postfix-tls(1)
NAME
postfix-tls - Postfix TLS management
SYNOPSIS
postfix tls subcommand
DESCRIPTION
The "postfix tls subcommand" feature enables opportunistic TLS in the
Postfix SMTP client or server, and manages Postfix SMTP server private
keys and certificates.
The following subcommands are available:
enable-client [-r randsource]
Enable opportunistic TLS in the Postfix SMTP client, if all SMTP
client TLS settings are at their default values. Otherwise,
suggest parameter settings without making any changes.
Specify randsource to update the value of the tls_random_source
configuration parameter (typically, /dev/urandom). Prepend dev:
to device paths or egd: to EGD socket paths.
See also the all-default-client subcommand.
enable-server [-r randsource] [-a algorithm] [-b bits] [hostname...]
Create a new private key and self-signed server certificate and
enable opportunistic TLS in the Postfix SMTP server, if all SMTP
server TLS settings are at their default values. Otherwise,
suggest parameter settings without making any changes.
The randsource parameter is as with enable-client above, and the
remaining options are as with new-server-key below.
See also the all-default-server subcommand.
new-server-key [-a algorithm] [-b bits] [hostname...]
Create a new private key and self-signed server certificate, but
do not deploy them. Log and display commands to deploy the new
key and corresponding certificate. Also log and display
commands to output a corresponding CSR or TLSA records which may
be needed to obtain a CA certificate or to update DNS before the
new key can be deployed.
The algorithm defaults to rsa, and bits defaults to 2048. If
you choose the ecdsa algorithm then bits will be an EC curve
name (by default secp256r1, also known as prime256v1). Curves
other than secp256r1, secp384r1 or secp521r1 are unlikely to be
widely interoperable. When generating EC keys, use one of these
three. DSA keys are obsolete and are not supported.
Note: ECDSA support requires OpenSSL 1.0.0 or later and may not
be available on your system. Not all client systems will
support ECDSA, so you'll generally want to deploy both RSA and
ECDSA certificates to make use of ECDSA with compatible clients
and RSA with the rest. If you want to deploy certificate chains
with intermediate CAs for both RSA and ECDSA, you'll want at
least OpenSSL 1.0.2, as earlier versions may not handle multiple
chain files correctly.
The first hostname argument will be the CommonName of both the
subject and issuer of the self-signed certificate. It, and any
additional hostname arguments, will also be listed as DNS
alternative names in the certificate. If no hostname is
provided the value of the myhostname main.cf parameter will be
used.
For RSA, the generated private key and certificate files are
named key-yyyymmdd-hhmmss.pem and cert-yyyymmdd-hhmmss.pem,
where yyyymmdd is the calendar date and hhmmss is the time of
day in UTC. For ECDSA, the file names start with eckey- and
eccert- instead of key- and cert- respectively.
Before deploying the new key and certificate with DANE, update
the DNS with new DANE TLSA records, then wait for secondary
nameservers to update and then for stale records in remote DNS
caches to expire.
Before deploying a new CA certificate make sure to include all
the required intermediate issuing CA certificates in the
certificate chain file. The server certificate must be the
first certificate in the chain file. Overwrite and deploy the
file with the original self-signed certificate that was
generated together with the key.
new-server-cert [-a algorithm] [-b bits] [hostname...]
This is just like new-server-key except that, rather than
generating a new private key, any currently deployed private key
is copied to the new key file. Thus if you're publishing DANE
TLSA "3 1 1" or "3 1 2" records, there is no need to update DNS
records. The algorithm and bits arguments are used only if no
key of the same algorithm is already configured.
This command is rarely needed, because the self-signed
certificates generated have a 100-year nominal expiration time.
The underlying public key algorithms may well be obsoleted by
quantum computers long before then.
The most plausible reason for using this command is when the
system hostname changes, and you'd like the name in the
certificate to match the new hostname (not required for DANE "3
1 1", but some needlessly picky non-DANE opportunistic TLS
clients may log warnings or even refuse to communicate).
deploy-server-cert certfile keyfile
This subcommand deploys the certificates in certfile and private
key in keyfile (which are typically generated by the commands
above, which will also log and display the full command needed
to deploy the generated key and certificate). After the new
certificate and key are deployed any obsolete keys and
certificates may be removed by hand. The keyfile and certfile
filenames may be relative to the Postfix configuration
directory.
output-server-csr [-k keyfile] [hostname...]
Write to stdout a certificate signing request (CSR) for the
specified keyfile.
Instead of an absolute pathname or a pathname relative to
$config_directory, keyfile may specify one of the supported key
algorithm names (see "postconf -T public-key-algorithms"). In
that case, the corresponding setting from main.cf is used to
locate the keyfile. The default keyfile value is rsa.
Zero or more hostname values can be specified. The default
hostname is the value of myhostname main.cf parameter.
output-server-tlsa [-h hostname] [keyfile...]
Write to stdout a DANE TLSA RRset suitable for a port 25 SMTP
server on host hostname with keys from any of the specified
keyfile values. The default hostname is the value of the
myhostname main.cf parameter.
