In the following commands, replace “mail.domain.tld” with the host name of your own server.
First generate a private key for the server (protect the key with a password, and don't forget it!):
openssl genrsa -des3 -out mail.domain.tld.key 2048
mail:~/ssl# openssl genrsa -des3 -rand /etc/hosts -out mail.domain.tld.key 2048
266 semi-random bytes loaded
Generating RSA private key, 2048 bit long modulus
..................+++
......+++
e is 65537 (0x10001)
Enter pass phrase for mail.domain.tld.key: <- enter a password
Verifying - Enter pass phrase for mail.domain.tld.key: <- enter your password
Then you create a certificate request:
openssl req -new -key mail.domain.tld.key -out mail.domain.tld.csr
mail:~/ssl# openssl req -new -key mail.domain.tld.key -out mail.domain.tld.csr
Enter pass phrase for mail.domain.tld.key: <- enter your password
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:mail.domain.tld
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: <- leave empty
An optional company name []:
Create a self-signed certificate from the request:
openssl x509 -req -days 365 -in mail.domain.tld.csr -signkey mail.domain.tld.key -out mail.domain.tld.crt
mail:~/ssl# openssl x509 -req -days 365 -in mail.domain.tld.csr -signkey mail.domain.tld.key -out mail.domain.tld.crt
Signature ok
subject=/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=mail.domain.tld
Getting Private key
Enter pass phrase for mail.domain.tld.key: <- enter your password
Now remove the password from the private key (we do this so we don't have to enter a password whenever postfix is restarted):
openssl rsa -in mail.domain.tld.key -out mail.domain.tld.key.nopass
mv mail.domain.tld.key.nopass mail.domain.tld.key
mail:~/ssl# openssl rsa -in mail.domain.tld.key -out mail.domain.tld.key.nopass
Enter pass phrase for mail.domain.tld.key: <- enter your password
writing RSA key
mail:~/ssl# mv mail.domain.tld.key.nopass mail.domain.tld.key
Make ourselves a trusted CA:
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650
mail:~/ssl# openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650
Generating a 1024 bit RSA private key
..++++++
.......................................++++++
writing new private key to 'cakey.pem'
Enter PEM pass phrase: <- enter a password
Verifying - Enter PEM pass phrase: <- enter your password
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:mail.domain.tld
Email Address []:
Now we have made ourselves a new set of keys.
The last thing to do is to copy the files to a proper location and tell postfix to use the new key files.
Copy the files into a proper location:
chmod 600 mail.domain.tld.key
chmod 600 cakey.pem
mv mail.domain.tld.key /etc/ssl/private/
mv mail.domain.tld.crt /etc/ssl/certs/
mv cakey.pem /etc/ssl/private/
mv cacert.pem /etc/ssl/certs/
Tell Postfix where the keys are and use TLS:
postconf -e 'smtpd_use_tls = yes'
postconf -e 'smtpd_tls_auth_only = no'
postconf -e 'smtpd_tls_key_file = /etc/ssl/private/mail.domain.tld.key'
postconf -e 'smtpd_tls_cert_file = /etc/ssl/certs/mail.domain.tld.crt'
postconf -e 'smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem'
postconf -e 'tls_random_source = dev:/dev/urandom'
postconf -e 'myhostname = mail.domain.tld'
Now restart postfix.
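The key, CSR and self-signed certificate steps above, run without prompts and followed by the checks worth making before Postfix is pointed at the files. This is an added example, not code from the original post; it assumes openssl is installed and leaves out the separate CA, which the server certificate above is not signed by (the x509 -req step signs it with its own key).

```shell
# Added example, not from the original post: the key, CSR and self-signed
# certificate steps above run without prompts, plus the checks worth running
# before Postfix is pointed at the files. Assumes openssl is installed.

# Make an unencrypted 2048-bit key and a self-signed cert for host $2 in dir $1.
# -subj stands in for the DN prompts; -nodes writes the key without a passphrase,
# which replaces the separate "remove the password" step.
make_selfsigned() (
    dir=$1; host=$2; days=${3:-365}
    umask 077    # files are created 0600, no later chmod needed
    openssl req -new -newkey rsa:2048 -nodes -batch -subj "/CN=$host" \
        -keyout "$dir/$host.key" -out "$dir/$host.csr" 2>/dev/null || exit 1
    openssl x509 -req -days "$days" -in "$dir/$host.csr" \
        -signkey "$dir/$host.key" -out "$dir/$host.crt" 2>/dev/null
)

# 0 if the PEM key carries no passphrase (Postfix cannot type one at startup).
key_is_unencrypted() {
    ! grep -q ENCRYPTED "$1"
}

# 0 if the certificate's public key is the one belonging to this private key.
key_matches_cert() {
    openssl pkey -in "$1" -noout 2>/dev/null && openssl x509 -in "$2" -noout 2>/dev/null || return 1
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null | openssl sha256)
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null | openssl sha256)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Print the subject CN, the name clients compare against the server's host name.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed 's/^subject=//; s/^.*CN=//; s/,.*//'
}

# 0 if the file is readable and writable by its owner only (mode 0600).
is_private_mode() {
    [ "$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")" = 600 ]
}

# Usage: sh mkcert.sh /root/ssl mail.domain.tld [days]
if [ $# -ge 2 ]; then
    make_selfsigned "$1" "$2" "${3:-365}" || exit 1
    key_is_unencrypted "$1/$2.key" && key_matches_cert "$1/$2.key" "$1/$2.crt" &&
        is_private_mode "$1/$2.key" && echo "ok: CN=$(cert_cn "$1/$2.crt")"
fi
```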
For enabling "smtpd_sasl_auth":
install-
Add the configuration below to "main.cf":
# limit email size to 10M
message_size_limit = 10485760
# limit mailbox size to 1G
mailbox_size_limit = 1073741824
# for SMTP-Auth
#smtpd_sasl_type = dovecot
#smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
#smtpd_sasl_security_options = noanonymous
smtpd_sasl_application_name = smtpd
smtpd_recipient_restrictions = permit_sasl_authenticated,
    permit_mynetworks,
    reject_unauth_destination,
    #reject_invalid_hostname,
    #reject_non_fqdn_hostname,
    #reject_non_fqdn_sender,
    #reject_non_fqdn_recipient,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    reject_unauth_pipelining,
    reject_rbl_client zen.spamhaus.org,
    reject_rbl_client bl.spamcop.net,
    reject_rbl_client dnsbl.njabl.org,
    reject_rbl_client dnsbl.sorbs.net,
    permit
smtpd_client_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
smtp_sasl_mechanism_filter = plain
smtpd_sasl_local_domain = $myhostname
broken_sasl_auth_clients = yes
smtpd_helo_required = yes
smtp_use_tls = yes
smtpd_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_key_file = /etc/postfix/tapp-mail-certs/tappware_mail.key
smtpd_tls_cert_file = /etc/postfix/tapp-mail-certs/tappware_mail.crt
smtpd_tls_CAfile = /etc/postfix/tapp-mail-certs/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
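A small audit of the main.cf above, added here as an example (not part of the original post): it joins Postfix continuation lines, looks up the effective value of a parameter, and flags the settings in this configuration that let clients authenticate before STARTTLS or relay without authentication. The sample main.cf it reads is constructed inline; relay control is checked in smtpd_recipient_restrictions, as this configuration lays it out.

```shell
# Added example, not from the original post: reads main.cf as Postfix does (a
# value continues on lines starting with whitespace; a line whose first non-blank
# character is '#' is a comment) and flags weak SASL/TLS and relay settings.
# Emit one "name = value" line per parameter, with continuation lines joined.
flatten_maincf() {
    awk '/^[ \t]*#/ { next }
         /^[ \t]/   { sub(/^[ \t]+/, " "); printf "%s", $0; next }
         started    { print "" }
                    { printf "%s", $0; started = 1 }
         END        { print "" }' "$1"
}
# Print the effective (last) value of parameter $2 in main.cf $1, or nothing.
maincf_get() {
    flatten_maincf "$1" | awk -v p="$2" '
        { i = index($0, "="); if (i == 0) next
          n = substr($0, 1, i - 1); gsub(/[ \t]/, "", n)
          if (n == p) { v = substr($0, i + 1); gsub(/^[ \t]+|[ \t]+$/, "", v) } }
        END { print v }'
}
# Print the number of weak settings found, describing each one on stderr.
# Relay control is checked in smtpd_recipient_restrictions, as laid out above.
audit_sasl_tls() {
    n=0
    if [ "$(maincf_get "$1" smtpd_sasl_auth_enable)" = yes ]; then
        [ "$(maincf_get "$1" smtpd_use_tls)" = yes ] ||
            { echo "smtpd_use_tls != yes: AUTH without STARTTLS sends passwords in clear" >&2; n=$((n + 1)); }
        [ "$(maincf_get "$1" smtpd_tls_auth_only)" = yes ] ||
            { echo "smtpd_tls_auth_only != yes: AUTH accepted before STARTTLS" >&2; n=$((n + 1)); }
    fi
    case "$(maincf_get "$1" smtpd_recipient_restrictions)" in
        *reject_unauth_destination*) ;;
        *) echo "smtpd_recipient_restrictions lacks reject_unauth_destination (open relay)" >&2; n=$((n + 1)) ;;
    esac
    echo "$n"
}
# Constructed sample mirroring the configuration above (AUTH allowed before TLS).
write_sample_maincf() {
    cat > "$1" <<'EOF'
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,
    reject_unauth_destination,
    #reject_invalid_hostname,
    permit
smtpd_use_tls = yes
smtpd_tls_auth_only = no
EOF
}
```

Run `audit_sasl_tls /etc/postfix/main.cf` against a live file; a count of 0 means none of the three checks fired.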