Learn to Install and Configure Postfix With STARTTLS on Oracle Linux 8

Introduction

This tutorial shows you how to install and set up the Postfix email server software on an Oracle Linux 8 system to enable you to send messages within your network with STARTTLS encryption and verification.

Postfix is a Mail Transfer Agent (MTA) server that was developed as a replacement for sendmail, which is the default MTA server on many older Linux systems. Because of its modular pipeline-based architecture, Postfix is versatile and integrates easily with many other services, such as spam and anti-virus processing, as well as with message store software, such as the Dovecot IMAP and POP server.

As a bare minimum to secure the service, you should configure Postfix to support STARTTLS to perform TLS/SSL verification and encryption over an SMTP connection. Using STARTTLS helps to protect the integrity of your communications.

This tutorial describes how to set up and configure Postfix to function primarily as a Simple Mail Transfer Protocol (SMTP) server.

Objectives

Upon completion of this Lab you will be able to:

Prerequisites

The next section describes hands-on exercises you can perform in a lab environment to install and run Postfix with STARTTLS. To access the lab, click Launch lab next to the tutorial title.

(Hands-on Lab) Connect to the Compute Instance

Note: This step is specific to the Oracle provided free lab environment.

The Desktop environment will display before the instance(s) are ready. Deployment of this environment can take two to five minutes, depending on the number of resources and provisioning steps needed.

First, to access the lab compute instance(s), connect to the Oracle Cloud Console and copy the compute instance Public IP address.

  1. Sign in to Oracle Cloud Console, and select your Compartment.

  2. Click Instances.

  3. Copy the Public IP to a temporary location (such as a text file) on your computer.

    To copy, highlight the IP address with the mouse and press Ctrl+C.

  4. Right-click the Virtual Desktop and select Open Terminal Here.

  5. Connect to the instance.

    ssh oracle@<IP_ADDRESS_OF_COMPUTE_INSTANCE>
    

    Where <IP_ADDRESS_OF_COMPUTE_INSTANCE> is the IP address copied from the Oracle Cloud Console.

  6. Accept the ECDSA key fingerprint by typing yes at the prompt.

  7. You are now connected to the compute instance for this lab.

If the connection fails with the Permission denied (publickey,gssapi-keyex,gssapi-with-mic) message, wait a bit longer for the provisioning process to complete and try making the ssh connection again.

Install Postfix

  1. Install the postfix package on your instance by using the package manager, as follows:

    sudo dnf install -y postfix
    
  2. Allow SMTP traffic through the server firewall:

    sudo firewall-cmd --zone=public --add-service=smtp --permanent
    
    sudo firewall-cmd --reload
    
  3. Remove the sendmail package, if it is present:

    sudo dnf remove -y sendmail
    
  4. Set Postfix as the default Mail Transfer Agent:

    sudo alternatives --set mta /usr/sbin/sendmail.postfix
    
  5. Enable and start the Postfix service:

    sudo systemctl enable --now postfix
    

Generate a TLS Certificate

For the purpose of this lab, generate and use a self-signed TLS certificate. In a production environment, Oracle strongly recommends using a TLS/SSL certificate that has been signed by an external Certificate Authority (CA). See https://docs.oracle.com/en/operating-systems/oracle-linux/certmanage/ for more information.

  1. Install the openssl package on your instance by using the package manager, as follows:

    sudo dnf install -y openssl
    
  2. Create an RSA private key and a self-signed X.509 test certificate:

    hostname=$(hostname -f)
    
    sudo openssl req -new -x509 -days 1 -nodes -newkey rsa:2048 -keyout private.key \
    -out public.cert -subj "/C=US/ST=Ca/L=Sunnydale/CN=$hostname"
    
  3. Copy your RSA private key to the /etc/pki/tls/private directory:

    sudo cp private.key /etc/pki/tls/private/
    
  4. Copy your self-signed X.509 test certificate to the /etc/pki/tls/certs directory:

    sudo cp public.cert /etc/pki/tls/certs/
    

Configure Postfix With STARTTLS

  1. Create a backup for the default Postfix configuration:

    sudo mv /etc/postfix/main.cf /etc/postfix/main.cf.bak
    
  2. Edit the configuration file, /etc/postfix/main.cf, to contain lines similar to the following:

    sudo tee -a /etc/postfix/main.cf > /dev/null <<EOF
    myhostname = $(hostname -f)
    myorigin = \$myhostname
    inet_interfaces = all
    inet_protocols = all
    mydestination = \$myhostname, localhost
    mynetworks = 192.168.1.0/24, 127.0.0.0/8, 10.0.0.0/24
    home_mailbox = mail/
    # Additional STARTTLS configuration settings
    tls_random_source=dev:/dev/urandom
    # SMTPD TLS configuration for incoming connections
    smtpd_use_tls = yes
    smtpd_tls_cert_file = /etc/pki/tls/certs/public.cert
    smtpd_tls_key_file = /etc/pki/tls/private/private.key
    smtpd_tls_security_level = may
    # SMTP TLS configuration for outgoing connections
    smtp_use_tls = yes
    smtp_tls_cert_file = /etc/pki/tls/certs/public.cert
    smtp_tls_key_file = /etc/pki/tls/private/private.key
    smtp_tls_security_level = may
    EOF
    

    Note: Sending emails from a single host is sufficient for the purpose of this lab. In a production environment, you should set mydomain as the registered domain name from which you intend to send email. For more information, read the Postfix manual pages.

  3. Restart the Postfix service:

    sudo systemctl restart postfix
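
One way to check the result of this procedure, as an added example that is not part of the Oracle tutorial: the script reads a main.cf, reports whether each side requires TLS or only offers it opportunistically (the "may" level used above), and checks that the private key is not accessible beyond its owner. The function names cf_get and audit_postfix_tls are hypothetical, and the demo input at the end is constructed.

```bash
#!/usr/bin/env bash
# Added example (not from the tutorial): audit the TLS lines of a Postfix
# main.cf and the mode of the private key it points to.

# Print the last value assigned to parameter $2 in file $1 (Postfix uses the
# last assignment). Continuation lines are not handled by this small parser.
cf_get() {
  awk -v key="$2" '
    /^[ \t]*#/ || !index($0, "=") { next }
    { k = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", k) }
    k == key { val = substr($0, index($0, "=") + 1)
               gsub(/^[ \t]+|[ \t]+$/, "", val) }
    END { print val }' "$1"
}

audit_postfix_tls() {
  local cf="${1:-/etc/postfix/main.cf}" rc=0 side level key mode
  for side in smtpd smtp; do
    level=$(cf_get "$cf" "${side}_tls_security_level")
    # Legacy switch used by the tutorial; equivalent to level "may".
    [ -z "$level" ] && [ "$(cf_get "$cf" "${side}_use_tls")" = yes ] && level=may
    case "$level" in
      encrypt|verify|secure|fingerprint|dane-only)
        echo "OK   $side: TLS mandatory ($level)" ;;
      may|dane)
        echo "WARN $side: opportunistic ($level), cleartext fallback possible" ;;
      *) echo "FAIL $side: TLS disabled (${level:-unset})"; rc=1 ;;
    esac
  done
  key=$(cf_get "$cf" smtpd_tls_key_file)
  if [ -z "$key" ] || [ ! -e "$key" ]; then
    echo "FAIL key: smtpd_tls_key_file not found (${key:-unset})"; rc=1
  else
    mode=$(stat -c %a "$key")   # GNU stat, octal mode such as 600
    case "$mode" in
      *00) echo "OK   key: mode $mode" ;;
      *)   echo "FAIL key: mode $mode lets group/other access the key"; rc=1 ;;
    esac
  fi
  return "$rc"
}

# Constructed demo: the tutorial's TLS levels plus a throwaway key file, mode 644.
d=$(mktemp -d); touch "$d/private.key"; chmod 644 "$d/private.key"
printf '%s\n' 'smtpd_use_tls = yes' "smtpd_tls_key_file = $d/private.key" \
  'smtp_tls_security_level = may' > "$d/main.cf"
audit_postfix_tls "$d/main.cf" || echo "audit failed: key mode is the planted fault"
rm -rf "$d"
```

On the lab instance, call audit_postfix_tls with no argument as root to audit /etc/postfix/main.cf and the key it references.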
    

Send Test Emails

  1. Install the mailx email client:

    sudo dnf install -y mailx
    
  2. Send a test email to your own external email address. Update the hostname in the mailx command to match the instance from which you are sending email:

    hostname=$(hostname -f)
    
    echo "External email" | mailx -r root@$hostname -s "Test email subject" admin@example.com
    

    Note: Using mailx to send test emails from a single host is sufficient for the purpose of this lab. In a production environment, you should use the registered domain that you configured in /etc/postfix/main.cf within the sender email address instead, for example root@example.com.

  3. Check your own email account for a new message. You may need to check your spam folder.

  4. If the email does not appear, you can check the Postfix mail queue:

    sudo mailq
    
  5. You can also check the Postfix log. Press Ctrl + C to exit:

    sudo tail -f /var/log/maillog
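
Because the configuration above sets smtp_tls_security_level = may, a delivery can succeed without encryption, and the log is where that shows. The following added example (not part of the Oracle tutorial) flags status=sent lines from the Postfix SMTP client that were not preceded by a TLS handshake from the same process to the same relay. It assumes smtp_tls_loglevel = 1 has been added to main.cf, which the tutorial's configuration does not set; the function names and the log lines are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: list outbound deliveries with no TLS handshake logged by the
# same smtp(8) process for the same relay.
# Assumption: smtp_tls_loglevel = 1 is set, so handshakes are logged at all.

cleartext_deliveries() {
  awk '
    # Only lines from the Postfix SMTP client, e.g. "postfix/smtp[2101]:"
    !match($0, /postfix\/smtp\[[0-9]+\]/) { next }
    { pid = substr($0, RSTART + 13, RLENGTH - 14) }

    # "... TLS connection established to host[ip]:25: TLSv1.3 with cipher ..."
    match($0, /TLS connection established to [^ ]+:/) {
      tls[pid, substr($0, RSTART + 30, RLENGTH - 31)] = 1
      next
    }

    # "... to=<rcpt>, relay=host[ip]:25, ..., status=sent (...)"
    /status=sent/ && match($0, /relay=[^, ]+/) {
      relay = substr($0, RSTART + 6, RLENGTH - 6)
      if (!((pid, relay) in tls) && match($0, /to=<[^>]*>/))
        print "CLEARTEXT", substr($0, RSTART, RLENGTH), "relay=" relay
    }
  ' "${1:-/var/log/maillog}"
}

# Constructed log lines (documentation addresses), not real traffic.
sample_maillog() {
  cat <<'EOF'
May  1 10:00:01 mail postfix/smtp[2101]: Untrusted TLS connection established to mx1.example.com[192.0.2.10]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
May  1 10:00:02 mail postfix/smtp[2101]: 4A1B2C3D4E: to=<admin@example.com>, relay=mx1.example.com[192.0.2.10]:25, delay=1.2, dsn=2.0.0, status=sent (250 2.0.0 OK)
May  1 10:05:07 mail postfix/smtp[2188]: 5F6A7B8C9D: to=<ops@example.net>, relay=mx.example.net[198.51.100.7]:25, delay=0.8, dsn=2.0.0, status=sent (250 2.0.0 OK)
EOF
}

# "-" makes awk read the sample from standard input.
sample_maillog | cleartext_deliveries -
```

A process that reconnects to the same relay without TLS after an earlier encrypted session is not caught by this pid-and-relay match, so treat an empty result as a heuristic, not proof.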
    

More Learning Resources

Explore other labs on docs.oracle.com/learn or access more free learning content on the Oracle Learning YouTube channel. Additionally, visit education.oracle.com/learning-explorer to become an Oracle Learning Explorer.

For product documentation, visit Oracle Help Center.