Rotating Secrets VII - SMTP

This page is primarily for the team. It's public so that you can learn from it. For help using, see the user docs.


In order to send outbound mail there is an internal Postfix mail relay. Postfix uses TLS certificates to secure the communications, and SASL to authenticate the mail clients.

Rotation requires a small amount of downtime while the service is deployed and restarted.

Rotate TLS Certificates

The following keys from the Postfix Deployment Pipeline can be rotated using the openssl command line:

  1. postfix_tls_cert:
  2. postfix_tls_key:

# Generate CA (file names are placeholders; use the paths your pipeline expects)
openssl genrsa -out ca.key 2048
openssl req -x509 -new -nodes -key ca.key -days 365 -out ca.crt \
  -subj "/C=US/ST=DC/L=Washington/O=GSA/OU=TTS-18F/"

# Generate Certificate Private Key
openssl genrsa -out postfix.key 2048

# Generate Certificate Signing Request
openssl req -new -key postfix.key -out postfix.csr \
  -subj "/C=US/ST=DC/L=Washington/O=GSA/OU=TTS-18F/"

# Sign the CSR with the CA to produce the server certificate
openssl x509 -req -in postfix.csr -CA ca.crt -CAkey ca.key \
  -CAcreateserial -out postfix.crt -days 365
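As an added example (not part of the cloud.gov runbook or pipeline), the script below runs the same CA and server-certificate steps in a temporary directory and then performs the checks an operator would want before pasting the new material into postfix_tls_cert and postfix_tls_key: the chain verifies against the new CA, the private key matches the certificate, and the certificate is not close to expiry. The file names, the CN values and the 30-day threshold are assumptions, not the pipeline's real paths.

```shell
#!/bin/sh
# Added example, not the runbook's own code. File names and CN values are
# placeholders chosen for this demonstration.
set -eu

WORK="${WORK:-$(mktemp -d)}"
SUBJ="/C=US/ST=DC/L=Washington/O=GSA/OU=TTS-18F"

# Generate a CA key and self-signed CA cert, then the server key, CSR and
# CA-signed server cert, mirroring the rotation steps above.
gen_postfix_certs() {
  openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null
  openssl req -x509 -new -nodes -key "$WORK/ca.key" -days 365 \
    -out "$WORK/ca.crt" -subj "$SUBJ/CN=Postfix Rotation CA" 2>/dev/null
  openssl genrsa -out "$WORK/postfix.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/postfix.key" -out "$WORK/postfix.csr" \
    -subj "$SUBJ/CN=smtp.example.internal" 2>/dev/null
  openssl x509 -req -in "$WORK/postfix.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/postfix.crt" \
    -days 365 2>/dev/null
}

# Pre-deploy checks: chain validates against the new CA, the private key's
# public half matches the cert, and the cert is valid for at least $1 more
# days (default 30). Returns 0 when every check passes, 1 otherwise.
check_postfix_certs() {
  min_days="${1:-30}"
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/postfix.crt" >/dev/null 2>&1 || return 1
  cert_pub=$(openssl x509 -in "$WORK/postfix.crt" -noout -pubkey)
  key_pub=$(openssl pkey -in "$WORK/postfix.key" -pubout)
  [ "$cert_pub" = "$key_pub" ] || return 1
  openssl x509 -in "$WORK/postfix.crt" -noout \
    -checkend $((min_days * 86400)) >/dev/null 2>&1 || return 1
}

# A fresh SASL password: 48 random bytes, base64-encoded (64 characters).
new_sasl_password() {
  openssl rand -base64 48
}
```

Run `gen_postfix_certs && check_postfix_certs 30 && echo ok` to exercise it; a non-zero exit from the check means the material should not be deployed.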

Rotate SASL Credentials

Rotate the SASL credentials from the Postfix Deployment Pipeline by generating a new password as needed and placing it under postfix_sasl_users:

openssl rand -base64 48


Use the Troubleshooting SMTP guide to verify that the new username, password and certificates work as expected.