Postfix-TLS/Cyrus-SSL Configuration

This page show you how to configure Postfix with TLS support to use a Certficate. This example was used on a Debian System, but should be similar for most other systems.

Generate Local Server-side Certificate

You will need to generate a certificate, eg:

cd /etc/ssl/private
openssl req -nodes -new -keyout server.key -out server.csr

and supplying the values at the prompt.

Generate CACert Certificate

Paste the contents of the server.csr file into the CAcert website, you will need to verify your domains before hand etc. Then when you are shown/sent your certificate open /etc/ssl/certs/server.crt and paste the contents into that file.

Update Postfix configuration files

For split-file configuration, edit the file /etc/postfix/main.cf and uncomment or add the following to the bottom:

### Transport Layer Security ###

# Server side TLS
smtpd_use_tls = yes
smtpd_tls_key_file = /etc/ssl/private/server.key
smtpd_tls_cert_file = /etc/ssl/certs/server.crt
smtpd_tls_CAfile = /etc/ssl/certs/cacert.crt
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s

# Client side TLS
smtp_use_tls = yes
smtp_tls_key_file = /etc/ssl/private/server.key
smtp_tls_cert_file = /etc/ssl/certs/server.crt
smtp_tls_CAfile = /etc/ssl/certs/cacert.crt

# Misc TLS
tls_random_source = dev:/dev/urandom

In /etc/imapd.conf

tls_cert_file: /etc/ssl/certs/server.crt
tls_key_file: /etc/ssl/private/server.key

Then, activate the changes by:

/etc/init.d/postfix restart
/etc/init.d/cyrus restart

Reference

Following help information taken from the CAcert website and UK Indymedia doc site: http://www.CAcert.org/help.php http://docs.indymedia.org/view/Sysadmin/CaCertSsl