Mail Server : SSL/TLS Setting (2025/11/19)

Configure SSL/TLS to encrypt connections.

| [1] | |
| [2] | Configure Postfix and Dovecot. |

[root@mail ~]# vi /etc/postfix/main.cf
# line 718, 724 : comment out
# smtpd_tls_cert_file = /etc/pki/tls/certs/postfix.pem
# smtpd_tls_key_file = /etc/pki/tls/private/postfix.key

# add to last line (replace the certificate paths with your own)
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/letsencrypt/live/mail.srv.world/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/mail.srv.world/privkey.pem
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache

[root@mail ~]# vi /etc/postfix/master.cf
# line 19, 20, 23 : uncomment
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
#  -o smtpd_forbid_unauth_pipelining=no
#  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes

# if you use SMTPS (465), add the following at the end
smtps     inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes

[root@mail ~]# vi /etc/dovecot/dovecot.conf
# line 51,52 : specify certificates
ssl_server {
  cert_file = /etc/letsencrypt/live/mail.srv.world/fullchain.pem
  key_file = /etc/letsencrypt/live/mail.srv.world/privkey.pem
}

[root@mail ~]# systemctl restart postfix dovecot

| [3] | If SELinux is enabled, restore the context for the certificates. |

[root@mail ~]# restorecon -v -R /etc/letsencrypt/live/mail.srv.world

| [4] | If Firewalld is running, allow the SMTP-Submission/SMTPS/POP3S/IMAPS services. SMTP-Submission uses [587/TCP] (with STARTTLS), SMTPS uses [465/TCP], POP3S uses [995/TCP], IMAPS uses [993/TCP]. |

[root@mail ~]# firewall-cmd --add-service={smtp-submission,smtps,pop3s,imaps}
success
[root@mail ~]# firewall-cmd --runtime-to-permanent
success

| [5] | For the client settings (Mozilla Thunderbird), open the account's properties and move to [Server Settings] in the left pane, then select [STARTTLS] or [SSL/TLS] in the [Connection security] field in the right pane. |

| [6] | Move to [Outgoing Server] in the left pane, then select [STARTTLS] or [SSL/TLS] in the [Connection security] field. Also change the port to the one in use: [STARTTLS] uses [587], [SSL/TLS] uses [465]. |

| [7] | Verify that you can send and receive emails normally. |
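As an added check that is not part of the original guide, the Python script below parses the main.cf and master.cf fragments from step [2] (embedded here as constructed samples, not read from a live server) and reports the TLS settings worth confirming before going live: because the global level is `smtpd_tls_security_level = may` and the `-o smtpd_tls_security_level=encrypt` override on the submission service is left commented, Postfix also offers AUTH on port 587 before STARTTLS unless `smtpd_tls_auth_only = yes` is added to main.cf; the script also verifies that the smtps service runs in wrapper mode and that the certificate and key paths are set.

```python
# Constructed samples mirroring the step [2] fragments (not read from a live server)
MAIN_CF = """
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/letsencrypt/live/mail.srv.world/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/mail.srv.world/privkey.pem
"""
MASTER_CF = """
submission inet n - n - - smtpd
  -o syslog_name=postfix/submission
#  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
smtps inet n - n - - smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
"""
def parse_main_cf(text):
    # {parameter: value}; comments and blank lines are skipped
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            params[key.strip()] = value.strip()
    return params
def parse_master_cf(text):
    # {service: {option: value}} from each service's -o overrides; commented overrides do not apply
    services, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] not in " \t":  # a service entry starts in column 1
            current = line.split()[0]
            services[current] = {}
        elif current and line.strip().startswith("-o "):
            key, _, value = line.strip()[3:].partition("=")
            services[current][key.strip()] = value.strip()
    return services
def lint_tls(main_cf, master_cf):
    # findings for the TLS-relevant settings; an empty list means every check passed
    main, svc = parse_main_cf(main_cf), parse_master_cf(master_cf)
    findings = [f"main.cf: {k} is not set" for k in ("smtpd_tls_cert_file", "smtpd_tls_key_file") if k not in main]
    sub = svc.get("submission", {})
    if (sub.get("smtpd_sasl_auth_enable") == "yes" and sub.get("smtpd_tls_security_level") != "encrypt"
            and main.get("smtpd_tls_auth_only") != "yes"):
        findings.append("submission: AUTH offered before STARTTLS; set -o smtpd_tls_security_level=encrypt "
                        "or smtpd_tls_auth_only = yes in main.cf")
    if "smtps" in svc and svc["smtps"].get("smtpd_tls_wrappermode") != "yes":
        findings.append("smtps: port 465 needs -o smtpd_tls_wrappermode=yes (implicit TLS)")
    return findings
```

Run it against copies of your own main.cf and master.cf (read the files into the two arguments) and address any finding before opening the ports in step [4].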