TLS

There are 2 posts tagged TLS (this is page 1 of 1).

Postfix setup for SSL and TLS

To use SSL and TLS with the postfix mailer daemon you must change settings in the /etc/postfix/main.cf configuration file:

# tls config
smtp_use_tls = yes
smtpd_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_CAfile = /etc/postfix/ssl/demoCA/cacert.pem
smtpd_tls_cert_file = /etc/postfix/ssl/server-crt.pem
smtpd_tls_key_file = /etc/postfix/ssl/server-key.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
tls_random_prng_update_period = 3600s

You also need a SSL certificate for your mail server. Create it with the following commands:

mkdir /etc/postfix/ssl
cd /etc/postfix/ssl/

# Create new local certification authority (if not already present)
/usr/share/ssl/misc/CA.pl -newca

# Create RSA certificate
openssl req -new -nodes -keyout server-key.pem -out server-req.pem -days 365
openssl ca -out server-crt.pem -infiles server-req.pem
chmod 644 server-crt.pem demoCA/cacert.pem
chmod 400 server-key.pem

Now you must remove the comment mark “#” for SMTPS and TLS manager in the /etc/postfix/master.cf configuration file:

smtps     inet  n       -       n       -       -       smtpd -o smtpd_tls_wrappermode=yes
tlsmgr    unix  -       -       n       1000?   1       tlsmgr

IMAP server setup under SuSE Linux

First you must install the UW-Imap daemon with yast. UW-Imap uses the standard mail folder structure from Linux, so no additional configuration is needed.

Create SSL certificates

The certificates are stored in folder /etc/ssl/certs. Change to this directory:

cd /etc/ssl/certs

Now create the certificates for your system with the following command:

openssl req -new -x509 -nodes -out imapd.pem -keyout imapd.pem -days 365

You are asked about country name (2 letter code), state or province Name (full name), locality name (eg, city), organization name (eg, company), organizational unit name (eg, section), common name (eg, your name) and email address.

For «common name» you must enter the full DNS or IP address of your system ! If your system has more than one DNS name or IP addresses you must generate an own certificate for each DNS name or IP address.

Configuration of xinetd

Open the file /etc/xinetd.d/imap with a editor of your choice.

$EDITOR /etc/xinetd.d/imap

Add the section imaps if it doesn’t already exists:

service imaps
{
  disable         = no
  socket_type     = stream
  protocol        = tcp
  wait            = no
  user            = root
  server          = /usr/sbin/imapd
  flags           = IPv4
}

Save the changes and restart xinetd with the command

rcxinetd restart