Turn on TLS on your Postfix email server

So, as someone who runs their own mail server, one of the things I kept noticing was that when sending to GMail the message arrived, but with a red padlock with a cross through it and the message “No encryption”.

From reading about it, GMail turned on that warning for all mail that arrives from servers that don’t use TLS when sending.

This was a surprise to me, as I had thought that TLS was already enabled on the server. It turned out that encryption was enabled for the “incoming” connection (Postfix acting as the SMTP server, which is configured through the smtpd_* parameters such as smtpd_tls_security_level), but not for any “upstream” message sending, i.e. when my server is the SMTP client initiating the connection to the recipient’s MX. Postfix keeps these as two independent sets of parameters, and the outgoing side is governed by the smtp_* parameters (no “d”), so enabling one does nothing for the other.

After a bit of research, I came upon these two links in the Postfix documentation:

http://www.postfix.org/postconf.5.html#smtp_tls_security_level

http://www.postfix.org/TLS_README.html

The key configuration line is:

smtp_tls_security_level = may

This single line turns on “opportunistic TLS”, where “opportunistic” means that our server will encrypt the connection whenever the recipient server advertises STARTTLS, and otherwise carry on in cleartext, as per the documentation:

The SMTP transaction is encrypted if the STARTTLS ESMTP feature is supported by the server. Otherwise, messages are sent in the clear

You can also define a policy table (smtp_tls_policy_maps) that sets the security level per recipient domain or next-hop server, e.g. to require TLS for GMail (encrypt) while staying opportunistic (may) for everyone else. Two caveats are worth knowing before you rely on this. First, may only protects against passive eavesdropping: an attacker on the path who strips the STARTTLS capability from the server’s EHLO response makes Postfix fall back to cleartext without complaint, whereas encrypt fails the delivery (and queues the mail) instead. Second, neither may nor encrypt checks the remote server’s certificate at all; only the stricter levels do, with secure needing a trusted CA bundle in smtp_tls_CAfile or smtp_tls_CApath, fingerprint needing pinned certificate fingerprints in the policy table, and dane needing DNSSEC-signed TLSA records for the destination.

So, after setting the above configuration and reloading Postfix, you can send the test message again and verify that the padlock and encryption warning are no longer present. You can also confirm it on your own side: with smtp_tls_loglevel = 1, every outbound delivery that used TLS logs a “TLS connection established to …” line naming the protocol and cipher, and a delivery without such a line went out in the clear.
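As an added example (not from the original post), the following shell script applies the outbound TLS settings discussed above, including a policy table that forces TLS for gmail.com, and contains the checks you would run afterwards: a model of the per-destination lookup and a classifier for the smtp(8) log lines that show whether a session was encrypted. The /etc/postfix path, the tls_policy file name and the sample log line are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original post: opportunistic outbound TLS with a
# per-destination override, plus a log check to confirm it took effect.
# POSTFIX_DIR, the policy file name and SAMPLE_LOG are assumptions.
set -eu
POSTFIX_DIR=${POSTFIX_DIR:-/etc/postfix}

# Policy table for smtp_tls_policy_maps. "encrypt" makes TLS mandatory for
# that destination but still does not verify the peer certificate; "may"
# (the global smtp_tls_security_level) is what every other destination gets.
write_tls_policy() {    # $1 = path of the policy table to write
  cat > "$1" <<'EOF'
# destination     policy
gmail.com         encrypt
EOF
}

# Model of the table lookup: exact match on the next-hop domain, otherwise
# fall back to the global level. (Postfix also accepts ".parent.domain" and
# "[host]:port" keys; this model leaves those out.)
effective_policy() {    # $1 = policy file, $2 = destination domain, $3 = global level
  awk -v dom="$2" -v def="$3" '
    $1 !~ /^#/ && NF >= 2 && $1 == dom { print $2; found = 1; exit }
    END { if (!found) print def }' "$1"
}

# Classify one smtp(8) line from mail.log (needs smtp_tls_loglevel >= 1).
# Anything other than "none" means that session was encrypted; the leading
# word says how far Postfix trusted the peer certificate.
tls_level_from_log() {  # $1 = one log line
  case "$1" in
    *"Verified TLS connection established to"*)  echo verified ;;
    *"Untrusted TLS connection established to"*) echo untrusted ;;
    *"Trusted TLS connection established to"*)   echo trusted ;;
    *"Anonymous TLS connection established to"*) echo anonymous ;;
    *) echo none ;;
  esac
}

# Constructed sample (not a real log line) of a successful delivery to Gmail
# after the change; 192.0.2.1 is a documentation address.
SAMPLE_LOG='postfix/smtp[1234]: Untrusted TLS connection established to gmail-smtp-in.l.google.com[192.0.2.1]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)'

# Apply to a running Postfix. Skipped when postconf is not installed, so the
# rest of the script can still be exercised on any machine.
apply_outbound_tls() {
  if ! command -v postconf >/dev/null 2>&1; then
    echo "postconf not found, nothing applied" >&2
    return 0
  fi
  write_tls_policy "$POSTFIX_DIR/tls_policy"
  postmap "$POSTFIX_DIR/tls_policy"
  postconf -e "smtp_tls_security_level = may" \
              "smtp_tls_loglevel = 1" \
              "smtp_tls_policy_maps = hash:$POSTFIX_DIR/tls_policy"
  postfix reload
}

# Usage: ./outbound_tls.sh --apply
# then:  grep 'TLS connection established to' /var/log/mail.log
if [ "${1:-}" = "--apply" ]; then
  apply_outbound_tls
fi
```

The policy table is deliberately tiny: gmail.com gets encrypt because we know it always offers STARTTLS, so a cleartext fallback there could only mean something on the path is interfering, while every other destination keeps the opportunistic default. If you later move a destination to secure or dane, the log classifier will start reporting "trusted" or "verified" for it instead of "untrusted".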

Setting up a VPS – Part 2 – Postfix Virtual Domain/Users

The next step in setting up the VPS was installing and configuring the mail server. For this job, I’ve gone with the current king of MTAs, Postfix. The basic approach I’ve taken is to start simple and then add functionality bit by bit. In order to do this I’ve basically followed the guide found here. In the end I’ve ended up with support for virtual domains (separate domains) and virtual users (non-UNIX users) with a flat file backend. I don’t have much to add to this tutorial, except to point out what ‘virtual_uid_maps = static:5000’ means: the virtual(8) delivery agent switches to this UID while it writes the message to disk and creates any mailbox files and folders. The UID does not have to appear in /etc/passwd, but it must be no lower than virtual_minimum_uid (default 100), and the virtual mailbox tree must be owned by, or at least writable for, that UID together with the GID you set in virtual_gid_maps. The usual way to satisfy this is to create a dedicated unprivileged user, conventionally called vmail, with UID and GID 5000, give it the mailbox directory and nothing else, so that a fault in delivery cannot touch the rest of the system.

I’ve also had to add some directives to prevent the mail server being flooded with spam. They require the connecting client to announce a fully qualified hostname in HELO, reject sender and recipient domains that don’t resolve, and reject clients whose IP address appears on a DNS blacklist (DNSBL). The order of the entries matters: permit_mynetworks and permit_sasl_authenticated come first so that our own users are never blacklist-checked, and reject_unauth_destination must stay in smtpd_recipient_restrictions ahead of the final permit, otherwise the server is an open relay (Postfix 2.10 and later also have smtpd_relay_restrictions for this). Be careful with the blacklists themselves: several of those named below have since shut down (dnsbl.njabl.org, list.dsbl.org) or been folded into zen.spamhaus.org (cbl.abuseat.org, sbl-xbl.spamhaus.org), and a DNSBL that has gone away is a risk rather than dead weight, because reject_rbl_client treats any A record as a listing. If a lapsed zone is parked with wildcard DNS, or a retired list deliberately answers for every address to force operators to remove it, every incoming message is rejected. Check each list before you use it, and keep checking it. i.e.

# Wait until the RCPT TO command before evaluating restrictions
smtpd_delay_reject = yes

# Basic restrictions
smtpd_helo_required = yes
strict_rfc821_envelopes = yes

# Requirements for the connecting server.
# The original list also had dnsbl.njabl.org and list.dsbl.org, which have
# shut down, and cbl.abuseat.org and sbl-xbl.spamhaus.org, whose data is
# included in zen.spamhaus.org; zen replaces all of them. The =127.0.0.[2..11]
# suffix treats only Spamhaus' documented "listed" return codes as a hit, so
# error replies (127.255.255.x, e.g. when querying through a public resolver)
# don't cause every message to be rejected.
smtpd_client_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
reject_rbl_client bl.spamcop.net,
reject_rbl_client zen.spamhaus.org=127.0.0.[2..11],
permit

# Requirements for the HELO statement
# (since Postfix 2.3 these two restrictions are called
#  reject_non_fqdn_helo_hostname and reject_invalid_helo_hostname;
#  the old names below still work)
smtpd_helo_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
reject_non_fqdn_hostname,
reject_invalid_hostname,
permit

# Requirements for the sender address
smtpd_sender_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
reject_non_fqdn_sender,
reject_unknown_sender_domain,
permit

# Requirement for the recipient address
smtpd_recipient_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
reject_non_fqdn_recipient,
reject_unknown_recipient_domain,
reject_unauth_destination,
permit

These directives originally came from the email section of an article on howtoforge.com about setting up Mandriva Directory Server.
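Because a dead or parked DNSBL can silently turn into a reject-everything rule, here is an added check (not from the original post or the howtoforge article) that verifies each list with the RFC 5782 test addresses before you put it in reject_rbl_client: 127.0.0.2 must be listed and 127.0.0.1 must not be. The live query needs dig and network access; the query-name construction and the verdict logic run offline.

```shell
#!/bin/sh
# Added example, not from the original post: check that a DNSBL is still alive
# and sane before listing it in reject_rbl_client. RFC 5782 test entries:
# 127.0.0.2 MUST be listed, 127.0.0.1 MUST NOT be. A zone that answers for
# 127.0.0.1 (lapsed, parked or wildcarded, or returning an error code such as
# Spamhaus' 127.255.255.254 for queries via public resolvers) would make
# Postfix reject every incoming message, because any A record counts as a hit.
set -eu

# DNSBL query name for an IPv4 address: reverse the octets, append the zone.
dnsbl_query_name() {    # $1 = dotted IPv4 address, $2 = DNSBL zone
  zone=$2
  set -- $(printf '%s' "$1" | tr '.' ' ')   # octets become $1..$4
  printf '%s.%s.%s.%s.%s\n' "$4" "$3" "$2" "$1" "$zone"
}

# Interpret the A records returned for a query (empty string = NXDOMAIN).
# DNSBL answers live in 127.0.0.0/8; anything else means the zone is broken
# or parked, not that the client is listed.
dnsbl_verdict() {       # $1 = newline-separated A records, "" if none
  [ -n "$1" ] || { echo not-listed; return 0; }
  for a in $1; do
    case "$a" in
      127.*) ;;
      *) echo broken; return 0 ;;
    esac
  done
  echo listed
}

# Live check of one zone (needs dig and network): prints ok or broken.
dnsbl_health() {        # $1 = DNSBL zone
  pos=$(dnsbl_verdict "$(dig +short A "$(dnsbl_query_name 127.0.0.2 "$1")")")
  neg=$(dnsbl_verdict "$(dig +short A "$(dnsbl_query_name 127.0.0.1 "$1")")")
  if [ "$pos" = listed ] && [ "$neg" = not-listed ]; then
    echo ok
  else
    echo "broken (127.0.0.2: $pos, 127.0.0.1: $neg)"
  fi
}

# Usage: ./dnsbl_check.sh --check bl.spamcop.net zen.spamhaus.org
if [ "${1:-}" = "--check" ]; then
  shift
  for z in "$@"; do
    printf '%-24s %s\n' "$z" "$(dnsbl_health "$z")"
  done
fi
```

Run it from the mail server itself, using the same resolver Postfix uses, since some lists answer differently (or with an error code) depending on where the query comes from. A list that reports broken should come out of smtpd_client_restrictions straight away; running the check from cron and alerting on a change is cheap insurance against the failure mode described above.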

There’s still a lot of work to go with setting up this email server, I haven’t even got to setting up Dovecot and SASL. Then I want to set up Amavis and combine it with ClamAV and SpamAssassin (with Bayesian filtering and feedback). I also need to set up DKIM, both for signing mail coming from the server and for checking incoming DKIM messages, and of course as always there’s a need for a decent web front end, to enable you to check your mail. I’ve been hearing good things about Google Apps, but I don’t know anyone that’s set it up on their own servers. I wonder whether that’s even possible or whether you have to use Google’s mail servers?

So many technologies, so little time… and this is only setting up the email 🙂