Adding TLS, SASL, SSL support to Postfix on CentOS

k, so you have a wonderfully working email server. Then you try to send an email from your PC or mobile device, with no joy. Congrads, your email is set up right and postfix is refusing to send out unsecured and/or unauthenticated email.

Time to add some secure authentication.

Add the following to /etc/postfix/

smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous

Check smtpd_recipient_restrictions in, which I usually put dead last in the file. It needs permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination at a minimum. You can test out sasl if you wish at this point. I didn’t bother, but I like living on the edge. Save your and restart postfix (at the command prompt: postfix reload)

Now run these commands from root.

yum install crypto-utils
genkey –days 1000 mail.domain.tld

I went with the super paranoid encryption level, but that’s me. It’ll take a while to crunch. Don’t encrypt the key. You’d need to input a password at boot, which would be bad. You can sign your key with a CA if you wish, I didn’t see the need to pay to do so for my private email server. The keys should be put in the following locations:


Make sure the private key is owned by root and chmod 600. Verify the files exist.

Now, fire /etc/postfix/ up again and add the following:

smtpd_tls_security_level = may
smtpd_tls_key_file = /etc/pki/tls/private/mail.domain.tld.key
smtpd_tls_cert_file = /etc/pki/tls/certs/mail.domain.tld.cert
smtpd_tls_loglevel = 1
smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_session_cache_database = btree:/var/spool/postfix/smtpd_tls_cache
tls_random_source = dev:/dev/urandom
smtpd_tls_auth_only = yes # Dork with this setting during testing

Run another postfix reload.

Fire up /etc/dovecot.conf and make sure the following is included:

protocols = imap imaps pop3 pop3s
#disable_plaintext_auth = no
#ssl_disable = no
ssl_cert_file = /etc/pki/tls/certs/mail.domain.tld.cert
ssl_key_file = /etc/pki/tls/private/mail.example.tld.key
ssl_cipher_list = ALL:!LOW:!SSLv2

Restart dovecot. If it squawks, you need to add pop3_uidl_format = %08Xu%08Xv to the pop3 section. Remember to update iptables.

Read More