
This is a HOWTO for running Postfix SMTP with TLS/SSL support, so that all outbound email is encrypted whenever the other side supports it.

Generate a new CA with the command CA.pl -newca

Generate a new certificate with the command:
CA.pl -newreq (this contains the private key)
It does not ask for a passphrase if CA.pl was edited correctly.

Sign the certificate with CA.pl -signreq
(asks for the password supplied for the CA)

You can also run CA.pl -pkcs12 "Certificate for mail.server.com"

(but I do not understand what this is for... maybe it is used to import the certificate into Netscape... you will be asked for the
export password; set it differently from the CA password.)

At this point you have all you need to start postfix with TLS.

Time to move the certs into /etc/postfix (or elsewhere if you already have a spot you want them in) and make additions to the
Postfix main.cf.

cp ./demoCA/cacert.pem /etc/postfix/CAcert.pem

cp newcert.pem /etc/postfix/cert.pem

cp newreq.pem /etc/postfix/key.pem

chown root /etc/postfix/key.pem ; chmod 400 /etc/postfix/key.pem

Edit main.cf, inserting the following setup options into it.

smtpd_tls_cert_file = /etc/postfix/cert.pem
smtpd_tls_key_file = /etc/postfix/key.pem
smtp_tls_CAfile = /etc/postfix/CAcert.pem
smtpd_tls_loglevel = 2
smtpd_use_tls = yes
smtpd_enforce_tls = no
smtpd_tls_session_cache_timeout = 360s
smtp_tls_cert_file = /etc/postfix/cert.pem
smtp_tls_key_file = /etc/postfix/key.pem
smtp_tls_CAfile = /etc/postfix/CAcert.pem
smtp_tls_loglevel = 2
smtp_tls_session_cache_timeout = 360s
smtp_use_tls = yes
smtp_enforce_tls = no

Save main.cf

postfix reload

---------------------------------------------------------------------------

READ BELOW: IF YOU RECEIVE THE ERRORS SHOWN FURTHER DOWN, DO WHAT'S BELOW THIS LINE

1. Use 'openssl rsa -in key.pem -text' to get a printout of the private key.
2. Remove the passphrase using 'openssl rsa -in key.pem -out key_unprot.pem'

Then rename key_unprot.pem to key.pem in the same directory you copied it to earlier.

(Credit to Lutz's HOWTO on becoming your own CA for this.)
http://www.aet.tu-cottbus.de/personen/jaenicke/postfix_tls/doc/myownca.html

I've read in threads somewhere about an issue concerning the following errors:
The above steps 1 and 2 will fix these errors by removing the passphrase from key.pem, thus getting rid of the errors below about problems getting the password, bad password, etc. Hope this works for you; it did for me.

postfix/smtpd[48805]: starting TLS engine
postfix/smtpd[48805]: unable to get private key from '/etc/postfix/key.pem'
postfix/smtpd[48805]: 48805:error:0906406D:PEM routines:DEF_CALLBACK:problems getting password:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/pem/pem_lib.c:114:
postfix/smtpd[48805]: 48805:error:0906A068:PEM routines:PEM_do_header:bad password read:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/pem/pem_lib.c:430:
postfix/smtpd[48805]: 48805:error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:missing asn1 eos:/usr/src/secure/lib/libssl/../../../crypto/openssl/crypto/../ssl/ssl_rsa.c:707:
postfix/smtpd[48805]: TLS engine: cannot load RSA cert/key data
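A worked pre-flight check for the setup above and for the passphrase errors just shown, added here as an example and not part of the original article or of Postfix: it builds a throwaway CA and server certificate with plain openssl commands (the steps CA.pl wraps) and then verifies the files the way smtpd will need them before "postfix reload". The working directory, the CA name and mail.server.com are constructed values.

```shell
#!/bin/sh
# Added example (not from the original article): build a throwaway CA and server
# certificate with plain openssl (what CA.pl wraps), then run the checks Postfix
# needs before "postfix reload": key unencrypted, cert signed by the CA, key and
# cert a pair, key mode 0400. $WORK, the CA name and mail.server.com are
# constructed; in real use point the checks at /etc/postfix/{cert,key,CAcert}.pem.
set -eu
WORK="${WORK:-$(mktemp -d)}"
CA_NAME="Demo Mail CA"; SERVER="mail.server.com"
make_demo_pki() {
    # CA key + self-signed CA cert (-nodes: no passphrase, so nothing prompts)
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$CA_NAME" \
        -keyout "$WORK/ca-key.pem" -out "$WORK/CAcert.pem" 2>/dev/null
    # server key + CSR, also unencrypted so smtpd can load it unattended
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$SERVER" \
        -keyout "$WORK/key.pem" -out "$WORK/req.pem" 2>/dev/null
    # sign the CSR with the CA (the CA.pl -signreq step)
    openssl x509 -req -in "$WORK/req.pem" -CA "$WORK/CAcert.pem" \
        -CAkey "$WORK/ca-key.pem" -CAcreateserial -days 365 \
        -out "$WORK/cert.pem" 2>/dev/null
    chmod 400 "$WORK/key.pem"
}
# check_postfix_tls_files CERT KEY CAFILE: returns 0 if every check passes
check_postfix_tls_files() {
    cert="$1"; key="$2"; cafile="$3"; rc=0
    # 1. a passphrase-protected key gives "problems getting password" at startup
    if grep -q ENCRYPTED "$key"; then
        echo "FAIL: $key is passphrase-protected (openssl rsa -in $key -out key_unprot.pem)" >&2
        rc=1
    fi
    # 2. the cert must chain to the CA file Postfix is configured with
    openssl verify -CAfile "$cafile" "$cert" >/dev/null 2>&1 ||
        { echo "FAIL: $cert does not verify against $cafile" >&2; rc=1; }
    # 3. cert and key must belong together: compare their public keys
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null | openssl sha256)
    [ "$cert_pub" = "$key_pub" ] || { echo "FAIL: $cert and $key do not match" >&2; rc=1; }
    # 4. the private key must be readable only by its owner (chmod 400)
    mode=$(stat -c %a "$key" 2>/dev/null || stat -f %Lp "$key")
    [ "$mode" = 400 ] || { echo "FAIL: $key mode is $mode, expected 400" >&2; rc=1; }
    return $rc
}
make_demo_pki
if check_postfix_tls_files "$WORK/cert.pem" "$WORK/key.pem" "$WORK/CAcert.pem"; then
    echo "OK: files in $WORK are ready to copy into /etc/postfix"
else
    exit 1
fi
```

Run it against the real /etc/postfix files by calling check_postfix_tls_files with those three paths; a key that still carries its passphrase is reported before smtpd ever logs the errors above.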

Done.

(Credits are due to a few anonymous readmes on the net which were a bit unexplained in detail and extremely hard to understand due to bad use of English ;). I can't seem to find them again, but if you google you should be able to find them and compare them to the top of my article and see the differences in detail.) This is just to make it a lot more readable and helpful. If you wrote the others and see this, please email me for an update of this article and for your credit where it's deserved.

P.S. - anything you think I may have missed, please email me; some things I think are trivial I may miss putting in articles. If you discover something of that nature that should be here, please let me know for an update. This article already depends on your having a basic knowledge of Postfix and TLS/SSL in general with OpenSSL.

Didjital One

© 1997 - 20013 Defcon1, www.defcon1.org , Copyrights for all materials on this web site are held by the individual authors, artists, photographers or creators. Materials may not be reproduced or otherwise distributed without permission of www.defcon1.org and the content's original author.
