Being one of the most popular MTA's out there, Postfix is fairly easy to configure and maintain, yet it allows great flexibility. This guide will concentrate on some basic functionality which will demonstrate its use of X.509 client certificates for the authentication.

Software Requirements

For the purpose of this chapter it is assumed that a server machine has been supplied with pre-installed Debian Squeeze GNU/Linux distribution. During the (network) installation it is assumed that the standard task has been selected. It is also recommended to install the SSH server task for ease of administration.

The Postfix package can be installed with:

? root
$ apt-get install postfix

During the installation make sure you've selected the Internet site configuration. If you've set-up the hostname and domain on the machine properly, the default answers for this configuration should suffice.

Since by default Debian Squeeze comes with the Exim MTA installed, you might want to remove it completely with:

? root
$ apt-get --purge remove 'exim4*'

Issuing the Certificate

For the server side it's necessary to issue the following certificate:

End Entity Profile: Server
E-mail address:
CN, Common name: Example SMTP Server
O, Organization: Example Inc.
C, Country (ISO 3166): RS
DNS Name:
Certificate Profile: Example Server
CA: Example Server CA
Token: PEM file

Create the directory which will hold the certificates and keys on the destination server:

? root
$ mkdir /etc/postfix/tls/

The private key should be placed into the following location:

# /etc/postfix/tls/

Prepare the accompanying certificate file so that you have the server's certificate followed by the Example Server CA and Example Root CA certificates one after the another in the same file. Place the resulting file into location:

# /etc/postfix/tls/

Now set-up the file permissions:

? root
chown -R root.root /etc/postfix/tls/
chmod 755 /etc/postfix/tls/
chmod 644 /etc/postfix/tls/
chmod 640 /etc/postfix/tls/

Configuring the Server

Obtain the Example Root CA and Example Person CA certificates in PEM format, and place them both into a single file:

# /etc/postfix/tls/trust_chain.crt

Set-up the file permissions:

? root
$ chown root.root /etc/postfix/tls/trust_chain.crt
$ chmod 644 /etc/postfix/tls/trust_chain.crt

Set-up the server key/certificate configuration:

? root
$ postconf -e smtpd_tls_cert_file=/etc/postfix/tls/
$ postconf -e smtpd_tls_key_file=/etc/postfix/tls/

Now enable requiring the client certificate, specify the trust anchor, and tell Postfix to allow relay for the client if it presents a valid certificate:

? root
$ postconf -e smtpd_tls_ask_ccert=yes
$ postconf -e smtpd_tls_CAfile=/etc/postfix/tls/trust_chain.crt
$ postconf -e smtpd_recipient_restrictions=permit_mynetworks,permit_tls_all_clientcerts,reject_unauth_destination

Testing the Connection