Server side configuration
Before you begin
The example assumes that at least some previous hops (upstream MTAs that deliver mail to the protector) require TLS when connecting to it.
Steps
- Open the /etc/postfix/main.cf file in a text editor.
- Add the following lines to the file:
  smtpd_tls_cert_file = /opt/websense/PolicyEngine/allcerts.cer
  smtpd_tls_key_file = $smtpd_tls_cert_file
  smtpd_tls_security_level = may
  smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
  smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
  smtpd_tls_mandatory_ciphers = high
  smtpd_tls_ciphers = high
  tls_high_cipherlist = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
  tls_preempt_cipherlist = no
  smtpd_tls_dh1024_param_file = /etc/postfix/dhparam.pem
- Generate the Diffie-Hellman parameters that the last line refers to, then reload Postfix so the new settings take effect:
  openssl dhparam -out /etc/postfix/dhparam.pem 2048
  postfix reload
  The parameter file must exist before the reload; if it does not, smtpd falls back to its compiled-in parameters for the DHE suites. Generating a 2048-bit group can take a while.
Note:
- This sample uses the protector's certificates. Some clients (previous hops) may require this certificate to be trusted by a known CA; if they verify the server certificate, use a CA-issued certificate chain in place of allcerts.cer.
- Because smtpd_tls_key_file is set to $smtpd_tls_cert_file, the certificate file must also contain the PEM private key. If the key is kept in a separate file, point smtpd_tls_key_file at that file instead, and keep it readable only by root.
- In this sample, smtpd_tls_security_level = may enables STARTTLS without making it mandatory, so clients that do not offer TLS are still accepted in plaintext. Set it to encrypt to refuse unencrypted delivery; the smtpd_tls_mandatory_protocols and smtpd_tls_mandatory_ciphers settings are the ones that apply in that mode.
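The following is an added example, not code from this page or from the protector or Postfix. It parses a main.cf fragment the way postconf would (name = value lines, indented continuation lines, $name expansion) and checks the properties the step above is meant to establish: all legacy protocols excluded, only forward-secret AEAD suites in tls_high_cipherlist, DH parameters configured when DHE suites are enabled. The two fragments inside it are constructed samples: the hardened one is this page's fragment, the weak one is a stock-install style configuration for contrast. The function and parameter names, and the "Postfix before 3.1" remark, are the example's own.

```python
import re
LEGACY = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
VAR_RE = re.compile(r"\$\{?([A-Za-z_][A-Za-z0-9_]*)\}?")

# Constructed sample: the hardened fragment from the step above.
HARDENED_MAIN_CF = """\
smtpd_tls_cert_file = /opt/websense/PolicyEngine/allcerts.cer
smtpd_tls_key_file = $smtpd_tls_cert_file
smtpd_tls_security_level = may
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_mandatory_ciphers = high
smtpd_tls_ciphers = high
tls_high_cipherlist = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
tls_preempt_cipherlist = no
smtpd_tls_dh1024_param_file = /etc/postfix/dhparam.pem
"""

# Constructed sample: a weaker fragment of the kind a stock install ships with.
WEAK_MAIN_CF = """\
smtpd_tls_cert_file = /etc/ssl/certs/snakeoil.pem
smtpd_tls_security_level = none
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_ciphers = medium
tls_high_cipherlist = ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA
"""

def parse_main_cf(text):
    # 'name = value' lines; indented lines continue the previous value, and
    # $name / ${name} references are expanded as 'postconf -x' would do.
    params, last = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and last is not None:
            params[last] += " " + raw.strip()
            continue
        name, sep, value = raw.partition("=")
        if sep:
            last = name.strip()
            params[last] = value.strip()
    for _ in range(10):  # bounded, so a self-referencing value cannot loop forever
        changed = False
        for name, value in list(params.items()):
            expanded = VAR_RE.sub(lambda m: params.get(m.group(1), ""), value)
            if expanded != value:
                params[name], changed = expanded, True
        if not changed:
            break
    return params

def split_list(value):
    return [v for v in re.split(r"[,\s]+", value.strip()) if v]  # commas and/or spaces

def protocol_findings(name, value):
    # Exclusion form '!SSLv2, !SSLv3, ...' or inclusion form 'TLSv1.2, TLSv1.3' / '>=TLSv1.2'.
    entries = split_list(value)
    if not entries:
        return [f"{name}: unset, the Postfix default still allows TLSv1 and TLSv1.1"]
    if any(e.startswith("!") for e in entries):
        excluded = {e[1:] for e in entries if e.startswith("!")}
        return [f"{name}: does not exclude {p}" for p in sorted(LEGACY - excluded)]
    return [f"{name}: explicitly enables {e}" for e in entries if e in LEGACY]

def cipher_findings(params):
    findings = []
    for name in ("smtpd_tls_ciphers", "smtpd_tls_mandatory_ciphers"):
        if params.get(name) != "high":
            findings.append(f"{name}: expected 'high', got '{params.get(name, '')}'")
    for suite in params.get("tls_high_cipherlist", "").split(":"):
        if not suite or suite[0] in "!-+@":  # OpenSSL list directives, not suites
            continue
        if not suite.startswith(("ECDHE-", "DHE-")):
            findings.append(f"tls_high_cipherlist: {suite} has no forward secrecy")
        elif "GCM" not in suite and "CHACHA20" not in suite:
            findings.append(f"tls_high_cipherlist: {suite} is not an AEAD suite")
    return findings

def lint_smtpd_tls(text):
    # Findings are weaknesses; notes are caveats the operator should know about.
    p = parse_main_cf(text)
    findings, notes = [], []
    level = p.get("smtpd_tls_security_level", "none")
    if level == "none":
        findings.append("smtpd_tls_security_level: none, STARTTLS is not offered")
    elif level == "may":
        notes.append("smtpd_tls_security_level: may, TLS is opportunistic; plaintext delivery is still accepted")
    if not p.get("smtpd_tls_cert_file"):
        findings.append("smtpd_tls_cert_file: unset")
    elif p.get("smtpd_tls_key_file") == p["smtpd_tls_cert_file"]:
        notes.append("smtpd_tls_key_file points at the certificate file, so it must also contain the PEM private key")
    for name in ("smtpd_tls_protocols", "smtpd_tls_mandatory_protocols"):
        findings += protocol_findings(name, p.get(name, ""))
    findings += cipher_findings(p)
    if any(s.startswith("DHE-") for s in p.get("tls_high_cipherlist", "").split(":")) and not p.get("smtpd_tls_dh1024_param_file"):
        findings.append("smtpd_tls_dh1024_param_file: unset while DHE suites are enabled (Postfix before 3.1 falls back to a compiled-in 1024-bit group)")
    return {"level": level, "findings": findings, "notes": notes}
```

Running lint_smtpd_tls over the output of `postconf -n` on the protector gives the same checks against the live configuration rather than a pasted fragment. To confirm the result on the wire, `openssl s_client -starttls smtp -connect <host>:25 -tls1_1` should fail the handshake after the configuration is reloaded, while the same command with `-tls1_2` should complete it and show one of the ECDHE or DHE suites from tls_high_cipherlist.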
For further details, see: http://www.postfix.org/TLS_README.html and http://www.postfix.org/postconf.5.html.