<div dir="ltr">BTW, after restarting Postfix, test with... (I omitted stuff and put dots). You'll notice the <font face="courier new, monospace" color="#38761d">STARTTLS </font>message. You type the stuff in <font color="#cc0000">RED </font><font color="#000000">(the "ehlo" is not misspelled).</font><div>
<br></div><div><div><font face="courier new, monospace" color="#0b5394">you@yourmailsrvr:/etc/postfix/ssl$ </font><font face="courier new, monospace" color="#cc0000">telnet localhost 25</font></div><div><font face="courier new, monospace" color="#0b5394">Trying ::1...</font></div>
<div><font face="courier new, monospace" color="#0b5394">Connected to localhost.</font></div><div><font face="courier new, monospace" color="#0b5394">Escape character is '^]'.</font></div><div><font face="courier new, monospace" color="#0b5394">220 <a href="http://mail.herenotthere.com">mail.herenotthere.com</a> ESMTP</font></div>
<div><font face="courier new, monospace" color="#cc0000">ehlo <a href="http://yourdomain.com">yourdomain.com</a></font></div><div><font color="#0b5394" face="courier new, monospace">.</font></div><div><font color="#0b5394" face="courier new, monospace">.</font></div>
<div><font color="#0b5394" face="courier new, monospace">.</font></div><div><font face="courier new, monospace" color="#38761d"><b>250-STARTTLS</b></font></div><div><font color="#0b5394" face="courier new, monospace">.</font></div>
<div><font color="#0b5394" face="courier new, monospace">.</font></div><div><font color="#0b5394" face="courier new, monospace">.</font></div><div><font face="courier new, monospace" color="#cc0000">quit</font></div><div>
<font face="courier new, monospace" color="#0b5394">221 2.0.0 Bye</font></div><div><font face="courier new, monospace" color="#0b5394">Connection closed by foreign host.</font></div><div><font face="courier new, monospace" color="#0b5394">you@yourmailsrvr:/etc/postfix/ssl$ </font></div>
</div><div><font face="courier new, monospace" color="#0b5394"><br></font></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Thu, May 8, 2014 at 11:22 PM, Godwin <span dir="ltr"><<a href="mailto:godwin@grandrapids-lug.org" target="_blank">godwin@grandrapids-lug.org</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hi Patrick,<div><br></div><div>Yes, Godaddy's certificate will work on Apache, Postfix, Cyrus IMAP (or anything else that requires a cert - I suspect). This site has quick reference to common OpenSSL command like generating a key, csr, cert, etc.</div>
<div><br></div><div><a href="http://www.sslshopper.com/article-most-common-openssl-commands.html" target="_blank">http://www.sslshopper.com/article-most-common-openssl-commands.html</a><br></div><div><br></div><div>To add your cert to Postfix, you'll need the key you generated (prior to the CSR you generated), and both the domain cert and CA cert you got from Godaddy. Here's how to use them in Postfix's "<font face="courier new, monospace"><b><a href="http://main.cf" target="_blank">main.cf</a></b></font>" file:</div>
<div><br></div><div><div><font face="courier new, monospace" color="#0000ff">smtp_use_tls = yes</font></div><div><font face="courier new, monospace" color="#0000ff">smtp_tls_note_starttls_offer = yes</font></div><div><font face="courier new, monospace"><font color="#38761d"># The two lines above allows us to ask for TLS on connecting to other servers.</font><br>
</font></div><div><font face="courier new, monospace" color="#0000ff">smtpd_use_tls = yes</font></div><div><font face="courier new, monospace" color="#0000ff">smtpd_tls_auth_only = no</font></div><div><div><font face="courier new, monospace" color="#38761d"># Use this to force TLS (problem is, then no TLS sessions will be rejected)</font></div>
<div><font face="courier new, monospace" color="#38761d">#smtpd_tls_security_level = encrypt</font></div></div><div><font face="courier new, monospace" color="#0000ff">smtpd_tls_cert_file = /etc/postfix/ssl/yourdomain.com-cert.crt</font></div>
<div><font face="courier new, monospace" color="#0000ff">smtpd_tls_key_file = /etc/postfix/ssl/yourdomain.com.key</font></div><div><font face="courier new, monospace" color="#0000ff">smtpd_tls_CAfile = /etc/postfix/ssl/gd_bundle-g2-g1.crt</font></div>
<div><font face="courier new, monospace" color="#0000ff">smtpd_tls_loglevel = 3</font></div><div><font face="courier new, monospace" color="#0000ff">smtpd_tls_received_header = yes</font></div><div><font face="courier new, monospace" color="#0000ff">smtpd_tls_session_cache_timeout = 3600s</font></div>
<div><font face="courier new, monospace" color="#0000ff">tls_random_source = dev:/dev/urandom</font></div><div><font face="courier new, monospace" color="#0000ff">smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache</font></div>
<div><font face="courier new, monospace" color="#0000ff">smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache</font></div></div><div><div><font face="courier new, monospace" color="#38761d"># See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for</font></div>
<div><font face="courier new, monospace" color="#38761d"># information on enabling SSL in the smtp client.</font></div></div><div><br></div><div>Others can scrutinize this, but that's the gist of if.</div><div><br></div>
<div>cheers,</div><div>Godwin</div><div><br></div><div><br></div></div><div class="gmail_extra"><div><div class="h5"><br><br><div class="gmail_quote">On Thu, May 8, 2014 at 2:16 PM, Patrick Goupell <span dir="ltr"><<a href="mailto:patrick@upmerchants.com" target="_blank">patrick@upmerchants.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><br>
On 05/08/2014 01:41 PM, Dave Chiodo wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Did you generate a CSR on your server and submit it to godaddy?<br>
<br>
An SSL cert is basically a public key thats been signed by the cert authority - you should still have the "private" key somewhere (that you keep secure and accessible only by your server)<br>
<br>
I couldnt tell you anything about postfix directly (never used it, I'm an exim user), but you can always use openssl to handle it. It will accept the "SSL" connection from a client, and then relay it locally to the non-SSL service.<br>
<br>
<br>
</blockquote>
<br></div>
Yes, I sent the CSR to <a href="http://godaddy.com" target="_blank">godaddy.com</a>. I got back the 2 files as I said.<div><div><br>
<br>
-- <br>
Patrick Goupell<br>
<br>
Are you free? Find out at <a href="http://www.sedm.org/" target="_blank">http://www.sedm.org/</a><br>
Income taxes? Find out at <a href="http://www.whatistaxed.com" target="_blank">http://www.whatistaxed.com</a><br>
<br>
______________________________<u></u>_________________<br>
grlug mailing list<br>
<a href="mailto:grlug@grlug.org" target="_blank">grlug@grlug.org</a><br>
<a href="http://shinobu.grlug.org/cgi-bin/mailman/listinfo/grlug" target="_blank">http://shinobu.grlug.org/cgi-<u></u>bin/mailman/listinfo/grlug</a><br>
</div></div></blockquote></div><br><br clear="all"><div><br></div></div></div><span class="HOEnZb"><font color="#888888">-- <br><br>Ubber::Geek <br><a href="http://grlug.org/" target="_blank">http://grlug.org/</a>
</font></span></div>
</blockquote></div><br><br clear="all"><div><br></div>-- <br><br>Ubber::Geek <br><a href="http://grlug.org/">http://grlug.org/</a>
</div>