A site for solving at least some of your technical problems...
In order to have TLS support for Postfix you need to set up several files.
First of all, you create a certificate and get it signed by GoDaddy. They have instructions for that purpose. At this time, it looks something like this:
openssl req -new -newkey rsa:2048 -nodes \
    -keyout domain.key -out domain.csr
The names "domain.key/csr" should match your domain name. If you are signing a specific sub-domain, you may want to include that sub-domain in the filename (e.g. mail.domain.key).
When GoDaddy returns to you, they will give you a zip file with two files:
gd_bundle.crt
domain.com.crt
The Postfix configuration needs a few options to get TLS working on that end. Something like this should work on Ubuntu. You may want to read the documentation about each one of these options before using them.
smtp_tls_loglevel = 0
smtpd_use_tls = yes
#smtpd_tls_CAfile = /etc/ssl/certs/cacert.org.pem -- not required
smtpd_tls_cert_file = /etc/postfix/tls/server.pem
smtpd_tls_key_file = /etc/postfix/tls/key.pem
smtpd_tls_auth_only = yes
smtpd_tls_loglevel = 0
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
When creating the /etc/postfix/tls folder, you want to make sure that it is secured so that not everyone has access to your certificate, and especially not to the private key, which has to remain secret.
First create the folder then change the ownership and who can access the folder:
cd /etc/postfix
sudo mkdir tls
sudo chown root:root tls
sudo chmod 700 tls
Note that after that you have to be root to deal with the files inside the tls folder. You may hold off on the chown and chmod commands until you are done with the setup and ready to restart postfix and courier.
You can become root with the following if you would prefer to directly work as root:
sudo su -
Just be very careful: when you are root you can destroy everything in your system.
The key.pem file is your private key. The private key starts with the line:
-----BEGIN RSA PRIVATE KEY-----
You can copy that file into the tls folder as is.
The server.pem file is a concatenation of the signed certificate and the GoDaddy bundle. This means:
cat domain.com.crt gd_bundle.crt >server.pem
The .crt file is the public certificate, so it starts with:
-----BEGIN CERTIFICATE-----
The bundle gives Postfix the intermediate certificates it needs to present the complete signature chain.
Once you have that done, you can create the necessary .pem files for courier. We only use IMAP and POP3, but I would imagine that the SMTP file is the same. Those files include all the certificates and keys, all in one.
cd /etc/courier
# use the full paths to domain.key, domain.com.crt and gd_bundle.crt if they are not in this folder
cat domain.key domain.com.crt gd_bundle.crt >imapd.pem
cp imapd.pem pop3d.pem
Notice that we use the exact same file for both IMAP and POP3.
Also, the imapd.pem file includes the private key, the certificate, and GoDaddy's bundle, all three in the same file. The delimiters are enough for courier's code to determine what's what.
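As an added check, not part of the original post, the following Python script verifies that the concatenated files have the layout the post describes: the Courier pem starts with the private key and is followed by the certificates, the Postfix server.pem holds only certificates (the key stays in key.pem), and key-bearing files or the tls folder are not reachable by group or other. The PEM blocks embedded below are constructed placeholders, not real key material.

```python
import os
import re
import stat

# One PEM block; group 1 is its label ("CERTIFICATE", "RSA PRIVATE KEY", ...)
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)

def pem_labels(text):
    """Labels of the PEM blocks in text, in file order."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]

def check_bundle(text, expect_key):
    """Check a Courier imapd.pem/pop3d.pem (expect_key=True: private key first,
    then the signed cert, then the GoDaddy bundle, the order the post's cat gives)
    or a Postfix server.pem (expect_key=False: certificates only). Returns problems."""
    labels = pem_labels(text)
    keys = [l for l in labels if l.endswith("PRIVATE KEY")]
    certs = [l for l in labels if l == "CERTIFICATE"]
    errors = []
    if expect_key:
        if len(keys) != 1:
            errors.append("expected exactly one private key, found %d" % len(keys))
        elif not labels[0].endswith("PRIVATE KEY"):
            errors.append("private key must be the first block, as in the post's cat order")
    elif keys:
        errors.append("server.pem must not contain a private key")
    if len(certs) < 2:
        errors.append("expected the signed cert plus the bundle, found %d cert(s)" % len(certs))
    return errors

def mode_is_private(mode):
    """True when group and other have no permission bits (e.g. 0600 / 0700)."""
    return (mode & 0o077) == 0

def check_mode(path):
    """Report a key-bearing file or the tls folder that group/other can reach."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return [] if mode_is_private(mode) else ["%s has mode %o; use 600 or 700" % (path, mode)]

# Constructed placeholder blocks (not real key material) standing in for the post's files.
def _block(label, body):
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, body, label)

KEY = _block("RSA PRIVATE KEY", "a2V5")                                  # domain.key
LEAF = _block("CERTIFICATE", "bGVhZg==")                                 # domain.com.crt
BUNDLE = _block("CERTIFICATE", "Z2Qx") + _block("CERTIFICATE", "Z2Qy")  # gd_bundle.crt

SERVER_PEM = LEAF + BUNDLE       # cat domain.com.crt gd_bundle.crt >server.pem
IMAPD_PEM = KEY + LEAF + BUNDLE  # cat domain.key domain.com.crt gd_bundle.crt >imapd.pem
WRONG_PEM = LEAF + KEY + BUNDLE  # key not first: differs from the post's cat order
```

Run check_bundle(open(path).read(), True) on the real imapd.pem and check_mode("/etc/postfix/tls") after the chmod step to confirm the result before restarting the services.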
You have to restart postfix and courier so the new files are taken into account:
service postfix restart
service courier-imap-ssl restart
service courier-pop-ssl restart
Now it should work. Good luck, you'll probably need it.
Re: Setting up Postfix/Courier with a GoDaddy SSL certificate
Thank you for the write up. Great start but there are inconsistencies in the file names that you are using. Making perfect sense is a bit confusing to follow exactly.