Instead of absolute pathnames or pathnames relative to
$config_directory, the keyfile list may specify names of
supported public key algorithms (see "postconf -T
public-key-algorithms"). In that case, the actual keyfile list
uses the values of the corresponding Postfix server TLS key file
parameters. If a parameter value is empty or equal to none,
then no TLSA record is output for that algorithm.
The default keyfile list consists of the two supported
algorithms rsa and ecdsa.
AUXILIARY COMMANDS
all-default-client
Exit with status 0 (success) if all SMTP client TLS settings are
at their default values. Otherwise, exit with a non-zero status.
This is typically used as follows:
postfix tls all-default-client &&
postfix tls enable-client
all-default-server
Exit with status 0 (success) if all SMTP server TLS settings are
at their default values. Otherwise, exit with a non-zero status.
This is typically used as follows:
postfix tls all-default-server &&
postfix tls enable-server
CONFIGURATION PARAMETERS
The "postfix tls subcommand" feature reads or updates the following
configuration parameters.
command_directory (see 'postconf -d' output)
The location of all postfix administrative commands.
config_directory (see 'postconf -d' output)
The default location of the Postfix main.cf and master.cf
configuration files.
openssl_path (openssl)
The location of the OpenSSL command line program openssl(1).
smtp_tls_loglevel (0)
Enable additional Postfix SMTP client logging of TLS activity.
smtp_tls_security_level (empty)
The default SMTP TLS security level for the Postfix SMTP client;
when a non-empty value is specified, this overrides the obsolete
parameters smtp_use_tls, smtp_enforce_tls, and
smtp_tls_enforce_peername.
smtp_tls_session_cache_database (empty)
Name of the file containing the optional Postfix SMTP client TLS
session cache.
smtpd_tls_cert_file (empty)
File with the Postfix SMTP server RSA certificate in PEM format.
smtpd_tls_eccert_file (empty)
File with the Postfix SMTP server ECDSA certificate in PEM
format.
smtpd_tls_eckey_file ($smtpd_tls_eccert_file)
File with the Postfix SMTP server ECDSA private key in PEM
format.
smtpd_tls_key_file ($smtpd_tls_cert_file)
File with the Postfix SMTP server RSA private key in PEM format.
smtpd_tls_loglevel (0)
Enable additional Postfix SMTP server logging of TLS activity.
smtpd_tls_received_header (no)
Request that the Postfix SMTP server produces Received: message
headers that include information about the protocol and cipher
used, as well as the remote SMTP client CommonName and client
certificate issuer CommonName.
smtpd_tls_security_level (empty)
The SMTP TLS security level for the Postfix SMTP server; when a
non-empty value is specified, this overrides the obsolete
parameters smtpd_use_tls and smtpd_enforce_tls.
tls_random_source (see 'postconf -d' output)
The external entropy source for the in-memory tlsmgr(8) pseudo
random number generator (PRNG) pool.
SEE ALSO
master(8) Postfix master program postfix(1) Postfix administrative interface
README FILES
Use "postconf readme_directory" or "postconf html_directory" to locate this information. TLS_README, Postfix TLS configuration and operation
LICENSE
The Secure Mailer license must be distributed with this software.
HISTORY
The "postfix tls" command was introduced with Postfix version 3.1.
AUTHOR(S)
Viktor Dukhovni
POSTFIX-TLS(1)
Opportunity
Personal Opportunity - Free software gives you access to billions of dollars of software at no cost. Use this software for your business, personal use or to develop a profitable skill. Access to source code provides access to a level of capabilities/information that companies protect though copyrights. Open source is a core component of the Internet and it is available to you. Leverage the billions of dollars in resources and capabilities to build a career, establish a business or change the world. The potential is endless for those who understand the opportunity.
Business Opportunity - Goldman Sachs, IBM and countless large corporations are leveraging open source to reduce costs, develop products and increase their bottom lines. Learn what these companies know about open source and how open source can give you the advantage.
Free Software
Free Software provides computer programs and capabilities at no cost but more importantly, it provides the freedom to run, edit, contribute to, and share the software. The importance of free software is a matter of access, not price. Software at no cost is a benefit but ownership rights to the software and source code is far more significant.
Free Office Software - The Libre Office suite provides top desktop productivity tools for free. This includes, a word processor, spreadsheet, presentation engine, drawing and flowcharting, database and math applications. Libre Office is available for Linux or Windows.
Free Books
The Free Books Library is a collection of thousands of the most popular public domain books in an online readable format. The collection includes great classical literature and more recent works where the U.S. copyright has expired. These books are yours to read and use without restrictions.
Source Code - Want to change a program or know how it works? Open Source provides the source code for its programs so that anyone can use, modify or learn how to write those programs themselves. Visit the GNU source code repositories to download the source.
Education
Study at Harvard, Stanford or MIT - Open edX provides free online courses from Harvard, MIT, Columbia, UC Berkeley and other top Universities. Hundreds of courses for almost all major subjects and course levels. Open edx also offers some paid courses and selected certifications.
Linux Manual Pages - A man or manual page is a form of software documentation found on Linux/Unix operating systems. Topics covered include computer programs (including library and system calls), formal standards and conventions, and even abstract concepts.
