:12 h2Jammy dovecot: imap-login: Login: user=<alexlai>, method=PLAIN, rip=114.33.29.69, lip=192.168.16.248, mpid=27784, session=<9qAS2yIX7qRyIR1F>
Apr 28 15:12:12 h2Jammy dovecot: imap(alexlai)<27784><9qAS2yIX7qRyIR1F>: Disconnected: Logged out in=394 out=3747 deleted=0 expunged=0 trashed=0 hdr_count=2 hdr_bytes=1904 body_count=0 body_bytes=0
Apr 28 15:12:12 h2Jammy dovecot: imap-login: Login: user=<alexlai>, method=PLAIN, rip=114.33.29.69, lip=192.168.16.248, mpid=27786, session=<OREW2yIX4IxyIR1F>
Apr 28 15:12:12 h2Jammy dovecot: imap(alexlai)<27786><OREW2yIX4IxyIR1F>: Disconnected: Logged out in=87 out=661 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0
Apr 28 15:12:15 h2Jammy dovecot: imap-login: Login: user=<alexlai>, method=PLAIN, rip=210.242.152.235, lip=192.168.16.248, mpid=27790, TLS, session=<EUhM2yIXws3S8pjr>
Apr 28 15:12:16 h2Jammy dovecot: imap(alexlai)<27790><EUhM2yIXws3S8pjr>: Disconnected: Logged out in=394 out=3747 deleted=0 expunged=0 trashed=0 hdr_count=2 hdr_bytes=1904 body_count=0 body_bytes=0
Apr 28 15:12:16 h2Jammy dovecot: imap-login: Login: user=<alexlai>, method=PLAIN, rip=210.242.152.235, lip=192.168.16.248, mpid=27792, TLS, session=<ALtY2yIX0M3S8pjr>
Apr 28 15:12:16 h2Jammy dovecot: imap(alexlai)<27792><ALtY2yIX0M3S8pjr>: Disconnected: Logged out in=87 out=661 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0
========================================
Apr 28 15:12:42 h2Jammy dovecot: imap-login: Login: user=<alexlai>, method=PLAIN, rip=114.33.29.69, lip=192.168.16.248, mpid=27804, session=<PRjm3CIXduVyIR1F>
Apr 28 15:12:43 h2Jammy dovecot: imap(alexlai)<27804><PRjm3CIXduVyIR1F>: Disconnected: Logged out in=394 out=3747 deleted=0 expunged=0 trashed=0 hdr_count=2 hdr_bytes=1904 body_count=0 body_bytes=0
Apr 28 15:12:43 h2Jammy dovecot: imap-login: Login: user=<alexlai>, method=PLAIN, rip=114.33.29.69, lip=192.168.16.248, mpid=27806, session=<1Yzs3CIXeOVyIR1F>
Apr 28 15:12:43 h2Jammy dovecot: imap(alexlai)<27806><1Yzs3CIXeOVyIR1F>: Disconnected: Logged out in=87 out=661 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0
Apr 28 15:12:47 h2Jammy dovecot: imap-login: Login: user=<alexlai>, method=PLAIN, rip=210.242.152.235, lip=192.168.16.248, mpid=27809, TLS, session=</ws13SIX8M/S8pjr>
Apr 28 15:12:48 h2Jammy dovecot: imap(alexlai)<27809></ws13SIX8M/S8pjr>: Disconnected: Logged out in=394 out=3747 deleted=0 expunged=0 trashed=0 hdr_count=2 hdr_bytes=1904 body_count=0 body_bytes=0
Apr 28 15:12:48 h2Jammy dovecot: imap-login: Login: user=<alexlai>, method=PLAIN, rip=210.242.152.235, lip=192.168.16.248, mpid=27811, TLS, session=<0xQ+3SIX+s/S8pjr>
Apr 28 15:12:48 h2Jammy dovecot: imap(alexlai)<27811><0xQ+3SIX+s/S8pjr>: Disconnected: Logged out in=87 out=661 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0
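The log above shows the difference that matters: the logins from 210.242.152.235 carry the TLS marker, the ones from 114.33.29.69 do not, yet both used method=PLAIN, so the second client sent the password in the clear. The following is an added example, not part of these notes: it parses Dovecot imap-login lines (four of the ones above, embedded as a constructed sample) and flags password-bearing logins that arrived on an unprotected session from a client outside private or loopback address space. The "secured" marker handling is based on Dovecot's convention for trusted plaintext sessions.

```python
import re
from collections import Counter
from ipaddress import ip_address

# Constructed sample: four of the imap-login "Login:" events recorded above.
SAMPLE_LOG = """\
Apr 28 15:12:12 h2Jammy dovecot: imap-login: Login: user=<alexlai>, method=PLAIN, rip=114.33.29.69, lip=192.168.16.248, mpid=27784, session=<9qAS2yIX7qRyIR1F>
Apr 28 15:12:15 h2Jammy dovecot: imap-login: Login: user=<alexlai>, method=PLAIN, rip=210.242.152.235, lip=192.168.16.248, mpid=27790, TLS, session=<EUhM2yIXws3S8pjr>
Apr 28 15:12:42 h2Jammy dovecot: imap-login: Login: user=<alexlai>, method=PLAIN, rip=114.33.29.69, lip=192.168.16.248, mpid=27804, session=<PRjm3CIXduVyIR1F>
Apr 28 15:12:48 h2Jammy dovecot: imap-login: Login: user=<alexlai>, method=PLAIN, rip=210.242.152.235, lip=192.168.16.248, mpid=27811, TLS, session=<0xQ+3SIX+s/S8pjr>
"""

# Dovecot marks an encrypted session "TLS" and a trusted plaintext one "secured", just before session=<...>.
LOGIN_RE = re.compile(
    r"imap-login: Login: user=<(?P<user>[^>]*)>, method=(?P<method>\w+), "
    r"rip=(?P<rip>[^,]+), lip=(?P<lip>[^,]+), mpid=\d+, "
    r"(?:(?P<sec>TLS|secured), )?session=<(?P<session>[^>]+)>"
)

# Mechanisms that send the password itself, so they need a protected transport.
PASSWORD_MECHS = {"PLAIN", "LOGIN"}

def parse_logins(log_text):
    """Yield one dict per imap-login 'Login:' line; other lines are skipped."""
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if m:
            ev = m.groupdict()
            ev["protected"] = ev.pop("sec") is not None
            yield ev

def plaintext_logins(log_text):
    """Password-bearing logins on an unprotected session from a non-private client."""
    found = []
    for ev in parse_logins(log_text):
        client = ip_address(ev["rip"])
        exposed = ev["method"].upper() in PASSWORD_MECHS and not ev["protected"]
        if exposed and not (client.is_private or client.is_loopback):
            found.append(ev)
    return found

def exposures_by_client(log_text):
    """Count exposed logins per client IP, for a quick triage view."""
    return Counter(ev["rip"] for ev in plaintext_logins(log_text))

if __name__ == "__main__":
    for ev in plaintext_logins(SAMPLE_LOG):
        print(f"cleartext password from {ev['rip']} user={ev['user']} session={ev['session']}")
    print(dict(exposures_by_client(SAMPLE_LOG)))
```

With Dovecot's default disable_plaintext_auth = yes such logins are refused, so flagged lines usually mean that setting was relaxed or ssl is not set to required.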