Client side configuration
Before you begin
This example assumes that at least some next hops require TLS.
Steps
- On the protector, open the /etc/postfix/tls_policy file in a text editor. If the file does not exist, create it.
- Add this line to the file:
    next.hop.domain encrypt
- Compile the file using the following command:
    postmap hash:/etc/postfix/tls_policy
- Open the /etc/postfix/main.cf file in a text editor.
- Add the following lines to the file:
    relayhost = next.hop.domain
    ## maintained by management !!!
    ## certs files
    smtp_tls_cert_file=/etc/pki/tls/certs/mydomain.com.cert
    smtp_tls_key_file=/etc/pki/tls/private/mydomain.com.key
    smtp_tls_CAfile=/etc/pki/tls/cert.pem
    ## policy map
    smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
- Run the following command:
    postfix reload
Note:
- The policy map is required for better granularity. Specifically, Postfix also transfers messages internally (for example, to the pamad plugin), and these transfers should be plain.
- Certificates are very customer-dependent. For this example, 3 PEM files were created:
    - mydomain.com.cert: the client certificate, not necessarily required by servers.
    - mydomain.com.key: the client's private key, sometimes included in the client certificate.
    - default cert.pem: the Certificate Authority (CA) certificate.
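As an added illustration of the note above (this is not code from the original page or from the product's documentation), the following Python script models how Postfix resolves the per-destination TLS level from the policy map and main.cf, using the settings above as constructed sample data. It assumes an exact-key lookup and that an unset smtp_tls_security_level means no TLS.

```python
# Added example, not from the original page: models how smtp_tls_policy_maps
# overrides the global smtp_tls_security_level per next hop, so the external
# relay gets 'encrypt' while an unlisted internal hop (such as the pamad
# plugin) stays plain. Exact-key lookup only; all data below is constructed.
# Security levels Postfix defines for a policy table, weakest to strongest.
TLS_LEVELS = ("none", "may", "encrypt", "dane", "dane-only",
              "fingerprint", "verify", "secure")
# Constructed main.cf fragment mirroring the page's settings.
MAIN_CF = """
relayhost = next.hop.domain
smtp_tls_cert_file=/etc/pki/tls/certs/mydomain.com.cert
smtp_tls_key_file=/etc/pki/tls/private/mydomain.com.key
smtp_tls_CAfile=/etc/pki/tls/cert.pem
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
"""
# Constructed tls_policy source text (the input to postmap).
TLS_POLICY = """
# destination      level [attribute=value ...]
next.hop.domain    encrypt
"""

def parse_main_cf(text):
    """Return main.cf 'key = value' lines as a dict; comments are skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def parse_tls_policy(text):
    """Return {destination: level}; reject a level Postfix does not define."""
    policy = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        dest, level = fields[0].lower(), fields[1]
        if level not in TLS_LEVELS:
            raise ValueError("unknown TLS level %r for %s" % (level, dest))
        policy[dest] = level
    return policy

def effective_level(nexthop, conf, policy):
    """Per-destination entry wins; else the global default, 'none' if unset."""
    return policy.get(nexthop.lower(), conf.get("smtp_tls_security_level", "none"))

if __name__ == "__main__":
    conf, policy = parse_main_cf(MAIN_CF), parse_tls_policy(TLS_POLICY)
    for hop in (conf["relayhost"], "127.0.0.1"):  # external relay vs. local hop
        print(hop, "->", effective_level(hop, conf, policy))
```

Running it shows the relay resolving to encrypt while the unlisted local hop stays at none; a typo in a level name is rejected at parse time rather than silently weakening the policy.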
The following command was used to create the certificate files in this example:
    genkey -days 265 $(hostname)
The genkey utility is part of the crypto-utils package, which is not installed by default and must be installed manually or with yum. To install the package with yum, use the following command:
    yum install crypto-utils
If package installation is not an option, it is possible to create the certificates using the openssl command:
    openssl req -new -nodes -keyout myhost.com.key -out req.pem
In this case, have req.pem signed by a CA, which returns the myhost.com.cert and cert.pem files.