Install a certificate for postfix

1. Download the files

First of all, you need to get the files necessary to install your certificate. You need 2 files:

  • Your private key: this file was generated along with your CSR when you ordered your certificate. If a password has been set on this key, you have to decrypt it. You can do it directly with our online tool: private key decryption by your browser

  • Your certificate and the certification chain: from the status page of your certificate, button "View certificate", click on the link "View certificate with chain". This lets you download your certificate and the chain in PEM format.

2. Installation of the certificate

To install your certificate under Postfix, edit the file main.cf to add or modify the parameters described below.

The installation method differs depending on the version of Postfix that is installed.

For Postfix 3.4 and later

The Postfix documentation advises installing a single file that contains:

  • the private key
  • the server certificate
  • the certification chain

Open the file with the .pem extension retrieved in the first part and insert the content of your private key at the very beginning of this file.

The content should look like this:

    -----BEGIN PRIVATE KEY-----
    ...
    ... // your private key
    ...
    -----END PRIVATE KEY-----

    -----BEGIN CERTIFICATE-----
    ...
    ... // your server certificate
    ...
    -----END CERTIFICATE-----

    -----BEGIN CERTIFICATE-----
    ...
    ... // the intermediate certificate
    ...
    -----END CERTIFICATE-----

It is important that the file contains these 3 elements in this exact order; otherwise it will not work.
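The following script is an added example (not tooling from TBS or from Postfix) that assembles the chain file in the required order and checks it before main.cf points at it. It assumes two input files, privkey.pem (the decrypted private key) and cert-with-chain.pem (the "certificate with chain" download), and an output path of your choice; the OpenSSL checks run only where openssl is installed.

```shell
# Added example: build and check the single chain file used by Postfix 3.4+.
# Assumed inputs (not from the page): privkey.pem and cert-with-chain.pem.

# Concatenate the key in front of the certificate+chain file. The result
# contains the private key, so it is created with restrictive permissions.
build_chain_bundle() {
    key="$1"; cert_chain="$2"; out="$3"
    (umask 077; cat "$key" "$cert_chain" > "$out") || return 1
    chmod 600 "$out"
}

# List the PEM block types in the order they appear, comma separated.
pem_block_order() {
    grep -o '^-----BEGIN [A-Z ]*-----' "$1" \
        | sed 's/^-----BEGIN \(.*\)-----$/\1/' \
        | tr '\n' ','
}

# Succeed only when the bundle starts with a private key followed by at
# least two certificates (server certificate, then intermediate).
check_bundle_order() {
    order=$(pem_block_order "$1")
    case "$order" in
        "PRIVATE KEY,CERTIFICATE,CERTIFICATE,"*) return 0 ;;
        "RSA PRIVATE KEY,CERTIFICATE,CERTIFICATE,"*) return 0 ;;
        "EC PRIVATE KEY,CERTIFICATE,CERTIFICATE,"*) return 0 ;;
    esac
    echo "unexpected PEM order: ${order:-no PEM blocks found}" >&2
    return 1
}

# Cryptographic checks, run only where openssl is installed: the key must
# belong to the first certificate, and the first certificate must chain up
# to a trusted root (the system store, or a CA file given as $2).
verify_bundle_with_openssl() {
    bundle="$1"; ca_file="${2:-}"
    command -v openssl >/dev/null || { echo "openssl not installed, skipping" >&2; return 0; }
    key_pub=$(openssl pkey -in "$bundle" -pubout 2>/dev/null | openssl md5)
    cert_pub=$(openssl x509 -in "$bundle" -pubkey -noout 2>/dev/null | openssl md5)
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ] \
        || { echo "private key does not match the server certificate" >&2; return 1; }
    # Verify the leaf alone; the intermediates in the bundle are only
    # -untrusted helpers, never trust anchors.
    leaf=$(mktemp)
    openssl x509 -in "$bundle" -out "$leaf" 2>/dev/null
    if [ -n "$ca_file" ]; then
        openssl verify -CAfile "$ca_file" -untrusted "$bundle" "$leaf"
    else
        openssl verify -untrusted "$bundle" "$leaf"
    fi
    status=$?
    rm -f "$leaf"
    return $status
}

# Usage (paths are assumptions):
#   build_chain_bundle privkey.pem cert-with-chain.pem /etc/postfix/mail.pem
#   check_bundle_order /etc/postfix/mail.pem && verify_bundle_with_openssl /etc/postfix/mail.pem
```

The order check catches the mistake the page warns about (key appended after the certificates); the OpenSSL check catches the other common one, a key that does not belong to the certificate, which Postfix would otherwise only report in its logs at startup.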

Then edit the main.cf file:

  1. For the email reception part (SMTP server):
    # directive for the certificate
    smtpd_tls_chain_files = /path/to/your/file.pem

    # directive for TLS
    smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1

    # activate TLS
    smtpd_tls_security_level = may

    # recommended for logs
    smtpd_tls_loglevel = 1

    # recommended for having a TLS trace in headers
    smtpd_tls_received_header = yes

    # directive for ciphers
    smtpd_tls_exclude_ciphers = NULL, aNULL, RC4, 3DES, eNULL, DHE_EXPORT
    smtpd_tls_mandatory_ciphers = high

  2. For the email sending part (SMTP client):
    # activate TLS when the remote server offers it (opportunistic)
    smtp_tls_security_level = may

    # directive for TLS
    smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1

    # recommended for logs
    smtp_tls_loglevel = 1

    # directive for ciphers
    smtp_tls_exclude_ciphers = NULL, aNULL, RC4, 3DES, eNULL, DHE_EXPORT
    smtp_tls_mandatory_ciphers = medium


For Postfix 3.3 and earlier

  1. For the reception of emails (SMTP server):
    # directives for the certificate and the certification chain
    smtpd_tls_cert_file = /path/to/your/file.pem
    smtpd_tls_key_file = /path/to/your/privatekey.key

    # directive for TLS
    smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1

    # activate TLS
    smtpd_tls_security_level = may

    # recommended for logs
    smtpd_tls_loglevel = 1

    # recommended for having a TLS trace in headers
    smtpd_tls_received_header = yes

    # directive for ciphers
    smtpd_tls_exclude_ciphers = NULL, aNULL, RC4, 3DES, eNULL, DHE_EXPORT
    smtpd_tls_mandatory_ciphers = high

  2. For the email sending part (SMTP client):
    # activate TLS when the remote server offers it (opportunistic)
    smtp_tls_security_level = may

    # directive for TLS
    smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1

    # recommended for logs
    smtp_tls_loglevel = 1

    # directive for ciphers
    smtp_tls_exclude_ciphers = NULL, aNULL, RC4, 3DES, eNULL, DHE_EXPORT
    smtp_tls_mandatory_ciphers = medium

You will then have to edit master.cf to make sure that the following line is uncommented:
    tlsmgr    unix  -       -       n       1000?   1       tlsmgr
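Once main.cf has been edited, a practitioner will want to confirm that the file actually carries the settings above before reloading Postfix. The script below is an added example, not part of the TBS page or of Postfix: it reads a main.cf (or the output of postconf -n, which uses the same syntax) and reports every recommended setting that is missing or weakened. The sample configurations in the usage comments are constructed; the hostname in show_live_tls is a placeholder.

```shell
# Added example: audit a main.cf against the TLS settings recommended above.
# The reader below is simplified: it ignores continuation lines (lines that
# start with whitespace), which Postfix would append to the previous value.

# Value of a main.cf parameter. Postfix keeps the last assignment; comment
# lines start with '#'. Trailing whitespace is stripped.
postfix_param() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | sed 's/[[:space:]]*$//' | tail -n 1
}

# Report findings; the return code is the number of findings (0 = clean).
check_tls_config() {
    cf="$1"; findings=0

    # A server certificate source: the 3.4+ chain file, or cert + key file.
    chain=$(postfix_param "$cf" smtpd_tls_chain_files)
    cert=$(postfix_param "$cf" smtpd_tls_cert_file)
    key=$(postfix_param "$cf" smtpd_tls_key_file)
    if [ -z "$chain" ] && { [ -z "$cert" ] || [ -z "$key" ]; }; then
        echo "FINDING: no smtpd_tls_chain_files, and smtpd_tls_cert_file/smtpd_tls_key_file incomplete"
        findings=$((findings + 1))
    fi

    for side in smtpd smtp; do
        # STARTTLS must be enabled on both the receiving and the sending side.
        level=$(postfix_param "$cf" "${side}_tls_security_level")
        case "$level" in
            ''|none) echo "FINDING: ${side}_tls_security_level is '${level:-unset}' (TLS off)"
                     findings=$((findings + 1)) ;;
        esac

        # Legacy protocols must be excluded (the "!proto" list syntax used above).
        protos=$(postfix_param "$cf" "${side}_tls_protocols" | tr -d ' ')
        for old in SSLv2 SSLv3 TLSv1 TLSv1.1; do
            case ",$protos," in
                *",!$old,"*) ;;
                *) echo "FINDING: ${side}_tls_protocols does not exclude $old"
                   findings=$((findings + 1)) ;;
            esac
        done

        # Anonymous, null and RC4 ciphers must be on the exclude list.
        excl=$(postfix_param "$cf" "${side}_tls_exclude_ciphers" | tr -d ' ')
        for weak in aNULL eNULL RC4; do
            case ",$excl," in
                *",$weak,"*) ;;
                *) echo "FINDING: ${side}_tls_exclude_ciphers does not list $weak"
                   findings=$((findings + 1)) ;;
            esac
        done
    done
    return $findings
}

# Live check after "postfix reload": show the certificate the server really
# presents on STARTTLS (hostname is a placeholder; requires openssl).
show_live_tls() {
    host="$1"; port="${2:-25}"
    openssl s_client -starttls smtp -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject -issuer -dates
}

# Usage:
#   check_tls_config /etc/postfix/main.cf && postfix check && postfix reload
#   show_live_tls mail.example.invalid
```

One caveat the audit does not cover: with smtpd_tls_security_level = may, TLS is opportunistic, so the cipher grade that applies is smtpd_tls_ciphers (default medium); smtpd_tls_mandatory_ciphers = high only takes effect at the encrypt level and above. The exclude list, by contrast, applies at every level, which is why the check insists on it.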
If your configuration is standard you can stop here. For an advanced configuration, we recommend:
  • Download our trusted root CA archive (with OpenSSL) and install it in /etc/postfix/tbs-trusted-roots/

  • Add the following lines to include certificates from other servers or users:
    smtpd_tls_CAfile = /etc/postfix/tbs-trusted-roots/clientca.txt
    smtp_tls_CAfile = /etc/postfix/tbs-trusted-roots/allroots.txt

  • If you want to force encryption between 2 domains (for example within the company or with partners), add:
    smtp_tls_policy_maps = hash:/etc/postfix/tls_policy

    And create the file /etc/postfix/tls_policy as:
    [127.0.0.1]             none
    [127.0.0.1]:10024       none
    tbs-internet.com       encrypt

    Here you can specify which domains must use encryption. Do not forget to run postmap tls_policy to compile the file for Postfix. See the smtp_tls_policy_maps documentation.
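A policy file that fails to match silently falls back to the default smtp_tls_security_level, so a typo in a level or a destination written in the wrong form costs you the enforced encryption without any error. The script below is an added example, not from the TBS page or from Postfix: it validates a tls_policy file against the levels Postfix documents (none, may, encrypt, dane, dane-only, fingerprint, verify, secure) and against the lookup-key form, which is the next-hop destination verbatim (a recipient domain, or a bracketed relay such as [127.0.0.1]:10024), and only then compiles it with postmap. The sample rows in the test are constructed.

```shell
# Added example: validate /etc/postfix/tls_policy before running postmap.

# Return code = number of problems found; each problem is printed.
check_tls_policy() {
    file="$1"; problems=0; lineno=0
    set -f                                  # no globbing while splitting rows
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        set -- $line                        # destination, level, attributes...
        dest="${1:-}"; level="${2:-}"
        case "$dest" in ''|'#'*) continue ;; esac   # blank or comment line

        # The lookup key must be the next-hop destination exactly as Postfix
        # sees it: a domain, or a bracketed host with an optional port.
        case "$dest" in
            \[*\]|\[*\]:[0-9]*) ;;          # bracketed host, e.g. [127.0.0.1]:10024
            *[!0-9.]*) ;;                   # contains letters: a domain name
            *) echo "line $lineno: bare IP address '$dest'; write it as [$dest] to match the relayhost/transport form"
               problems=$((problems + 1)) ;;
        esac

        case "$level" in
            none|may|encrypt|dane|dane-only|fingerprint|verify|secure) ;;
            '') echo "line $lineno: missing TLS level for '$dest'"
                problems=$((problems + 1)) ;;
            *)  echo "line $lineno: unknown TLS level '$level' for '$dest'"
                problems=$((problems + 1)) ;;
        esac
    done < "$file"
    set +f
    return $problems
}

# Compile the lookup table only once it validates; Postfix then reads
# tls_policy.db next to the source file.
compile_tls_policy() {
    check_tls_policy "$1" || return 1
    postmap "hash:$1"
}

# Usage:
#   compile_tls_policy /etc/postfix/tls_policy && postfix reload
```

After compiling, a quick way to confirm a row is in effect is to watch the mail log for the partner domain: with smtp_tls_loglevel = 1 every delivery logs the TLS level that was negotiated, and an "encrypt" destination that cannot negotiate TLS is deferred rather than sent in clear.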
