#format rst
## 20200111 AK

==================================
Postfix certificate verify howto
==================================

:Version: 0.8
:Author: maxigas*anargeek.net
:Update: 2010.03.15

**Warning: Beta version, needs peer review and further testing. It seems to work for me, nonetheless.**

How do you connect two Postfix servers running on Debian systems so that they send mail to each other over SSL/TLS and verify each other's certificates, which were issued by a certificate authority (here cacert.org)?

Note: you need to know basic unix commands and get around a text editor like nano / emacs / vi (I use emacs but I wrote nano in the instructions below because that is the most user friendly).

0. Documentation:

   The basis of this howto is the postfix and cacert IRC channels, Postfix documentation, forums and lists. Special thanks to Dan.

   - `Postfix TLS readme`_ (part of the postfix package, locally available at /usr/share/doc/postfix/TLS_README.gz)
   - `CAcert wiki: Postfix-TLS/Cyrus-SSL Configuration`_ (uses some deprecated Postfix syntax)
   - `Postfix TLS with free CAcert.org certificates`_

   .. _`Postfix TLS readme`: http://www.postfix.org/TLS_README.html
   .. _`CAcert wiki: Postfix-TLS/Cyrus-SSL Configuration`: http://wiki.cacert.org/PostfixConfiguration
   .. _`Postfix TLS with free CAcert.org certificates`: http://www.iki.fi/petri.koistinen/postfix/postfix-tls-cacert.shtml

1. Check DNS records:

   MX records have to be set, for example::

      mail.example1.org
      mail.example2.org

2. Install and configure postfix::

      apt-get install postfix
      nano /etc/postfix/main.cf

   Follow the `Basic Configuration`_ guide of the Postfix documentation.

   .. _`Basic Configuration`: http://www.postfix.org/BASIC_CONFIGURATION_README.html

   Send mail from test@example1.org to test@example2.org, and vice versa. Save the mail headers for future reference. The certificate part looks similar to this::

      Received: from example1.org (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested)

   Note the anonymous ADH cipher and the missing client certificate: the connection is encrypted, but neither side has proven its identity yet. That is what the rest of this howto fixes.
3. Get certificates from cacert.org:

   - Go to http://cacert.org/ and click "Join", follow the instructions.
   - Now you can log in with "Password login" (for example).
   - Now you can add a new domain with "New" from "Domains".
   - Now you can add a server certificate for your domain with "New" from "Server certificates".
   - This last one will ask you for a CSR_. Don't worry, it's easy to make one, here is how::

        cd ~
        wget http://svn.cacert.org/CAcert/Software/CSRGenerator/csr
        sh csr

     It will ask you a few questions. Here is one example for configuring mail.example1.org::

        Private Key and Certificate Signing Request Generator
        This script was designed to suit the request format needed by
        the CAcert Certificate Authority. www.CAcert.org

        Short Hostname (ie. imap big_srv www2): example1
        FQDN/CommonName (ie. www.example1.tld) : example1.tld
        Type SubjectAltNames for the certificate, one per line. Enter a blank line to finish
        SubjectAltName: DNS:mail.example1.org
        SubjectAltName: DNS:
        Running OpenSSL...
        Generating a 2048 bit RSA private key
        ........................................................+++
        ................................................+++
        writing new private key to '/root/example1_privatekey.pem'
        -----
        Copy the following Certificate Request and paste into CAcert website to obtain a Certificate.
        When you receive your certificate, you 'should' name it something like example1_server.pem
        -----BEGIN CERTIFICATE REQUEST-----
        MIIDBjCCAe4CAQAwFjEUMBIGA1UEAxMLZXhhbXBsZS5vcmcwggEiMA0GCSqGSIb3
        DQEBAQUAA4IBDwAwggEKAoIBAQClsXcoj86dyYlIe96khbZqYtyV03ak+teyClv5
        80I46irKcYQx4CFiirTCuusiAwsDfnDyZvnrwoxaUkc5nkw4Tlmb1j/y91U8rusX
        Zu43rep8s0zs7aMx/q34TTCc5Mru8UQjbnj9aCX1DF+8cA0ayQMm1BOFv8nTFcjK
        SnI5NdxRKDyqeH3KUgfxgGkBVU4VFVRU9XKD/zprzj+hWFT+fsjF7yQm0ZXDXaJ+
        0Yr9mDQjfzdLP3GObc7y7rwz8a5ozATwfpqZiWYjM34oKFPSj7kwLdA+otx0glGG
        e+P7G/E2uE+lbzi41CSFgKAjw3E0l1x47NoVD6DADS5mYIatAgMBAAGggaowgacG
        CSqGSIb3DQEJDjGBmTCBljCBkwYDVR0RBIGLMIGIggtleGFtcGxlLm9yZ4IPd3d3
        LmV4YW1wbGUub3Jngg9mb28uZXhhbXBsZS5vcmeCE3d3dy5mb28uZXhhbXBsZS5v
        cmeCD2Jhci5leGFtcGxlLm9yZ4ITd3d3LmJhci5leGFtcGxlLm9yZ4ILZXhhbXBs
        ZS5iYXKCD3d3dy5leGFtcGxlLmJhcjANBgkqhkiG9w0BAQQFAAOCAQEAHFiUDgVc
        lDGoq+2kLmQxKtYagc37sugw4OoutILxrXF0zJUSplF4Aco/KhBcSLQUpsW5u11Q
        tcxj4DqXrxsoZuawATKTGQXDaAxL/ud2FsXyhe2FC1h0id2cH12GsnDSziuFCM+t
        rz05dqnW6mZR5OHILlYPoIPNqk3tbkIyOs4GplL9PZLNjSKJ3oeXJXn1iSI6oegB
        dBJQMByDZsh7Xd/d1OFJMQq3TFMqmLEXErkXQnOmzBN375AHGYGZwozhVPjhfFZ1
        74AvmxOe17+OLm1j10EA9J/5jLzIgK0vs7HgK0131S/JAV4Ik9JccAWByGlxeuVb
        4Kf5vAucZZVe7g==
        -----END CERTIFICATE REQUEST-----
        The Certificate request is also available in /root/example1_csr.pem
        The Private Key is stored in /root/example1_privatekey.pem

   - Paste the part of the above output from the -----BEGIN CERTIFICATE REQUEST----- line to the -----END CERTIFICATE REQUEST----- line (both lines included) into the cacert website asking for the CSR. The same text is in /root/example1_csr.pem.
   - You will get another ASCII soup that you can paste into a file on your server::

        nano ~/example1_server.pem

4. Put the certificates in some suitable directories::

      cp -v ~/example1_privatekey.pem /etc/ssl/private/
      cp -v ~/example1_server.pem /etc/ssl/certs/

   Of course there are other options as well, some are even better than this, but for me that worked fine. Whatever you choose, the private key must stay readable by root only.

5. Install the CAcert root certificate::

      apt-get install ca-certificates

6. Configure Postfix:

   Trying to create a certificate-authority-verified SMTP connection between two servers of course means that you have to configure *both servers*. If you want them both to send and receive mail from each other then the configuration is symmetric, so only one is described here, but don't forget to configure *both servers*. The snippets below refer to the configuration of server example1 to exchange mails with server example2::

      nano /etc/postfix/main.cf
   a. Add a section for the **TLS configuration**::

         ### Transport Layer Security ###
         # Server side TLS
         smtpd_tls_security_level = may
         smtpd_tls_key_file = /etc/ssl/private/example1_privatekey.pem
         smtpd_tls_cert_file = /etc/ssl/certs/example1_server.pem
         smtpd_tls_CAfile = /usr/share/ca-certificates/cacert.org/root_X0F.crt
         smtpd_tls_loglevel = 1
         smtpd_tls_received_header = yes
         smtpd_tls_session_cache_timeout = 3600s
         smtpd_tls_ask_ccert = yes
         # Client side TLS
         smtp_tls_security_level = may
         smtp_tls_key_file = $smtpd_tls_key_file
         smtp_tls_cert_file = $smtpd_tls_cert_file
         smtp_tls_CAfile = $smtpd_tls_CAfile
         # Misc TLS
         tls_random_source = dev:/dev/urandom

      The server side asks the peer for its certificate (smtpd_tls_ask_ccert) and records the result in the Received: header (smtpd_tls_received_header); the client side presents the same certificate and uses the CAcert root to check the remote server.

   b. Create a **policy map**. Policy maps only work in Postfix 2.2 and above, so check the version::

         postconf | grep version

      Lower versions use another system, check the Postfix documentation or rather update your software base! Create / edit a file with the policy and hash it for quicker processing::

         echo "example2.tld verify" >> /etc/postfix/tls_policy
         echo ".example2.tld verify" >> /etc/postfix/tls_policy
         postmap /etc/postfix/tls_policy

      Run postmap on the file each time you edit it. The key is the next-hop domain of the destination; the entry with the leading dot covers its subdomains, which is why both lines are there. Note that at the "verify" level Postfix matches the certificate name against the MX hostname it got from DNS, so a forged MX record would still be accepted; use "secure" instead, which matches against the next-hop domain itself, if you need protection against that.

      Add the policy map to the postfix configuration::

         echo "smtp_tls_policy_maps = hash:/etc/postfix/tls_policy" >> /etc/postfix/main.cf

      Now reload the postfix configuration::

         /etc/init.d/postfix reload

7. Test the configuration::

      openssl s_client -connect mail.example1.hu:25 -starttls smtp | openssl x509 -noout -text
      openssl s_client -connect mail.example2.hu:25 -starttls smtp | openssl x509 -noout -text

   These commands are useful for debugging, for example to see what certificates the servers offer (if any). Finally, try to send a mail from test@example1.org to test@example2.org. The headers should contain something similar to this::

      Received: from example1.org (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "example1.org", Issuer "CA Cert Signing Authority" (verified OK))

   Note: only the hops between the two servers should have these lines.
8. Debug the Postfix configuration:

   Send mail from test@example1.org to test@example2.org and vice versa, then check:

   - The headers of the email, if it arrives.
   - The error messages that you get in email (bounces).
   - The postfix logs on the two servers, watched continually (especially on the sending one)::

        tail -f /var/log/mail.log

   Not sure if it is a simple TLS problem or a certificate problem? Temporarily change "verify" to "encrypt" in your policy map, rehash, reload and try again::

      rpl verify encrypt /etc/postfix/tls_policy
      postmap /etc/postfix/tls_policy
      /etc/init.d/postfix reload

   (rpl is a small search-and-replace tool from the Debian package of the same name; sed -i works just as well.) Now certificate verification is turned off, the connection is still encrypted but the peer is no longer authenticated, and you can test your configuration without it. Remember to change it back once you have found the problem.

.. _CSR: http://wiki.cacert.org/CSR
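The policy map from step 6b has two entries for one domain because Postfix looks up the full next-hop domain first and then parent domains written with a leading dot. The following script is an added example, not part of the original howto: it parses a tls_policy file in that format, resolves the effective level for a few constructed destinations (including the fallback to the global smtp_tls_security_level = may), and rejects unknown levels so a typo shows up before postmap. The policy text is constructed, and the parent-domain walk is written here by hand rather than taken from Postfix's source.

```python
"""Resolve which smtp_tls_policy_maps entry applies to a destination (added example)."""

# Constructed policy file in the howto's format ("key level [attributes]").
POLICY_TEXT = """\
# destination     level
example2.tld      verify
.example2.tld     verify
partner.example   encrypt
"""

# Security levels Postfix accepts in a policy map (current Postfix releases).
LEVELS = ('none', 'may', 'encrypt', 'dane', 'dane-only', 'fingerprint',
          'verify', 'secure')


def parse_policy(text):
    """Return {key: level}; raise on a line whose level is not a known one."""
    table = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split('#', 1)[0].strip()   # strip comments and blanks
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2 or fields[1] not in LEVELS:
            raise ValueError('tls_policy line %d: bad entry %r' % (lineno, raw))
        table[fields[0].lower()] = fields[1]   # extra attributes are ignored here
    return table


def effective_level(table, nexthop, default='may'):
    """Exact domain first, then '.parent' keys, then the global default.

    Returns (level, matched_key). The parent walk is our assumption about
    the lookup order; the howto's two entries rely on exactly this split.
    """
    domain = nexthop.lower()
    if domain in table:
        return table[domain], domain
    labels = domain.split('.')
    for i in range(1, len(labels)):
        parent = '.' + '.'.join(labels[i:])
        if parent in table:
            return table[parent], parent
    return default, 'smtp_tls_security_level'


if __name__ == '__main__':
    policy = parse_policy(POLICY_TEXT)
    for dest in ('example2.tld', 'mail.example2.tld', 'example2.org'):
        print(dest, effective_level(policy, dest))
```

Everything that does not match an entry stays at the global "may", so the map only raises the level for the peers you list; mail to anyone else is still delivered with opportunistic, unauthenticated TLS or even in the clear.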
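Steps 2, 7 and 8 all come down to reading the TLS annotation Postfix writes into the Received: header. The script below is an added example, not part of the original howto: it classifies a hop as plaintext, encrypted with an anonymous cipher (the ADH case from step 2), encrypted with an unverified client certificate, or verified (the step 7 case). The sample headers are constructed in the shape Postfix produces with smtpd_tls_received_header = yes; the "(not verified)" variant is Postfix's wording for a client certificate that did not chain to a trusted CA.

```python
"""Classify the TLS information in Postfix Received: headers (added example)."""
import re

# Constructed sample headers, one per case the howto talks about.
SAMPLE_HEADERS = [
    'Received: from example1.org (using TLSv1 with cipher ADH-AES256-SHA '
    '(256/256 bits)) (No client certificate requested)',
    'Received: from example1.org (using TLSv1 with cipher DHE-RSA-AES256-SHA '
    '(256/256 bits)) (Client CN "example1.org", Issuer "CA Cert Signing '
    'Authority" (verified OK))',
    'Received: from example1.org (using TLSv1 with cipher DHE-RSA-AES256-SHA '
    '(256/256 bits)) (Client CN "example1.org", Issuer "Some CA" (not verified))',
    'Received: from example1.org by example2.org with ESMTP',
]

TLS_RE = re.compile(r'\(using (?P<proto>\S+) with cipher (?P<cipher>\S+) ')
CCERT_RE = re.compile(r'\(Client CN "(?P<cn>[^"]*)", Issuer "(?P<issuer>[^"]*)" '
                      r'\((?P<status>verified OK|not verified)\)\)')


def classify_hop(header):
    """Return a dict saying what this Received: header actually proves."""
    tls = TLS_RE.search(header)
    if tls is None:
        return {'tls': False, 'level': 'plaintext'}
    cipher = tls.group('cipher')
    # ADH-/AECDH- ciphers are anonymous Diffie-Hellman: the session is
    # encrypted, but no certificate was involved, so nobody was authenticated.
    anonymous = cipher.startswith(('ADH-', 'AECDH-'))
    info = {'tls': True, 'protocol': tls.group('proto'), 'cipher': cipher,
            'anonymous': anonymous, 'client_cn': None, 'client_verified': False}
    ccert = CCERT_RE.search(header)
    if ccert:
        info['client_cn'] = ccert.group('cn')
        info['client_issuer'] = ccert.group('issuer')
        info['client_verified'] = ccert.group('status') == 'verified OK'
    if anonymous:
        info['level'] = 'encrypted-anonymous'
    elif info['client_verified']:
        info['level'] = 'client-verified'
    else:
        info['level'] = 'encrypted-unverified'
    return info


if __name__ == '__main__':
    for h in SAMPLE_HEADERS:
        print(classify_hop(h)['level'], '<-', h[:60])
```

The header only records what the *receiving* server learned about the client certificate; whether the sending side verified the receiver's certificate (the "verify" policy from step 6b) is visible only in the sender's mail.log, which is why step 8 tells you to watch that log too.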