Install and Configure Postfix as Send-Only with enforced TLS Encryption on Ubuntu 18.04 LTS


Posted on Feb. 5, 2019, by Sebastian Stemmer



In this article you will learn how to configure Postfix as a send-only mail server that enforces TLS encryption for outgoing mail. This setup is especially interesting for implementing GDPR-compliant contact forms. The following instructions were implemented and tested on Ubuntu 18.04 LTS with Postfix 3.3.0.

What is Postfix?

Postfix is a free and open-source mail transfer agent (MTA). According to Wikipedia, approximately 34% of the publicly reachable mail servers on the Internet ran Postfix in December 2017. Postfix can send and receive emails via the Simple Mail Transfer Protocol (SMTP). In this tutorial we focus solely on a send-only configuration; a typical use case is the contact form of a web page.

Installation and Configuration File

The installation is very simple. As usual on Ubuntu, the package list is updated first

sudo apt-get update

Afterwards, Postfix is installed by the command

sudo apt-get install postfix

Select the default value "Internet site" and the suggested default value for "System mail name".

Postfix's configuration lives in the file /etc/postfix/main.cf, which has a key-value structure. There are two ways to add or change an entry: open the file with an editor of your choice like vim or nano and add the line manually, or use the command postconf, which edits main.cf for you:

sudo postconf key=value

The keys in main.cf follow a naming scheme: the prefix smtp (as in smtp_tls_CAfile) configures the Postfix SMTP client, i.e. sending mail, while the prefix smtpd (as in smtpd_use_tls) configures the SMTP server, i.e. receiving mail. Since we only send, the TLS parameters in this tutorial all carry the smtp prefix (plus a few global ones such as inet_interfaces and tls_ssl_options). After changing the configuration we have to tell Postfix to reload main.cf with

sudo service postfix reload

or even restart Postfix with

sudo service postfix restart

Basic Configuration for Send-Only

First, we restrict the network interfaces Postfix listens on. In the send-only configuration, Postfix should accept mail only from the loopback interfaces, i.e. from the IP addresses 127.0.0.1 (IPv4) and [::1] (IPv6), so that no other host can hand it mail to relay.

Therefore, we set

sudo postconf inet_interfaces=loopback-only

and then

sudo service postfix restart

We can check whether the change took effect with the command

ss -pant | grep ":25"

which should list only the loopback addresses (and nothing bound to 0.0.0.0 or [::]):

LISTEN  0        100                127.0.0.1:25                0.0.0.0:*       
LISTEN  0        100                    [::1]:25                   [::]:*   

For testing the basic configuration we install the following tool for sending emails via the console

sudo apt-get install bsd-mailx

With this tool and the command mail we can now send a test email to an email address of our choice, here example@somedomain.com:

echo "Body of test mail." | mail -s "Subject of test mail" example@somedomain.com

You should be able to receive this email at your email account (take a look at the spam folder!).

Enforce TLS Encryption

In this guide we want Postfix to deliver an email only when it is certain that the message is transported encrypted. This transport layer security (TLS) is necessary because we do not want criminals, the state, or anybody else to eavesdrop on our email traffic. In addition, enforced encryption of emails sent by a contact form on a web page helps to comply with the GDPR: personal data submitted through such a form must be protected as well as possible.

TLS encryption is enforced by the configuration parameter

sudo postconf smtp_tls_security_level=encrypt

Furthermore, we restrict Postfix to OpenSSL's high-grade cipher suites. This parameter applies whenever TLS is mandatory, which is the case at security level encrypt and above:

sudo postconf smtp_tls_mandatory_ciphers=high

We disable TLS compression so as not to be exposed to attacks such as CRIME:

sudo postconf tls_ssl_options=NO_COMPRESSION

Logging of TLS specific information is activated by

sudo postconf smtp_tls_loglevel=1

Finally, we reload the configuration file with the reload command, as before

sudo service postfix reload

As previously described, let's send another test email. It is important to use a mailbox provider that supports current TLS protocol versions with high-grade ciphers. Otherwise the email cannot be delivered: with the enforced level, Postfix does not fall back to plaintext but defers the message, which then sits in the queue (see the output of mailq). Google's Gmail is such a provider. Looking at the mail log file /var/log/mail.log with an editor of our choice, we should see something like

Untrusted TLS connection established...

and

TLSv1.2 with cipher ECDHE-RSA-CHACHA20-POLY1305 (256/256 bits)

Finally, we let Postfix verify the certificate of the receiving server against the system's CA bundle, which turns the "Untrusted" log entry into a "Trusted" one. Executing the command

sudo update-ca-certificates

updates the concatenated single-file bundle of trusted CA certificates /etc/ssl/certs/ca-certificates.crt (the file normally exists already; the command makes sure it is current).

We point Postfix to this bundle in main.cf:

sudo postconf smtp_tls_CAfile=/etc/ssl/certs/ca-certificates.crt

Afterwards, we have to reload the configuration file.

sudo service postfix reload

Then, we send a test email and look into the mail log file. Now you should see something like

Trusted TLS connection established...

and

TLSv1.2 with cipher ECDHE-RSA-CHACHA20-POLY1305 (256/256 bits)

One caveat: at security level encrypt the certificate check only influences what is logged. If the remote certificate does not verify, Postfix logs an untrusted connection and delivers the mail anyway, so an active attacker who intercepts the connection with his own certificate is not stopped; only passive eavesdropping is. Verification is enforced only at the levels verify, secure and dane, which are usually applied per destination through smtp_tls_policy_maps, because not every mailbox provider presents a certificate that matches its MX host name.
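As an added example, not part of the original post, here is a small POSIX shell script that audits a main.cf listing for the settings applied in the previous sections and summarises the TLS lines the Postfix SMTP client writes to the mail log. The main.cf excerpt and the log lines are constructed for the example (host names and addresses are documentation values, not real ones); on a real host you would feed it the output of postconf -n and /var/log/mail.log instead.

```shell
#!/bin/sh
# Added example (not from the original post): audit a main.cf against the
# send-only / enforced-TLS settings applied with postconf above, and count
# what the Postfix SMTP client logged about TLS. Runs offline on constructed
# input; on a real host use `postconf -n > cf.txt` and /var/log/mail.log.

# Settings this tutorial applies (key=value, values contain no spaces).
REQUIRED="inet_interfaces=loopback-only \
smtp_tls_security_level=encrypt \
smtp_tls_mandatory_ciphers=high \
tls_ssl_options=NO_COMPRESSION \
smtp_tls_loglevel=1 \
smtp_tls_CAfile=/etc/ssl/certs/ca-certificates.crt"

# audit_maincf FILE: print each required key that is unset or has another
# value; return 1 if anything is off, 0 if the file is complete.
audit_maincf() {
    rc=0
    for pair in $REQUIRED; do
        key=${pair%%=*}
        want=${pair#*=}
        # in main.cf the last assignment wins, hence tail -n 1
        have=$(sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*//p" "$1" \
               | sed 's/[[:space:]]*$//' | tail -n 1)
        if [ "$have" != "$want" ]; then
            echo "$key: want '$want', have '${have:-<unset>}'"
            rc=1
        fi
    done
    return $rc
}

# count_tls FILE KIND: smtp client lines reporting a KIND TLS connection,
# KIND being Trusted, Untrusted or Anonymous. The leading ": " keeps
# "Trusted" from also matching "Untrusted". grep -c exits 1 on zero
# matches, so "|| true" keeps the printed "0" usable under set -e.
count_tls() {
    grep -c ": $2 TLS connection established" "$1" || true
}

# count_tls_deferred FILE: deliveries deferred because the remote host did
# not offer TLS. With smtp_tls_security_level=encrypt such mail stays in
# the queue instead of being sent in plaintext.
count_tls_deferred() {
    grep -c "status=deferred (TLS is required" "$1" || true
}

# ---- constructed sample input (not taken from a real host) ----
SAMPLE_CF=$(mktemp)
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_CF" "$SAMPLE_LOG"' EXIT

# postconf -n style listing in which the cipher grade was forgotten
cat > "$SAMPLE_CF" <<'EOF'
inet_interfaces = loopback-only
myorigin = /etc/mailname
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_loglevel = 1
smtp_tls_security_level = encrypt
tls_ssl_options = NO_COMPRESSION
EOF

# one trusted delivery, one untrusted (unverifiable certificate) connection,
# and one destination without STARTTLS that therefore got deferred
cat > "$SAMPLE_LOG" <<'EOF'
Feb  5 10:00:01 web postfix/smtp[2201]: Trusted TLS connection established to mx.example.com[2001:db8::25]:25: TLSv1.2 with cipher ECDHE-RSA-CHACHA20-POLY1305 (256/256 bits)
Feb  5 10:00:02 web postfix/smtp[2201]: 1A2B3C4D5E: to=<example@example.com>, relay=mx.example.com[2001:db8::25]:25, delay=0.9, delays=0.01/0.01/0.6/0.3, dsn=2.0.0, status=sent (250 2.0.0 OK)
Feb  5 10:05:12 web postfix/smtp[2240]: Untrusted TLS connection established to mx.example.net[192.0.2.10]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Feb  5 10:07:30 web postfix/smtp[2255]: 5F6A7B8C9D: to=<someone@example.org>, relay=mx.example.org[198.51.100.7]:25, delay=0.4, delays=0.01/0.01/0.4/0, dsn=4.7.4, status=deferred (TLS is required, but was not offered by host mx.example.org[198.51.100.7])
EOF

audit_maincf "$SAMPLE_CF" || echo "main.cf is incomplete"
echo "trusted=$(count_tls "$SAMPLE_LOG" Trusted)" \
     "untrusted=$(count_tls "$SAMPLE_LOG" Untrusted)" \
     "deferred=$(count_tls_deferred "$SAMPLE_LOG")"
```

The audit deliberately fails on the sample because smtp_tls_mandatory_ciphers is missing. After switching to the encrypt level, the deferred counter is the one to keep an eye on: every destination that does not offer STARTTLS now stays in the queue rather than being delivered in plaintext, and the untrusted counter tells you how many of the encrypted sessions went to a server whose certificate the CA bundle could not verify.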

Avoiding the Spam Folder

Most of the time, the receiving mailbox provider will put your emails straight into the spam folder. Several measures help to prevent this. It is assumed that you have already registered a domain name, for example example-webpage.com, with an A record and an AAAA record pointing to the IPv4 and IPv6 address of the machine on which Postfix is running.

1) Configure a domain name in Postfix for outgoing emails

There is an entry myorigin in the main.cf file by default

myorigin = /etc/mailname

So, open this file and enter the name of your registered domain there, in our example example-webpage.com.

2) Add reverse DNS lookup (rDNS) to your machine

You should add a rDNS entry to the machine on which Postfix is running for both IPv4 and IPv6. This step depends on your server.

3) Add SPF record to your registered domain name

Look for specific tutorials for your domain name provider. For the setup assumed above (A and AAAA records of example-webpage.com pointing at the Postfix host), a minimal record is the TXT entry v=spf1 a -all, which authorises only that host to send mail for the domain and marks everything else as a fail.

Conclusion

Congratulations, you have configured Postfix to send emails with enforced TLS encryption! Feel free to check out the final main.cf file on GitHub.

Any questions, problems or suggestions for improvement?

Write me an email or use the contact form!
