STARTTLS
incoming mail on tcp port 25
Create a new self-signed certificate
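# Generate a 4096-bit RSA key and a self-signed certificate valid for 1825 days.
# -nodes writes the private key WITHOUT a passphrase, which a mail daemon needs
# in order to start unattended. File permissions are therefore the only
# protection for the key, so create both files under a restrictive umask
# instead of relying on the shell default. The certificate is public and can be
# made world-readable afterwards.
# A self-signed certificate gives encryption only: sending servers cannot
# authenticate this host with it.
(
  umask 077
  openssl req -new -x509 -nodes \
    -newkey rsa:4096 -days 1825 \
    -keyout mail.example.com.key \
    -out mail.example.com.crt
)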
Configure smtpd
postfix-2.6.6-6.el6_5.x86_64
vim /etc/postfix/main.cf
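# ebal, Tue, 14 Oct 2014 20:43:12 +0300
# TLS support on 25 - incoming
#
# Each parameter must sit on its own line: main.cf treats a line that starts
# with "#" as a comment in its entirety.

# Offer STARTTLS to connecting clients without requiring it (opportunistic TLS).
# Postfix 2.3 and later document smtpd_tls_security_level = may as the
# replacement for this parameter.
smtpd_use_tls = yes

# Time limit for the TLS handshake.
smtpd_starttls_timeout = 30s

# Certificate and private key. Postfix needs the key without a passphrase, so
# keep the key file owned by root and unreadable by anyone else.
smtpd_tls_cert_file = /certs/mail.example.com.crt
smtpd_tls_key_file = /certs/mail.example.com.key

# Minimum cipher grade for opportunistic TLS; additionally drop anonymous
# (unauthenticated) suites and anything that uses MD5.
smtpd_tls_ciphers = high
smtpd_tls_exclude_ciphers = aNULL, MD5

# Refuse SSLv2 and SSLv3; TLSv1 and later stay enabled.
smtpd_tls_protocols = !SSLv2, !SSLv3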
restart postfix
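# Check the installation for permission/ownership problems before taking the
# running MTA down, then restart so the edited main.cf is loaded.
# The two commands must be run separately; on one line "postfix start" would be
# passed to "postfix stop" as extra arguments.
postfix check
postfix stop
postfix start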
Firewall
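# iptables -nL | grep 25
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:25
(`grep 25` also matches any address or counter that contains 25; the field that confirms the rule is `dpt:25`.)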
Testing