Secure SMTP between CentOS servers

Today I played a bit with SMTP/s for the sole purpose of getting encrypted communications across the board between 2 or more hosts. I have done a fair few setups before but this one comprises of 2 CentOS hosts, tic on 5.8 and tac on 6.2. In this setup, tac will be the master SMTP/s server. I am using standard CentOS repos with no added sugar. The difference between my usual setups and this one is that you never send unencrypted emails between the two servers.

Firstly, install the 2 servers, then install postfix and the tools to generate the certs yum install postfix crypto-utils mod_ssl. You can then generate the cert on the servers (i would recommend using 2048 rather than 1024 but this is your choice):

genkey --days 365

Then edit /etc/postfix/ and add the following to your master smtp server (tac in this example), then restart the service:

smtp_tls_security_level = encrypt
smtp_sasl_security_options = noanonymous
smtpd_tls_key_file = /etc/pki/tls/private/
smtpd_tls_cert_file = /etc/pki/tls/certs/
smtpd_tls_loglevel = 3
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
smtpd_tls_auth_only = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

For some reason, CentOS 5.8 seems to be behaving differently, so I had to adjust the config to work properly:

smtp_tls_security_level = encrypt
smtp_sasl_security_options = noanonymous
smtpd_tls_key_file = /etc/pki/tls/private/
smtpd_tls_cert_file = /etc/pki/tls/certs/
smtpd_tls_loglevel = 1
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
smtpd_tls_auth_only = yes

So one thing to keep in mind is that using encrypt is definitely NOT recommended for internet setups, in which case may is what you want.

Time to test this, I suggest good old telnet to see what is returned. Seeing STARTTLS is a good sign.

[root@tic ~]# telnet tac 25
Trying ...
Connected to tac.
Escape character is '^]'.
220 ESMTP Postfix
EHLO lucifer
250-SIZE 10240000
250 DSN
221 2.0.0 Bye
Connection closed by foreign host.

Now we can try a full mail and see what the master says. I used logwatch reports directed to root account on the master SMTP:

: initializing the server-side TLS engine
/tlsmgr[3931]: open smtpd TLS cache btree:/var/lib/postfix_scache
/tlsmgr[3931]: tlsmgr_cache_run_event: start TLS smtpd session cache cleanup
: connect from unknown[]
: setting up TLS connection from unknown[]
: unknown[]: TLS cipher list "ALL:+RC4:@STRENGTH"
: SSL_accept:before/accept initialization
: SSL_accept:SSLv3 write server hello A
: SSL_accept:SSLv3 write key exchange A
: SSL_accept:SSLv3 write server done A
: SSL_accept:SSLv3 flush data
: SSL_accept:SSLv3 read client key exchange A
: SSL_accept:SSLv3 read finished A
: SSL_accept:SSLv3 write change cipher spec A
: SSL_accept:SSLv3 write finished A
: SSL_accept:SSLv3 flush data
: Anonymous TLS connection established : TLSv1 with cipher ADH-AES256-SHA (256/256 bits)
: D1A3C1BD9: client=unknown[]
/cleanup[3934]: D1A3C1BD9: message-id=<>
/qmgr[3927]: D1A3C1BD9: from=<>, size=3840, nrcpt=1 (queue active)
: disconnect from unknown[]
/local[3935]: D1A3C1BD9: to=<>, status=sent (delivered to mailbox)
/qmgr[3927]: D1A3C1BD9: removed

And there you are, full encrypted SMTP/S communications between two postfix hosts.