Generate a new CA with the command CA.pl -newca.
Generate a new certificate request with the command CA.pl -newreq
(the resulting newreq.pem contains the private key as well as the request).
It does not ask for a passphrase if CA.pl was edited correctly, i.e. so that
the key is written out unencrypted (for example by adding -nodes to the
"openssl req" command CA.pl runs for -newreq; newer OpenSSL versions also
offer CA.pl -newreq-nodes for this). Postfix starts as a daemon with nobody
to type a passphrase to, so the server key must not have one.
Sign the certificate with CA.pl -signreq
(asks for the passphrase you gave the CA in the first step).
You may also run CA.pl -pkcs12 "Certificate for mail.server.com".
This bundles the key and certificate into a PKCS#12 file, which is what a
mail client or browser such as Netscape needs for importing a certificate;
Postfix itself does not use it. You will be asked for an export password,
set it differently from the CA password.
At this point you have all you need to start Postfix with TLS.
Time to move the certs into /etc/postfix (or elsewhere if you already have
a spot you want them) and make additions to the Postfix main.cf:
cp ./demoCA/cacert.pem /etc/postfix/CAcert.pem
cp newcert.pem /etc/postfix/cert.pem
cp newreq.pem /etc/postfix/key.pem
chown root /etc/postfix/key.pem ; chmod 400 /etc/postfix/key.pem
(newreq.pem also carries the certificate request; that does no harm, OpenSSL
skips over it and reads the private key block. cert.pem and CAcert.pem hold
no secrets and may stay world-readable, but key.pem must be readable by
root only.)
Edit main.cf, inserting the following setup options into it:
smtpd_tls_cert_file = /etc/postfix/cert.pem
smtpd_tls_key_file = /etc/postfix/key.pem
smtpd_tls_CAfile = /etc/postfix/CAcert.pem
smtpd_tls_loglevel = 2
smtpd_use_tls = yes
smtpd_enforce_tls = no
smtpd_tls_session_cache_timeout = 360s
smtp_tls_cert_file = /etc/postfix/cert.pem
smtp_tls_key_file = /etc/postfix/key.pem
smtp_tls_CAfile = /etc/postfix/CAcert.pem
smtp_tls_loglevel = 2
smtp_tls_session_cache_timeout = 360s
smtp_use_tls = yes
smtp_enforce_tls = no
(Mind the smtpd_ / smtp_ split: the smtpd_* parameters are for the server
side, mail coming in, the smtp_* ones for the client side, mail going out.
Setting a parameter twice is an easy slip here; Postfix keeps the last value
and drops the earlier one. With *_use_tls = yes and *_enforce_tls = no, TLS
is offered and used whenever the other side supports it but is never
required, so mail to and from peers without TLS still travels in the clear.
In Postfix 2.3 and later these four switches are obsolete and are replaced
by smtpd_tls_security_level = may and smtp_tls_security_level = may.
A loglevel of 2 is chatty; drop it to 1 once everything works.)
Save main.cf and run:
postfix reload
---------------------------------------------------------------------------
READ BELOW IF YOU RECEIVE THE ERRORS SHOWN AT THE END OF THIS SECTION;
IF SO, DO WHAT FOLLOWS THIS LINE
1. Use 'openssl rsa -in key.pem -text' to get a printout of the private key.
   If it prompts you for a pass phrase, the key is encrypted and Postfix cannot
   load it (such a key file carries a "Proc-Type: 4,ENCRYPTED" line, or a
   "BEGIN ENCRYPTED PRIVATE KEY" header in the newer PKCS#8 format).
2. Remove the passphrase using openssl rsa -in key.pem -out key_unprot.pem,
   then rename key_unprot.pem to key.pem in the directory you copied it to
   earlier, and set the owner and mode again (chown root ; chmod 400), since
   the new file does not inherit them from the old one.
(Credit for this goes to Lutz Jänicke's howto on becoming your own CA:)
http://www.aet.tu-cottbus.de/personen/jaenicke/postfix_tls/doc/myownca.html
I've read in threads somewhere about an issue concerning the following errors.
Steps 1 and 2 above fix them by removing the passphrase from key.pem, which
gets rid of the errors below about "problems getting password", "bad password
read" and so on. Hope this works for you; it did for me.
postfix/smtpd[48805]: starting TLS engine
postfix/smtpd[48805]: unable to get private key from '/etc/postfix/key.pem'
postfix/smtpd[48805]: 48805:error:0906406D:PEM routines:DEF_CALLBACK:problems getting password:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/pem/pem_lib.c:114:
postfix/smtpd[48805]: 48805:error:0906A068:PEM routines:PEM_do_header:bad password read:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/pem/pem_lib.c:430:
postfix/smtpd[48805]: 48805:error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:missing asn1 eos:/usr/src/secure/lib/libssl/../../../crypto/openssl/crypto/../ssl/ssl_rsa.c:707:
postfix/smtpd[48805]: TLS engine: cannot load RSA cert/key data
Done.
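As an added example (not from this article, from CA.pl or from Postfix), the script below does the CA-and-certificate procedure from the top of the article with plain openssl commands and no prompts, and then pre-flights a main.cf for the mistakes this troubleshooting section is about: a server key that still has a passphrase, a key readable by more than root, a parameter set twice (easy to do when smtp_ and smtpd_ names get mixed up) and the old *_use_tls / *_enforce_tls switches that later Postfix versions replaced with *_tls_security_level. Assumed names: the "Example CA" subject, the ca.pass passphrase file and the function names; mail.server.com and the /etc/postfix paths are the article's. It needs only a POSIX shell and openssl.

```shell
#!/bin/sh
# Added example, not part of the original article or of CA.pl: build the
# CA -> server-certificate chain from the top of the article with plain
# openssl commands (no prompts), then pre-flight main.cf for the mistakes
# the article's troubleshooting section is about. Assumed names: the
# "Example CA" subject, the ca.pass passphrase file and the function names.
# mail.server.com and the /etc/postfix paths are the article's.
set -u

# Generate a passphrase-protected CA key, a CA certificate, and a server key
# WITHOUT passphrase plus a certificate signed by the CA, all in directory $1.
# Runs in a subshell so umask and set -e do not leak into the caller.
build_ca_and_cert() (
    set -e
    dir=$1; host=${2:-mail.server.com}
    mkdir -p "$dir" && chmod 700 "$dir"
    umask 077                                   # everything below is 0600
    # CA passphrase kept in a file: "-passout file:" keeps it out of `ps`.
    openssl rand -hex 24 > "$dir/ca.pass"
    openssl genrsa -aes256 -passout "file:$dir/ca.pass" -out "$dir/cakey.pem" 2048
    openssl req -new -x509 -days 3650 -key "$dir/cakey.pem" -passin "file:$dir/ca.pass" \
        -subj "/CN=Example CA" -out "$dir/cacert.pem"
    # -nodes is the point of the article's CA.pl edit: Postfix starts as a
    # daemon and has nobody to type a passphrase to, so the server key is plain.
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/key.pem" \
        -subj "/CN=$host" -out "$dir/newreq.pem"
    openssl x509 -req -days 365 -in "$dir/newreq.pem" -CA "$dir/cacert.pem" \
        -CAkey "$dir/cakey.pem" -passin "file:$dir/ca.pass" -CAcreateserial \
        -out "$dir/cert.pem"
    openssl verify -CAfile "$dir/cacert.pem" "$dir/cert.pem"   # prints "...: OK"
)

# Exit 0 if the PEM key is passphrase-protected: both the old
# "Proc-Type: 4,ENCRYPTED" header and the PKCS#8 "BEGIN ENCRYPTED PRIVATE KEY"
# form contain the word ENCRYPTED. This is the state behind the
# "problems getting password" / "bad password read" log lines in the article.
key_is_encrypted() { grep -q ENCRYPTED "$1"; }

# Exit 0 if group or other have a read bit (columns 5-10 of ls -l are g/o bits).
key_is_shared() { ls -ld "$1" | cut -c5-10 | grep -q r; }

# Print one "WARN:" line per problem found in main.cf $1; always exits 0.
check_main_cf() {
    cf=$1
    # A parameter set twice: Postfix keeps only the last value, so e.g. an
    # smtp_tls_CAfile line left in the smtpd_ block silently drops the other.
    awk -F= '/^[A-Za-z0-9_]+[ \t]*=/ { p = $1; gsub(/[ \t]/, "", p); n[p]++ }
             END { for (p in n) if (n[p] > 1) print "WARN: " p " set " n[p] " times" }' "$cf"
    # Switches that Postfix 2.3+ replaced with smtpd_/smtp_tls_security_level.
    for p in smtpd_use_tls smtpd_enforce_tls smtp_use_tls smtp_enforce_tls; do
        if grep -q "^$p[[:space:]]*=" "$cf"; then
            echo "WARN: $p is obsolete; use ${p%%_*}_tls_security_level = may"
        fi
    done
    # The key smtpd will load: present, unencrypted, readable by root only.
    key=$(sed -n 's/^smtpd_tls_key_file[[:space:]]*=[[:space:]]*//p' "$cf" | tail -n 1)
    if [ -z "$key" ]; then
        echo "WARN: smtpd_tls_key_file is not set"
    elif [ ! -r "$key" ]; then
        echo "WARN: $key is missing or unreadable"
    else
        if key_is_encrypted "$key"; then
            echo "WARN: $key has a passphrase; strip it: openssl rsa -in $key -out $key.nopass"
        fi
        if key_is_shared "$key"; then
            echo "WARN: $key is readable by group/other; chown root $key; chmod 400 $key"
        fi
    fi
    return 0
}

# Usage:  sh postfix_tls_preflight.sh build /tmp/pki [mail.server.com]
#         sh postfix_tls_preflight.sh check /etc/postfix/main.cf
case "${1:-}" in
    build) build_ca_and_cert "$2" "${3:-mail.server.com}" ;;
    check) check_main_cf "$2" ;;
esac
```

Run "check" against main.cf before every "postfix reload": an empty output means the key Postfix will load has no passphrase and is root-only, and no parameter is shadowed by a duplicate. The "build" part keeps the CA key encrypted (as CA.pl does) and only the server key plain, which is exactly the split the article's CA.pl edit is meant to produce.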
(Credit is due to a few anonymous READMEs on the net which were a bit
thin on detail and extremely hard to follow because of poor English ;)
I can't seem to find them again, but if you google you should be able to
find them and compare them with the top of my article to see the
differences in detail. This article is just meant to make the material a lot
more readable and helpful. If you wrote one of those and see this, please
email me for an update of this article and for your credit where it is
deserved.)
P.S. Anything you think I may have missed, please email me; some things I
think are trivial I may leave out of articles. If you discover something of
that nature that should be here, please let me know for an update. This
article already assumes you have a basic knowledge of Postfix and of TLS/SSL
in general with OpenSSL.
Didjital One (didjital1@ePIMP.com )
This is a HOWTO for using Postfix SMTP with TLS/SSL support, for encrypting
all outbound email (and, with the smtpd_ settings, inbound email) whenever
the other side supports TLS.
© 1998 - 2008 Defcon1, www.defcon1.org , Copyrights for all materials on this web site are held by the individual authors, artists, photographers or creators. Materials may not be reproduced or otherwise distributed without permission
of www.defcon1.org and the content's original author.