Home / Tutorials / How to Install an SSL Certificate / How to Install an SSL Certificate on Postfix?

How to Install an SSL Certificate on Postfix

How to Install an SSL Certificate on Postfix

This guide provides detailed instructions on how to install an SSL Certificate on Postfix mail transfer agent. It also includes useful information on where to buy the best SSL certificate for Postfix.

If you’ve already generated your CSR code, and are looking just for installation guidelines, feel free to skip the first part.

Table of Contents

  1. Generate a CSR Code on Postfix
  2. Install an SSL Certificate on Postfix
  3. Test your Postfix Installation
  4. Where to buy the best SSL certificate for Postfix?

Generate a CSR Code on Postfix

To obtain an SSL Certificate from a trusted CA (Certificate Authority), you must submit a CSR (Certificate Signing Request) to your SSL provider. CSR is a block of encoded text with your contact data such as website and company information.

You have two options:

  1. Use our CSR Generator to create the CSR automatically.
  2. Follow our step-by-step tutorial on how to generate CSR in Postfix.

During the order process with your SSL vendor, you will have to open the CSR file and copy-paste the whole text into the corresponding box. Use any text editor such as Notepad to open the CSR code.

Install an SSL Certificate on Postfix

After your CA validates your SSL request and sends the necessary SSL files to your inbox, you can begin the SSL installation. Please, perform the following:

Step 1. Prepare your SSL files

Postfix supports SSL Certificates in X.509 format. A correct installation requires the following files:

  • Your private key file: you’ve generated the key file along with the CSR code on your server
  • Your primary SSL Certificate: it resides in the ZIP archived folder you’ve received from the CA. Check your email and download, then extract your SSL Certificate. For the purpose of this demonstration, we’ll name the primary SSL certificate file .crt
  • The intermediate CA: this is the CA bundle (.ca-bundle) file from the same ZIP folder as your SSL Certificate. In our case, we’ll name the file intca.crt

Note: you can place all three files in a single directory. For example, /etc/postfix.

Step 2. Add the SSL Certificate to Postfix

Merge the SS Certificate and intermediate CA in a single file by running the following command:

cat ssl.crt intca.crt > server.crt

For the email reception part (SMTP server):

smtpd_tls_cert_file = /path/to/your/server.crt
smtpd_tls_key_file = /path/to/your/privatekey.key
# TLS activation
smtpd_tls_security_level = may	
# recommanded for log details
smtpd_tls_loglevel = 1
# recommanded for tracing TLS headers
smtpd_tls_received_header = yes
smtpd_tls_exclude_ciphers = NULL, aNULL, RC4, 3DES, eNULL, DHE_EXPORT
smtpd_tls_mandatory_ciphers = high
smtpd_tls_ciphers = medium
smtpd_tls_protocols = !SSLv2, !SSLv3

For the email delivery part (SMTP client):

smtp_tls_security_level = may
# recommended for having log details
smtp_tls_loglevel = 1
smtp_tls_exclude_ciphers = NULL, aNULL, RC4, 3DES, eNULL, DHE_EXPORT
smtp_tls_mandatory_ciphers = high
smtp_tls_ciphers = medium
smtp_tls_protocols = !SSLv2, !SSLv3

Step 3. Edit the master.cf file

Edit the master.cf file and ensure the follow instruction is uncommented

tlsmgr    unix  -       -       n       1000?   1       tlsmgr

Congratulations, you’ve successfully installed an SSL Certificate on Postfix.

Test your SSL Installation

After you install an SSL Certificate on Postfix, it’s always wise to scan your new installation for potential errors or vulnerabilities, just to be on the safe side of things. With these powerful SSL tools, you can get instant reports on all aspects of your SSL Certificate and its configuration.

Where to buy the best SSL Certificate for Postfix?

You’ve already reached the destination! Here, at SSL Dragon, we offer the widest range of SSL products at incredibly low prices. All our certificates are compatible with Postfix mail transfer agent.

Get an SSL certificate now

If you don’t know what certificate to choose, or struggling to find the perfect product for your site, our quick, and intuitive SSL Wizard and Advanced Certificate Filter tools will make the search more efficient and enjoyable.

If you find any inaccuracies, or you have details to add to these SSL installation instructions, please feel free to send us your feedback at [email protected]. Your input would be greatly appreciated! Thank you.