Getting a Signed Certificate

In order to have TLS support for Postfix you need to setup several files.

First of all, you create a certificate and get it signed by GoDaddy. They have instructions for that purpose. At this time, it looks something like this:

openssl req -new -newkey rsa:2048 -nodes \
            -keyout domain.key -out domain.csr

The names "domain.key/csr" should match your domain name. If you are signing a specific sub-domain, you may want to include that sub-domain in the filename (i.e. mail.domain.key.)

When GoDaddy returns to you, they will give you a zip file with two files:

gd_bundle.crt
domain.com.crt

Setting Up Postfix

The Postfix installation requires a few flags to get things to work on that end. Something like this should work on Ubuntu. You may want to read the documentation about each one of these options before using them.

smtp_tls_loglevel = 0
smtpd_use_tls = yes
#smtpd_tls_CAfile = /etc/ssl/certs/cacert.org.pem -- not required
smtpd_tls_cert_file = /etc/postfix/tls/server.pem
smtpd_tls_key_file = /etc/postfix/tls/key.pem
smtpd_tls_auth_only = yes
smtpd_tls_loglevel = 0
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

Create the TLS Folder

When creating the /etc/postfix/tls folder, you want to make sure that it is secure so everyone doesn't have access to your certificate, especially the private key which has to remain secret.

First create the folder then change the ownership and who can access the folder:

cd /etc/postfix
sudo mkdir tls
sudo chown root:root tls
sudo chmod 700 tls

Note that after that you have to be root to deal with the files inside the tls folder. You may hold on the chown and chmod commands until you are done with the setup and ready to restart postfix and courier.

You can become root with the following if you would prefer to directly work as root:

sudo su -

Just be very careful when you are root you can destroy everything in your system.

Create the PEM Files

Private Key

The key.pem file is your private key. The private key starts with the line:

-----BEGIN RSA PRIVATE KEY-----

You can copy that file in the tls folder as is.

Public Key and Bundle

The server.pem file is a concatenation of the signed public key and GoDaddy bundle. This means:

cat domain.com.crt gd_bundle.crt >server.pem

The .crt file is a public key so it starts with:

-----BEGIN CERTIFICATE-----

The bundle helps the postfix system to find all the necessary certificates used for the chain signatures.

IMAP3 Keys

Once you have that done, you can create the necessary .pem files for courier. We only use IMAP3 and POP3, but I would imadigine that the SMTP file is the same. Those files include all the certificates and keys. All in one.

cp /etc/courier/
cat domain.key domain.com.crt gd_bundle.crt >imapd.pem
cp imapd.pem pop3d.pem

Notice that we use the exact same file for both IMAP3 and POP3.

Also the imapd.pem file includes the private key, public key, and GoDaddy's bundle. All three in the same file. The delimiters are enough for the courier's code to determine what's what.

Restart the Services

You have to restart postfix and courier so the new files are taken in account:

service postfix restart
service courier-imap-ssl restart
service courier-pop-ssl restart

Now it should work. Good luck, you'll probably need it.