Postfix certificate verify howto

| Version: | 0.8 |
|---|---|
| Author: | maxigas*anargeek.net |
| Update: | 2010.03.15 |
Warning: Beta version, needs peer review and further testing. It seems to work for me, nonetheless.
How to connect two Postfix servers running on Debian systems so that they send mail between themselves over SSL, verifying the certificates that were issued by a certificate authority (here cacert.org)?
Note: you need to know basic Unix commands and be able to get around in a text editor like nano / emacs / vi (I use emacs, but I wrote nano in the instructions below because that is the most user-friendly).
- Documentation:
This howto is based on the Postfix and CAcert IRC channels, the Postfix documentation, forums and lists. Special thanks to Dan.
- Postfix TLS readme (part of postfix package, locally available at /usr/share/doc/postfix/TLS_README.gz)
- CAcert wiki: Postfix-TLS/Cyrus-SSL Configuration (uses some deprecated Postfix syntax)
- Postfix TLS with free CAcert.org certificates
- Check DNS records:
MX records have to be set, for example mail.example1.org and mail.example2.org.
- Install and configure postfix:
apt-get install postfix
nano /etc/postfix/main.cf
Follow Basic Configuration guide of the Postfix documentation.
Send mail from test@example1.org to test@example2.org, and vice versa. Save the mail headers for future reference. The certificate part should look similar to this:
Received: from example1.org (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested)
- Get certificates from cacert.org:
- Go to http://cacert.org/ and click "Join", follow the instructions.
- Now you can log in with "Password login" (for example).
- Now you can add a new domain with "New" from "Domains".
- Now you can add a server certificate for your domain with "New" from "Server certificates".
- This last one will ask you for a CSR. Don't worry, it's easy to make one, here is how:
cd ~
wget http://svn.cacert.org/CAcert/Software/CSRGenerator/csr
sh csr
It will ask you a few questions. Here is one example for configuring mail.example1.org:
Private Key and Certificate Signing Request Generator
This script was designed to suit the request format needed by
the CAcert Certificate Authority. www.CAcert.org

Short Hostname (ie. imap big_srv www2): example1
FQDN/CommonName (ie. www.example1.tld) : example1.tld
Type SubjectAltNames for the certificate, one per line. Enter a blank line to finish
SubjectAltName: DNS:mail.example1.org
SubjectAltName: DNS:
Running OpenSSL...
Generating a 2048 bit RSA private key
........................................................+++
................................................+++
writing new private key to '/root/example1_privatekey.pem'
-----
Copy the following Certificate Request and paste into CAcert website to obtain a Certificate.

When you receive your certificate, you 'should' name it something like example1_server.pem

-----BEGIN CERTIFICATE REQUEST-----
[base64 CSR body omitted]
-----END CERTIFICATE REQUEST-----

The Certificate request is also available in /root/example1_csr.pem
The Private Key is stored in /root/example1_privatekey.pem
- Paste the part of the above output from -----BEGIN CERTIFICATE REQUEST----- to -----END CERTIFICATE REQUEST----- (both lines included) into the CAcert website where it asks for the CSR.
- You will get another ASCII soup that you can paste into a file on your server:
nano ~/example1_server.pem
- Put the certificates in some suitable directories:
cp -v ~/example1_privatekey.pem /etc/ssl/private/
cp -v ~/example1_server.pem /etc/ssl/certs/
Of course there are other options as well, some are even better than this, but for me that worked fine.
- Install CAcert root certificate:
apt-get install ca-certificates
- Configure Postfix:
Setting up a certificate-authority-verified SMTP connection between two servers of course means that you have to configure both servers. If you want them both to send and receive mail from each other, the configuration is symmetric, so only one side is described here, but don't forget to configure both servers. The snippets below refer to the configuration of server example1 to exchange mail with server example2:
nano /etc/postfix/main.cf
- Add section for TLS configuration:
### Transport Layer Security ###
# Server side TLS
smtpd_tls_security_level = may
smtpd_tls_key_file = /etc/ssl/private/example1_privatekey.pem
smtpd_tls_cert_file = /etc/ssl/certs/example1_server.pem
smtpd_tls_CAfile = /usr/share/ca-certificates/cacert.org/root_X0F.crt
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_ask_ccert = yes
# Client side TLS
smtp_tls_security_level = may
smtp_tls_key_file = $smtpd_tls_key_file
smtp_tls_cert_file = $smtpd_tls_cert_file
smtp_tls_CAfile = $smtpd_tls_CAfile
# Misc TLS
tls_random_source = dev:/dev/urandom
- Create a policy map. Policy maps only work in Postfix 2.2 and above, so check version:
postconf | grep version
Lower versions use another system, check the Postfix documentation or rather update your software base!
Create / edit a file with the policy and hash it for quicker processing:
echo "example2.tld verify" >> /etc/postfix/tls_policy
echo ".example2.tld verify" >> /etc/postfix/tls_policy
postmap /etc/postfix/tls_policy
Run postmap on the file each time you edit it. Add the policy map to the postfix configuration:
echo "smtp_tls_policy_maps = hash:/etc/postfix/tls_policy" >> /etc/postfix/main.cf
Now reload the postfix configuration:
/etc/init.d/postfix reload
- Test configuration:
openssl s_client -connect mail.example1.hu:25 -starttls smtp | openssl x509 -noout -text
openssl s_client -connect mail.example2.hu:25 -starttls smtp | openssl x509 -noout -text
These commands are useful for debugging, for example to see what certificates the servers offer (if any).
Finally, try to send a mail from test@example1.org to test@example2.org. The headers should contain something similar to this:
Received: from example1.org (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "example1.org", Issuer "CA Cert Signing Authority" (verified OK))
Note: only the hops between the two servers should have these lines.
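As an added example (not part of the original howto), a small shell function that automates the header check described above: it unfolds a mail's Received: headers and classifies the hop from a given host as verified, encrypted or plaintext. The sample headers are constructed from the two header lines shown on this page; the "by mail.example2.org" continuation lines and the queue ids are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original howto: classify the hop between the two
# Postfix servers from the Received: headers of a delivered mail. With
# smtpd_tls_received_header = yes the receiving server records the cipher and,
# with smtpd_tls_ask_ccert = yes, the client certificate check ("verified OK").

# Constructed sample headers (not real mail): hop 1 is the CA-verified state from
# the howto, hop 2 is the anonymous-DH state seen before certificates were set up,
# hop 3 is a local delivery hop without TLS. Continuation lines and ids are assumed.
SAMPLE_HEADERS='Received: from example1.org (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "example1.org", Issuer "CA Cert Signing Authority" (verified OK))
    by mail.example2.org (Postfix) with ESMTPS id CONSTRUCTED1
Received: from example2.org (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested)
    by mail.example1.org (Postfix) with ESMTPS id CONSTRUCTED2
Received: from localhost (localhost [127.0.0.1])
    by mail.example1.org (Postfix) with ESMTP id CONSTRUCTED3'

# tls_hop_status HOST HEADERS
# Prints verified / encrypted / plaintext / missing for the hop "from HOST"
# and returns 0 / 1 / 2 / 3 accordingly.
tls_hop_status() {
  host=$1
  headers=$2
  # Escape dots so the hostname is matched literally, not as a regex wildcard.
  pat=$(printf '%s' "$host" | sed 's/\./\\./g')
  # Unfold continuation lines (leading whitespace) onto their header line,
  # then keep the Received: line for the hop from $host, if any.
  hop=$(printf '%s\n' "$headers" \
        | sed -e :a -e '$!N;s/\n[[:space:]][[:space:]]*/ /;ta' -e 'P;D' \
        | grep "^Received: from $pat[ (]" || true)
  [ -n "$hop" ] || { echo missing; return 3; }
  case $hop in
    *"(verified OK)"*) echo verified;  return 0 ;;
    *"using TLSv"*)    echo encrypted; return 1 ;;
    *)                 echo plaintext; return 2 ;;
  esac
}

# Usage on the constructed sample: prints "verified" for the example1 -> example2 hop.
tls_hop_status example1.org "$SAMPLE_HEADERS"
```

On a real mail, feed it the raw header block (everything above the first empty line) and the name of the sending server as it appears after "Received: from".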
- Debug Postfix configuration:
Send mail from test@example1.org to test@example2.org and vice versa, then check:
- The headers of the email if it arrives.
- Error messages that you get in email.
- Continually watch the postfix logs on the two servers (especially the sending one):
tail -f /var/log/mail.log
Not sure if it is a simple TLS problem or a certificate problem? Temporarily change "verify" to "encrypt" in your policy map, rehash, reload and try again:
rpl verify encrypt /etc/postfix/tls_policy
postmap /etc/postfix/tls_policy
/etc/init.d/postfix reload
Now certificate verification is turned off and you can test the rest of your configuration without it.