Client side configuration

Before you begin

This example assumes that at least some next hops require TLS.

Steps

  1. On the protector, open the /etc/postfix/tls_policy file in a text editor.
    If the file does not exist, create it.
  2. Add this line to the file:

    next.hop.domain encrypt

  3. Compile the file using the following command:

    postmap hash:/etc/postfix/tls_policy

  4. Open the /etc/postfix/main.cf file in a text editor.
  5. Add the following lines to the file:
    ## maintained by management !!!
    ## (Postfix does not support in-line comments; keep comments on their own line)
    relayhost = next.hop.domain
    ## certs files
    smtp_tls_cert_file=/etc/pki/tls/certs/mydomain.com.cert
    smtp_tls_key_file=/etc/pki/tls/private/mydomain.com.key
    smtp_tls_CAfile=/etc/pki/tls/cert.pem
    ## policy map
    smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
  6. Run the following command:

    postfix reload

    Note:
    • The policy map is required for finer-grained control. Specifically, Postfix also relays messages internally (for example, to the pamad plugin), and those internal transfers should stay in plain text.
    • Certificates are very customer-dependent. For this example, three PEM files were created:
      • mydomain.com.cert

        This is the client certificate, not necessarily required by servers.

      • mydomain.com.key

        This is the client’s private key; it is sometimes bundled in the client certificate file.

      • default cert.pem

        This is the Certificate Authority (CA) certificate.

    The following command was used to create the certificate files in this example:

    genkey -days 265 $(hostname)

    The genkey utility is part of the crypto-utils package, which is not installed by default; install it manually or with yum. To install the package with yum, use the following command:

    yum install crypto-utils

    If package installation is not an option, it is possible to create certificates using the openssl command:

    openssl req -new -nodes -keyout myhost.com.key -out req.pem

    In this case, submit “req.pem” to a CA for signing; the CA returns the “myhost.com.cert” and “cert.pem” files.
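As an added example (not part of the original page), a small Python check that reads a main.cf fragment and the tls_policy source file shown above and reports whether mail to the relayhost is forced onto TLS. The names parse_main_cf, parse_policy and audit are hypothetical; the main.cf parser ignores indented continuation lines, and the policy lookup is an exact-key match rather than Postfix's full lookup rules.

```python
# TLS security levels Postfix accepts in an smtp_tls_policy_maps table.
POLICY_LEVELS = {"none", "may", "encrypt", "dane", "dane-only",
                 "fingerprint", "verify", "secure"}
WEAK_LEVELS = {"none", "may"}  # levels that do not force encryption

def parse_main_cf(text):
    """Parse 'name = value' lines. As in Postfix, only whole-line '#' comments
    are skipped, so a '#' after a value stays part of the value."""
    params = {}
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        name, _, value = raw.partition("=")
        params[name.strip()] = value.strip()
    return params

def parse_policy(text):
    """Parse the tls_policy source file (postmap input) into {next_hop: level}."""
    policy = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, level = line.split()[:2]
        if level not in POLICY_LEVELS:
            raise ValueError(f"{key}: unknown TLS level {level!r}")
        policy[key] = level
    return policy

def audit(main_cf_text, policy_text):
    """Return findings on whether mail to the relayhost is forced onto TLS."""
    main_cf, policy = parse_main_cf(main_cf_text), parse_policy(policy_text)
    findings, relayhost = [], main_cf.get("relayhost", "")
    if "#" in relayhost:
        findings.append("relayhost contains '#': Postfix has no in-line "
                        "comments, so the comment became part of the value")
    level = policy.get(relayhost)  # exact-key lookup; Postfix's parent-domain
    if level is None:              # matching is not modelled here
        findings.append(f"no policy entry for relayhost {relayhost!r}; "
                        "smtp_tls_security_level decides instead")
    elif level in WEAK_LEVELS:
        findings.append(f"policy level {level!r} does not force TLS")
    return findings

# Constructed samples: the page's fragments, with and without the comment on the relayhost line.
TLS_POLICY = "next.hop.domain encrypt\n"
MAIN_CF_AS_IS = """relayhost = next.hop.domain ## maintained by management !!!
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
"""
MAIN_CF_FIXED = "## maintained by management !!!\nrelayhost = next.hop.domain\n" + MAIN_CF_AS_IS.split("\n", 1)[1]
```

Running audit(MAIN_CF_AS_IS, TLS_POLICY) reports the in-line comment and the resulting missing policy entry, while the fixed fragment produces no findings.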