[GRLUG] Postfix server setup

Justin Denick jdenick at rtl.org
Fri May 9 09:53:23 EDT 2014


Just a quick note.

LogLevel 3 is pretty verbose. It actually spits out keys at that level, so using LogLevel 1 is probably safer.

LogLevel 0 should be used in production.

I, uh, left it on Level 3 once and created a helluva huge log file.


On May 8, 2014, at 11:30 PM, Godwin <godwin at grandrapids-lug.org> wrote:

> BTW, after restarting Postfix, test with... (I omitted stuff and put dots).  You'll notice the STARTTLS message. You type the stuff in RED (the "ehlo" is not misspelled).
> 
> you at yourmailsrvr:/etc/postfix/ssl$ telnet localhost 25
> Trying ::1...
> Connected to localhost.
> Escape character is '^]'.
> 220 mail.herenotthere.com ESMTP
> ehlo yourdomain.com
> .
> .
> .
> 250-STARTTLS
> .
> .
> .
> quit
> 221 2.0.0 Bye
> Connection closed by foreign host.
> you at yourmailsrvr:/etc/postfix/ssl$ 
> 
> 
> 
> On Thu, May 8, 2014 at 11:22 PM, Godwin <godwin at grandrapids-lug.org> wrote:
> Hi Patrick,
> 
> Yes, Godaddy's certificate will work on Apache, Postfix, Cyrus IMAP (or anything else that requires a cert - I suspect).  This site has quick reference to common OpenSSL command like generating a key, csr, cert, etc.
> 
> http://www.sslshopper.com/article-most-common-openssl-commands.html
> 
> To add your cert to Postfix, you'll need the key you generated (prior to the CSR you generated), and both the domain cert and CA cert you got from Godaddy.  Here's how to use them in Postfix's "main.cf" file:
> 
> smtp_use_tls = yes
> smtp_tls_note_starttls_offer = yes
> # The two lines above allows us to ask for TLS on connecting to other servers.
> smtpd_use_tls = yes
> smtpd_tls_auth_only = no
> # Use this to force TLS (problem is, then no TLS sessions will be rejected)
> #smtpd_tls_security_level = encrypt
> smtpd_tls_cert_file = /etc/postfix/ssl/yourdomain.com-cert.crt
> smtpd_tls_key_file = /etc/postfix/ssl/yourdomain.com.key
> smtpd_tls_CAfile = /etc/postfix/ssl/gd_bundle-g2-g1.crt
> smtpd_tls_loglevel = 3
> smtpd_tls_received_header = yes
> smtpd_tls_session_cache_timeout = 3600s
> tls_random_source = dev:/dev/urandom
> smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
> smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
> # See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
> # information on enabling SSL in the smtp client.
> 
> Others can scrutinize this, but that's the gist of if.
> 
> cheers,
> Godwin
> 
> 
> 
> 
> On Thu, May 8, 2014 at 2:16 PM, Patrick Goupell <patrick at upmerchants.com> wrote:
> 
> On 05/08/2014 01:41 PM, Dave Chiodo wrote:
> Did you generate a CSR on your server and submit it to godaddy?
> 
> An SSL cert is basically a public key thats been signed by the cert authority - you should still have the "private" key somewhere (that you keep secure and accessible only by your server)
> 
> I couldnt tell you anything about postfix directly (never used it, I'm an exim user), but you can always use openssl to handle it. It will accept the "SSL" connection from a client, and then relay it locally to the non-SSL service.
> 
> 
> 
> Yes, I sent the CSR to godaddy.com.  I got back the 2 files as I said.
> 
> 
> -- 
> Patrick Goupell
> 
> Are you free?  Find out at http://www.sedm.org/
> Income taxes?  Find out at http://www.whatistaxed.com
> 
> _______________________________________________
> grlug mailing list
> grlug at grlug.org
> http://shinobu.grlug.org/cgi-bin/mailman/listinfo/grlug
> 
> 
> 
> -- 
> 
> Ubber::Geek 
> http://grlug.org/
> 
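As an added example (my own code, not anything posted in the thread), here is a small Python linter that reads the main.cf fragment Godwin posted and flags the points raised above: a smtpd_tls_loglevel above 1, the obsolete *_use_tls switches, and a commented-out "encrypt" level that would reject plaintext senders on a public MX. The parser handles Postfix's line-leading "#" comments and whitespace continuation lines only; it does not check that the certificate files exist.

```python
"""Lint the TLS-related parameters of a Postfix main.cf fragment."""

# postconf(5): 0 off, 1 summary, 2 adds chain verification, 3 adds a hex/ASCII
# dump of the TLS handshake, 4 adds a dump of everything after STARTTLS.
MAX_PRODUCTION_LOGLEVEL = 1

# Obsolete yes/no switches and the security-level parameter that replaced them.
OBSOLETE_TLS_SWITCHES = {
    "smtpd_use_tls": "smtpd_tls_security_level = may",
    "smtp_use_tls": "smtp_tls_security_level = may",
}

# Copy of the fragment posted in this thread (used as sample input).
SAMPLE_MAIN_CF = """\
smtp_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_use_tls = yes
smtpd_tls_auth_only = no
#smtpd_tls_security_level = encrypt
smtpd_tls_cert_file = /etc/postfix/ssl/yourdomain.com-cert.crt
smtpd_tls_key_file = /etc/postfix/ssl/yourdomain.com.key
smtpd_tls_CAfile = /etc/postfix/ssl/gd_bundle-g2-g1.crt
smtpd_tls_loglevel = 3
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
"""


def parse_main_cf(text):
    """Return {parameter: value}; '#' comments only count at line start."""
    params, last = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and last:  # continuation of the previous value
            params[last] += " " + raw.strip()
            continue
        key, sep, value = raw.partition("=")
        if sep:
            last = key.strip()
            params[last] = value.strip()
    return params


def lint_tls(params):
    """Return a list of human-readable findings for the TLS settings."""
    findings = []
    level = params.get("smtpd_tls_loglevel", "0")
    if level.isdigit() and int(level) > MAX_PRODUCTION_LOGLEVEL:
        findings.append(f"smtpd_tls_loglevel = {level}: dumps handshake bytes into "
                        "the mail log; use 1 (or 0) in production")
    for old, new in OBSOLETE_TLS_SWITCHES.items():
        if old in params:
            findings.append(f"{old} is obsolete; use {new}")
    if params.get("smtpd_tls_security_level") == "encrypt":
        findings.append("smtpd_tls_security_level = encrypt rejects plaintext "
                        "senders; a public MX should use 'may' (RFC 3207)")
    for key in ("smtpd_tls_cert_file", "smtpd_tls_key_file", "smtpd_tls_CAfile"):
        if key not in params:
            findings.append(f"{key} is not set")
    return findings


SAMPLE_FINDINGS = lint_tls(parse_main_cf(SAMPLE_MAIN_CF))
```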
