Postfix Documentation
Previous Page Home Next Page

Getting started, quick and dirty

The following steps will get you started quickly. Because you sign your own Postfix public key certificate, you get TLS encryption but no TLS authentication: a remote site that verifies certificates has no reason to trust a CA that you created yourself. This is sufficient for testing, and for opportunistic encryption when exchanging email with sites that you have no trust relationship with. For real authentication, your Postfix public key certificate needs to be signed by a recognized Certificate Authority, and Postfix needs to be configured with a list of public key certificates of Certificate Authorities, so that Postfix can verify the public key certificates of remote hosts.

In the examples below, user input is the text typed after each prompt; a "%" prompt indicates an unprivileged shell and a "#" prompt indicates a super-user shell.

  • Become your own Certificate Authority, so that you can sign your own public keys. This example uses the CA.pl script that ships with OpenSSL. By default, OpenSSL installs this as /usr/local/ssl/misc/CA.pl, but distribution packages put it elsewhere, so your mileage may vary. The script creates the CA private key in ./demoCA/private/cakey.pem and the self-signed CA certificate in ./demoCA/cacert.pem, both relative to the current directory, so run the later "openssl ca" step from the same directory. The pass phrase protects the CA private key: anyone holding that key can issue certificates that every host configured with this cacert.pem will trust, so use a real pass phrase rather than "whatever". The 1024-bit RSA key in the transcript reflects the OpenSSL defaults of the time; current OpenSSL releases default to 2048 bits, and 1024-bit RSA keys should not be used for new setups.

    % /usr/local/ssl/misc/CA.pl -newca
    CA certificate filename (or enter to create)
    
    Making CA certificate ...
    Using configuration from /etc/ssl/openssl.cnf
    Generating a 1024 bit RSA private key
    ....................++++++
    .....++++++
    writing new private key to './demoCA/private/cakey.pem'
    Enter PEM pass phrase:whatever
    
  • Create an unpassworded private key for host FOO and a certificate signing request (FOO-req.pem is a request, not yet a certificate). The -nodes option is what leaves the key unencrypted; Postfix needs it that way because no one is present to type a pass phrase when a daemon starts. The -days option has no effect on "openssl req -new"; the certificate lifetime is set when the request is signed in the next step. The challenge password is an attribute of the request only and is not used by Postfix, so it can be left blank.

    % openssl req -new -nodes -keyout FOO-key.pem -out FOO-req.pem -days 365
    Using configuration from /etc/ssl/openssl.cnf
    Generating a 1024 bit RSA private key
    ........................................++++++
    ....++++++
    writing new private key to 'FOO-key.pem'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:US
    State or Province Name (full name) [Some-State]:New York
    Locality Name (eg, city) []:Westchester
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:Porcupine
    Organizational Unit Name (eg, section) []:
    Common Name (eg, YOUR name) []:FOO
    Email Address []:[email protected]
    
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:whatever
    An optional company name []:
    
  • Sign the certificate request for host FOO with the Certification Authority private key that we created a few steps ago. "openssl ca" reads the CA key and certificate from ./demoCA, so run it in the directory where CA.pl was run. It prompts for the CA key pass phrase, records the issued certificate in the demoCA/index.txt database, and writes the signed certificate to FOO-cert.pem with the validity period configured for "openssl ca" in openssl.cnf (365 days here).

    % openssl ca -out FOO-cert.pem -infiles FOO-req.pem
    Using configuration from /etc/ssl/openssl.cnf
    Enter PEM pass phrase:whatever
    Check that the request matches the signature
    Signature ok
    The Subjects Distinguished Name is as follows
    countryName           :PRINTABLE:'US'
    stateOrProvinceName   :PRINTABLE:'New York'
    localityName          :PRINTABLE:'Westchester'
    organizationName      :PRINTABLE:'Porcupine'
    commonName            :PRINTABLE:'FOO'
    emailAddress          :IA5STRING:'[email protected]'
    Certificate is to be certified until Nov 21 19:40:56 2005 GMT (365 days)
    Sign the certificate? [y/n]:y
    
    
    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated
    
  • Install the host private key, the host public key certificate, and the Certification Authority certificate files. This requires super-user privileges. The private key must be readable by root only (mode 400 as shown, owned by root); the certificate files are public and may be world-readable.

    # cp demoCA/cacert.pem FOO-key.pem FOO-cert.pem /etc/postfix
    # chmod 644 /etc/postfix/FOO-cert.pem /etc/postfix/cacert.pem
    # chmod 400 /etc/postfix/FOO-key.pem
    
  • Configure Postfix by adding the following to /etc/postfix/main.cf, then run "postfix reload". It is generally best not to configure client certificates, unless there are servers that authenticate your mail submission via client certificates. Often servers that perform TLS client authentication will issue the required certificates signed by their own CA. If you configure the client certificate and key incorrectly, you will be unable to send mail to sites that request client certificates but don't require them from all clients. On Postfix 2.3 and later, smtpd_tls_security_level = may (and smtp_tls_security_level = may for the SMTP client) replaces the obsolete smtpd_use_tls and smtp_use_tls settings; the settings below keep the old parameters as well so that they work on earlier releases.

    /etc/postfix/main.cf:
        smtp_tls_CAfile = /etc/postfix/cacert.pem
        smtp_tls_session_cache_database =
            btree:/var/spool/postfix/smtp_tls_session_cache
        smtp_use_tls = yes
        smtpd_tls_CAfile = /etc/postfix/cacert.pem
        smtpd_tls_cert_file = /etc/postfix/FOO-cert.pem
        smtpd_tls_key_file = /etc/postfix/FOO-key.pem
        smtpd_tls_received_header = yes
        smtpd_tls_session_cache_database =
            btree:/var/spool/postfix/smtpd_tls_session_cache
        tls_random_source = dev:/dev/urandom
        # Postfix 2.3 and later
        smtpd_tls_security_level = may
        # Obsolete, but still supported
        smtpd_use_tls = yes
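The whole procedure above as one non-interactive script. This is an added example and is not part of the Postfix TLS_README: it performs the same steps (own CA, host key and request, signing, install-ready files, main.cf fragment) but uses "openssl req -x509" and "openssl x509 -req" instead of CA.pl and "openssl ca", so there is no demoCA/ database to maintain, and it generates 2048-bit RSA keys with SHA-256 signatures instead of the 1024-bit keys in the transcript. Before anything is copied into place it checks its own work with "openssl verify" and confirms that the private key really belongs to the certificate. The host name mail.example.test, the work directory, the subject fields, and the /etc/postfix paths written into the fragment are assumptions; the fragment itself assumes Postfix 2.5 or later, where ${data_directory} exists and the *_tls_security_level parameters are available.

```shell
#!/bin/sh
# Added example, not from the Postfix TLS_README: the "quick and dirty" steps
# as one non-interactive script. Paths, subject fields and host name are
# assumptions; override them when calling the functions.
set -eu

# Step 1: become your own CA. No demoCA/ database is needed. -nodes leaves the
# CA key unencrypted so signing can run unattended, so keep the directory
# root-only. 2048-bit RSA and SHA-256 replace the 1024-bit keys in the transcript.
make_ca() {
    cadir=$1
    mkdir -p "$cadir" && chmod 700 "$cadir"
    openssl req -x509 -new -nodes -newkey rsa:2048 -sha256 -days 3650 \
        -subj "/C=US/ST=New York/L=Westchester/O=Porcupine/CN=Porcupine mail CA" \
        -keyout "$cadir/cakey.pem" -out "$cadir/cacert.pem" 2>/dev/null
    chmod 400 "$cadir/cakey.pem"
}

# Steps 2 and 3: unencrypted host key plus request, then sign the request with
# the CA. -days belongs on the signing command; "openssl req -new" ignores it.
# The subjectAltName is what a verifying peer matches against the host name.
make_host_cert() {
    host=$1 cadir=$2 out=$3
    mkdir -p "$out"
    openssl req -new -nodes -newkey rsa:2048 -sha256 \
        -subj "/C=US/ST=New York/L=Westchester/O=Porcupine/CN=$host" \
        -keyout "$out/$host-key.pem" -out "$out/$host-req.pem" 2>/dev/null
    printf 'subjectAltName=DNS:%s\n' "$host" > "$out/$host.ext"
    openssl x509 -req -sha256 -days 365 -in "$out/$host-req.pem" \
        -CA "$cadir/cacert.pem" -CAkey "$cadir/cakey.pem" -CAcreateserial \
        -extfile "$out/$host.ext" -out "$out/$host-cert.pem" 2>/dev/null
    # Same modes as the install step: key root-only, certificate public.
    chmod 400 "$out/$host-key.pem"
    chmod 644 "$out/$host-cert.pem"
}

# Check the work before installing: the certificate must chain to cacert.pem,
# and the public key inside it must be the one derived from the private key.
check_host_cert() {
    host=$1 cadir=$2 out=$3
    openssl verify -CAfile "$cadir/cacert.pem" "$out/$host-cert.pem" >/dev/null
    key_pub=$(openssl pkey -in "$out/$host-key.pem" -pubout 2>/dev/null)
    cert_pub=$(openssl x509 -in "$out/$host-cert.pem" -pubkey -noout)
    [ "$key_pub" = "$cert_pub" ]
}

# Step 4: the main.cf fragment. Assumes Postfix 2.5 or later: the
# *_tls_security_level parameters replace the obsolete *_use_tls booleans, and
# the session caches live under ${data_directory}. $2 is where the files will
# be installed (an assumption, /etc/postfix in main below).
write_main_cf() {
    host=$1 confdir=$2 out=$3
    cat > "$out" <<EOF
# TLS for $host; certificate, key and CA certificate installed under $confdir
smtpd_tls_security_level = may
smtpd_tls_cert_file = $confdir/$host-cert.pem
smtpd_tls_key_file = $confdir/$host-key.pem
smtpd_tls_CAfile = $confdir/cacert.pem
smtpd_tls_received_header = yes
smtpd_tls_session_cache_database = btree:\${data_directory}/smtpd_scache
smtp_tls_security_level = may
smtp_tls_CAfile = $confdir/cacert.pem
smtp_tls_session_cache_database = btree:\${data_directory}/smtp_scache
EOF
}

# Usage: sh tls-setup.sh <workdir> <hostname>
# Afterwards copy <workdir>/out/<hostname>-*.pem and <workdir>/ca/cacert.pem to
# /etc/postfix as root, append <workdir>/main.cf to main.cf, and "postfix reload".
main() {
    work=$1 host=$2
    make_ca "$work/ca"
    make_host_cert "$host" "$work/ca" "$work/out"
    check_host_cert "$host" "$work/ca" "$work/out"
    write_main_cf "$host" /etc/postfix "$work/main.cf"
    echo "OK: $work/out/$host-cert.pem verifies against $work/ca/cacert.pem"
}
if [ $# -eq 2 ]; then main "$1" "$2"; fi
```

Once the files are installed and Postfix has been reloaded, check the server from another machine with "openssl s_client -starttls smtp -connect mail.example.test:25 -CAfile cacert.pem": the handshake should complete and the output should end with "Verify return code: 0 (ok)", which is exactly what a remote site without your cacert.pem will not get, which is the "encryption but no authentication" point made at the top of this section.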
    