Adding SSL to your Postfix Email Server


Adding an SSL certificate to your Postfix configuration lets Postfix encrypt the SMTP connections it makes to, and accepts from, other mail servers.

It’s recommended to add encryption to your email server to improve privacy. Encrypting the connection prevents your messages from being read in transit, should an intruder intercept the traffic.

It’s commonplace for emails to be encrypted, with major services such as Gmail and Outlook protecting the content of their emails in this way.

This guide will assume you already have Postfix up and running. If this is not the case, check out our article to get you started.

Generating SSL Certificates

To create the SSL certificates needed, we’ll be using OpenSSL. It’s likely that you have OpenSSL installed already – if not, you’ll need to install it.

apt install openssl    # Debian, Ubuntu, Raspberry Pi OS
dnf install openssl    # Red Hat, Fedora, CentOS

With OpenSSL installed, a private key and a self-signed certificate can be generated using the following command.

openssl req -x509 -nodes -newkey rsa:2048 -days 365 -keyout example.com.key -out example.com.csr

Replace example.com with the name you wish to use for your key. Any name will do, just be sure to use the same one in the Postfix configuration later on.

You’ll be prompted for a few extra details – there are no wrong answers here, though it is sensible to give your mail server’s host name as the Common Name, since that is the name connecting servers will see in the certificate.

With that complete, you should find that two files have been created. The one ending in .csr is the self-signed certificate (the -x509 option makes openssl write a certificate rather than the certificate signing request that extension usually denotes; without it, Postfix cannot load the file). The other, ending in .key, is the accompanying private key, which should be readable by root only.

Configuring Postfix

To store these certificates, create a new directory in your Postfix folder.

mkdir /etc/postfix/ssl

Move the generated files to this new folder.

mv example.com.key /etc/postfix/ssl
mv example.com.csr /etc/postfix/ssl

Postfix now needs to be configured to make use of the new certificate files.

To make it easier to add configuration options, Postfix includes a configuration tool called postconf. As before, replace the name of the key and certificate files with the name chosen earlier.

postconf -e 'smtp_tls_security_level = may'
postconf -e 'smtpd_tls_security_level = may'
postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination'
postconf -e 'smtpd_tls_key_file = /etc/postfix/ssl/example.com.key'
postconf -e 'smtpd_tls_cert_file = /etc/postfix/ssl/example.com.csr'

The first two parameters set the TLS security level to may, which means opportunistic TLS: Postfix uses TLS when the server on the other end accepts it, and falls back to plaintext when it does not. The smtp_ parameter applies to outgoing connections (the Postfix SMTP client) and the smtpd_ parameter to incoming connections (the Postfix SMTP server). The smtpd_recipient_restrictions line is not TLS-related; it makes the server relay mail only for authenticated users and your own networks, and refuse to relay for anyone else.

Some guides will include other parameters, such as smtpd_tls_session_cache_timeout. Often, the default Postfix value is repeated (e.g. ‘smtpd_tls_session_cache_timeout = 3600s’), which essentially changes nothing. For this reason, such parameters are excluded here.

Restart Postfix so the changes take effect.

systemctl restart postfix

Testing

To test the SSL certificate, send an email from your server to another email account. Ensure that the destination email account exposes the message headers.

Take a look at the ‘Received’ line in the email header.

Received: from example.com ([12.34.56.78])
    by recipient.com with esmtps (TLS1.2) tls TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

You should see mention of TLS, with a TLS cipher name listed. If so, the receiving server accepted an encrypted connection from yours and your SSL setup has been successful.

If this is not the case, double-check the paths entered for smtpd_tls_key_file and smtpd_tls_cert_file, and look in the mail log for any TLS errors Postfix reported when it started.
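As an added example (not part of the original article), the following script checks a key/certificate pair before you point smtpd_tls_key_file and smtpd_tls_cert_file at it: it confirms the certificate file is a real X.509 certificate rather than a bare signing request, that the private key matches it, and that the key is not world-readable. It assumes the openssl CLI is installed and builds its own throwaway files in a temporary directory.

```shell
#!/bin/sh
# Added example, not from the original article: sanity-check a Postfix TLS
# key/certificate pair. Assumes the openssl command-line tool is available.

# Returns 0 if $1 is a PEM X.509 certificate, 1 if it is a CSR or anything else.
is_certificate() {
    openssl x509 -noout -in "$1" >/dev/null 2>&1
}

# Returns 0 if the public key embedded in the certificate ($2) matches the
# private key ($1); both are compared in SubjectPublicKeyInfo PEM form.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# Returns 0 if the key file is readable by its owner only (mode 600 or 400).
key_is_private() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    case "$mode" in 600|400) return 0 ;; *) return 1 ;; esac
}

# usage: check_tls_files KEYFILE CERTFILE ; prints the first problem found.
check_tls_files() {
    is_certificate "$2"        || { echo "$2: not an X.509 certificate (a CSR is only a request)"; return 1; }
    key_matches_cert "$1" "$2" || { echo "$1 does not match $2"; return 1; }
    key_is_private "$1"        || { echo "$1: private key should be mode 600"; return 1; }
    echo "ok: $1 / $2"
}

# Constructed sample input: a self-signed pair plus a bare CSR in a temp dir.
TMP=$(mktemp -d)
openssl req -x509 -nodes -newkey rsa:2048 -days 1 -subj /CN=mail.example.com \
    -keyout "$TMP/mail.key" -out "$TMP/mail.crt" >/dev/null 2>&1
openssl req -new -key "$TMP/mail.key" -subj /CN=mail.example.com \
    -out "$TMP/mail.csr" >/dev/null 2>&1
chmod 600 "$TMP/mail.key"

check_tls_files "$TMP/mail.key" "$TMP/mail.crt"   # passes
check_tls_files "$TMP/mail.key" "$TMP/mail.csr"   # fails: CSR, not a certificate
```

Run it against your real files with check_tls_files /etc/postfix/ssl/example.com.key /etc/postfix/ssl/example.com.csr before restarting Postfix.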