nixCraft Linux Forum


Postfix mail server create self-signed SSL certificates on Cent OS / Redhat linux

#1  06-15-2007, 06:21 PM
rockdalinux (Contributor; Join Date: May 2005; Location: Bangalore; My distro: RHEL, HP-UX, Solaris, FreeBSD, Ubuntu; Posts: 521)

Use this howto / tutorial if you need to create self-signed SSL certificates on Cent OS / Redhat linux (RHEL 4/5).

Go to the /tmp dir

Code:
cd /tmp
mkdir config
cd config
mkdir certs crl newcerts private
echo "01" > serial
cp /dev/null index.txt
cat /usr/share/ssl/openssl.cnf | sed -e 's/\.\/demoCA/\./' > openssl.cnf

Create a NEW CA
Code:
openssl req -new -x509 -keyout private/cakey.pem -out cacert.pem -days 365 -config openssl.cnf
Certificate signing request
Code:
openssl req -nodes -new -x509 -keyout newreq.pem -out newreq.pem -days 365 -config openssl.cnf
openssl x509 -x509toreq -in newreq.pem -signkey newreq.pem -out tmp.pem
Sign the certificate
Code:
openssl ca -config openssl.cnf -policy policy_anything -out newcert.pem -infiles tmp.pem
Now copy cert
Code:
cp cacert.pem /usr/share/ssl/certs
grep -B 100 "END RSA PRIVATE KEY" newreq.pem > /usr/share/ssl/certs/key.pem
chmod 400 /usr/share/ssl/certs/key.pem
cp newcert.pem /usr/share/ssl/certs/cert.pem
Open /etc/postfix/main.cf and append or modify config as follows:
Code:
#### SASL bits ####
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous

## Relay policy: hosts in mynetworks and authenticated users may send mail
## through this server; everyone else may only deliver to our own domains.
## Postfix evaluates the list in order, so permit_mynetworks must come before
## reject_unauth_destination (check_relay_domains is obsolete; reject_unauth_destination replaces it).
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_delay_reject = yes

## this is necessary for some email clients
broken_sasl_auth_clients = yes

#### TLS bits ####
## set to "yes" to offer AUTH only after STARTTLS, so passwords never cross the wire in clear
smtpd_tls_auth_only = no
smtp_use_tls = yes
smtpd_use_tls = yes
smtp_tls_note_starttls_offer = yes

## Location of key, cert and CA-cert.
## These files need to be generated using openssl (see above)
smtpd_tls_key_file = /usr/share/ssl/certs/key.pem
smtpd_tls_cert_file = /usr/share/ssl/certs/cert.pem
smtpd_tls_CAfile = /usr/share/ssl/certs/cacert.pem

smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_exchange_name = /var/run/prng_exch
tls_random_source = dev:/dev/urandom
## only read by the old TLS/IPv6 patch; stock Postfix ignores it
ipv6_version = 1.25
Make sure you have cyrus-sasl installed
Code:
yum install cyrus-sasl
OR
Code:
up2date cyrus-sasl dovecot
Open /etc/dovecot.conf and enable secure imap and pop3

Create user for each mail user:
Code:
saslpasswd2 -c rocky
Allow postfix to read cyrus-sasl password file
Code:
chown :postfix /etc/sasldb2
Make sure /usr/lib/sasl2/smtpd.conf looks as follows:
Code:
pwcheck_method: auxprop
Restart postfix and cyrus:
Code:
/etc/init.d/saslauthd restart
/etc/init.d/postfix restart
/etc/init.d/dovecot restart
Run ntsysv and enable all services upon boot
Code:
ntsysv
Test everything is working
Code:
telnet server-ip 25
telnet server-ip 143
telnet server-ip 110
netstat -tulp
Make sure all mail ports are open in iptables as well; open /etc/sysconfig/iptables:
Code:
/etc/init.d/iptables save
vi /etc/sysconfig/iptables
Add rules that allow incoming ports 25, 143, 110
Code:
-A INPUT -i eth1 -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 110 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 143 -j ACCEPT
Make sure you make changes as per your setup.
Code:
/etc/init.d/iptables restart
__________________
Rocky Jr.
You may have my body & soul, but you will never touch my pride!

If you have knowledge, let others light their candles at it.

Certified to work on HP-UX / Sun Solaris / RedHat
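A small check for the main.cf settings in this howto, added here as an example (not part of the post or of Postfix itself): it parses a main.cf, then warns when the smtpd_recipient_restrictions order would stop hosts in mynetworks from relaying, when the obsolete check_relay_domains is still present, and when SASL AUTH is offered on unencrypted sessions. The sample main.cf is constructed and deliberately misordered.

```python
import re

def parse_main_cf(text):
    """Return {param: value}; a line that starts with whitespace continues the previous value."""
    params, last = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and last is not None:
            params[last] += " " + raw.strip()
            continue
        name, _, value = raw.partition("=")
        last = name.strip()
        params[last] = value.strip()
    return params

def restriction_list(value):
    """Postfix accepts commas and/or whitespace as separators in restriction lists."""
    return [tok for tok in re.split(r"[,\s]+", value) if tok]

def lint(text):
    """Return a list of findings; an empty list means the checks passed."""
    cfg = parse_main_cf(text)
    findings = []
    rules = restriction_list(cfg.get("smtpd_recipient_restrictions", ""))
    if "reject_unauth_destination" in rules and "permit_mynetworks" in rules:
        # restrictions are evaluated in order: a reject listed first wins
        if rules.index("reject_unauth_destination") < rules.index("permit_mynetworks"):
            findings.append("permit_mynetworks comes after reject_unauth_destination: "
                            "hosts in mynetworks cannot relay")
    if "check_relay_domains" in rules:
        findings.append("check_relay_domains is obsolete; reject_unauth_destination replaces it")
    if cfg.get("smtpd_sasl_auth_enable") == "yes" and cfg.get("smtpd_tls_auth_only", "no") != "yes":
        findings.append("smtpd_tls_auth_only is not yes: AUTH is offered on unencrypted sessions")
    return findings

# constructed sample (not a real server's file): misordered list plus auth_only = no
SAMPLE_MAIN_CF = """\
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_sasl_authenticated, reject_unauth_destination,
    permit_mynetworks check_relay_domains
smtpd_tls_auth_only = no
"""

if __name__ == "__main__":
    for finding in lint(SAMPLE_MAIN_CF):
        print("WARN:", finding)
```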