We just have our SSL certificate created. And we want to install it on our mail server. In this example, we will put the same certificate on our pop/imap (cyrus) and our smtp (postfix) server, but we can use different certificates for each one.
Our SSL files are located in /etc/postfix/ssl directory (just created it and assign proper permissions. The certificate file is myserver.crt, the key myserver.key and our CA is myrootCA.pem (if you signed with a real CA, just add the certificate they gave you), so,
Let’s start with Cyrus, editing /etc/imapd.conf and adding these lines:
tls_cert_file:/etc/postfix/ssl/myserver.crt
tls_key_file:/etc/postfix/ssl/myserver.key
tls_ca_file:/etc/postfix/ssl/myrootCA.pem
Or we can add them by service, with imap_tls_cert_file, imap_tls_key_file, imap_tls_ca_file, or pop3_tls_key_file, pop3_tls_cert_file, pop3_tls_ca_file, even for lmtp and sieve.
We also can use tls_ca_path parameter to specify where to find CA certificates (useful to include intermediate certificates) or even tls_require_cert if it is mandatory to use the certificate to stablish a connection. The same for all the services, tls_require_cert applies for all, imap_tls_require_cert, pop3_tls_require_cert, lmtp_tls_require_cert, sieve_tls_require_cert applies to a specific protocol only.
Then, with Postfix, just edit /etc/postfix/main.cf and add:
smtpd_tls_cert_file=/etc/postfix/ssl/myserver.crt
smtpd_tls_key_file=/etc/postfix/ssl/myserver.key
smtpd_tls_CAfile=/etc/postfix/ssl/myrootCA.pemsmtpd_use_tls=yes
Notice de d after smtp. We can enable also, smtpd_tls_auth_only=yes so every connection will be smtpd. If you enable the certificate with smtp, make sure it’s validated by a real CA and make sure you are who you say you are, but remember, you may reveive less spam, and less real mail because some MTAs can’t connect through a secure connection, you can try to use the certificate but not to make it mandatory, in order to not lose mails.
But, ¿what about including intermediate certificates to postfix? We have to merge them all into one single file and them include this as smtpd_tls_CAfile. We can do what follows:
cat certificate1.crt certificate2.crt certificate3.crt > mail_CA_bundle.crt
Deja un comentario