Enable SSL/TLS in amavis for secure connections

If you run a multi-host email server setup, or you don't trust all admin users, you should encrypt the TCP connections to and from amavis with TLS.
Otherwise anyone on the network could sniff the email content transmitted between the SMTP server and Amavis.

Amavis needs some additional Perl modules to support this. It should be enough to install the module IO::Socket::SSL (and its dependency Net::SSLeay).

In your amavisd.conf you need to set the paths to the certificate and key, which can be done globally or per policy bank.

$tls_security_level_in = 'encrypt'; # none, may, encrypt, ...
$tls_security_level_out = 'encrypt'; # none, may, encrypt, ...
$smtpd_tls_server_options{SSL_cert_file} = "/etc/ssl/.../cert.pem";
$smtpd_tls_server_options{SSL_key_file} = "/etc/ssl/.../key.pem";

Because you want to use encryption at all times, enable it for both the inbound and the outbound direction.

By default the SMTP client of amavis is configured to verify the server certificate.
This can be overridden with different client options; see the SSL options of IO::Socket::SSL.

The hostname that the amavis client expects in the server certificate can be overridden with

$smtp_tls_client_options{SSL_verifycn_name} = 'name...';

For testing only, you may disable the verification completely...
But be warned: without verification it is possible that the encryption is not established between the SMTP server and amavis at all, but with a man-in-the-middle who terminates the encryption and is thereby able to decipher the content.

$smtp_tls_client_options{SSL_verify_mode} = 0;

In the OpenSSL source this value corresponds to:

# define SSL_VERIFY_NONE                 0x00
# define SSL_VERIFY_PEER                 0x01
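To confirm that an amavis listener really enforces STARTTLS and presents a certificate that passes verification with SSL_VERIFY_PEER (rather than SSL_verify_mode = 0), here is an added check script; it is not part of amavisd or IO::Socket::SSL. The host, port, CA bundle path and expected certificate name are assumptions to adjust for your setup.

```perl
#!/usr/bin/perl
# Added example (not from amavisd): connect to an amavis SMTP listener,
# require STARTTLS and verify the server certificate like the amavis client does.
use strict;
use warnings;
use IO::Socket::INET;
use IO::Socket::SSL qw(SSL_VERIFY_PEER);

# Assumed values: adjust host, port, CA bundle and expected certificate name.
my $host        = $ARGV[0] || '127.0.0.1';
my $port        = $ARGV[1] || 10024;                          # amavis listener (assumption)
my $ca_file     = '/etc/ssl/certs/ca-certificates.crt';       # CA bundle (assumption)
my $expect_name = $ARGV[2] || $host;   # same role as $smtp_tls_client_options{SSL_verifycn_name}

# Read one SMTP reply, handling multi-line "250-..." continuation lines.
sub read_reply {
    my ($sock) = @_;
    my ($code, $text) = ('', '');
    while (defined(my $line = <$sock>)) {
        $text .= $line;
        if ($line =~ /^(\d{3})(?:\s|$)/) { $code = $1; last }  # final line: "250 " not "250-"
    }
    return ($code, $text);
}

my $sock = IO::Socket::INET->new(PeerAddr => $host, PeerPort => $port,
                                 Proto => 'tcp', Timeout => 10)
    or die "connect to $host:$port failed: $!\n";
my ($code, $text) = read_reply($sock);
die "unexpected banner: $text" unless $code eq '220';

print $sock "EHLO tls-check.example\r\n";
($code, $text) = read_reply($sock);
die "EHLO failed: $text" unless $code eq '250';
die "server does not advertise STARTTLS; check \$tls_security_level_in\n"
    unless $text =~ /^250[- ]STARTTLS/mi;

print $sock "STARTTLS\r\n";
($code, $text) = read_reply($sock);
die "STARTTLS refused: $text" unless $code eq '220';

# SSL_VERIFY_PEER (0x01) with a CA file and an expected name: an unknown or
# mismatching certificate fails here, which SSL_verify_mode => 0 would accept.
IO::Socket::SSL->start_SSL($sock,
    SSL_verify_mode     => SSL_VERIFY_PEER,
    SSL_ca_file         => $ca_file,
    SSL_verifycn_name   => $expect_name,
    SSL_verifycn_scheme => 'smtp',
) or die "TLS handshake or verification failed: $IO::Socket::SSL::SSL_ERROR\n";

printf "TLS OK: %s %s, peer certificate subject: %s\n",
    $sock->get_sslversion, $sock->get_cipher, $sock->peer_certificate('subject');
print $sock "QUIT\r\n";
close $sock;
```

Run it as `perl amavis-tls-check.pl <host> <port> <expected-name>`; a failure in the verification step means the amavis client with default settings would also refuse the connection.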