I spent a lot of time yesterday trying to figure out how to setup my Postfix installation to allow secure connections. Postfix is an SMTP mail program that allows one to send email. I wanted it to be secure so that I could open my firewall and allow my devices to send email through my self-hosted mail server securely and in a manner that didn’t result in me being an open relay.
I started by looking at Ubuntu documentation as I typically find it helpful. In this case it felt like it was a couple of years old and the configuration files seemed to have changed since it was updated. So I ventured into Google and found all sorts of HOWTOs and tutorials that kinda of were doing the same thing. Kind of.
I also decided that I should just bite the bullet and create new SSL keys as my current mail one had expired. That took some reading again until I found this article which was very helpful, giving specific commands to get a 10 year certificate.
Anyhow I spent many hours reading different articles, manuals, software documentation – quite tiring and frustrating. In the end I found the Postfix and Dovecot documentation to be most helpful (including one article with some sample commands to look at the details of the SSL certificate). In the end it took just a couple of steps:
- Ensure Dovecot was creating a socket that could be used by Postfix to authenticate (that’s the /var/spool/postfix/private/auth thingy and required config changes to Dovecot in 10-master.cnf beyond what was there already – adding user/group info as per Postfix documentation)
- Ensure Postfix was configured to authenticate via Dovecot (postconf -a checks what is configured and active)
- Ensure there are SSL keys for both Dovecot and Postfix.
- Ensure Postfix is configured to use those keys and enable SASL authentication. The trick was finding the “auth” section in conf.d/10-master.cnf
I think that was about it. In the end 5-6 hours of time were spent issuing 10 commands or so that took 1 minute to actually do. Nice!