Enable TLS encryption for outgoing Postfix mail (for example, mail delivered to Gmail).
~~~ Enable mail encryption in postfix outgoing mails for gmail~~~~~
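#### Work in a scratch directory under /root (this guide assumes you are root).
#### The directory is created under /root, so change into that path (not /temp).
mkdir -p /root/temp && cd /root/temp
#### Generate a passphrase-protected RSA private key for the mail server.
#### The passphrase is stripped again below; it only protects the key while the
#### request and certificate are being produced.
openssl genrsa -des3 -out mail.domain.tld.key 2048
#### Create the certificate signing request. The Common Name you enter here must
#### match the value of myhostname in /etc/postfix/main.cf.
openssl req -new -key mail.domain.tld.key -out mail.domain.tld.csr
#### Create a self-signed certificate (valid one year) from the request. -signkey
#### signs with the server key itself, so this certificate is NOT issued by the
#### CA created further down. You will be asked for the key passphrase.
openssl x509 -req -days 365 -in mail.domain.tld.csr -signkey mail.domain.tld.key -out mail.domain.tld.crt
#### Write a copy of the private key without the passphrase so postfix can load
#### it unattended at restart. Enter the passphrase once more when prompted.
#### Restrict the unencrypted copy to root immediately, before it replaces the
#### protected key.
openssl rsa -in mail.domain.tld.key -out mail.domain.tld.key.nopass
chmod 600 mail.domain.tld.key.nopass
#### Overwrite the passphrase-protected key with the unencrypted copy.
mv mail.domain.tld.key.nopass mail.domain.tld.key
#### Create your own certificate authority (10-year self-signed CA cert + key).
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650
#### Install the files: private keys to /etc/ssl/private, public certificates to
#### /etc/ssl/certs. Keys are restricted to root before they are copied.
#### The scratch copies stay in /root/temp; remove them once the files are installed.
mkdir -p /etc/ssl/private/
mkdir -p /etc/ssl/certs/
chmod 600 mail.domain.tld.key
chmod 600 cakey.pem
cp mail.domain.tld.key /etc/ssl/private/
cp mail.domain.tld.crt /etc/ssl/certs/
cp cakey.pem /etc/ssl/private/
cp cacert.pem /etc/ssl/certs/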
####Edit /etc/postfix/main.cf so that it contains the following settings (add any that are not there already):
nano -w /etc/postfix/main.cf
smtpd_use_tls = yes
smtpd_tls_auth_only = no
smtpd_tls_key_file = /etc/ssl/private/mail.domain.tld.key
smtpd_tls_cert_file = /etc/ssl/certs/mail.domain.tld.crt
tls_random_source = dev:/dev/urandom
####myhostname - the domain name MUST match the Common Name (CN) you entered for the certificate request above.
myhostname = yourDomainName.com
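#### Save main.cf, then restart postfix so it loads the TLS settings
#### (systemctl is used throughout for consistency).
systemctl restart postfix
#### Add the CA certificate to the system trust store
#### (/usr/share/pki/ca-trust-source/anchors/) and rebuild it.
cd /etc/ssl/certs/ && cp cacert.pem /usr/share/pki/ca-trust-source/anchors/
update-ca-trust
#### cacert.pem is the public CA certificate, not a private key. Postfix only
#### needs to read it, so keep it root-owned and world-readable instead of
#### handing ownership of a trust anchor to the service account.
chown root:root /etc/ssl/certs/cacert.pem
chmod 644 /etc/ssl/certs/cacert.pem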
####Finally, configure Postfix to use TLS for outgoing mail. With smtp_tls_security_level = may this is opportunistic: mail is encrypted whenever the receiving server offers STARTTLS and is sent in plaintext otherwise.
nano -w /etc/postfix/main.cf
smtp_tls_security_level = may
smtp_tls_loglevel = 1
smtp_tls_CAfile = /etc/ssl/certs/cacert.pem
systemctl restart postfix
~~~~~~~Setup DKIM ~~~~~~
Install the EPEL repository (which provides the opendkim package), then install OpenDKIM:
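#### Install EPEL (provides opendkim) and OpenDKIM non-interactively.
yum install -y epel-release
yum install -y opendkim
#### Domain to sign for; used for the key directory and the key itself.
MYDOMAIN=example.com
mkdir -p "/etc/opendkim/keys/$MYDOMAIN"
#### Generate the signing key in the domain's key directory. -r restricts the
#### key to e-mail use; -d sets the domain. Only run genkey if the cd succeeded,
#### so the key never lands in the wrong directory.
cd "/etc/opendkim/keys/$MYDOMAIN" && opendkim-genkey -r -d "$MYDOMAIN"
#### The daemon runs as opendkim; keep the key tree out of reach of other users.
chown -R opendkim:opendkim /etc/opendkim
chmod go-rw /etc/opendkim/keys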
vim /etc/opendkim.conf
Mode sv
Socket inet:8891@localhost
Domain example.com
#KeyFile /etc/opendkim/keys/default.private ### comment this line
KeyTable /etc/opendkim/KeyTable
SigningTable refile:/etc/opendkim/SigningTable
ExternalIgnoreList refile:/etc/opendkim/TrustedHosts
InternalHosts refile:/etc/opendkim/TrustedHosts
Edit the key table file /etc/opendkim/KeyTable and add the following entry:
default._domainkey.example.com example.com:default:/etc/opendkim/keys/example.com/default.private
Edit the signing table file /etc/opendkim/SigningTable and add the following entry:
*@example.com default._domainkey.example.com
Then edit /etc/opendkim/TrustedHosts and add the following entries:
mail.example.com
example.com
Now edit the Postfix configuration file /etc/postfix/main.cf and add the following settings at the end of the file:
smtpd_milters = inet:127.0.0.1:8891
non_smtpd_milters = $smtpd_milters
milter_default_action = accept
Finally, start the OpenDKIM service:
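#### Start OpenDKIM now and enable it at boot. Because main.cf sets
#### milter_default_action = accept, Postfix still delivers mail when the milter
#### is down - it just goes out unsigned - so the service must come back on reboot.
systemctl enable --now opendkim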
opendkim-genkey also generated a file containing the DNS record to publish:
/etc/opendkim/keys/example.com/default.txt
Open that file and add its contents as the DKIM TXT record (default._domainkey.example.com) in your domain's DNS.
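#### Work in a scratch directory under /root (this guide assumes you are root).
#### The directory is created under /root, so change into that path (not /temp).
mkdir -p /root/temp && cd /root/temp
#### Generate a passphrase-protected RSA private key for the mail server.
#### The passphrase is stripped again below; it only protects the key while the
#### request and certificate are being produced.
openssl genrsa -des3 -out mail.domain.tld.key 2048
#### Create the certificate signing request. The Common Name you enter here must
#### match the value of myhostname in /etc/postfix/main.cf.
openssl req -new -key mail.domain.tld.key -out mail.domain.tld.csr
#### Create a self-signed certificate (valid one year) from the request. -signkey
#### signs with the server key itself, so this certificate is NOT issued by the
#### CA created further down. You will be asked for the key passphrase.
openssl x509 -req -days 365 -in mail.domain.tld.csr -signkey mail.domain.tld.key -out mail.domain.tld.crt
#### Write a copy of the private key without the passphrase so postfix can load
#### it unattended at restart. Enter the passphrase once more when prompted.
#### Restrict the unencrypted copy to root immediately, before it replaces the
#### protected key.
openssl rsa -in mail.domain.tld.key -out mail.domain.tld.key.nopass
chmod 600 mail.domain.tld.key.nopass
#### Overwrite the passphrase-protected key with the unencrypted copy.
mv mail.domain.tld.key.nopass mail.domain.tld.key
#### Create your own certificate authority (10-year self-signed CA cert + key).
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650
#### Install the files: private keys to /etc/ssl/private, public certificates to
#### /etc/ssl/certs. Keys are restricted to root before they are copied.
#### The scratch copies stay in /root/temp; remove them once the files are installed.
mkdir -p /etc/ssl/private/
mkdir -p /etc/ssl/certs/
chmod 600 mail.domain.tld.key
chmod 600 cakey.pem
cp mail.domain.tld.key /etc/ssl/private/
cp mail.domain.tld.crt /etc/ssl/certs/
cp cakey.pem /etc/ssl/private/
cp cacert.pem /etc/ssl/certs/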
####Edit /etc/postfix/main.cf so that it contains the following settings (add any that are not there already):
nano -w /etc/postfix/main.cf
smtpd_use_tls = yes
smtpd_tls_auth_only = no
smtpd_tls_key_file = /etc/ssl/private/mail.domain.tld.key
smtpd_tls_cert_file = /etc/ssl/certs/mail.domain.tld.crt
tls_random_source = dev:/dev/urandom
####myhostname - the domain name MUST match the Common Name (CN) you entered for the certificate request above.
myhostname = yourDomainName.com
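#### Save main.cf, then restart postfix so it loads the TLS settings
#### (systemctl is used throughout for consistency).
systemctl restart postfix
#### Add the CA certificate to the system trust store
#### (/usr/share/pki/ca-trust-source/anchors/) and rebuild it.
cd /etc/ssl/certs/ && cp cacert.pem /usr/share/pki/ca-trust-source/anchors/
update-ca-trust
#### cacert.pem is the public CA certificate, not a private key. Postfix only
#### needs to read it, so keep it root-owned and world-readable instead of
#### handing ownership of a trust anchor to the service account.
chown root:root /etc/ssl/certs/cacert.pem
chmod 644 /etc/ssl/certs/cacert.pem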
####Finally, configure Postfix to use TLS for outgoing mail. With smtp_tls_security_level = may this is opportunistic: mail is encrypted whenever the receiving server offers STARTTLS and is sent in plaintext otherwise.
nano -w /etc/postfix/main.cf
smtp_tls_security_level = may
smtp_tls_loglevel = 1
smtp_tls_CAfile = /etc/ssl/certs/cacert.pem
systemctl restart postfix
~~~~~~~Setup DKIM ~~~~~~
Install the EPEL repository (which provides the opendkim package), then install OpenDKIM:
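#### Install EPEL (provides opendkim) and OpenDKIM non-interactively.
yum install -y epel-release
yum install -y opendkim
#### Domain to sign for; used for the key directory and the key itself.
MYDOMAIN=example.com
mkdir -p "/etc/opendkim/keys/$MYDOMAIN"
#### Generate the signing key in the domain's key directory. -r restricts the
#### key to e-mail use; -d sets the domain. Only run genkey if the cd succeeded,
#### so the key never lands in the wrong directory.
cd "/etc/opendkim/keys/$MYDOMAIN" && opendkim-genkey -r -d "$MYDOMAIN"
#### The daemon runs as opendkim; keep the key tree out of reach of other users.
chown -R opendkim:opendkim /etc/opendkim
chmod go-rw /etc/opendkim/keys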
vim /etc/opendkim.conf
Mode sv
Socket inet:8891@localhost
Domain example.com
#KeyFile /etc/opendkim/keys/default.private ### comment this line
KeyTable /etc/opendkim/KeyTable
SigningTable refile:/etc/opendkim/SigningTable
ExternalIgnoreList refile:/etc/opendkim/TrustedHosts
InternalHosts refile:/etc/opendkim/TrustedHosts
Edit the key table file /etc/opendkim/KeyTable and add the following entry:
default._domainkey.example.com example.com:default:/etc/opendkim/keys/example.com/default.private
Edit the signing table file /etc/opendkim/SigningTable and add the following entry:
*@example.com default._domainkey.example.com
Then edit /etc/opendkim/TrustedHosts and add the following entries:
mail.example.com
example.com
Now edit the Postfix configuration file /etc/postfix/main.cf and add the following settings at the end of the file:
smtpd_milters = inet:127.0.0.1:8891
non_smtpd_milters = $smtpd_milters
milter_default_action = accept
Finally, start the OpenDKIM service:
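#### Start OpenDKIM now and enable it at boot. Because main.cf sets
#### milter_default_action = accept, Postfix still delivers mail when the milter
#### is down - it just goes out unsigned - so the service must come back on reboot.
systemctl enable --now opendkim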
opendkim-genkey also generated a file containing the DNS record to publish:
/etc/opendkim/keys/example.com/default.txt
Open that file and add its contents as the DKIM TXT record (default._domainkey.example.com) in your domain's DNS.