Use this howto if you need to create self-signed SSL certificates and set up TLS-protected SMTP authentication (Postfix with Cyrus SASL) plus Dovecot IMAP/POP3 on CentOS / Red Hat Enterprise Linux (RHEL 4/5). Because the certificate authority created here is self-signed, mail clients will warn about an untrusted certificate until cacert.pem is imported into them.

Go to the /tmp directory and create a private working directory there (the CA private key is created inside it, so keep it readable only by root):

Code:
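# Work in a private, freshly created directory: the CA private key and the
# server key are written here, so nothing created below may be group/world
# readable, and the directory name must not be one that another /tmp user
# could have pre-created (pre-existing directory / symlink tricks).
umask 077
workdir=$(mktemp -d /tmp/config.XXXXXX) || exit 1
cd "$workdir" || exit 1

# Directory layout expected by `openssl ca` with the demoCA-style config
# generated below.
mkdir certs crl newcerts private
echo "01" > serial          # first serial number the CA will issue
: > index.txt               # empty certificate database

# RHEL 4 ships openssl.cnf under /usr/share/ssl; RHEL 5 / CentOS 5 moved it
# under /etc/pki/tls. Adjust if neither path matches your box.
cnf=/usr/share/ssl/openssl.cnf
[ -f "$cnf" ] || cnf=/etc/pki/tls/openssl.cnf
# Rewrite the stock config so the CA directory is "." (this directory)
# instead of ./demoCA.
sed -e 's/\.\/demoCA/\./' "$cnf" > openssl.cnf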

Create a new CA (you are prompted for a passphrase that protects the CA private key; it is asked for again every time you sign a certificate):
Code:
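# Create the CA private key and its self-signed certificate. There is no
# -nodes here on purpose: the CA key is encrypted and you are prompted for a
# passphrase, which `openssl ca` asks for again at signing time.
# -newkey rsa:2048 overrides default_bits from openssl.cnf (typically 1024
# on RHEL 4/5); 1024-bit RSA is no longer considered adequate.
# The CA is valid for 365 days (-days). Certificates it signed stop being
# trusted once it expires, so either re-run this before then or pick a
# longer CA lifetime.
openssl req -new -x509 -newkey rsa:2048 -keyout private/cakey.pem -out cacert.pem -days 365 -config openssl.cnf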
Create the server private key and the certificate signing request:
Code:
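# Server key and certificate signing request in one step. The original
# recipe first produced a throwaway self-signed certificate (written into the
# same file as the key) and then converted it back into a request with
# -x509toreq; asking `req` for a request directly is simpler and leaves no
# stray self-signed certificate behind.
# File names are kept so the later steps still apply unchanged:
#   newreq.pem - the server private key. -nodes leaves it unencrypted, which
#                Postfix needs in order to start without a passphrase prompt.
#   tmp.pem    - the CSR that is handed to `openssl ca` below.
# -newkey rsa:2048 overrides the (typically 1024-bit) default in openssl.cnf.
openssl req -nodes -new -newkey rsa:2048 -keyout newreq.pem -out tmp.pem -config openssl.cnf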
Sign the request with the CA (enter the CA passphrase when prompted):
Code:
# Have the CA sign the request; this prompts for the CA key passphrase.
# policy_anything allows the subject fields to differ from the CA's own,
# which is what a private CA signing arbitrary server names needs.
# Validity comes from default_days in openssl.cnf unless -days is given.
openssl ca -config openssl.cnf -policy policy_anything -in tmp.pem -out newcert.pem
Now copy the CA certificate, the server certificate and the server private key into place:
Code:
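# Install the CA cert, server cert and server key where main.cf expects them.
# This is the RHEL 4 layout (RHEL 5 keeps its own certificates under
# /etc/pki/tls), so create the directory in case it does not exist.
certdir=/usr/share/ssl/certs
mkdir -p "$certdir"
cp cacert.pem "$certdir/cacert.pem"
cp newcert.pem "$certdir/cert.pem"
# Extract the private key with openssl rather than grepping the PEM file:
# that works whatever the PEM header says, whether or not newreq.pem also
# holds a certificate, and regardless of how long the key is. The subshell
# umask makes key.pem unreadable by others from the moment it is created, so
# there is no window in which a world-readable key exists before the chmod.
( umask 077 && openssl rsa -in newreq.pem -out "$certdir/key.pem" ) || { echo "key extraction failed, not installing key.pem" >&2; exit 1; }
chmod 400 "$certdir/key.pem"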
Open /etc/postfix/main.cf and append or modify the configuration as follows:
Code:
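#### SASL bits ####
smtpd_sasl_auth_enable = yes
# Left empty on purpose. The realm Postfix authenticates against has to match
# the realm saslpasswd2 stored the users under (check with sasldblistusers2),
# otherwise every login fails with "authentication failure".
smtpd_sasl_local_domain =
smtpd_sasl_security_options=noanonymous

## Clients in $mynetworks, or clients that have authenticated, may relay;
## everyone else may only deliver to our own domains. Order matters:
## permit_mynetworks must come BEFORE reject_unauth_destination, otherwise
## LAN clients are rejected before they are ever permitted. check_relay_domains
## is deprecated and redundant once reject_unauth_destination has run; it is
## kept only for older Postfix releases that still accept it.
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, check_relay_domains
smtpd_delay_reject = yes

## Also announce AUTH in the older, non-RFC form some mail clients require
broken_sasl_auth_clients = yes

#### TLS bits ####
# Only offer AUTH inside a TLS session. With "no" the PLAIN/LOGIN passwords
# would be accepted over an unencrypted connection and be readable on the
# wire; "yes" forces clients to STARTTLS first.
smtpd_tls_auth_only = yes
smtp_use_tls = yes
smtpd_use_tls = yes
smtp_tls_note_starttls_offer = yes

## Location of key, cert and CA-cert.
## These files need to be generated using openssl (see above). key.pem must
## be readable by root only; Postfix reads it as root before dropping privileges.

smtpd_tls_key_file = /usr/share/ssl/certs/key.pem
smtpd_tls_cert_file = /usr/share/ssl/certs/cert.pem
smtpd_tls_CAfile = /usr/share/ssl/certs/cacert.pem

smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_exchange_name = /var/run/prng_exch
tls_random_source = dev:/dev/urandom
# NOTE(review): tls_smtp_use_tls is not a parameter listed in postconf(5) and
# looks like a duplicate of smtp_use_tls above; ipv6_version appears to come
# from the RHEL 4 TLS+IPv6 patch set. Run `postconf -n` after editing and
# drop whatever it reports as an unused parameter.
tls_smtp_use_tls = yes
ipv6_version = 1.25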
Make sure cyrus-sasl (and dovecot) are installed:
Code:
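# cyrus-sasl provides saslpasswd2 and the sasldb lookup; dovecot serves
# IMAP/POP3 and is restarted later on, so install it here as well (the
# up2date variant below already does). On RHEL 5 the PLAIN/LOGIN mechanisms
# are in the separate cyrus-sasl-plain package; add it if the server does
# not offer them after this setup.
yum install cyrus-sasl dovecot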
OR
Code:
# Same packages for hosts that use up2date (RHEL 4 registered with RHN)
# instead of yum.
up2date cyrus-sasl dovecot
Open /etc/dovecot.conf and enable the SSL/TLS variants of IMAP and POP3 (imaps/pop3s), pointing Dovecot at the certificate and key generated above.

Create a SASL password entry for each mail user:
Code:
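# One sasldb entry per mail user. saslpasswd2 prompts for the password, so it
# never ends up in shell history or in `ps` output. Without -u the entry is
# stored under the realm of the local host name; that must agree with
# smtpd_sasl_local_domain in main.cf or logins fail.
mailuser=rocky
saslpasswd2 -c "$mailuser"
# Verify the entry was stored (listed as user@realm)
sasldblistusers2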
Allow Postfix to read the cyrus-sasl password database:
Code:
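# smtpd runs as the postfix user and has to read the sasldb. Changing the
# group alone is not enough if the file is mode 0600, so grant the group
# read explicitly. Do not make it world readable: it holds the users'
# passwords.
chgrp postfix /etc/sasldb2
chmod 640 /etc/sasldb2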
Make sure /usr/lib/sasl2/smtpd.conf looks as follows:
Code:
# Look passwords up in-process through the auxprop (sasldb, /etc/sasldb2)
# plugin. The saslauthd daemon is NOT used with this setting.
pwcheck_method: auxprop
Restart postfix and dovecot (saslauthd plays no part when pwcheck_method is auxprop):
Code:
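# Sanity-check main.cf and the queue/file layout before bouncing the service
# so a typo does not take mail down. saslauthd is not restarted: with
# pwcheck_method set to auxprop the daemon is not involved in authentication.
postfix check
/etc/init.d/postfix restart
/etc/init.d/dovecot restart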
Enable postfix and dovecot at boot (ntsysv does this interactively; do not switch on every service it lists, only the ones this setup needs):
Code:
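# Enable only the services this setup needs at boot. ntsysv is interactive
# and invites switching on everything it lists; chkconfig is explicit and
# scriptable.
chkconfig postfix on
chkconfig dovecot on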
Test that everything is working (each port should answer with a banner; also confirm that STARTTLS on port 25 presents your certificate):
Code:
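host=server-ip    # replace with the server's address
# Plaintext banners: each port should answer with a greeting line
telnet "$host" 25
telnet "$host" 143
telnet "$host" 110
# Check that STARTTLS works and that the server presents cert.pem signed by
# cacert.pem: the output should end with "Verify return code: 0 (ok)"
openssl s_client -connect "$host:25" -starttls smtp -CAfile /usr/share/ssl/certs/cacert.pem
# Listening sockets and the owning process (-n skips reverse DNS lookups)
netstat -tulpn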
Make sure the mail ports are open in iptables as well. Save the running rules, then edit /etc/sysconfig/iptables:
Code:
# Persist the currently loaded ruleset to /etc/sysconfig/iptables (it
# overwrites that file), then edit the saved file
service iptables save
vi /etc/sysconfig/iptables
Add rules that allow incoming connections on ports 25, 110 and 143 (plus 993 and 995 if you enabled imaps/pop3s in Dovecot):
Code:
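# Inbound mail ports on the interface facing the clients (eth1 here; change
# to match your box). 993/995 are only needed if imaps/pop3s were enabled in
# Dovecot. If your saved ruleset is the stock RHEL one, INPUT jumps to the
# RH-Firewall-1-INPUT chain, which ends with a REJECT: put these rules in
# that chain (or before the jump), otherwise they are never reached.
-A INPUT -i eth1 -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 110 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 143 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 993 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 995 -j ACCEPT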
Adjust the interface name (eth1) and the ports to your setup, then reload the firewall:
Code:
# Reload the rules from /etc/sysconfig/iptables
service iptables restart