Configuring Postfix on SLES 10 to Use GoDaddy Certificates
This document (7002392) is provided subject to the disclaimer at the end of this document.
Environment
Situation
Resolution
NOTE: It is important that the key file not be lost. Please make backups of this file once obtained.
su -
mkdir /etc/postfix/ssl
cd /etc/postfix/ssl
openssl genrsa -out hostname.key 1024
The 'hostname.key' file is then used by OpenSSL to generate the csr that will need to be presented to GoDaddy. To generate a csr file with the name 'hostname.csr' issue the following command.
openssl req -new -nodes -key hostname.key -out hostname.csr
Upon issuing the command to create the csr file, a number of questions pertinent to the creation of the file will be asked. An example is listed below.
NOTE: When prompted for the "Common Name", the expected response is the fully qualified hostname of the server where the certificate will be implemented. For the purposes of this document, this is the server where Postfix is installed.
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:UT
Locality Name (eg, city) []:Provo
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Widgits Inc
Organizational Unit Name (eg, section) []:Customer Services
Common Name (eg, YOUR name) []:mail.widgits.com
Email Address []:postmaster@widgits.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
At this point, the csr is ready to be submitted to GoDaddy for the process of minting the certificate. It is important to note that when going through the process of submitting the csr to GoDaddy, the person going through the submission process will be asked to designate which type of application the certificate is intended for. Possible answers include Tomcat, Apache, IIS and others. Success has been seen when choosing Apache as the application the certificate is intended for.
After the csr has been submitted and the certificate has been approved, a zip file containing two files will be emailed to the submitter. The filenames will be <Common Name entered in CSR process>.crt and gd_bundle.crt. Place these two files in the /etc/postfix/ssl directory.
The private key file 'hostname.key' and the two files received from GoDaddy should now be concatenated into a single file. The file created in the example below is 'hostname.pem'. Also, the filename 'mail.widgits.com.crt' used in the example will not match the filename of your certificate. Please insert the correct filename.
cat hostname.key mail.widgits.com.crt gd_bundle.crt >> hostname.pem
The /etc/postfix/ssl directory should now contain 5 files. In the example described thus far, the five files are:
hostname.key
hostname.csr
mail.widgits.com.crt
gd_bundle.crt
hostname.pem
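As an added check (example script, not part of this TID), the following POSIX shell functions verify the assembled files before Postfix is restarted: that hostname.pem starts with the private key and carries the server certificate plus the bundle, that it is readable by root only, and, when openssl is installed, that the key matches the certificate and the certificate verifies against gd_bundle.crt. File names follow the example above; the sample PEM content is constructed with placeholder bodies and contains no key material.

```shell
# Added example (not part of the SUSE TID): sanity checks on the files
# assembled in /etc/postfix/ssl before Postfix is restarted. Assumes the
# document's layout: hostname.key, <CN>.crt, gd_bundle.crt and hostname.pem
# concatenated as key first, server certificate, then the bundle.

# Count PEM blocks with one label ("CERTIFICATE", "RSA PRIVATE KEY") in a file.
count_blocks() {
    grep -c "^-----BEGIN $2-----" "$1" || true
}

# hostname.pem must start with the private key, followed by the server
# certificate and at least one bundle certificate.
check_pem_layout() {
    head -n 1 "$1" | grep -Eq '^-----BEGIN (RSA )?PRIVATE KEY-----' \
        || { echo "$1: first block is not a private key"; return 1; }
    [ "$(count_blocks "$1" 'RSA PRIVATE KEY')" -eq 1 ] \
        || { echo "$1: expected exactly one private key"; return 1; }
    [ "$(count_blocks "$1" CERTIFICATE)" -ge 2 ] \
        || { echo "$1: expected server certificate plus bundle"; return 1; }
}

# hostname.pem contains the private key, so only root may read it (mode 600;
# Postfix loads TLS files as root before dropping privileges). GNU stat.
check_pem_mode() {
    [ "$(stat -c %a "$1")" = "600" ]
}

# If openssl is installed: the key must match the server certificate, and the
# certificate must verify against gd_bundle.crt (bundle must end in a root).
check_with_openssl() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found, skipped"; return 0; }
    k=$(openssl rsa -noout -modulus -in "$1" | openssl md5)
    c=$(openssl x509 -noout -modulus -in "$2" | openssl md5)
    [ "$k" = "$c" ] || { echo "$1 does not match $2"; return 1; }
    openssl verify -CAfile "$3" "$2"
}

# Constructed stand-in for hostname.pem with real PEM markers and placeholder
# bodies (no key material). Layout "good" puts the key first; "bad" does not.
make_sample_pem() {
    key='-----BEGIN RSA PRIVATE KEY-----\nconstructed-placeholder\n-----END RSA PRIVATE KEY-----\n'
    crt='-----BEGIN CERTIFICATE-----\nconstructed-placeholder\n-----END CERTIFICATE-----\n'
    if [ "$2" = good ]; then printf '%b' "$key$crt$crt" > "$1"
    else printf '%b' "$crt$key$crt" > "$1"; fi
}
if [ -n "${1:-}" ]; then   # usage: sh check_ssl.sh /etc/postfix/ssl
    check_pem_layout "$1/hostname.pem" && check_pem_mode "$1/hostname.pem" \
        && check_with_openssl "$1/hostname.key" "$1/mail.widgits.com.crt" "$1/gd_bundle.crt"
fi
```

Run it against the real directory only after the files from GoDaddy are in place; a mode other than 600 on hostname.pem leaves the private key readable to every local account.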
Finally, the process of modifying Postfix can begin. The two files that need to be modified for our example are '/etc/postfix/main.cf' and '/etc/postfix/master.cf'. It is best to first make a backup of the original files.
cp /etc/postfix/main.cf /etc/postfix/main.cf.org
cp /etc/postfix/master.cf /etc/postfix/master.cf.org
The following lines need to be added or modified in the main.cf file within a text editor. Note that the first two lines point to files created during the process previously listed.
smtpd_tls_key_file = /etc/postfix/ssl/hostname.key
smtpd_tls_cert_file = /etc/postfix/ssl/hostname.pem
smtpd_use_tls = yes
smtp_use_tls = yes
smtpd_tls_auth_only = no
smtp_tls_note_starttls_offer = yes
smtpd_tls_loglevel = 2
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
The only change to the master.cf file is to remove the comment character (#) from the beginning of the following line:
#tlsmgr    unix  -       -       n       1000?   1       tlsmgr
It should then look like this:
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
At this point, Postfix needs to be restarted.
rcpostfix restart
Now is the time to perform a quick test to see if Postfix will allow a TLS connection. From the terminal prompt, do the following:
telnet localhost 25
<a banner will appear>
ehlo localhost
<a number of allowed services will appear which should include STARTTLS>
STARTTLS
<no error should be returned>
If an error is returned, look first in the file '/var/log/mail.warn'. This file records any errors encountered while reading the certificate entries when Postfix is started. Typographical errors are a common cause of problems. Make sure there are no spelling errors and remember that all entries and filenames are case sensitive.
The Postfix system should now be ready to communicate securely.
Disclaimer
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID: 7002392
- Creation Date: 16-Jan-2009
- Modified Date: 25-Feb-2021
- SUSE Linux Enterprise Server
For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com