Configure Postfix to use Let’s Encrypt SSL/TLS Certificate (Debian 8 Jessie)

I just migrated to using Let’s Encrypt certificates instead of paid-for certificates and free StartSSL ones. I also migrated one server to ISPConfig 3.1 RC1 because of its Let’s Encrypt support. This time I decided to go deeper in exploring encrypted SMTP. I had TLS configured with the old certificates, but I had never looked deeper into the Postfix configuration. This time I did!

Combing the Internet I found roughly the following recommendation:

  • Use a CA-issued certificate for SMTPD (your server)
  • Don’t bother for SMTP (client mode)

Upon further exploration I found that, despite the consensus above, both Google and Microsoft use CA certificates for SMTP client connections. So I decided that there is no harm in following that path.

The configuration fragment below from Postfix /etc/postfix/main.cf assumes that the Let’s Encrypt certificate for your host, e.g. server.yourdomain.com, has already been obtained and installed. With both security levels set to may, Postfix uses encryption when the peer offers it but falls back to an unencrypted connection when TLS is not available, and on the client side it does not reject a peer whose certificate fails verification. Also note that I have enabled requesting the client certificate (smtpd_tls_ask_ccert) in SMTPD; this is not a recommended option, as there are reports of some broken MTAs that do not work well with it. It also does little to increase security, as unencrypted sessions are still allowed in our scenario.

# TLS certificates and private keys (fullchain.pem = server cert plus Let's Encrypt intermediate)
smtpd_tls_cert_file = /etc/letsencrypt/live/server.yourdomain.com/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/server.yourdomain.com/privkey.pem
smtp_tls_cert_file = /etc/letsencrypt/live/server.yourdomain.com/fullchain.pem
smtp_tls_key_file = /etc/letsencrypt/live/server.yourdomain.com/privkey.pem

# CA bundle used to verify peer certificates (Debian/Ubuntu ca-certificates package)
smtpd_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

# Legacy switches, obsolete since Postfix 2.3; the *_tls_security_level settings below override them
smtpd_use_tls = yes
smtp_use_tls = yes

# Add TLS info to the Received: header of incoming mail
smtpd_tls_received_header = yes

# Request a client certificate (see the caveat above)
smtpd_tls_ask_ccert = yes

# Log a summary line for each TLS handshake, incoming and outgoing
smtpd_tls_loglevel = 1
smtp_tls_loglevel = 1

# Opportunistic TLS for both server and client
smtpd_tls_security_level = may
smtp_tls_security_level = may
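What the fragment above actually buys you is easiest to see by reading it back programmatically. The following is an added example, not code from the original post or from Postfix: a small Python script that parses a main.cf fragment (the one above, embedded as a sample with the post's placeholder paths) and reports the effective TLS posture of the smtpd and smtp sides: the plaintext fallback and missing peer verification that level may implies, and the legacy smtpd_use_tls / smtp_use_tls switches, which Postfix 2.3 and later override once a *_tls_security_level is set. Parameter names and level semantics follow the Postfix TLS documentation; the function names are this example's own.

```python
"""Audit the TLS posture declared in a Postfix main.cf fragment.

Added example, not from the original post.  Parses main.cf syntax and
summarises what the smtpd (server) and smtp (client) sides actually get
from their *_tls_security_level, plus the caveats a reviewer would raise.
"""
import re

# Constructed sample: the main.cf fragment shown in the post (paths are the
# post's placeholders).
SAMPLE_MAIN_CF = """\
smtpd_tls_cert_file = /etc/letsencrypt/live/server.yourdomain.com/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/server.yourdomain.com/privkey.pem
smtp_tls_cert_file = /etc/letsencrypt/live/server.yourdomain.com/fullchain.pem
smtp_tls_key_file = /etc/letsencrypt/live/server.yourdomain.com/privkey.pem
smtpd_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtpd_use_tls = yes
smtp_use_tls = yes
smtpd_tls_received_header = yes
smtpd_tls_ask_ccert = yes
smtpd_tls_loglevel = 1
smtp_tls_loglevel = 1
smtpd_tls_security_level = may
smtp_tls_security_level = may
"""

# Security levels as documented in the Postfix TLS_README.  smtpd knows only
# none/may/encrypt; the remaining levels apply to the smtp client.
LEVEL_NOTES = {
    "none": "TLS disabled",
    "may": "opportunistic: STARTTLS if offered, plaintext fallback, peer certificate not verified",
    "encrypt": "TLS required, peer certificate not verified",
    "fingerprint": "TLS required, peer certificate matched by fingerprint",
    "verify": "TLS required, CA-verified certificate, name checked per smtp_tls_verify_cert_match",
    "secure": "TLS required, CA-verified certificate, name checked against the next-hop domain",
    "dane": "DANE-verified TLS when usable TLSA records exist, otherwise opportunistic",
    "dane-only": "TLS required and DANE-verified",
}
# Levels at which the remote peer is actually authenticated.
AUTHENTICATING_LEVELS = {"fingerprint", "verify", "secure", "dane-only"}


def parse_main_cf(text):
    """Parse main.cf syntax: 'name = value', '#' comment lines, and
    continuation lines that start with whitespace.  A repeated name overrides
    the earlier one, which is how Postfix itself resolves duplicates."""
    params, last = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t":
            if last is None:
                raise ValueError(f"continuation line without a parameter: {raw!r}")
            params[last] += " " + raw.strip()
            continue
        m = re.match(r"^([A-Za-z0-9_]+)\s*=\s*(.*)$", raw)
        if not m:
            raise ValueError(f"unparsable main.cf line: {raw!r}")
        last = m.group(1)
        params[last] = m.group(2).strip()
    return params


def effective_level(params, side):
    """TLS security level for 'smtpd' or 'smtp'.  When *_tls_security_level is
    unset, apply the documented legacy mapping: *_enforce_tls=yes -> encrypt,
    *_use_tls=yes -> may, otherwise none."""
    level = params.get(f"{side}_tls_security_level")
    if level:
        return level
    if params.get(f"{side}_enforce_tls", "no") == "yes":
        return "encrypt"
    if params.get(f"{side}_use_tls", "no") == "yes":
        return "may"
    return "none"


def audit_tls(params):
    """Summarise the TLS posture of both sides and collect review warnings."""
    report = {}
    for side in ("smtpd", "smtp"):
        level = effective_level(params, side)
        has_cert = all(params.get(f"{side}_tls_{k}_file") for k in ("cert", "key"))
        has_ca = bool(params.get(f"{side}_tls_CAfile") or params.get(f"{side}_tls_CApath"))
        warnings = []
        if level != "none" and not has_cert:
            warnings.append(f"{side}: TLS enabled but no cert/key file configured")
        if level != "none" and not has_ca:
            warnings.append(f"{side}: no CAfile/CApath, peer certificates can only be logged as Untrusted")
        for legacy in ("use_tls", "enforce_tls"):
            if f"{side}_{legacy}" in params and f"{side}_tls_security_level" in params:
                warnings.append(f"{side}_{legacy} is obsolete and ignored because "
                                f"{side}_tls_security_level is set")
        if side == "smtpd" and params.get("smtpd_tls_ask_ccert") == "yes" and level == "may":
            warnings.append("smtpd_tls_ask_ccert=yes adds little while plaintext sessions are still "
                            "accepted, and some MTAs mishandle the certificate request")
        report[side] = {
            "level": level,
            "meaning": LEVEL_NOTES.get(level, "unknown level"),
            "cert_configured": has_cert,
            "ca_configured": has_ca,
            "plaintext_fallback": level in ("none", "may"),
            "verifies_peer": level in AUTHENTICATING_LEVELS,
            "warnings": warnings,
        }
    return report


if __name__ == "__main__":
    for side, entry in audit_tls(parse_main_cf(SAMPLE_MAIN_CF)).items():
        print(f"{side}: level={entry['level']} ({entry['meaning']})")
        for w in entry["warnings"]:
            print(f"  warning: {w}")
```

Run it against the real file with the output of `postconf -n` instead of the sample to audit a live box; and to see the chain the server actually hands out, `openssl s_client -starttls smtp -connect server.yourdomain.com:25` shows whether fullchain.pem (leaf plus intermediate) is being served rather than the leaf alone.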

Note the smtpd_tls_CAfile and smtp_tls_CAfile settings: they point to the file that holds the system CA bundle on Debian (and Ubuntu). This path needs to be correct so that certificates presented by remote servers (or clients) can be verified against a trusted CA. Bear in mind that at security level may the verification result is informational only: a peer whose chain does not verify is logged as Untrusted rather than rejected, so the Trusted entries in the log below confirm that the CA bundle works, not that unverified peers are refused.

Examining the mail log we can see that an Anonymous TLS session is established from the email client on a PC (the client presented no certificate of its own, which is what Anonymous means here) to our mail server, and that Trusted TLS sessions (certificate chain verified against the CA bundle) are established between servers. Gmail connects to our server because I sent a test email back.

server# tail -1000 /var/log/mail.log

Sep 19 21:47:11 srv postfix/submission/smtpd[24636]: connect from host86-136-35-169.range86-136.btcentralplus.com[86.136.35.169]
Sep 19 21:47:11 srv postfix/submission/smtpd[24636]: Anonymous TLS connection established from host86-136-35-169.range86-136.btcentralplus.com[86.136.35.169]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Sep 19 21:47:11 srv postfix/submission/smtpd[24636]: 8AAD26102A: client=host86-136-35-169.range86-136.btcentralplus.com[86.136.35.169], sasl_method=PLAIN, sasl_username=email@yourdomain.com
Sep 19 21:47:11 srv postfix/cleanup[24645]: 8AAD26102A: message-id=<8bf2732d-e28f-6fc5-4b75-0359e80acb66@yourdomain.com>
Sep 19 21:47:11 srv postfix/qmgr[1409]: 8AAD26102A: from=<email@yourdomain.com>, size=817, nrcpt=1 (queue active)
Sep 19 21:47:11 srv postfix/submission/smtpd[24636]: disconnect from host86-136-35-169.range86-136.btcentralplus.com[86.136.35.169]

Sep 19 21:47:41 srv postfix/smtp[25285]: Trusted TLS connection established to gmail-smtp-in.l.google.com[64.233.166.26]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Sep 19 21:47:42 srv postfix/smtp[25285]: 8AAD26102A: to=<email@gmail.com>, relay=gmail-smtp-in.l.google.com[64.233.166.26]:25, delay=31, delays=0.11/0.02/30/0.37, dsn=2.0.0, status=sent (250 2.0.0 OK 1474318062 2si24521895wmb.81 - gsmtp)
Sep 19 21:47:42 srv postfix/qmgr[1409]: 8AAD26102A: removed

Sep 19 21:48:02 srv postfix/smtpd[25924]: connect from mail-wm0-x233.google.com[2a00:1450:400c:c09::233]
Sep 19 21:48:02 srv postfix/smtpd[25924]: Trusted TLS connection established from mail-wm0-x233.google.com[2a00:1450:400c:c09::233]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Sep 19 21:48:02 srv postfix/smtpd[25924]: AAE8D61007: client=mail-wm0-x233.google.com[2a00:1450:400c:c09::233]
Sep 19 21:48:02 srv postfix/cleanup[24645]: AAE8D61007: message-id=<c305c07e-8bf5-bb4d-d57d-17791a34c02a@gmail.com>
Sep 19 21:48:02 srv postfix/qmgr[1409]: AAE8D61007: from=<email@gmail.com>, size=3117, nrcpt=1 (queue active)
Sep 19 21:48:02 srv postfix/smtpd[25924]: disconnect from mail-wm0-x233.google.com[2a00:1450:400c:c09::233]
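Reading these lines by eye works for one test message; on a busy server the question you actually want answered under security level may is which sessions negotiated no TLS at all. The following is an added example, not code from the original post or from Postfix: a Python parser that pairs each "TLS connection established" line with the inbound client= record or outbound to= delivery of the same process, so plaintext sessions show up explicitly. The sample log is the excerpt above plus one constructed delivery (pid 25300 to mx.example.net, a made-up host) that has no TLS line; the regexes follow the Postfix log format shown above, and the function names are this example's own.

```python
"""Classify Postfix mail.log sessions by the TLS state they negotiated.

Added example, not from the original post.  Pairs 'TLS connection
established' lines with the inbound 'client=' and outbound 'to=' records of
the same process, so that under *_tls_security_level = may you can see
which sessions silently ran in plaintext.
"""
import re
from collections import defaultdict

# Constructed sample: the log excerpt from the post, plus one made-up
# plaintext delivery (pid 25300, mx.example.net) that has no TLS line.
SAMPLE_LOG = """\
Sep 19 21:47:11 srv postfix/submission/smtpd[24636]: connect from host86-136-35-169.range86-136.btcentralplus.com[86.136.35.169]
Sep 19 21:47:11 srv postfix/submission/smtpd[24636]: Anonymous TLS connection established from host86-136-35-169.range86-136.btcentralplus.com[86.136.35.169]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Sep 19 21:47:11 srv postfix/submission/smtpd[24636]: 8AAD26102A: client=host86-136-35-169.range86-136.btcentralplus.com[86.136.35.169], sasl_method=PLAIN, sasl_username=email@yourdomain.com
Sep 19 21:47:11 srv postfix/cleanup[24645]: 8AAD26102A: message-id=<8bf2732d-e28f-6fc5-4b75-0359e80acb66@yourdomain.com>
Sep 19 21:47:11 srv postfix/qmgr[1409]: 8AAD26102A: from=<email@yourdomain.com>, size=817, nrcpt=1 (queue active)
Sep 19 21:47:11 srv postfix/submission/smtpd[24636]: disconnect from host86-136-35-169.range86-136.btcentralplus.com[86.136.35.169]
Sep 19 21:47:41 srv postfix/smtp[25285]: Trusted TLS connection established to gmail-smtp-in.l.google.com[64.233.166.26]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Sep 19 21:47:42 srv postfix/smtp[25285]: 8AAD26102A: to=<email@gmail.com>, relay=gmail-smtp-in.l.google.com[64.233.166.26]:25, delay=31, delays=0.11/0.02/30/0.37, dsn=2.0.0, status=sent (250 2.0.0 OK 1474318062 2si24521895wmb.81 - gsmtp)
Sep 19 21:47:42 srv postfix/qmgr[1409]: 8AAD26102A: removed
Sep 19 21:48:02 srv postfix/smtpd[25924]: connect from mail-wm0-x233.google.com[2a00:1450:400c:c09::233]
Sep 19 21:48:02 srv postfix/smtpd[25924]: Trusted TLS connection established from mail-wm0-x233.google.com[2a00:1450:400c:c09::233]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Sep 19 21:48:02 srv postfix/smtpd[25924]: AAE8D61007: client=mail-wm0-x233.google.com[2a00:1450:400c:c09::233]
Sep 19 21:48:02 srv postfix/qmgr[1409]: AAE8D61007: from=<email@gmail.com>, size=3117, nrcpt=1 (queue active)
Sep 19 21:48:02 srv postfix/smtpd[25924]: disconnect from mail-wm0-x233.google.com[2a00:1450:400c:c09::233]
Sep 19 21:50:03 srv postfix/smtp[25300]: 3C4D5E6F70: to=<user@example.net>, relay=mx.example.net[203.0.113.10]:25, delay=1.2, delays=0.1/0.01/0.5/0.6, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 1A2B3C)
"""

# Postfix logs the trust level (Anonymous/Untrusted/Trusted/Verified), then
# protocol and cipher, once per TLS handshake; the service name between
# 'postfix/' and 'smtpd' (e.g. submission/) is optional.
TLS_RE = re.compile(
    r"postfix/(?:\w+/)?(?P<prog>smtpd|smtp)\[(?P<pid>\d+)\]: "
    r"(?P<trust>Anonymous|Untrusted|Trusted|Verified) TLS connection established "
    r"(?:from|to) (?P<host>\S+?)\[(?P<ip>[^\]]+)\](?::\d+)?: "
    r"(?P<proto>\S+) with cipher (?P<cipher>\S+) \((?P<bits>\d+)/\d+ bits\)"
)
DISCONNECT_RE = re.compile(r"postfix/(?:\w+/)?smtpd\[(?P<pid>\d+)\]: disconnect from ")
INBOUND_RE = re.compile(
    r"postfix/(?:\w+/)?smtpd\[(?P<pid>\d+)\]: (?P<qid>[0-9A-Za-z]+): "
    r"client=(?P<host>\S+?)\[(?P<ip>[^\]]+)\](?:.*sasl_username=(?P<user>\S+))?"
)
DELIVERY_RE = re.compile(
    r"postfix/smtp\[(?P<pid>\d+)\]: (?P<qid>[0-9A-Za-z]+): to=<(?P<rcpt>[^>]+)>, "
    r"relay=(?P<relay>\S+?)\[(?P<ip>[^\]]+)\]:\d+, .*?status=(?P<status>\w+)"
)


def _record(direction, m, tls, who):
    return {
        "direction": direction,
        "qid": m.group("qid"),
        "peer": m.group("host") if direction == "in" else m.group("relay"),
        "ip": m.group("ip"),
        "who": who,  # SASL user for inbound, recipient for outbound
        "tls": tls["trust"] if tls else None,  # None means plaintext
        "proto": tls["proto"] if tls else None,
        "cipher": tls["cipher"] if tls else None,
    }


def parse_mail_log(lines):
    """Walk the log in order; emit one record per inbound message and per
    outbound delivery attempt, tagged with that process's last TLS state."""
    smtpd_tls = {}  # pid -> TLS details for the currently open inbound session
    smtp_tls = {}   # pid -> TLS details of the client's most recent connection
    records = []
    for line in lines:
        m = TLS_RE.search(line)
        if m:
            d = m.groupdict()
            (smtpd_tls if d["prog"] == "smtpd" else smtp_tls)[d["pid"]] = d
            continue
        m = DISCONNECT_RE.search(line)
        if m:
            smtpd_tls.pop(m.group("pid"), None)  # session over, forget its TLS state
            continue
        m = INBOUND_RE.search(line)
        if m:
            records.append(_record("in", m, smtpd_tls.get(m.group("pid")), m.group("user")))
            continue
        m = DELIVERY_RE.search(line)
        if m:
            tls = smtp_tls.get(m.group("pid"))
            # Connection caching can reuse a TLS session without logging it
            # again, so trust the remembered state only for the same relay IP.
            if tls and tls["ip"] != m.group("ip"):
                tls = None
            records.append(_record("out", m, tls, m.group("rcpt")))
    return records


def summarize(records):
    """Count sessions per (direction, trust level); plaintext is listed explicitly."""
    counts = defaultdict(int)
    for r in records:
        counts[(r["direction"], r["tls"] or "plaintext")] += 1
    return dict(counts)


def plaintext_deliveries(records):
    """Outbound deliveries that negotiated no TLS at all."""
    return [r for r in records if r["direction"] == "out" and r["tls"] is None]


if __name__ == "__main__":
    recs = parse_mail_log(SAMPLE_LOG.splitlines())
    for key, n in sorted(summarize(recs).items()):
        print(f"{key[0]:3} {key[1]:10} {n}")
    for r in plaintext_deliveries(recs):
        print(f"plaintext delivery {r['qid']} to {r['who']} via {r['peer']}")
```

Deferred attempts logged with relay=none carry no host and are skipped, which is fine for this purpose since nothing was transmitted. A steady stream of plaintext deliveries to one relay is the signal that the destination does not offer STARTTLS, or that something on the path is stripping it; level may will never tell you on its own.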

Furthermore, examining the email source (the Received: headers) also confirms the working configuration:

Received: from mail-wm0-x233.google.com (mail-wm0-x233.google.com [IPv6:2a00:1450:400c:c09::233])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK))

Received: from server.yourdomain.com (server.yourdomain.com [xxx.xxx.xxx.xxx])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(Client CN "server.yourdomain.com", Issuer "Let's Encrypt Authority X3" (verified OK))

As a last point, the following shows the Dovecot certificate configuration (the leading < tells Dovecot to read the value from the named file). This is important if you don’t want IMAP clients to show warnings due to the use of self-signed certificates.

ssl_cert = </etc/letsencrypt/live/server.yourdomain.com/fullchain.pem
ssl_key = </etc/letsencrypt/live/server.yourdomain.com/privkey.pem
