Secure SMTP between CentOS servers

Today I played a bit with SMTP/s for the sole purpose of getting encrypted communications across the board between 2 or more hosts. I have done a fair few setups before, but this one consists of 2 CentOS hosts, tic on 5.8 and tac on 6.2. In this setup, tac will be the master SMTP/s server. I am using standard CentOS repos with no added sugar. The difference between my usual setups and this one is that you never send unencrypted emails between the two servers.

Firstly, install the 2 servers, then install postfix and the tools to generate the certs: yum install postfix crypto-utils mod_ssl. You can then generate the cert on the servers (I would recommend a 2048-bit key rather than 1024, but this is your choice):

genkey --days 365 tac.frlinux.net

Then edit /etc/postfix/main.cf on your master SMTP server (tac in this example), add the following, then restart the service:

smtp_tls_security_level = encrypt
smtp_sasl_security_options = noanonymous
smtpd_tls_key_file = /etc/pki/tls/private/tac.frlinux.net.key
smtpd_tls_cert_file = /etc/pki/tls/certs/tac.frlinux.net.crt
smtpd_tls_loglevel = 3
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
smtpd_tls_auth_only = yes
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

For some reason, CentOS 5.8 seems to be behaving differently, so I had to adjust the config to work properly:

smtp_tls_security_level = encrypt
smtp_sasl_security_options = noanonymous
smtpd_tls_key_file = /etc/pki/tls/private/tic.frlinux.net.key
smtpd_tls_cert_file = /etc/pki/tls/certs/tic.frlinux.net.cert
smtpd_tls_loglevel = 1
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
smtpd_use_tls = yes
smtpd_tls_auth_only = yes

One thing to keep in mind is that encrypt is definitely NOT recommended for internet-facing setups: it makes TLS mandatory, so mail to any remote server that does not offer STARTTLS will not be delivered. In that case may (opportunistic TLS) is what you want.

Time to test this; I suggest good old telnet to see what is returned. Seeing STARTTLS is a good sign.

[root@tic ~]# telnet tac 25
Trying ...
Connected to tac.
Escape character is '^]'.
220 tac.frlinux.net ESMTP Postfix
EHLO lucifer
250-tac.localdomain
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
quit
221 2.0.0 Bye
Connection closed by foreign host.

Now we can try a full mail and see what the master says. I used logwatch reports directed to the root account on the master SMTP:

: initializing the server-side TLS engine
/tlsmgr[3931]: open smtpd TLS cache btree:/var/lib/postfix_scache
/tlsmgr[3931]: tlsmgr_cache_run_event: start TLS smtpd session cache cleanup
: connect from unknown[10.66.66.66]
: setting up TLS connection from unknown[10.66.66.66]
: unknown[10.66.66.66]: TLS cipher list "ALL:+RC4:@STRENGTH"
: SSL_accept:before/accept initialization
: SSL_accept:SSLv3 write server hello A
: SSL_accept:SSLv3 write key exchange A
: SSL_accept:SSLv3 write server done A
: SSL_accept:SSLv3 flush data
: SSL_accept:SSLv3 read client key exchange A
: SSL_accept:SSLv3 read finished A
: SSL_accept:SSLv3 write change cipher spec A
: SSL_accept:SSLv3 write finished A
: SSL_accept:SSLv3 flush data
: Anonymous TLS connection established : TLSv1 with cipher ADH-AES256-SHA (256/256 bits)
: D1A3C1BD9: client=unknown[10.66.66.66]
/cleanup[3934]: D1A3C1BD9: message-id=<20120521223615.4D2398DDE5@tic.frlinux.net>
/qmgr[3927]: D1A3C1BD9: from=<root@tic.frlinux.net>, size=3840, nrcpt=1 (queue active)
: disconnect from unknown[10.66.66.66]
/local[3935]: D1A3C1BD9: to=<root@tac.frlinux.net>, status=sent (delivered to mailbox)
/qmgr[3927]: D1A3C1BD9: removed
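To go one step beyond the telnet check, here is an added Python script (not part of the original post) that confirms STARTTLS is advertised, upgrades the session and reports the negotiated protocol, cipher and whether the peer certificate was verified; that last point is what separates the "Anonymous TLS connection" in the log above from an authenticated one. The host name "tac" and the CA file path are assumptions, and the sample EHLO reply is copied from the telnet session.

```python
"""Check a Postfix peer: is STARTTLS advertised, and what did the TLS session negotiate?"""
import smtplib
import ssl

# EHLO reply copied from the telnet session above; constructed offline sample input.
SAMPLE_EHLO = "250-tac.localdomain\n250-PIPELINING\n250-SIZE 10240000\n250-STARTTLS\n250 DSN"

def ehlo_extensions(ehlo_reply):
    """Return ESMTP extension keywords from an EHLO reply: either a raw transcript
    ('250-STARTTLS' lines as telnet shows them) or the text smtplib keeps in
    SMTP.ehlo_resp (same lines without the '250-' prefix). The first line is the
    server's hostname, not an extension, so it is skipped."""
    if isinstance(ehlo_reply, bytes):
        ehlo_reply = ehlo_reply.decode("ascii", "replace")
    lines = [l.strip() for l in ehlo_reply.splitlines() if l.strip()]
    if any(l.startswith("250") for l in lines):
        lines = [l[4:] for l in lines if l.startswith("250")]  # drop "250-" / "250 "
    return {l.split()[0].upper() for l in lines[1:] if l.split()}

def classify_session(cipher, peer_verified):
    """Label the session as the Postfix log does: 'Anonymous' for ADH/AECDH suites
    (no certificate involved), 'Untrusted' when a certificate was presented but not
    checked, 'Verified' when it was checked against a CA and the expected hostname."""
    if cipher.upper().startswith(("ADH-", "AECDH-")):
        return "Anonymous"
    return "Verified" if peer_verified else "Untrusted"

def check_starttls(host, port=25, cafile=None, timeout=10):
    """Connect in the clear, upgrade with STARTTLS and describe the result.
    cafile=None skips certificate verification, which is all that
    smtp_tls_security_level = encrypt guarantees; pass the peer's CA to verify it."""
    if cafile:
        ctx = ssl.create_default_context(cafile=cafile)  # verifies chain and hostname
    else:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        if "STARTTLS" not in ehlo_extensions(smtp.ehlo_resp):
            return {"starttls": False}
        smtp.starttls(context=ctx)
        smtp.ehlo()  # the extension list must be re-read after the upgrade
        name, version, bits = smtp.sock.cipher()
        return {"starttls": True, "protocol": version, "cipher": name, "bits": bits,
                "session": classify_session(name, cafile is not None)}

if __name__ == "__main__":
    print(sorted(ehlo_extensions(SAMPLE_EHLO)))  # offline run on the sample reply
    # live check against the master (assumed reachable as "tac"): check_starttls("tac")
```

Run check_starttls("tac", cafile="/etc/pki/tls/certs/ca.crt") (assumed path) to see a "Verified" session; without cafile the result only tells you that the link is encrypted, not who is on the other end.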

And there you are, fully encrypted SMTP/S communications between two postfix hosts.