Postfix-TLS/Cyrus-SSL Configuration

This page show you how to configure Postfix with TLS support to use a Certficate. This example was used on a Debian System, but should be similar for most other systems.

Generate Local Server-side Certificate

You will need to generate a certificate, eg:

cd /etc/ssl/private
openssl req -nodes -new -keyout server.key -out server.csr

and supplying the values at the prompt.

(!) NB! Make sure all your MX records in DNS points to this host using same hostname, otherwise you might have issues and will need to generate certificates with multiple hostnames, please have a look at VhostTaskForce (especially the scripts at the bottom) for more information about this.

Generate CACert Certificate

Paste the contents of the server.csr file into the CAcert website, you will need to verify your domains before hand etc. Then when you are shown/sent your certificate open /etc/ssl/certs/server.crt and paste the contents into that file.

/!\ Currently (20051021) the radiobutton is ignored so a class1 cert is always generated, even if requesting class3. This is possibly the cause of problems experienced with openssl treating the CAcert class1 root cert as self-signed -- JonasSmedegaard DateTime(2005-10-21T02:17:14Z)

Update Postfix configuration files

For split-file configuration, edit the file /etc/postfix/main.cf and uncomment or add the following to the bottom:

### Transport Layer Security ###
# Server side TLS
smtpd_use_tls = yes
# private key file
smtp_tls_key_file = /etc/ssl/private/server.key
# key you generated at cacert.org
smtp_tls_cert_file = /etc/ssl/certs/server.crt
# CAcert class3 Root Key from http://www.cacert.org/certs/class3.crt
smtp_tls_CAfile = /etc/ssl/certs/cacert.crt
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s


# Client side TLS
smtp_use_tls = yes
# private key file
smtp_tls_key_file = /etc/ssl/private/server.key
# key you generated at cacert.org
smtp_tls_cert_file = /etc/ssl/certs/server.crt
# CAcert class3 Root Key from http://www.cacert.org/certs/class3.crt
smtp_tls_CAfile = /etc/ssl/certs/cacert.crt
# Misc TLS
tls_random_source = dev:/dev/urandom

In /etc/imapd.conf

tls_cert_file: /etc/ssl/certs/server.crt
tls_key_file: /etc/ssl/private/server.key

Then, activate the changes by:

/etc/init.d/postfix restart
/etc/init.d/cyrus restart

Reference

Following help information taken from the CAcert website and UK Indymedia doc site: http://www.CAcert.org/help.php http://docs.indymedia.org/view/Sysadmin/CaCertSsl

Alternatively you can find more information here:

[http://www.projektfarm.com/en/support/howto/postfix_smtp_auth_tls.html Postfix SSL Configuration] [http://www.iki.fi/petri.koistinen/postfix/postfix-tls-cacert.shtml Postfix TLS with free CAcert.org certificates]

There is a document here on building and installing a Postfix RPM on Fedora and setting up a CAcert certificate: http://wiki.slugbug.org.uk/Postfix_TLS

http://www.credentia.cc/certs/howto/postfix.html describes the steps necessary to enable certificate verification against a CA such as CAcert.