10.5: Set up host-specific mandatory TLS in Mail Service OS X Server
I recently had an instance in which a client company was insisting that all email communications between our servers be encrypted with TLS. We're using Leopard Server 10.5.5 (which includes Postfix 4.3.1), but it took some extra tweaking to make it work, so I thought I'd pass it on in case anyone else here ever needs it.

This hint assumes that you have a Leopard Server running Mail Service that needs to receive email from servers out on the Internet, and a security certificate for your mail server. (In the Server Admin GUI for Mail Service, that translates to having SSL set to Use, not Require, for SMTP, with the correct certificate selected.) A certificate is required for this to work, preferably one issued by a certificate authority.

When we're done, you'll be using opportunistic TLS (offers TLS but doesn't require it, since most ISP email servers don't use it) for the Internet at large and mandatory TLS just for your specified host(s). Launch Terminal and here we go...

First, create the file /etc/postfix/tls_policy in your Unix text editor of choice, with one host per line in the format shown below, as specified in the Postfix configuration guide page on TLS:
example.com       encrypt
.example.com      encrypt
The .example.com entry applies to all subdomains of example.com, while the example.com entry applies only to that exact domain. Next, issue this command:
sudo postmap hash:/etc/postfix/tls_policy
This will create the hashed file /etc/postfix/tls_policy.db. Then append the following lines to the bottom of your /etc/postfix/main.cf file in your text editor of choice:
smtp_tls_security_level = may
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
Then just stop and start Mail Service through the Server Admin GUI. This will not interfere with configuring other Mail Service preferences through the GUI. Also, note that the .db extension is left off in the main.cf entry. Don't ask me why, as I don't know. What I do know is that I was able to successfully mandate TLS with the client's domains using these settings.
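As an added example (not part of the original hint), the following Python script parses a tls_policy table in the format described above and resolves the TLS level Postfix's SMTP client would apply to a destination domain: the exact next-hop domain is tried first, then parent domains prefixed with a dot, falling back to smtp_tls_security_level. The sample table is constructed here; partner.example and gmail.com are placeholder names, not from the hint.

```python
"""Simulate Postfix smtp_tls_policy_maps lookups for next-hop domains."""

# Constructed sample table, same shape as the hint's /etc/postfix/tls_policy.
SAMPLE_TLS_POLICY = """
# client that insists on TLS for its domain and every subdomain
example.com       encrypt
.example.com      encrypt
# partner whose certificate is checked against the CA bundle (exact domain only)
partner.example   verify
"""

DEFAULT_LEVEL = "may"  # the hint's smtp_tls_security_level (opportunistic TLS)

# Levels at which Postfix refuses to deliver without TLS; 'encrypt' enforces
# encryption but does not authenticate the peer, 'verify'/'secure' also do that.
MANDATORY_LEVELS = {"encrypt", "fingerprint", "verify", "secure"}


def parse_tls_policy(text: str) -> dict:
    """Return {lookup_key: level} from table text; comments and blank lines skipped."""
    table = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, level, *_attrs = line.split()  # trailing attributes (match=, ...) ignored
        table[key.lower()] = level.lower()
    return table


def lookup_policy(table: dict, nexthop: str, default: str = DEFAULT_LEVEL):
    """Return (level, matched_key). A plain 'example.com' key covers only that
    domain; '.example.com' covers mail.example.com and other subdomains."""
    domain = nexthop.lower()
    if domain in table:
        return table[domain], domain
    labels = domain.split(".")
    for i in range(1, len(labels)):  # .example.com, then .com
        parent = "." + ".".join(labels[i:])
        if parent in table:
            return table[parent], parent
    return default, None  # no entry: smtp_tls_security_level applies


def requires_tls(level: str) -> bool:
    """True when delivery is refused unless the TLS handshake succeeds."""
    return level in MANDATORY_LEVELS


if __name__ == "__main__":
    policy = parse_tls_policy(SAMPLE_TLS_POLICY)
    for dest in ("example.com", "mail.example.com", "smtp.partner.example", "gmail.com"):
        level, key = lookup_policy(policy, dest)
        print(f"{dest:22} -> {level:8} via {key or 'default'}  mandatory={requires_tls(level)}")
```

Note that smtp.partner.example falls back to the default because the table has only the exact partner.example key; a .partner.example line would be needed to cover its subdomains.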