SMTP Authentication And Encryption help

I was reading some posts here but I am still confused.
I’m not strog on this issues.
I have a dedicated server (Fedora8) with a few virtual hosts.
I need to secure Postfix-SMTP, Enable TLS encryption to prevent spam sendings from eventual hijackers.
The only certificate I have installed is one created by me with Webmin module to access cp via https.
I need some basic data on how to start on this, which kind of certificate I need, if it would be enough the free one from
Thanks a lot in advance.

PS: from I have ssl.key(decripted) ssl.crt and ssl.csr<br><br>Post edited by: marciano, at: 2009/05/24 04:53


Well, there is a self-signed certificate installed and setup for you by default within Postfix.

To start using it, you only need enable SMTPS and Submission in Postfix (which use ports 465 and 587).

To do that, you can uncomment the lines described here:

When you restart Postfix, you can than configure your email client to use a secure connection with your outgoing SMTP.

If you ever opt to buy a commercial SSL certificate. you can always use that in place of the existing self-signed cert.

Hello Eric, thanks for your reply.
At the same time you were posting it I was editing my first one.
Would it be better to use those files from than those already installed?
Thank you

(I couldn’t edit last post -> Oops! You’ve hit a bug in the forum software. We already know about the problem. Apologies for the inconvenience.)

So I have to open those port for outbound in my afp firewall…

UDP too?

No, they’re only TCP ports.

I’m not really familiar with startssl certificates. If it’s free, then no, there wouldn’t really be an advantage to that over what’s already available in Postfix.

Actually, it looks like they are accepted by browsers. I assume they are chained certificates, similar to the ones GoDaddy and others sell for ten to twenty bucks per year. I dunno. Research would be needed. But they look like actual certificates with real browser support.

… and inbound

I also have added these lines to

submission inet n - - - - smtpd
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
smtps inet n - - - - smtpd
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING

As I understand this is a secure way to send mail from client. Isn’t it?
Actually I want to prevent any stranger script to send bulk mail using mail() from a php script or something similar.
Anyway, after performing those changes in and conf.apf (restarted both)
I’ve set my client SMTP server (Thunderbird mail) to SSL and port 465. Then I get:
The server is refusing SMTP connections
Returning to ‘TLS if available’ sendings go well.
Thank you both Joe and Eric

So you said you restarted Postfix after making those changes to the file?

If you log in over SSH, and type "netstat -an | grep :465" – do you get any output?

Enabling the above allows remote clients to securely connect to your server, over both an authenticated and encrypted connection, to send email.


Yes, Postfix has been restarted. From the maillog I also got this:
daemon started – version 2.5.5, configuration /etc/postfix
May 26 17:16:55 postfix/qmgr[15645]: warning: bounce_queue_lifetime is larger than maximal_queue_lifetime - adjusting bounce_queue_lifetime

tcp 0 0* LISTEN

Can you verify that port 465 is visible externally?

You can try telnet’ing into that port from another system, for example.

There’s a problem here.
From local
% telnet localhost 465
Connected to localhost.
Escape character is ‘^]’.
Connection closed by foreign host.

From outside is the same changing localhost by
Thank you

Yup, that shouldn’t disconnect.

So what shows up in the email log whenever you try connecting like that?

warning: No server certs available. TLS won’t be enabled
May 27 16:02:58 postfix/smtpd[4117]: connect from unknown[]
May 27 19:02:58 postfix/smtpd[4117]: warning: Wrapper-mode request dropped from unknown[
] for service smtps. TLS context initialization failed. For details see earlier warnings in your logs.
May 27 19:02:58 postfix/smtpd[4117]: disconnect from unknown[***]

It sounds like your Postfix file may be awry.

You may want to look in there and make sure that the SSL/TLS goodies are setup correctly.

That’s normally done for you when installing Virtualmin with the – if you installed manually, then those may not be setup yet.

If you aren’t certain what’s wrong, you could always post your /etc/postfix/ file.

This file has been modified a few times but I don’t remember if it went from Virtualmin installation.
Thank you.

command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
unknown_local_recipient_reject_code = 550
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
debug_peer_level = 2
debugger_command =
xxgdb $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail.postfix
newaliases_path = /usr/bin/newaliases.postfix
mailq_path = /usr/bin/mailq.postfix
setgid_group = postdrop
html_directory = no
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/postfix-2.5.5/samples
readme_directory = /usr/share/doc/postfix-2.5.5/README_FILES

virtual_alias_maps = hash:/etc/postfix/virtual
home_mailbox = Maildir/
mail_spool_directory = /var/spool/mail

#mailbox_command = /usr/bin/procmail -t /etc/procmailrc
#mailbox_command = procmail-wrapper -o -a $DOMAIN -d $LOGNAME
#mailbox_command = procmail -a "$EXTENSION"
#mailbox_command = procmail -t /etc/procmailrc
ipc_idle = 10s
notify_classes = resource, software
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_local_domain = $myhostname

#smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
#relayhost = [mail.***.com]

######### from
queue_directory = /var/spool/postfix
mail_owner = postfix
data_directory = /var/lib/postfix

#added March 6, 2009
#inet_interfaces = localhost
#inet_protocols = all
proxywrite_service_name = proxywrite
maximal_queue_lifetime = 2d

smtpd_error_sleep_time = 1s
smtpd_soft_error_limit = 10
smtpd_hard_error_limit = 20

Oh, and before I tear into your config too much, are you running saslauthd?

If not, you need to have that up and running:

/etc/init.d/saslauthd start

You were right, it was not running.
Anyway still errors sending mails in SSL (465)

May 27 22:50:35 postfix/smtpd[686]: warning: No server certs available. TLS won’t be enabled
May 27 22:50:35 postfix/smtpd[686]: connect from unknown[]
May 28 01:50:35 postfix/smtpd[686]: warning: Wrapper-mode request dropped from unknown[
] for service smtps. TLS context initialization failed. For details see earlier warnings in your logs.

Ah, that went okay. Thanks!

I am looking both received test mail headers sent with and w/o ssl
The noticeable thing was that mail sent with cert does not content spamassassin filtering headers like the other sent without cert.
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
X-Spam-Status: No, score=-104.3 required=5.0 tests=ALL_TRUSTED,AWL,BAYES_00,

Do I care about this?

And back to my first post.
Is it possible to force every user to send mail using ssl?
Does it worth to prevent massive spam sending from a strange script (php, cgi or other)?
Or there’s another way to prevent this devil?
Thanks again.