10.5: Set up host-specific mandatory TLS in Mail Service
Dec 03, '08 07:30:01AM • Contributed by: SonyaLynn
I recently had an instance in which a client company was insisting that all email communications between our servers be encrypted with TLS. We're using Leopard Server 10.5.5 (which includes Postfix 4.3.1), but it took some extra tweaking to make it work, so I thought I'd pass it on in case anyone else here ever needs it.
This hint assumes that you have a Leopard Server running Mail Service which needs to be able to receive email from servers out on the Internet, and a security certificate for your mail server. (In Server Admin GUI for Mail Service, that would translate to having SSL set to Use (not Require) for SMTP with the correct certificate selected.) You will need a certificate for this to work, and preferably one issued by a certificate authority.
When we're done, you'll be using Opportunistic TLS (offers TLS but doesn't require it, since most ISP email servers don't use it) for the internet at large and Mandatory TLS just for your specified host(s). Launch Terminal and here we go...
First, create the file /etc/postfix/tls_policy in your Unix text editor of choice, with one host per line following the format shown below, as specified in the Postfix config guide page pertaining to TLS:
example.com encrypt
.example.com encrypt
.example.com entries will apply to all subdomains of example.com, while example.com entries will apply only to that one domain. Next, issue this command:
sudo postmap hash:/etc/postfix/tls_policy
This will create the hashed file /etc/postfix/tls_policy.db. Then append the following lines to the bottom of your /etc/postfix/main.cf file in your text editor of choice:
smtp_tls_security_level = may
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
Then just stop and start Mail Service through the Server Admin GUI. This will not interfere with being able to configure other Mail Service preferences through the GUI. Also, note that the .db is left off. Don't ask me why, as I don't know. What I do know is that I was able to successfully mandate TLS with the client's domains using these settings.
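To check which policy a given destination domain will actually get before restarting Mail Service, here is an added example (not part of this hint or of Postfix) that parses a tls_policy file and resolves a next-hop domain the way the hint describes: an exact key applies only to that domain, a leading-dot key applies to its subdomains, and anything else falls back to the global smtp_tls_security_level of may. The policy contents and the partner.example.net line are constructed sample data.

```python
"""Resolve the TLS security level a next-hop destination would receive.

Added example, not from the original hint. Models the lookup the hint
describes for smtp_tls_policy_maps: "example.com" matches only that
domain, ".example.com" matches its subdomains, no match falls back to
the global smtp_tls_security_level. Sample policy text is constructed.
"""

DEFAULT_LEVEL = "may"  # smtp_tls_security_level = may, as set in main.cf

# Constructed sample of /etc/postfix/tls_policy (format from the hint).
SAMPLE_POLICY = """\
# client that insists on TLS for server-to-server mail
example.com encrypt
.example.com encrypt
partner.example.net secure match=mail.partner.example.net
"""


def parse_policy(text):
    """Return {lookup_key: security_level} from tls_policy file text.

    Blank lines and '#' comments are skipped. Field one is the lookup
    key, field two the security level; extra fields (e.g. match=...)
    are per-entry attributes that this checker does not interpret.
    """
    policy = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError("malformed tls_policy entry: %r" % raw)
        policy[fields[0].lower()] = fields[1].lower()
    return policy


def lookup_policy(policy, destination, default=DEFAULT_LEVEL):
    """Return the security level for a next-hop destination domain.

    Exact key first, then ".parent" for each proper parent domain, so
    ".example.com" covers mail.example.com but not example.com itself,
    and never covers a look-alike such as notexample.com.
    """
    dest = destination.lower().rstrip(".")
    if dest in policy:
        return policy[dest]
    labels = dest.split(".")
    for i in range(1, len(labels)):
        key = "." + ".".join(labels[i:])
        if key in policy:
            return policy[key]
    return default
```

A domain that resolves to may here will still be offered TLS opportunistically; only destinations that resolve to encrypt (or stronger) have delivery refused without it.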
