Wednesday, March 14, 2007

Add encryption to SMTP and POP (TLS/SSL)

In previous posts we configured a fully functional SMTP and POP servers for a single domain with local system users and with roaming capabilities using SASL authentication.

In this post we further improve our setup to allow encrypted communications in SMTP and POP. This way we add a security layer to protect users from mishap from third persons and protect sensitive information.

Creating the SSL certificate for SMTP

The recommended way to do this is to create a certificate request and get it signed by a Certificate Authority but for demonstration purposes I will create a self signed certificate.

For postfix we must create a cert/key pair using the openssl command. In your home directory or a temporary directory you can create the SSL cert/key pair like this:

openssl req -new -outform PEM -out smtpd.cert -newkey rsa:2048 \
-nodes -keyout smtpd.key -keyform PEM -days 1095 -x509

You will be asked a set of questions that you can fill any way you feel like. This is only to create an identity that must be unique among certificates. Note that the above is a one line command split in two due to space constraints.

Next we create some directories to store the SSL certificates. I like to store them inside the postfix configuration directory.

sudo mkdir /etc/postfix/ssl
sudo mkdir /etc/postfix/ssl/cert
sudo mkdir /etc/postfix/ssl/private

sudo chmod 755 /etc/postfix/ssl/cert
sudo chmod 710 /etc/postfix/ssl/private

Then we move the certificate pair to the newly created directories:

sudo mv smtpd.cert /etc/postfix/ssl/cert
sudo mv smtpd.key /etc/postfix/ssl/private

Enabling TLS in Postfix

Simply edit the /etc/postfix/ file and add the following:

# TLS parameters

smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
smtpd_tls_auth_only = no


The "smtpd_tls_auth_only" option can be used for added security. It forces the communication the be encrypted before any credentials (user and passwords) are transmitted. Unfortunately some client's may fail to authenticate with this setting so it defaults to "no".

Finally restart postfix:

sudo /etc/init.d/postfix restart

Enable POP over SSL

If you followed my previous post then you already have installed the required courier-pop-ssl package. If not simply install it with this command:

sudo aptitude install courier-pop-ssl

Generating the SSL certificate for POP

By default Kubuntu uses an auto generated SSL certificate (pop3d.pem) that you can find inside the "/etc/courier" directory. The pop3d.pem file is actually a cert/key pair combined into a single file. For our POP server we will use the same cert/key pair we created for the SMTP server to generate our pop3d.pem file.

In your home or a temporary directory:

sudo cat /etc/postfix/ssl/cert/smtpd.cert > pop3d.pem
sudo openssl gendh >> pop3d.pem
sudo cat /etc/postfix/ssl/private/smtpd.key >> pop3d.pem
sudo chmod 600 pop3d.pem

Now backup the auto generated certificate and replace it with the new one:

sudo cp /etc/courier/pop3d.pem /etc/courier/pop3d.pem.orig
sudo rm /etc/courier/pop3d.pem
sudo cp pop3d.pem /etc/courier

You can put the generated pop3d.pem file anywhere you want as long as you change the path in the courier configuration file (i.e. /etc/courier/pop3d-ssl). For security reasons it may be better to keep it in the default place.

Finally restart the service but this time the SSL one.

sudo /etc/init.d/courier-pop-ssl restart

To force your users to use always SSL simply disable the normal POP server and leave only the one with SSL.

sudo /etc/init.d/courier-pop stop
sudo /etc/init.d/courier-pop-ssl restart

Also to stop courier-pop from starting at boot time we must remove the start up script from the rcX.d directories with the following command:

sudo update-rc.d -f courier-pop remove

This way when the server reboots only the SSL enable POP service will be started. If for some reason you require to start the normal POP service at boot time again you can do it with the command:

sudo update-rc.d courier-pop defaults


Do not forget to modify the "/etc/courier/pop3d-ssl" configuration file in Kubuntu Feisty to use ".maildir" instead of the "Maildir" for storage of mails. As with normal POP simply edit the file and replace the value of the MAILDIRPATH variable.

In the case of Ubuntu Server Edition all these services (POP, POP-SSL, IMAP, IMAP-SSL) use the configuration inside "/etc/default/courier" to determine the maildir's directory. Simply make sure you modify the file and replace the MAILDIR value with ".maildir"


In previous posts we were able to test our configurations by connecting via telnet to the corresponding ports. Now that we have enabled encryption we cannot test with simple text commands via telnet.

It is still possible to test the SMTP and POP services over encrypted connections in a console using the openssl utility but I will explain how to do this in a future post.


  1. Anonymous4:32 AM

    Great tutorial -- thank you!

    One question: how to you configure Postfix to do POP over TLS rather than SSL?

  2. Correct me if I am wrong but I believe that SSL and TLS are the same thing: