Postfix-TLS/Cyrus-SSL Configuration
This page shows you how to configure Postfix with TLS support to use a certificate. This example was used on a Debian system, but should be similar for most other systems.
Generate Local Server-side Certificate
You will need to generate a private key and a certificate signing request (CSR), e.g.:

    cd /etc/ssl/private
    openssl req -nodes -new -keyout server.key -out server.csr

supplying the requested values at the prompts.
NB! Make sure all your MX records in DNS point to this host using the same hostname; otherwise you might have issues and will need to generate certificates with multiple hostnames. Please have a look at VhostTaskForce (especially the scripts at the bottom) for more information about this.
Generate CACert Certificate
Paste the contents of the server.csr file into the CAcert website; you will need to verify your domains beforehand. Then, when you are shown/sent your certificate, open /etc/ssl/certs/server.crt and paste the contents into that file.
Currently (20051021) the radiobutton is ignored so a class1 cert is always generated, even if requesting class3. This is possibly the cause of problems experienced with openssl treating the CAcert class1 root cert as self-signed -- JonasSmedegaard 2005-10-21 02:17:14
This comment seems no longer accurate. I requested a class3 cert and received it. -- ChrisSutton 2008-07-26 22:26:49
Update Postfix configuration files
For split-file configuration, edit the file /etc/postfix/main.cf and uncomment or add the following to the bottom:
    ### Transport Layer Security ###
    # Server side TLS
    # (Postfix 2.3 and later prefer smtpd_tls_security_level = may; smtpd_use_tls is still honoured)
    smtpd_use_tls = yes
    # private key file generated above
    smtpd_tls_key_file = /etc/ssl/private/server.key
    # certificate issued by cacert.org for the CSR above
    smtpd_tls_cert_file = /etc/ssl/certs/server.crt
    # CAcert class3 Root Key from http://www.cacert.org/certs/class3.crt
    smtpd_tls_CAfile = /etc/ssl/certs/cacert.crt
    smtpd_tls_loglevel = 1
    smtpd_tls_received_header = yes
    smtpd_tls_session_cache_timeout = 3600s
    # Client side TLS
    # (Postfix 2.3 and later prefer smtp_tls_security_level = may; smtp_use_tls is still honoured)
    smtp_use_tls = yes
    # private key file generated above
    smtp_tls_key_file = /etc/ssl/private/server.key
    # certificate issued by cacert.org for the CSR above
    smtp_tls_cert_file = /etc/ssl/certs/server.crt
    # CAcert class3 Root Key from http://www.cacert.org/certs/class3.crt
    smtp_tls_CAfile = /etc/ssl/certs/cacert.crt
    # Misc TLS
    tls_random_source = dev:/dev/urandom
In /etc/imapd.conf:

    tls_cert_file: /etc/ssl/certs/server.crt
    tls_key_file: /etc/ssl/private/server.key
Then, activate the changes by:
    /etc/init.d/postfix restart
    /etc/init.d/cyrus restart
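Before restarting, it is worth checking that main.cf actually contains what the section above asks for and that the private key is not readable by other users. The following is an added example (not code from the page or from Postfix): a small stdlib-only linter for the TLS settings, run here against a constructed sample of the configuration above. The key_mode callback is an assumption of this example, so the check can run without touching the real files.

```python
import stat

# Constructed sample: the server-side TLS settings from the main.cf above,
# with one continuation line (Postfix joins lines that start with whitespace).
SAMPLE_MAIN_CF = """\
### Transport Layer Security ###
smtpd_use_tls = yes
smtpd_tls_key_file = /etc/ssl/private/server.key
smtpd_tls_cert_file = /etc/ssl/certs/server.crt
smtpd_tls_CAfile =
    /etc/ssl/certs/cacert.crt
smtpd_tls_received_header = yes
smtp_tls_key_file = /etc/ssl/private/server.key
smtp_tls_cert_file = /etc/ssl/certs/server.crt
smtp_tls_CAfile = /etc/ssl/certs/cacert.crt
"""

def parse_main_cf(text):
    """Parse 'name = value' lines; '#' lines are comments."""
    settings, last = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and last is not None:   # continuation line
            settings[last] = (settings[last] + " " + raw.strip()).strip()
            continue
        name, sep, value = raw.partition("=")
        if sep:
            last = name.strip()
            settings[last] = value.strip()
    return settings

def check_tls(settings, key_mode):
    """Return a list of findings. key_mode(path) -> st_mode of the key file
    (injected so the check can run against a sample without touching disk)."""
    findings = []
    if settings.get("smtpd_use_tls") != "yes" and \
            settings.get("smtpd_tls_security_level") not in ("may", "encrypt"):
        findings.append("server-side TLS is not enabled")
    for side in ("smtpd", "smtp"):
        for suffix in ("tls_key_file", "tls_cert_file", "tls_CAfile"):
            if not settings.get("%s_%s" % (side, suffix)):
                findings.append("%s_%s is not set" % (side, suffix))
    if settings.get("smtpd_tls_received_header") != "yes":
        findings.append("smtpd_tls_received_header is not yes; Received: headers will not record TLS")
    key = settings.get("smtpd_tls_key_file")
    if key:
        mode = key_mode(key)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):   # group/other bits set on the private key
            findings.append("%s is readable by group/others (mode %o)" % (key, stat.S_IMODE(mode)))
    return findings
```

Against a real system, read /etc/postfix/main.cf and pass `lambda p: os.stat(p).st_mode` as key_mode.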
Reference
The following help information was taken from the CAcert website and the UK Indymedia doc site:

    http://www.CAcert.org/help.php
    http://docs.indymedia.org/view/Sysadmin/CaCertSsl
Alternatively you can find more information here:
    Postfix SSL Configuration
    Postfix TLS with free CAcert.org certificates
There is a document here on building and installing a Postfix RPM on Fedora and setting up a CAcert certificate: http://wiki.slugbug.org.uk/Postfix_TLS
http://www.credentia.cc/certs/howto/postfix.html describes the steps necessary to enable certificate verification against a CA such as CAcert.