
How to install an SSL Certificate on Postfix?

Thursday, April 4th, 2019

This guide provides detailed instructions on how to generate a CSR code and install an SSL Certificate on Postfix mail transfer agent. It also includes a few interesting facts about Postfix, as well as useful information on where to buy the best SSL certificate for Postfix.

If you’ve already generated your CSR code, and are looking just for installation guidelines, feel free to skip the first part. For easier navigation between sections, use the links below:

Generate a CSR Code on Postfix
Install an SSL Certificate on Postfix
Test your Postfix Installation
Postfix history and versions
Where to buy the best SSL certificate for Postfix?

Generate a CSR Code on Postfix

To obtain an SSL Certificate from a trusted CA (Certificate Authority), you must submit a CSR (Certificate Signing Request) to your SSL provider. A CSR is a block of encoded text containing your contact data, such as website and company information.

Since Postfix encrypts the communication between clients and servers rather than individual emails, the optimal way to generate a CSR is via the OpenSSL utility. It should already be installed on your server; if it isn’t, install OpenSSL first.

Please follow the steps below to create your CSR code:

  1. Run the following command:
    openssl req -new -newkey rsa:2048 -nodes -out certreq.txt -keyout private.key
  2. In the OpenSSL wizard, enter your contact information:
    • Country Name: specify the two-letter code of your country. For instance, US or UK.
    • State or Province: name the state where your company is located. For example, Georgia
    • Locality: enter the city where your company is registered. For example, Atlanta
    • Organization Name: write the full legal name of your company. For instance, Your Company LLC
    • Organizational Unit: enter the name of the department within your company requesting the SSL certificate. It could be IT or Web Administration
    • Common Name: specify the FQDN (fully-qualified domain name) you want to secure with an SSL Certificate. For example,
    • Email address: provide a valid email address
    • Challenge password: you can leave this field blank
    • An optional company name: you can leave this field blank
  3. The OpenSSL utility will now generate and store your CSR and private key files on your server
  4. During the order process with your SSL vendor, you will have to open the CSR file and copy-paste the whole text into the corresponding box. Use any text editor such as Notepad to open the CSR code.

Install an SSL Certificate on Postfix

After your CA validates your SSL request and sends the necessary SSL files to your inbox, you can begin the SSL installation. Please, perform the following:

Prepare your SSL files

Postfix supports SSL Certificates in X.509 format. A correct installation requires the following files:

  • Your private key file: you’ve generated the key file along with the CSR code on your server
  • Your primary SSL Certificate: it resides in the ZIP archived folder you’ve received from the CA. Check your email and download, then extract your SSL Certificate. For the purpose of this demonstration, we’ll name the primary SSL certificate file .crt
  • The intermediate CA: this is the CA bundle (.ca-bundle) file from the same ZIP folder as your SSL Certificate. In our case, we’ll name the file intca.crt

Note: you can place all three files in a single directory. For example, /etc/postfix.

To add the SSL Certificate to Postfix, follow the steps below:

Merge the SSL Certificate and the intermediate CA into a single file by running the following command:
cat ssl.crt intca.crt > server.crt

For the email reception part (SMTP server):

smtpd_tls_cert_file = /path/to/your/server.crt
smtpd_tls_key_file = /path/to/your/private.key
# TLS activation
smtpd_tls_security_level = may
# recommended for log details
smtpd_tls_loglevel = 1
# recommended for tracing TLS headers
smtpd_tls_received_header = yes
smtpd_tls_exclude_ciphers = NULL, aNULL, RC4, 3DES, eNULL, DHE_EXPORT
smtpd_tls_mandatory_ciphers = high
smtpd_tls_ciphers = medium
smtpd_tls_protocols = !SSLv2, !SSLv3

For the email delivery part (SMTP client):

smtp_tls_security_level = may
# recommended for having log details
smtp_tls_loglevel = 1
smtp_tls_exclude_ciphers = NULL, aNULL, RC4, 3DES, eNULL, DHE_EXPORT
smtp_tls_mandatory_ciphers = high
smtp_tls_ciphers = medium
smtp_tls_protocols = !SSLv2, !SSLv3

Edit the file and ensure the following line is uncommented:

tlsmgr    unix  -       -       n       1000?   1       tlsmgr
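
A pre-flight check for the files prepared above, as an added example that is not part of the original guide: it confirms that the first certificate in the merged server.crt belongs to private.key (a reversed cat order fails this check) and that the key file is not accessible to group or others. The demo files, the names reversed.crt and ca.key, and the host name mail.example.test are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original guide): pre-flight checks for the files
# that smtpd_tls_cert_file and smtpd_tls_key_file point to.

# Print the SHA-256 of the public key in a private key ($1=key) or in the
# FIRST certificate of a PEM file ($1=cert). Fails if the file is unreadable.
pub_hash() {
    case "$1" in
        key)  pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
        cert) pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
    esac
    [ -n "$pub" ] || return 1
    printf '%s\n' "$pub" | openssl dgst -sha256 | awk '{print $NF}'
}

# 0 = certificate and key belong together, 1 = mismatch, 2 = unreadable file.
check_pair() {  # $1 = merged certificate file, $2 = private key
    k=$(pub_hash key "$2")  || { echo "cannot read key: $2"; return 2; }
    c=$(pub_hash cert "$1") || { echo "cannot read certificate: $1"; return 2; }
    [ "$k" = "$c" ] || { echo "first certificate in $1 does not match $2"; return 1; }
}

# Succeeds only when group and others have no permissions on the key file.
key_is_private() {
    [ "$(ls -ld "$1" 2>/dev/null | cut -c5-10)" = "------" ]
}

# Constructed demo input: throwaway keys and self-signed stand-ins for the
# CA-issued ssl.crt and intca.crt (reversed.crt and ca.key are made-up names).
make_demo() {  # $1 = empty directory
    ( cd "$1" || exit 1
      openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=mail.example.test" \
          -keyout private.key -out ssl.crt 2>/dev/null
      openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Intermediate" \
          -keyout ca.key -out intca.crt 2>/dev/null
      cat ssl.crt intca.crt > server.crt      # order used in this guide
      cat intca.crt ssl.crt > reversed.crt    # wrong order: CA certificate first
      chmod 600 private.key )
}

demo=$(mktemp -d) && make_demo "$demo"
check_pair "$demo/server.crt" "$demo/private.key" && echo "server.crt: matches key"
check_pair "$demo/reversed.crt" "$demo/private.key"    # prints the mismatch message
key_is_private "$demo/private.key" && echo "private.key: owner-only"
```

On a real server, call check_pair and key_is_private with the paths set in smtpd_tls_cert_file and smtpd_tls_key_file before reloading Postfix.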

Congratulations, you’ve successfully installed an SSL Certificate on Postfix.

Test your SSL Installation

After you install an SSL Certificate on Postfix, it’s always wise to scan your new installation for potential errors or vulnerabilities, just to be on the safe side of things. With these powerful SSL tools, you can get instant reports on all aspects of your SSL Certificate and its configuration.

Postfix history and versions

Postfix is a free and open-source MTA (mail transfer agent) that routes and delivers electronic mail. Developed by Wietse Venema in 1997, Postfix is currently released under the IBM Public License 1.0 and Eclipse Public License 2.0.

Listed below are the latest supported Postfix releases:

  • Postfix 3.2
  • Postfix 3.1
  • Postfix 3.0
  • Postfix 2.11

Where to buy the best SSL Certificate for Postfix?

You’ve already reached the destination! Here, at SSL Dragon, we offer the widest range of SSL products at incredibly low prices. All our certificates are compatible with Postfix mail transfer agent. Browse the list below to find the SSL type you need:

If you don’t know what certificate to choose, or are struggling to find the perfect product for your site, our quick and intuitive SSL Wizard and Advanced Certificate Filter tools will make the search more efficient and enjoyable.

If you find any inaccuracies, or you have details to add to these SSL installation instructions, please feel free to send us your feedback at [email protected]. Your input would be greatly appreciated! Thank you.