Learn to Install and Configure Postfix With STARTTLS on Oracle Linux
Introduction
This tutorial shows you how to install and set up the Postfix email server software on an Oracle Linux system to enable you to send messages within your network with STARTTLS encryption and verification. This tutorial is targeted at users of Oracle Linux 8 or later.
Postfix is a Mail Transfer Agent (MTA) server that was developed as a replacement for sendmail, which is the default MTA server on many older Linux systems. Because of its modular pipeline-based architecture, Postfix is versatile and integrates easily with many other services, such as spam and anti-virus processing, as well as with message store software, such as the Dovecot IMAP and POP server.
As a bare minimum to secure the service, you should configure Postfix to support STARTTLS to perform TLS/SSL verification and encryption over an SMTP connection. Using STARTTLS helps to protect the integrity of your communications.
This tutorial describes how to set up and configure Postfix to function primarily as a Simple Mail Transfer Protocol (SMTP) server.
Objectives
Upon completion of this Lab you will be able to:
- Set the server host name
- Install Postfix with appropriate firewall rules
- Generate a self-signed TLS certificate
- Configure Postfix to send emails and verify integrity with STARTTLS
- Send test emails by using mailx
- Review the Postfix mail queue
Prerequisites
- Any system with Oracle Linux 8
Install Postfix
Note: When using the free lab environment, see Oracle Linux Lab Basics for connection and other usage instructions.
Install the postfix package on your instance by using the package manager, as follows:
sudo dnf install -y postfix
Allow SMTP traffic through the server firewall:
sudo firewall-cmd --zone=public --add-service=smtp --permanent
sudo firewall-cmd --reload
Remove the sendmail package, if it is present:
sudo dnf remove -y sendmail
Set Postfix as the default Mail Transfer Agent:
sudo alternatives --set mta /usr/sbin/sendmail.postfix
Enable and start the Postfix service:
sudo systemctl enable --now postfix
Generate a TLS Certificate
For the purpose of this lab, generate and use a self-signed TLS certificate. In a production environment, Oracle strongly recommends using a TLS/SSL certificate that has been signed by an external Certificate Authority (CA). See https://docs.oracle.com/en/operating-systems/oracle-linux/certmanage/ for more information.
Install the openssl package on your instance by using the package manager, as follows:
sudo dnf install -y openssl
Create an RSA private key and a self-signed X.509 test certificate:
hostname=$(hostname -f)
sudo openssl req -new -x509 -days 1 -nodes -newkey rsa:2048 -keyout private.key \
  -out public.cert -subj "/C=US/ST=Ca/L=Sunnydale/CN=$hostname"
Copy your RSA private key to the /etc/pki/tls/private directory:
sudo cp private.key /etc/pki/tls/private/
Copy your self-signed X.509 test certificate to the /etc/pki/tls/certs directory:
sudo cp public.cert /etc/pki/tls/certs/
Configure Postfix With STARTTLS
Create a backup for the default Postfix configuration:
sudo mv /etc/postfix/main.cf /etc/postfix/main.cf.bak
Edit the configuration file, /etc/postfix/main.cf, to contain lines similar to the following:
sudo tee -a /etc/postfix/main.cf > /dev/null <<EOF
myhostname = $(hostname -f)
myorigin = \$myhostname
inet_interfaces = all
inet_protocols = all
mydestination = \$myhostname, localhost
mynetworks = 192.168.1.0/24, 127.0.0.0/8, 10.0.0.0/24
home_mailbox = mail/

# Additional STARTTLS configuration settings
tls_random_source=dev:/dev/urandom

# SMTPD TLS configuration for incoming connections
smtpd_use_tls = yes
smtpd_tls_cert_file = /etc/pki/tls/certs/public.cert
smtpd_tls_key_file = /etc/pki/tls/private/private.key
smtpd_tls_security_level = may

# SMTP TLS configuration for outgoing connections
smtp_use_tls = yes
smtp_tls_cert_file = /etc/pki/tls/certs/public.cert
smtp_tls_key_file = /etc/pki/tls/private/private.key
smtp_tls_security_level = may
EOF
Note: Sending emails from a single host is sufficient for the purpose of this lab. In a production environment, you should set mydomain as the registered domain name from which you intend to send email. For more information, read the Postfix manual pages.
Restart the Postfix service:
sudo systemctl restart postfix
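The tutorial sets both TLS security levels to may, so the following added example (not part of the original tutorial or of Postfix) reports what each configured level actually enforces and checks that the private key file is readable by its owner only. The function names get_param, classify and audit_tls, the OK/NOTE/WARN output format and the sample text are assumptions made for this illustration.

```shell
# Added example, not from the original tutorial. Function names and the
# OK/NOTE/WARN output format are assumptions made for this illustration.

# get_param CONFIG_TEXT NAME: print the value of the last "NAME = value" line.
get_param() {
    printf '%s\n' "$1" | awk -v k="$2" '
        { n = $0; sub(/[ \t]*=.*/, "", n); sub(/^[ \t]+/, "", n) }
        n == k && index($0, "=") { v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v) }
        END { print v }'
}

# classify LEVEL: map a Postfix TLS security level to what it enforces.
classify() {
    case "$1" in
        encrypt|verify|secure|dane-only|fingerprint) echo mandatory ;;
        may|dane) echo opportunistic ;;
        none) echo off ;;
        *) echo other ;;
    esac
}

# audit_tls: read main.cf-style text on stdin, print one finding per line.
audit_tls() {
    a_cfg=$(cat)
    for a_side in smtpd smtp; do
        a_level=$(get_param "$a_cfg" "${a_side}_tls_security_level")
        case "$(classify "$a_level")" in
            mandatory) echo "OK   $a_side: TLS required ($a_level)" ;;
            opportunistic) echo "NOTE $a_side: '$a_level' is opportunistic, cleartext is used when STARTTLS is not negotiated" ;;
            *) echo "WARN $a_side: TLS level is '${a_level:-unset}'" ;;
        esac
    done
    a_key=$(get_param "$a_cfg" smtpd_tls_key_file)
    if [ -z "$a_key" ]; then
        echo "WARN smtpd: no smtpd_tls_key_file set"
    elif [ ! -f "$a_key" ]; then
        echo "INFO key $a_key not visible here, permission check skipped"
    elif [ "$(ls -ld "$a_key" | cut -c5-10)" != "------" ]; then
        echo "WARN key $a_key is accessible to group or others"
    else
        echo "OK   key $a_key is owner-only"
    fi
}

# Constructed sample: the TLS lines from the main.cf written in this tutorial.
SAMPLE_CF='smtpd_tls_key_file = /etc/pki/tls/private/private.key
smtpd_tls_security_level = may
smtp_tls_security_level = may'
printf '%s\n' "$SAMPLE_CF" | audit_tls
```

On the configured host, source these functions and run postconf -n | audit_tls as root to audit the live settings. To confirm that the listener offers STARTTLS and presents the certificate, run openssl s_client -starttls smtp -connect localhost:25.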
Send Test Emails
Install the mailx email client:
sudo dnf install -y mailx
Send a test email to your own external email address. Update the hostname in the mailx command to match the instance from which you are sending email:
hostname=$(hostname -f)
echo "External email" | mailx -r root@$hostname -s "Test email subject" admin@example.com
Note: Using mailx to send test emails from a single host is sufficient for the purpose of this lab. In a production environment, you should use the registered domain that you configured in /etc/postfix/main.cf within the sender email address instead, for example root@example.com.
Check your own email account for a new message. You may need to check your spam folder.
If the email does not appear, you can check the Postfix mail queue:
sudo mailq
You can also check the Postfix log. Press Ctrl + C to exit:
sudo tail -f /var/log/maillog