generate a new CA with the command CA.pl -newca
generate new certificate with the command: CA.pl -newreq (this contains the private key) does not ask passphrase if CA.pl was edited correctly.
sign the certificate with CA.pl -signreq (asks the password supplied for the CA)
you make also CA.pl -pkcs12 "Certificate for mail.server.com"
(but I do not understand what this is for... maybe is used to import certificate into Netscape... you will be asked for the export password, set it differently from the CA password.
At this point you have all you need to start postfix with TLS.
Time to move the certs into /etc/postfix (or elsewhere if you already have a spot you want them) and make additions to the postfix main.cf.
cp ./demoCA/cacert.pem to /etc/postfix/CAcert.pem
cp newcert.pem to /etc/postfix/cert.pem
cp newreq.pem into /etc/postfix/key.pem
chown root /etc/postfix/key.pem ; chmod 400 /etc/postfix/key.pem
edit main.cf inserting the following setup options into it.
smtpd_tls_cert_file = /etc/postfix/cert.pem
smtpd_tls_key_file = /etc/postfix/key.pem smtp_tls_CAfile = /etc/postfix/CAcert.pem smtpd_tls_loglevel = 2 smtpd_use_tls = yes smtpd_enforce_tls = no smtpd_tls_session_cache_timeout = 360s
smtp_tls_cert_file = /etc/postfix/cert.pem smtp_tls_key_file = /etc/postfix/key.pem smtp_tls_CAfile = /etc/postfix/CAcert.pem smtp_tls_loglevel = 2 smtp_tls_session_cache_timeout = 360s
smtp_use_tls = yes smtp_enforce_tls = no
save main.cf
postfix reload
---------------------------------------------------------------------------
READ BELOW IF YOU RECIEVE THOSE
ERRORS SHOW, DO WHATS BELOW THIS LINE
1. Use 'openssl rsa -in key.pem -text' to get a printout of the private key. 2. remove a passphrase using openssl rsa -in key.pem -out key_unprot.pem
then
rename key_unprot.pem to key.pem in the same directory as your copied it to from earlier.
(credit to Lutz's howto for this on becoming your own CA).
http://www.aet.tu-cottbus.de/personen/jaenicke/postfix_tls/doc/myownca.html
I've read in threads somewhere on a issue concerning the following errors: The above 1. and 2. will fix these errors, by removing
the passphrasees from the key.pem thus getting rid of the errors below concerning the problems getting password, bad password etc.. hope this works for you it did for me.
postfix/smtpd[48805]: starting TLS engine postfix/smtpd[48805]: unable to get private key from '/etc/postfix/key.pem' postfix/smtpd[48805]: 48805:error:0906406D:PEM routines:DEF_CALLBACK:problems getting
password:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/pem/pem_lib.c:114: postfix/smtpd[48805]: 48805:error:0906A068:PEM routines:PEM_do_header:bad password
read:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/pem/pem_lib.c:430: postfix/smtpd[48805]: 48805:error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:missing asn1
eos:/usr/src/secure/lib/libssl/../../../crypto/openssl/crypto/../ssl/ssl_rsa.c:707: postfix/smtpd[48805]: TLS engine: cannot load RSA cert/key data
Done.
(credits due to a few anonymous readme's on the net which were a bit unexplained in detail and extremely hard to understand due to bad use of english ;).. i cant seem to find them again but if you google you
should be able to find them and compare relation to the top of my article and see the differences in detail) this is just to make it alot more readable and helpfull if you wrote the others and see this please
email me for an update of this article and for your credit where its deserved.
p.s - any thing you think i may have missed please email me, some things i think are trivial, i may miss putting in
articles. If you discover something of that nature that should be here, please let me know for an update. This article already depends on you have a basic knoweldge of
postfix and tls/ssl in general with OpenSSL.
Didjital One (didjital1@ePIMP.com )
|