Being one of the most popular MTA's out there, Postfix is fairly easy to configure and maintain, yet it allows great flexibility. This guide will concentrate on some basic functionality which will demonstrate its use of X.509 client certificates for the authentication.
For the purpose of this chapter it is assumed that a server machine has been supplied with pre-installed Debian Squeeze GNU/Linux distribution. During the (network) installation it is assumed that the standard task has been selected. It is also recommended to install the SSH server task for ease of administration.
The Postfix package can be installed with:
? root $ apt-get install postfix
During the installation make sure you've selected the Internet site configuration. If you've set-up the hostname and domain on the machine properly, the default answers for this configuration should suffice.
Since by default Debian Squeeze comes with the Exim MTA installed, you might want to remove it completely with:
? root $ apt-get --purge remove 'exim4*'
For the server side it's necessary to issue the following certificate:
End Entity Profile: Server E-mail address: firstname.lastname@example.org CN, Common name: Example SMTP Server O, Organization: Example Inc. C, Country (ISO 3166): RS DNS Name: mail.example.com Certificate Profile: Example Server CA: Example Server CA Token: PEM file
Create the directory which will hold the certificates and keys on the destination server:
? root $ mkdir /etc/postfix/tls/
The private key should be placed into the following location:
Prepare the accompanying certificate file so that you have the server's certificate followed by the Example Server CA and Example Root CA certificates one after the another in the same file. Place the resulting file into location:
Now set-up the file permissions:
? root ----BEGIN----$ chown -R root.root /etc/postfix/tls/ chmod 755 /etc/postfix/tls/ chmod 644 /etc/postfix/tls/mail.example.com.crt chmod 640 /etc/postfix/tls/mail.example.com.key -----END-----$
Obtain the Example Root CA and Example Person CA certificates in PEM format, and place them both into a single file:
Set-up the file permissions:
? root $ chown root.root /etc/postfix/tls/trust_chain.crt $ chmod 644 /etc/postfix/tls/trust_chain.crt
Set-up the server key/certificate configuration:
? root $ postconf -e smtpd_tls_cert_file=/etc/postfix/tls/mail.example.com.crt $ postconf -e smtpd_tls_key_file=/etc/postfix/tls/mail.example.com.key
Now enable requiring the client certificate, specify the trust anchor, and tell Postfix to allow relay for the client if it presents a valid certificate:
? root $ postconf -e smtpd_tls_ask_ccert=yes $ postconf -e smtpd_tls_CAfile=/etc/postfix/tls/trust_chain.crt $ postconf -e smtpd_recipient_restrictions=permit_mynetworks,permit_tls_all_clientcerts,reject_unauth_destination