By default, Postfix comes with basic TLS configuration using self-signed "snakeoil" certificates. These auto-generated files (/etc/ssl/certs/ssl-cert-snakeoil.pem and /etc/ssl/private/ssl-cert-snakeoil.key) are placeholders for testing purposes. While smtpd_use_tls=yes enables TLS, production systems should use properly signed certificates.
Modern Postfix implementations use TLS (Transport Layer Security) rather than the obsolete SSL protocol. The configuration parameters still contain "SSL" in their names for historical reasons, but they actually configure TLS. For newsletter delivery, TLS 1.2 or higher is recommended for best deliverability.
You can absolutely use the same certificates for both Postfix and Nginx. This approach simplifies certificate management. Here's how to configure Postfix to use your existing web certificates:
# Main configuration in main.cf
smtpd_tls_cert_file = /etc/letsencrypt/live/yourdomain.com/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/yourdomain.com/privkey.pem
smtpd_tls_security_level = may
smtp_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
Postfix typically runs under the postfix user, so you need to ensure proper permissions:
chmod 755 /etc/letsencrypt/{live,archive}
chmod 640 /etc/letsencrypt/live/yourdomain.com/privkey.pem
chgrp postfix /etc/letsencrypt/live/yourdomain.com/privkey.pem
For optimal security and deliverability, consider these additional parameters:
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_ciphers = high
smtpd_tls_mandatory_ciphers = high
smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK
After making changes, test with:
postfix reload
openssl s_client -connect localhost:25 -starttls smtp -servername yourdomain.com
The output should show your certificate details and established TLS connection.
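The s_client check above is interactive and its transcript is easy to misread. As an added example that is not part of the answer, the following POSIX shell script runs the same probe non-interactively, reduces the transcript to the negotiated protocol, cipher and verification result, and fails unless TLS 1.2 or 1.3 was negotiated and the certificate chain verified (a snakeoil certificate yields verify code 18 and fails it). The host, port and SNI-name arguments and the sample transcript at the end are assumptions and constructed data, not output captured from a real server.

```shell
#!/bin/sh
# Added example, not from the original answer: non-interactive STARTTLS probe.
# summarize_handshake reduces an `openssl s_client -starttls smtp` transcript to
# "protocol cipher verify_code"; probe_starttls runs the probe against a host
# (assumed arguments: host, port, SNI name) and applies the policy below.

# Read an s_client transcript on stdin; print one summary line.
# Matches the SSL-Session block printed by both OpenSSL 1.1 and 3.x.
summarize_handshake() {
    awk '
        /^ *Protocol *:/         { proto  = $NF }
        /^ *Cipher *:/           { cipher = $NF }
        /^ *Verify return code:/ { verify = $4 }
        END {
            if (proto == "") { print "no-tls none -1" } else { print proto, cipher, verify }
        }'
}

# Policy: only TLS 1.2 and 1.3 are acceptable (matches the !TLSv1, !TLSv1.1 settings).
protocol_ok() {
    case "$1" in
        TLSv1.2|TLSv1.3) return 0 ;;
        *)               return 1 ;;
    esac
}

# Probe a live server. Returns 0 only if the protocol passes policy AND the chain
# verified (code 0); a self-signed snakeoil certificate yields code 18 and fails.
# Usage: probe_starttls mail.yourdomain.com 25 yourdomain.com
probe_starttls() {
    host=$1; port=${2:-25}; name=${3:-$1}
    summary=$(openssl s_client -connect "$host:$port" -starttls smtp \
                  -servername "$name" </dev/null 2>&1 | summarize_handshake)
    set -- $summary
    printf 'protocol=%s cipher=%s verify=%s\n' "$1" "$2" "$3"
    protocol_ok "$1" && [ "$3" = "0" ]
}

# Constructed sample transcript (not captured from a real server) so the parser
# can be exercised offline without a running Postfix:
SAMPLE='SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Verify return code: 0 (ok)'
printf '%s\n' "$SAMPLE" | summarize_handshake
```

Run `probe_starttls` from a cron job or monitoring check and alert on a non-zero exit; a verify code other than 0 after switching to the Let's Encrypt files usually means Postfix was not reloaded or smtpd_tls_cert_file still points at the snakeoil certificate.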
When setting up a Postfix mail server for newsletter delivery, enabling transport layer security is crucial for both security and deliverability. Modern mail providers (Gmail, Outlook, etc.) prioritize encrypted connections, and some may even penalize or reject unencrypted SMTP traffic.
Your existing configuration shows the basic TLS setup using self-signed certificates:
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
These "snakeoil" certificates are auto-generated Debian/Ubuntu placeholder files. While they enable TLS, they're not ideal for production because:
- They're self-signed (not trusted by default)
- They don't match your domain
- They may trigger security warnings
Yes, you can absolutely reuse your web server's certificate (from Let's Encrypt, Comodo, etc.) for Postfix. This is a common practice that simplifies certificate management.
Assuming your certificate files are in /etc/letsencrypt/live/yourdomain.com/, modify your Postfix config:
smtpd_tls_cert_file=/etc/letsencrypt/live/yourdomain.com/fullchain.pem
smtpd_tls_key_file=/etc/letsencrypt/live/yourdomain.com/privkey.pem
# Opportunistic TLS for inbound
smtpd_tls_security_level = may
# Force TLS for outbound mail
smtp_tls_security_level = encrypt
# Protocol and cipher restrictions
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_mandatory_ciphers = high
smtpd_tls_exclude_ciphers = aNULL, MD5, RC4
When using Let's Encrypt certificates, set up a post-renewal hook to reload Postfix:
#!/bin/bash
systemctl reload postfix
Save this as /etc/letsencrypt/renewal-hooks/post/postfix-reload.sh and make it executable.
Test your setup with:
openssl s_client -connect yourserver.com:25 -starttls smtp
Look for the certificate details and verify the protocol version is TLS 1.2 or higher.
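The one-line hook above reloads Postfix whether or not the renewed key and certificate actually belong together. As an added example that is not part of the answer, here is a more defensive hook written for certbot's deploy directory (/etc/letsencrypt/renewal-hooks/deploy/), which certbot runs only when a certificate was really renewed and which receives the live directory in the RENEWED_LINEAGE environment variable. It refuses to reload if the private key does not match the leaf certificate or the certificate is about to expire, and runs `postfix check` before reloading. The fullchain.pem/privkey.pem names follow the configuration shown above; the lineage path argument and the 24-hour expiry margin are assumptions.

```shell
#!/bin/sh
# Added example, not the original answer's hook: a certbot deploy hook for Postfix.
# Install as /etc/letsencrypt/renewal-hooks/deploy/postfix-reload.sh (executable).
# certbot sets RENEWED_LINEAGE to /etc/letsencrypt/live/<name>; a path may also be
# passed as the first argument for manual runs (assumed convention).
set -u

# Return 0 when the first certificate in $1 (the leaf in fullchain.pem) carries the
# public key of private key $2, 1 otherwise. Compared as SHA-256 digests of the
# DER-encoded SubjectPublicKeyInfo, so it works for RSA and ECDSA keys alike.
key_matches_cert() {
    cert=$1; key=$2
    cert_fp=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null \
              | openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256)
    key_fp=$(openssl pkey -in "$key" -pubout -outform DER 2>/dev/null | openssl dgst -sha256)
    [ -n "$cert_fp" ] && [ "$cert_fp" = "$key_fp" ]
}

# Return 0 when the first certificate in $1 is still valid for at least $2 seconds
# (default 24h). A just-deployed chain that is about to expire means the renewal
# did not produce what we expected.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "${2:-86400}" >/dev/null 2>&1
}

# Validate the renewed lineage, then reload Postfix. Any failure returns non-zero
# so certbot logs the hook failure instead of Postfix silently keeping old files.
deploy_to_postfix() {
    lineage=$1
    chain="$lineage/fullchain.pem"
    key="$lineage/privkey.pem"
    key_matches_cert "$chain" "$key" \
        || { echo "privkey.pem does not match fullchain.pem in $lineage" >&2; return 1; }
    cert_valid_for "$chain" \
        || { echo "certificate in $chain expires within 24h, not deploying" >&2; return 1; }
    # postfix check validates main.cf/master.cf and directory permissions first.
    postfix check && systemctl reload postfix
}

# Only act when invoked by certbot (RENEWED_LINEAGE) or with an explicit path.
if [ -n "${RENEWED_LINEAGE:-${1:-}}" ]; then
    deploy_to_postfix "${RENEWED_LINEAGE:-$1}"
fi
```

Because the hook exits non-zero on a mismatch, a broken renewal shows up in `certbot renew` output and the journal rather than as a TLS handshake failure reported by a remote MTA days later.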