1

I'm setting up Postfix right now and it should run as a send-only solution - no emails will be received. But still, TLS should be supported for outgoing emails, so I enabled it using smtp_tls_security_level = may. Postfix has the smtpd_tls_cert_file and smtpd_tls_key_file and as far as I know, they concern incoming emails only. So I was just wondering: Is necessary that I setup my own separate SSL/TLS certificate for outgoing TLS connections?

As far as I understand Postfix will try to connect to the receiving server and will be provided a public key. Then my machine's OpenSSL will encrypt the email using the receiver's public key, so no SSL/TLS certificate needed from side, am I right?

Just want to make sure, because I don't want my emails to be treated as SPAM just because I don't have a valid SSL/TLS certificate.

manifestor
  • 6,079
  • 7
  • 27
  • 39

1 Answers1

2

You may need to have a certificate for different purpose. Your internal clients when connecting over TLS will can check this certificate when submitting email to postfix (if the client is configured to require certificate).

According to Postfix documentation:

Do not configure Postfix SMTP client certificates unless you must present client TLS certificates to one or more servers. Client certificates are not usually needed, and can cause problems in configurations that work well without them.

This means you can leave these cert lines empty (default). In case your client really requires to check certificate validity you better use

smtp_tls_chain_files =

to provide such certificates. This is a recommended option for Postfix version ≥ 3.4.

When postfix sends an email to an external SMTP server the negotiation between these servers doesn't depend on the mentioned certificate because postfix will check the public cert of external server only.

Hardoman
  • 255
  • 1
  • 7