[GRLUG] Postfix server setup

Godwin godwin at grandrapids-lug.org
Thu May 8 23:22:26 EDT 2014


Hi Patrick,

Yes, Godaddy's certificate will work on Apache, Postfix, Cyrus IMAP (or
anything else that requires a cert - I suspect).  This site has a quick
reference to common OpenSSL commands like generating a key, csr, cert, etc.

http://www.sslshopper.com/article-most-common-openssl-commands.html

To add your cert to Postfix, you'll need the key you generated (prior to
the CSR you generated), and both the domain cert and CA cert you got from
Godaddy.  Here's how to use them in Postfix's "main.cf"
file:

smtp_use_tls = yes
smtp_tls_note_starttls_offer = yes
# The two lines above allow us to ask for TLS when connecting to other servers.
smtpd_use_tls = yes
smtpd_tls_auth_only = no
# Use this to force TLS (problem is, then non-TLS sessions will be rejected)
#smtpd_tls_security_level = encrypt
smtpd_tls_cert_file = /etc/postfix/ssl/yourdomain.com-cert.crt
smtpd_tls_key_file = /etc/postfix/ssl/yourdomain.com.key
smtpd_tls_CAfile = /etc/postfix/ssl/gd_bundle-g2-g1.crt
smtpd_tls_loglevel = 3
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

Others can scrutinize this, but that's the gist of it.

cheers,
Godwin




On Thu, May 8, 2014 at 2:16 PM, Patrick Goupell <patrick at upmerchants.com> wrote:

>
> On 05/08/2014 01:41 PM, Dave Chiodo wrote:
>
>> Did you generate a CSR on your server and submit it to godaddy?
>>
>> An SSL cert is basically a public key that's been signed by the cert
>> authority - you should still have the "private" key somewhere (that you
>> keep secure and accessible only by your server)
>>
>> I couldn't tell you anything about postfix directly (never used it, I'm an
>> exim user), but you can always use openssl to handle it. It will accept the
>> "SSL" connection from a client, and then relay it locally to the non-SSL
>> service.
>>
>>
>>
> Yes, I sent the CSR to godaddy.com.  I got back the 2 files as I said.
>
>
> --
> Patrick Goupell



-- 

Ubber::Geek
http://grlug.org/
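
Added example (not part of the original message, and not Postfix's own code): a small Python lint for the smtpd TLS settings shown above. It flags lines Postfix cannot read as `name = value` (such as a comment that wrapped onto an uncommented line), debug-level TLS logging, SASL AUTH accepted without TLS, and a key file accessible to group or other. The function names and the sample text are constructed for illustration.

```python
import os
import re

# Constructed sample from the message above, wrapped comment ("servers.") included.
SAMPLE_MAIN_CF = """\
# The two lines above allows us to ask for TLS on connecting to other
servers.
smtpd_use_tls = yes
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/postfix/ssl/yourdomain.com-cert.crt
smtpd_tls_key_file = /etc/postfix/ssl/yourdomain.com.key
smtpd_tls_loglevel = 3
"""

def parse_main_cf(text):
    """Return (params, stray_lines). Blank and '#' lines are skipped; a line
    that starts with whitespace continues the previous logical line."""
    params, stray, last = {}, [], None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and last is not None:
            params[last] += " " + raw.strip()
            continue
        m = re.match(r"([A-Za-z0-9_]+)\s*=\s*(.*)$", raw)
        if m:
            last = m.group(1)
            params[last] = m.group(2).strip()
        else:
            stray.append(raw)
    return params, stray

def lint_smtpd_tls(text):
    """Return findings for the smtpd TLS settings (hypothetical helper)."""
    p, stray = parse_main_cf(text)
    out = ["not a 'name = value' line: %r" % s for s in stray]
    level = p.get("smtpd_tls_security_level", "")
    if (p.get("smtpd_use_tls") == "yes" or level in ("may", "encrypt")) \
            and not p.get("smtpd_tls_cert_file"):
        out.append("TLS enabled but smtpd_tls_cert_file is not set")
    if p.get("smtpd_sasl_auth_enable") == "yes" and level != "encrypt" \
            and p.get("smtpd_tls_auth_only", "no") != "yes":
        out.append("smtpd_tls_auth_only is not yes: AUTH is accepted without TLS")
    if p.get("smtpd_tls_loglevel", "0") in ("2", "3", "4"):
        out.append("smtpd_tls_loglevel >= 2 is meant for debugging only")
    key = p.get("smtpd_tls_key_file") or p.get("smtpd_tls_cert_file", "")
    if os.path.isfile(key) and os.stat(key).st_mode & 0o077:
        out.append("key file %s is accessible to group/other" % key)
    return out
```

Run `lint_smtpd_tls(open("/etc/postfix/main.cf").read())` on the server itself so the key file permission check sees the real file.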