
This is a HOWTO for running Postfix SMTP with TLS/SSL support, so that all outbound email is encrypted whenever the other side supports it.

Generate a new CA with the command -newca.

Generate a new certificate request with the command -newreq (this contains the private key).
It does not ask for a passphrase if it was edited correctly.

Sign the certificate with -signreq
(this asks for the password you supplied for the CA).

You can also run -pkcs12 "Certificate for"

(but I do not understand what this is for... maybe it is used to import the certificate into Netscape). You will be asked for the
export password; set it to something different from the CA password.

At this point you have all you need to start postfix with TLS.

Time to move the certs into /etc/postfix (or elsewhere if you already have a spot you want them) and make additions to the

cp ./demoCA/cacert.pem /etc/postfix/CAcert.pem

cp newcert.pem /etc/postfix/cert.pem

cp newreq.pem /etc/postfix/key.pem

chown root /etc/postfix/key.pem ; chmod 400 /etc/postfix/key.pem

Edit it, inserting the following setup options:

smtpd_tls_cert_file = /etc/postfix/cert.pem
smtpd_tls_key_file = /etc/postfix/key.pem
smtp_tls_CAfile = /etc/postfix/CAcert.pem
smtpd_tls_loglevel = 2
smtpd_use_tls = yes
smtpd_enforce_tls = no
smtpd_tls_session_cache_timeout = 360s
smtp_tls_cert_file = /etc/postfix/cert.pem
smtp_tls_key_file = /etc/postfix/key.pem
smtp_tls_CAfile = /etc/postfix/CAcert.pem
smtp_tls_loglevel = 2
smtp_tls_session_cache_timeout = 360s
smtp_use_tls = yes
smtp_enforce_tls = no


postfix reload



1. Use 'openssl rsa -in key.pem -text' to get a printout of the private key.
2. Remove the passphrase with: openssl rsa -in key.pem -out key_unprot.pem

Then rename key_unprot.pem to key.pem in the same directory you copied it to earlier.

(Credit to Lutz's howto for this section on becoming your own CA.)

I've read in threads somewhere about an issue concerning the following errors.
Steps 1 and 2 above will fix them by removing the passphrase from key.pem, which gets rid of the "problems getting password" and "bad password" errors below. Hope this works for you; it did for me.

postfix/smtpd[48805]: starting TLS engine
postfix/smtpd[48805]: unable to get private key from '/etc/postfix/key.pem'
postfix/smtpd[48805]: 48805:error:0906406D:PEM routines:DEF_CALLBACK:problems getting
postfix/smtpd[48805]: 48805:error:0906A068:PEM routines:PEM_do_header:bad password
postfix/smtpd[48805]: 48805:error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:missing asn1
postfix/smtpd[48805]: TLS engine: cannot load RSA cert/key data
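To check the result of the steps above (key without a passphrase, mode 400, cert/key/CA belonging together, the TLS parameters present in the config), here is an added POSIX shell script; it is not part of the original HOWTO, and the file paths and the main.cf location are assumptions.

```shell
#!/bin/sh
# Added example: sanity checks for the Postfix TLS material set up in this HOWTO.
# Usage: tls_check.sh /etc/postfix/cert.pem /etc/postfix/key.pem /etc/postfix/CAcert.pem [main.cf]

# Print one line per problem with the key file; print nothing when it is fine.
check_key_file() {
    key="$1"
    [ -f "$key" ] || { echo "missing: $key"; return; }
    # A key still carrying a passphrase is exactly what causes "problems getting
    # password" / "bad password" at startup: smtpd has nobody to type it in.
    if grep -q '^Proc-Type: 4,ENCRYPTED' "$key" || grep -q 'BEGIN ENCRYPTED PRIVATE KEY' "$key"; then
        echo "encrypted: $key still has a passphrase (openssl rsa -in key.pem -out key_unprot.pem)"
    fi
    # Once the passphrase is gone, the file itself is the only protection: chmod 400
    # (and chown root, which is not checked here so the script can run unprivileged).
    if [ -z "$(find "$key" -perm 0400 2>/dev/null)" ]; then
        echo "perms: $key is not mode 0400"
    fi
}

# Print every TLS parameter from this HOWTO that is absent from the given main.cf.
# (These are the old parameter names; Postfix 2.3 and later replaced the *_use_tls
# and *_enforce_tls pairs with smtpd_tls_security_level / smtp_tls_security_level.)
check_main_cf() {
    cf="$1"
    for p in smtpd_tls_cert_file smtpd_tls_key_file smtp_tls_CAfile smtpd_use_tls \
             smtp_tls_cert_file smtp_tls_key_file smtp_use_tls; do
        grep -q "^[[:space:]]*$p[[:space:]]*=" "$cf" || echo "missing parameter: $p"
    done
}

# With openssl available, confirm the cert and key belong together (same RSA modulus)
# and that the cert verifies against the CA cert that was copied to CAcert.pem.
check_cert_matches_key() {
    cert="$1"; key="$2"; ca="$3"
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found, skipping"; return; }
    cm=$(openssl x509 -noout -modulus -in "$cert" 2>/dev/null)
    km=$(openssl rsa -noout -modulus -in "$key" 2>/dev/null)
    [ -n "$cm" ] && [ "$cm" = "$km" ] || echo "mismatch: $cert does not match $key"
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || echo "chain: $cert does not verify against $ca"
}

if [ $# -ge 3 ]; then
    check_key_file "$2"
    check_cert_matches_key "$1" "$2" "$3"
    [ $# -ge 4 ] && check_main_cf "$4"
fi
```

An empty output means every check passed; run it after "postfix reload" and compare with the TLS lines in the mail log.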


(Credit is due to a few anonymous READMEs on the net, which were a bit short on detail and extremely hard to understand due to poor English ;). I can't seem to find them again, but if you Google you should be able to find them and compare them to the top of my article to see the differences in detail.) This is just to make it a lot more readable and helpful. If you wrote the others and see this, please email me so I can update this article and give you credit where it is deserved.

P.S. - anything you think I may have missed, please email me; some things I think are trivial I may leave out of articles. If you discover something of that nature that should be here, please let me know so I can update it. This article already assumes you have a basic knowledge of Postfix and of TLS/SSL in general with OpenSSL.

Didjital One

© 1997 - 20013 Defcon1. Copyrights for all materials on this web site are held by the individual authors, artists, photographers or creators. Materials may not be reproduced or otherwise distributed without permission of the content's original author.
