Turritopsis Dohrnii Teo En Ming:
> Subject: I have successfully configured SSL/TLS for Postfix SMTP
> outgoing mail server for a customer in Singapore on 25 Aug 2021 Wed

Two minor corrections, because port 465 uses TLS wrapper mode instead
of STARTTLS.

> Good day from Singapore,
>
> I have successfully configured SSL/TLS for Postfix SMTP outgoing mail
> server for a customer in Singapore on 25 Aug 2021 Wed. It took me 7-8
> hours to solve this problem. I think my boss can probably solve this
> problem in 10 minutes.
>
> I have prepared this extremely short and concise guide to remind
> myself and everyone how to configure SSL/TLS for Postfix SMTP outgoing
> Linux mail server.
>
> Author: Mr. Turritopsis Dohrnii Teo En Ming (TARGETED INDIVIDUAL)
> Country: Singapore
> Date: 25 August 2021 Wed Singapore Time
>
> Type of Publication: Plain Text
>
> Document version: 20210825.01
>
> ===BEGINNING OF GUIDE===
>
> Add the following lines to /etc/postfix/main.cf:
>
> smtpd_tls_cert_file = /etc/postfix/teo-en-ming-corp.crt
> smtpd_tls_key_file = /etc/postfix/teo-en-ming-corp.key
> smtp_tls_security_level = may
> smtpd_tls_security_level = may
> smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
> smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_scache
>
> Add the following lines to /etc/postfix/master.cf:
>
> submission inet n - n - - smtpd
> smtps inet n - n - - smtpd

The second line needs an option "-o smtpd_tls_wrappermode=yes",
like this:

    smtps inet n - n - - smtpd -o smtpd_tls_wrappermode=yes

because unlike the "smtp" and "submission" services, the "smtps"
service does not use STARTTLS, instead it uses TLS wrapper mode.

> Restart Postfix for changes to take effect.
>
> # service postfix restart
>
> Submission port is 587. SMTPS port is 465. Normal SMTP port is 25.
>
> Add the following firewall rules to /etc/sysconfig/iptables. This is
> to open ports for services/daemons listening on TCP ports 25, 465, and
> 587.
>
> -A INPUT ! -i lo -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
> -A OUTPUT ! -o lo -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
>
> -A INPUT ! -i lo -p tcp -m state --state NEW -m tcp --dport 465 -j ACCEPT
> -A OUTPUT ! -o lo -p tcp -m state --state NEW -m tcp --dport 465 -j ACCEPT
>
> -A INPUT ! -i lo -p tcp -m state --state NEW -m tcp --dport 587 -j ACCEPT
> -A OUTPUT ! -o lo -p tcp -m state --state NEW -m tcp --dport 587 -j ACCEPT
>
> Reload firewall rules.
>
> # service iptables restart
>
> Linux troubleshooting commands:
>
> # openssl s_client -connect mail.teo-en-ming-corp.com:25 -servername mail.teo-en-ming-corp.com -starttls smtp
> # openssl s_client -connect mail.teo-en-ming-corp.com:465 -servername mail.teo-en-ming-corp.com -starttls smtp

No starttls for the port 465 service.

	Wietse

> # openssl s_client -connect mail.teo-en-ming-corp.com:587 -servername mail.teo-en-ming-corp.com -starttls smtp
>
> # openssl s_client -connect example.com:[port] -servername example.com
>
> # telnet mail.teo-en-ming-corp.com 25
> # telnet mail.teo-en-ming-corp.com 465
> # telnet mail.teo-en-ming-corp.com 587
>
> ===END OF GUIDE===
>
> You will be able to see STARTTLS in the SMTP banner for Postfix for
> TCP ports 25, 465 and 587 if you do a Telnet to your mail server.
>
> If there are corrections and/or additions to this guide, I will post back
> here.
>
> Mr. Turritopsis Dohrnii Teo En Ming, 43 years old as of 25 August
> 2021, is a TARGETED INDIVIDUAL living in Singapore. He is an IT
> Consultant with a System Integrator (SI)/computer firm in Singapore.
> He is an IT enthusiast.
>
> -----BEGIN EMAIL SIGNATURE-----
>
> The Gospel for all Targeted Individuals (TIs):
>
> [The New York Times] Microwave Weapons Are Prime Suspect in Ills of
> U.S. Embassy Workers
>
> Link:
> https://www.nytimes.com/2018/09/01/science/sonic-attack-cuba-microwave.html
>
> ********************************************************************************************
>
> Singaporean Targeted Individual Mr. Turritopsis Dohrnii Teo En Ming's
> Academic Qualifications as at 14 Feb 2019 and refugee seeking attempts
> at the United Nations Refugee Agency Bangkok (21 Mar 2017), in Taiwan
> (5 Aug 2019) and Australia (25 Dec 2019 to 9 Jan 2020):
>
> [1] https://tdtemcerts.wordpress.com/
>
> [2] https://tdtemcerts.blogspot.sg/
>
> [3] https://www.scribd.com/user/270125049/Teo-En-Ming
>
> -----END EMAIL SIGNATURE-----
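
The two corrections in the reply above, turned into a check. This is an added example, not code from the thread or from Postfix: it parses master.cf text (including continuation lines), flags an implicit-TLS service that lacks "-o smtpd_tls_wrappermode=yes", and builds the matching openssl s_client arguments per port. The function names, WRAPPER_PORTS and the sample text are assumptions made for illustration; it also assumes main.cf leaves smtpd_tls_wrappermode at its default of "no" and that options use the "-o name=value" form.

```python
# Added example, not from the thread. Assumes main.cf keeps smtpd_tls_wrappermode=no.
WRAPPER_PORTS = {"smtps", "submissions", "465"}  # implicit-TLS service names
# Constructed samples: the guide's master.cf entries, then the corrected form.
SAMPLE_BEFORE = "submission inet n - n - - smtpd\nsmtps inet n - n - - smtpd\n"
SAMPLE_AFTER = ("submission inet n - n - - smtpd\n"
                "smtps inet n - n - - smtpd\n"
                "  -o smtpd_tls_wrappermode=yes\n")

def logical_lines(text):
    """Join master.cf continuation lines (leading whitespace); skip comments."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return out

def parse_services(text):
    """Return {service_name: {option: value}} for each inet entry."""
    services = {}
    for line in logical_lines(text):
        fields = line.split()
        if len(fields) < 8 or fields[1] != "inet":
            continue
        args, opts = fields[8:], {}  # fields[7] is the command, e.g. smtpd
        for i, tok in enumerate(args[:-1]):
            if tok == "-o" and "=" in args[i + 1]:
                key, _, val = args[i + 1].partition("=")
                opts[key] = val
        services[fields[0]] = opts
    return services

def check_tls_modes(text):
    """List implicit-TLS services that are not in TLS wrapper mode."""
    findings = []
    for name, opts in parse_services(text).items():
        port = name.rsplit(":", 1)[-1]  # also accepts host:port service names
        if port in WRAPPER_PORTS and opts.get("smtpd_tls_wrappermode") != "yes":
            findings.append(f"{name}: missing -o smtpd_tls_wrappermode=yes")
    return findings

def s_client_args(host, port):
    """openssl s_client arguments matching the TLS mode of the port."""
    args = ["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", host]
    return args if str(port) in WRAPPER_PORTS else args + ["-starttls", "smtp"]
```
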