
Proper setup to require internal PKI/certificate


Security Admin (NetSec)

Mar 17, 2010, 1:05:38 PM

I currently use Postfix 2.6.5 as mail gateway and Exchange 2007 for internal e-mail. Right now I have a soft TLS requirement on outbound mail, i.e. Exchange 2007 is set up to connect via TLS only. For Postfix to require a TLS connection from the internal mail server, what would I have to change in the following "main.cf" setup:


<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
smtpd_use_tls = yes
smtp_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_auth_only = no
smtp_tls_security_level = may
## smtpd_tls_ask_ccert = yes
smtpd_tls_key_file = /etc/postfix/ssl/server.key
smtpd_tls_cert_file = /etc/postfix/ssl/server_selfsign.crt
smtpd_tls_CAfile = /etc/postfix/ssl/server_selfsign.crt
# smtpd_tls_CAfile = /usr/share/ssl/certs/ca-bundle.crt
# smtpd_tls_CAfile = /etc/postfix/cacert.pem
smtp_tls_CAfile = /etc/postfix/exchange.pem
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
smtpd_tls_mandatory_ciphers = high
smtpd_tls_loglevel = 2
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
smtpd_tls_session_cache_database = sdbm:/etc/postfix/smtpd_scache
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>


Note: the file "exchange.pem" is the public key of the (internal) root CA. The goal here is to allow ONLY TLS/authenticated internal mail servers to send mail.


Thanks in advance!!


Edward Ray

Noel Jones

Mar 17, 2010, 1:53:52 PM
On 3/17/2010 12:05 PM, Security Admin (NetSec) wrote:
> I currently use Postfix 2.6.5 as mail gateway and Exchange 2007 for
> internal e-mail. Right now I have a soft TLS requirement on outbound
> mail, i.e. Exchange 2007 is set up to connect via TLS only. For Postfix
> to require a TLS connection from the internal mail server, what would I
> have to change in the following "main.cf" setup:
>

Please see
http://www.postfix.org/TLS_README.html#server_access

If you need more help, please refer to:
http://www.postfix.org/DEBUG_README.html#mail

-- Noel Jones
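A main.cf fragment, added here as an illustration and not part of either post, showing how the settings quoted above would change to follow the TLS_README server-access recipe that the reply points to: the internal root CA moves to the server (smtpd) side, client certificates are requested and verified, and relaying is granted only to a fingerprint-listed client. The relay_clientcerts file name and the fingerprint value are placeholders, and it is assumed that the Exchange server is configured to present a certificate issued by that internal CA.

```ini
# --- main.cf: require a verified internal client certificate to relay ---
# Inbound TLS stays opportunistic ("may"): a gateway must still accept
# plaintext SMTP from the Internet, so "encrypt" would block outside mail.
# Authentication of internal servers is enforced by the relay policy below.
smtpd_tls_security_level = may

# Ask every client for a certificate and verify it against the INTERNAL
# root CA (the file the original post loads only on the smtp client side).
smtpd_tls_ask_ccert = yes
smtpd_tls_CAfile = /etc/postfix/exchange.pem
smtpd_tls_ccert_verifydepth = 5

# The server's own key and certificate are unchanged from the original post.
smtpd_tls_key_file = /etc/postfix/ssl/server.key
smtpd_tls_cert_file = /etc/postfix/ssl/server_selfsign.crt

# Relaying is decided by client-certificate fingerprint, not by source IP.
# permit_mynetworks is deliberately absent so an internal host without a
# verified certificate (or a spoofed address) cannot relay.
smtpd_tls_fingerprint_digest = sha256
relay_clientcerts = hash:/etc/postfix/relay_clientcerts
smtpd_recipient_restrictions =
    permit_tls_clientcerts,
    reject_unauth_destination

# Level 2 logs "Verified TLS connection established from ..." for the
# Exchange server and "Anonymous"/"Untrusted" for every other client,
# which is the line to watch when checking that the policy works.
smtpd_tls_loglevel = 2

# --- /etc/postfix/relay_clientcerts (run "postmap" on it after editing) ---
# One line per authorised client: <sha256 fingerprint of its cert> <comment>
# Obtain the value with: openssl x509 -noout -fingerprint -sha256 -in <cert>
# 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF exchange01 (placeholder, not a real fingerprint)
```

After reloading Postfix, a test message from the Exchange server should show "Verified TLS connection" in the log and be relayed, while the same message from a host without a listed certificate is rejected by reject_unauth_destination.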
