Part 9. Encrypt mail traffic

List of articles in the series


Running a mail server over unencrypted connections is dangerous. The problem is not only that messages can be read in transit: an attacker on the path can capture a user's login and password the moment the mail client authenticates in cleartext, and then use that account to send spam through your server.

Encryption relies on X.509 (SSL/TLS) certificates. If you can buy a certificate from a certification authority, buy one; if not, generate a self-signed certificate and key with the following command (it writes both into smtpd.pem):

openssl req -new -nodes -x509 -out smtpd.pem -keyout smtpd.pem -days 3650

The req subcommand creates a certificate signing request; combined with -x509 it produces a self-signed certificate directly instead.

Parameters of this command:

-new - create a new certificate request

-nodes - do not encrypt the private key (the server must be able to load it at startup without a passphrase)

-x509 (together with -new) - create a self-signed certificate instead of a request

-keyout - location of the private key

-out - location of the self-signed certificate (here the same file as the key, so smtpd.pem ends up containing both)

-days - validity period of the certificate (365x10 days, roughly ten years)


While the command runs you will be asked for the following fields: Country Name, State or Province Name, Locality Name, Organization Name, Organizational Unit Name, Common Name and Email Address. The most important one is Common Name: it must be the FQDN that clients will use to connect to the server for sending and receiving mail. Two caveats. Current mail clients validate the name against the subjectAltName extension rather than the Common Name, so with OpenSSL 1.1.1 or newer add -addext "subjectAltName=DNS:<fqdn>" to the command above. And because smtpd.pem contains the private key, keep it owned by root with mode 0600. A self-signed certificate will also produce a trust warning in clients until they import it; that is the price of not buying one.
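As an added example (not part of the original article), here is the same certificate generation done non-interactively, with a subjectAltName, followed by the checks worth running before Postfix and Dovecot pick the file up: that the name is present in the SAN, that the key and certificate in the combined PEM actually belong together, that nobody but the owner can read the key, and that the certificate is not about to expire. The host name mail.example.com and the output path are assumptions; in production the path is the /etc/postfix/smtpd.pem used later in this article.

```shell
#!/bin/sh
# Added example, not from the original article: generate the combined
# key+certificate file the article describes, but non-interactively and
# with a subjectAltName, then run the checks worth doing before Postfix
# and Dovecot load it. FQDN and output path are assumed values.

FQDN="${FQDN:-mail.example.com}"   # assumed; use the name clients connect to
PEM="${PEM:-./smtpd.pem}"          # the article's production path is /etc/postfix/smtpd.pem

# Self-signed certificate plus unencrypted key in one PEM file, as in the
# article. -subj answers the prompts, -addext (OpenSSL 1.1.1+) adds the SAN
# that current clients check instead of the CN. umask 077 keeps the key 0600.
gen_selfsigned() {
    (
        umask 077
        openssl req -new -nodes -x509 -newkey rsa:2048 -sha256 -days 3650 \
            -subj "/CN=$FQDN" -addext "subjectAltName=DNS:$FQDN" \
            -keyout "$PEM" -out "$PEM" 2>/dev/null
    )
}

# 0 if the certificate in $1 lists $2 as a DNS subjectAltName.
cert_has_san() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -qwF "DNS:$2"
}

# 0 if the private key and certificate in $1 belong together: both must
# yield the same public key. A mismatch is what Postfix reports as
# "key values mismatch" when it refuses to start TLS.
key_matches_cert() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# 0 if only the owner can read $1 (the file contains the private key).
pem_is_private() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null)
    case "$mode" in 600|400) return 0 ;; *) return 1 ;; esac
}

# 0 if the certificate in $1 is still valid for at least $2 more days.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# usage: FQDN=mail.example.com PEM=/etc/postfix/smtpd.pem sh gen-check.sh generate
if [ "${1:-}" = "generate" ]; then
    gen_selfsigned || { echo "generation failed"; exit 1; }
    openssl x509 -in "$PEM" -noout -subject -enddate
    cert_has_san "$PEM" "$FQDN"   && echo "SAN ok"         || echo "SAN missing"
    key_matches_cert "$PEM"       && echo "key/cert ok"    || echo "key/cert mismatch"
    pem_is_private "$PEM"         && echo "permissions ok" || echo "key readable by others"
    cert_valid_for_days "$PEM" 30 && echo "validity ok"    || echo "expires within 30 days"
fi
```

The -addext option needs OpenSSL 1.1.1 or newer; on older releases the SAN has to be supplied through a -config file instead. The key/certificate comparison works on the combined file because the OpenSSL readers skip PEM blocks of the wrong type.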



Encrypting traffic in Postfix

Now configure Postfix to use the certificates.

In main.cf (in /etc/postfix/) add the lines:


# announce AUTH only after STARTTLS, never on a cleartext connection
smtpd_tls_auth_only = yes
smtp_use_tls = yes
smtpd_use_tls = yes

# server certificate and private key; here both live in the PEM file generated above
smtpd_tls_cert_file = /etc/postfix/smtpd.pem
smtpd_tls_key_file = /etc/postfix/smtpd.pem

smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_scache
smtp_tls_note_starttls_offer = yes


If the certification authority supplied a CA certificate along with the one you purchased, add a line to the file:

smtpd_tls_CAfile = /etc/postfix/root.crt

Note that smtpd_tls_CAfile mainly defines which CAs Postfix trusts when verifying remote client certificates. The intermediate certificates that clients need in order to validate your server certificate are best appended to the certificate file itself, directly after the server certificate; the root certificate never needs to be sent, since clients already have it.


Explanation of the parameters

smtp_use_tls - as a client, use TLS if the remote server announces support for it (opportunistic TLS; on Postfix 2.3 and later the preferred spelling is smtp_tls_security_level = may),

smtpd_use_tls - announce STARTTLS to connecting clients (newer spelling: smtpd_tls_security_level = may),

smtpd_tls_auth_only - offer and accept SMTP authentication only on TLS-protected connections, so passwords never cross the wire in the clear,

smtpd_tls_key_file - location of the server's private key,

smtpd_tls_cert_file - location of the server certificate,

smtpd_tls_session_cache_database - file holding the TLS session cache (smtpd_ for incoming, smtp_ for outgoing sessions),

smtp_tls_note_starttls_offer - log the names of remote servers that offer STARTTLS while TLS is not yet enabled for connections to them, so you can see where encryption is available but unused,

smtpd_tls_CAfile - location of the trusted CA certificates.


Enabling SMTP submission

In master.cf (in /etc/postfix/) add or uncomment the following lines. The -o lines must be indented, since a line starting with whitespace continues the service definition above it. encrypt makes STARTTLS mandatory on this port (nothing but STARTTLS is accepted before encryption), SASL authentication is switched on for it, and only authenticated clients may relay (on Postfix older than 2.10, which has no smtpd_relay_restrictions, put the same value in smtpd_recipient_restrictions):


submission inet n       -       -       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject



Server administrators choose which port their clients use to submit outgoing mail: 25 or 587. The specifications and most servers support both, but 25 is primarily the port for server-to-server delivery, while 587 is the dedicated submission port (RFC 6409) and is the one to give to mail clients. Port 465 (SMTPS) is also widely supported; for years the advice was to prefer the standard ports with the ESMTP STARTTLS command, and that still works everywhere, but RFC 8314 (2018) reinstated 465 as a standard submission port and recommends implicit TLS for mail clients, so offering 465 in addition to 587 is a reasonable choice today.

The difference between ports 25, 465 and 587: on port 465 the connection must start with TLS immediately. Port 587 works the same way as 25: the connection opens in cleartext, and the client issues STARTTLS to switch to encryption if the server announced STARTTLS in its reply to EHLO. SMTPS on 465 is the older mechanism, STARTTLS the newer and more flexible one, but it is also the one that can be downgraded: a client that treats TLS as optional will carry on in cleartext if someone in the path strips the STARTTLS line from the EHLO reply. On the server, smtpd_tls_security_level = encrypt on the submission service closes that hole; on the client side, configure mail programs to require TLS rather than use it only when offered.
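The practical test of smtpd_tls_auth_only (explained above) and of the port modes just described is to look at what the server offers before encryption starts. The following is an added example, not code from the article: it classifies a cleartext EHLO reply (constructed samples included) and wraps the probes you would point at a real host: a plaintext EHLO over bash's /dev/tcp, openssl s_client with -starttls smtp for 25/587, and a direct TLS handshake for 465 and for the IMAPS port 993 that the Dovecot section configures. Host names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article: a check for what a server
# hands out in cleartext. With smtpd_tls_auth_only = yes the AUTH extension
# must not appear in the EHLO reply before STARTTLS, so a client can never be
# talked into sending a password in the clear (the risk the article opens
# with). Host names and the sample replies below are constructed.

# 0 if an EHLO reply (passed as text) advertises AUTH, i.e. the server
# would accept a password on this unencrypted connection.
ehlo_offers_auth() {
    printf '%s\n' "$1" | grep -Eiq '^250[ -]AUTH[ =]'
}

# 0 if the reply advertises STARTTLS.
ehlo_offers_starttls() {
    printf '%s\n' "$1" | grep -Eiq '^250[ -]STARTTLS'
}

# Verdict for a cleartext EHLO reply:
#   cleartext-auth - AUTH offered before STARTTLS (smtpd_tls_auth_only is off)
#   secure         - STARTTLS offered, AUTH withheld until the session is encrypted
#   no-tls         - the server does not offer STARTTLS at all
classify_ehlo() {
    if ehlo_offers_auth "$1"; then echo cleartext-auth
    elif ehlo_offers_starttls "$1"; then echo secure
    else echo no-tls
    fi
}

# Constructed sample replies (not captured from a real server).
# Before the fix: AUTH is visible on the plaintext session.
EHLO_BEFORE='250-mail.example.com
250-PIPELINING
250-SIZE 10240000
250-STARTTLS
250-AUTH PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250 8BITMIME'
# After smtpd_tls_auth_only = yes: AUTH only appears once TLS is up.
EHLO_AFTER='250-mail.example.com
250-PIPELINING
250-SIZE 10240000
250-STARTTLS
250-ENHANCEDSTATUSCODES
250 8BITMIME'

# Live probes: they need network access and run only on request.
# Cleartext EHLO on 25 or 587 via bash's /dev/tcp. It waits for the 220
# banner first, because Postfix may drop clients that send before it.
live_ehlo() {   # usage: live_ehlo host port
    bash -c '
        exec 3<>"/dev/tcp/$1/$2" || exit 1
        IFS= read -r banner <&3
        printf "EHLO probe.example.com\r\n" >&3
        while IFS= read -r line <&3; do
            line=$(printf "%s" "$line" | tr -d "\r")
            printf "%s\n" "$line"
            case "$line" in 250\ *) break ;; esac   # "250 " (space) ends the reply
        done
        printf "QUIT\r\n" >&3
    ' _ "$1" "$2"
}
# Handshake checks: STARTTLS on 25/587, TLS from the first byte on 465 (SMTPS)
# and 993 (IMAPS). Read the "Verify return code" line and the subject shown.
probe_starttls() { openssl s_client -starttls smtp -connect "$1:$2" -servername "$1" </dev/null; }
probe_implicit() { openssl s_client -connect "$1:$2" -servername "$1" </dev/null; }

# usage: sh ehlo-check.sh live mail.example.com 587
if [ "${1:-}" = "live" ]; then
    classify_ehlo "$(live_ehlo "$2" "${3:-587}")"
fi
```

A self-signed certificate will make s_client report a verify error; that is expected until the client trusts it. What matters for the password-sniffing risk is the verdict from classify_ehlo on the cleartext reply: anything other than secure means either AUTH is reachable without TLS or TLS is not offered at all.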



Configuring Dovecot

Dovecot can use a newly generated certificate and key or the same files as Postfix; with a purchased certificate they will normally be the same. Dovecot opens the certificate and key as root before dropping privileges, so the file can stay readable by root only.

In the file /etc/dovecot/conf.d/10-ssl.conf set the parameters:


# Enable TLS support
ssl = yes

# Paths to the certificate and the private key (the leading < makes Dovecot read the file contents)
ssl_cert = </etc/postfix/smtpd.pem
ssl_key = </etc/postfix/smtpd.pem


With ssl = yes Dovecot still accepts cleartext connections on 143/110 and offers STARTTLS on them; its default disable_plaintext_auth = yes (in 10-auth.conf) refuses password authentication on unencrypted connections from non-local addresses, which is the Dovecot counterpart of smtpd_tls_auth_only. Set ssl = required to refuse unencrypted connections outright.


After that, restart Postfix and Dovecot (postconf -n and doveconf -n beforehand show the effective configuration and reveal syntax errors):

service postfix restart

service dovecot restart


The mail server now supports encrypted connections. Clients can use port 587 (STARTTLS) for sending mail and port 993 for IMAP over TLS. Check both from outside with openssl s_client (-starttls smtp for 587, a plain -connect for 993) and confirm that the certificate presented is the one you installed.




You can buy the book "Mail server based on Postfix, Dovecot and RoundCube" in electronic form in the store.