Client side configuration

Before you begin

This examples assumes that at least some next hops require TLS.

Steps

On the protector, open the /etc/postfix/tls_policy file in a text editor.
If the file does not exist, create it.
Add this line to the file:

next.hop.domain encrypt
Compile the file using the following command:postmap hash:/etc/postfix/tls_policy
Open the /etc/postfix/main.cf file in a text editor.

Add the following lines to the file:

relayhost = next.hop.domain ## maintained by management !!!
## certs files
smtp_tls_cert_file=/etc/pki/tls/certs/mydomain.com.cert 
smtp_tls_key_file=/etc/pki/tls/private/mydomain.com.key 
smtp_tls_CAfile=/etc/pki/tls/cert.pem
## policy map
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy

Run the following command:postfix reload
Note:
- The policy map is required for better granularity. Specifically, Postfix also traverses messages internally (for example, to the pamad plugin), and these transfers should be plain.
- Certificates are very customer-dependent. For this example, 3 PEM files were created:
  - mydomain.com.cert
    This is the client certificate, not necessarily required by servers.
  - mydomain.com.key
    This is the client’s private key, sometimes included in client certificate.
  - default cert.pem
    This is the Certificate Authority (CA) certificate.
The following command was used to create the certificate files in this example:genkey -days 265 $(hostname)

The genkey utility is a part of crypto utilities package, which is not installed by default and should be installed manually or using yum. To install the package with yum, use the following command:yum install crypto-utils

If package installation is not an option, it is possible to create certificates using the openssl command: openssl req -new -nodes -keyout myhost.com.key -out req.pem

In this case, sign “req.pem” with a CA and get in return the “myhost.com.cert” and “cert.pem” files.