
Re: New SSL Certificates for Postfix & Courier-imap



On Tue, Dec 14, 2004 at 06:03:23AM +0000, simon@nuit.ca wrote:
> On Mon, 13 Dec 2004, W.Andrew Loe III said:
> 
> > I am trying to figure out how to re-build my SSL certificates for 
> > postfix and courier-imap. Right now my certificate for postfix has some 
> > errors on it (wrong CN), but I am able to download it and set it to be 
> > accepted by OS X (ends pop-ups in Mail.app). My courier-imap 
> > certificate does not work in OS X, I've tried using mkimapdcert in 
> > /usr/sbin/ but it is not generating certificates that are compatible 
> > with OS X. Suggestions on how I can use OpenSSL to generate 
> > certificates for both?
> 
> i wrote a goofy script to create server certs:

try this one instead.

it makes certificates which can either be used in a postfix-tls server or
in a mail client for encryption and/or relay authentication.

(NOTE: i am far from an expert in SSL certificates.  i wrote the script after
reading various HOWTOs and notes on the web.  it may or may not be the best
way, or even a good way, of generating certificates.  i probably wouldn't use
it where identity & authentication were important.  but it works for
opportunistic encryption of mail transport and for client-certificate based
relaying)

---cut here---
#! /bin/sh

# make-postfix-cert.sh
#   Craig Sanders <cas@taz.net.au>    2000-09-03
# this script is hereby placed in the public domain.

# this script assumes that you already have a CA set up, as the openssl
# default "demoCA" under the current directory.  if you haven't done it
# already, run "/usr/lib/ssl/misc/CA.pl -newca" (or where the path to
# openssl's CA.pl script is on your system).
#
# then run this script like so: 
#
#    ./make-postfix-cert.sh hostname.your.domain.com
#
# it will create the certificate and key files for that host and put
# them into a subdirectory.

# stop at the first failing openssl command rather than moving half-made
# files around.
set -e

site="$1"
if [ -z "$site" ]; then
    echo "usage: $0 hostname.your.domain.com" >&2
    exit 1
fi

# edit these values to suit your site.

COUNTRY="AU"
PROVINCE="Victoria"
LOCALITY="Melbourne"
ORGANISATION=""
ORG_UNIT=""
COMMON_NAME=$site
EMAIL="postmaster@your.domain"

OPTIONAL_COMPANY_NAME=""

# leave challenge password blank
CHALLENGE_PASSWORD=""

# generate a certificate valid for 10 years
# (probably not a good idea if you care about authentication, but should
# be fine if you only care about encryption of the smtp session)
# comment this out if you want the openssl default (1 year, usually)
DAYS="-days 3652"

# create the certificate request and an unencrypted (-nodes) private key.
# the answers are fed to openssl's interactive prompts in the order the
# default openssl.cnf asks for them.  "-days" is not passed here: for
# "openssl req" it only applies to self-signed (-x509) certificates, the
# validity is set when the CA signs below.
cat <<__EOF__ | openssl req -new -nodes -keyout newreq.pem -out newreq.pem
$COUNTRY
$PROVINCE
$LOCALITY
$ORGANISATION
$ORG_UNIT
$COMMON_NAME
$EMAIL
$CHALLENGE_PASSWORD
$OPTIONAL_COMPANY_NAME
__EOF__

# sign it with the demoCA.  policy_anything accepts any subject fields;
# -infiles must be the last option.  openssl asks for confirmation
# (add -batch to sign without prompting).
openssl ca $DAYS -policy policy_anything -out newcert.pem -infiles newreq.pem

# move it.  newreq.pem holds both the private key and the request;
# postfix only reads the key from it.
mkdir -p "$site"
mv newreq.pem "$site/key.pem"
chmod 400 "$site/key.pem"
mv newcert.pem "$site/cert.pem"
cd "$site"

# create server.pem for smtpd: server cert, then the CA cert, then the key
cat cert.pem ../demoCA/cacert.pem key.pem >server.pem
chmod 400 server.pem

# create fingerprint file, in the form postfix's relay_clientcerts table
# wants: "fingerprint  text", one per line.  openssl prints the fingerprint
# as "MD5 Fingerprint=..." (newer versions: SHA1 or sha256), so strip the
# label and append the site name as the table value (postmap rejects a
# key with no value).  the digest must be the one postfix looks client
# certs up by (md5 in the old TLS patch; smtpd_tls_fingerprint_digest
# in postfix 2.5 and later).
fp=$(openssl x509 -fingerprint -in cert.pem -noout | sed 's/^.*=//')
echo "$fp $site" > fingerprint

# uncomment to  create pkcs12 certificate for netscape 
# (probably not needed)
#openssl pkcs12 -export -in cert.pem -inkey key.pem \
#  -certfile ../demoCA/cacert.pem -name "$site" -out cert.p12

cd ..
---cut here---

run it like so:

./make-postfix-cert.sh FQDN

you should use the server's announced FQDN host-name as the server name in the
certificate. 


once the cert has been created, copy $site/*.pem and demoCA/cacert.pem into
/etc/postfix on the target system.  and add the following to /etc/postfix/main.cf
to enable TLS encryption.

---cut here---
# parameter names of the postfix 2.2 / TLS-patch era.  postfix 2.3 and later
# replace smtpd_use_tls / smtp_use_tls with smtpd_tls_security_level = may /
# smtp_tls_security_level = may, and smtp_tls_per_site with smtp_tls_policy_maps.
smtpd_tls_cert_file = /etc/postfix/server.pem
smtpd_tls_key_file = $smtpd_tls_cert_file
smtpd_tls_CAfile = /etc/postfix/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_use_tls = yes
smtp_tls_CAfile = /etc/postfix/cacert.pem
smtp_tls_CApath = /etc/postfix/certs
smtp_tls_loglevel = 1
smtp_use_tls = yes
smtp_tls_per_site = hash:/etc/postfix/tls_per_site
smtp_tls_note_starttls_offer = yes
tls_random_source = dev:/dev/urandom
tls_daemon_random_source = dev:/dev/urandom
---cut here---

then:

  echo ".	MAY" >/etc/postfix/tls_per_site 
  postmap hash:/etc/postfix/tls_per_site
  mkdir /etc/postfix/certs
  /etc/init.d/postfix restart

tls_per_site allows you to control which remote sites are offered TLS and which
are not.  useful because some sites have broken implementations so you need to
disable TLS for them.

if you want postfix to verify remote certs, you can put CA certs for them into
/etc/postfix/certs.  this is not strictly necessary - encryption works fine
without cert verification.


i run this as a matter of routine whenever i create a new mail host in my
domain.  if i'm doing it for a new domain, i copy the script to somewhere else
(usually to somewhere on the target system) and create a new demoCA for that
domain, and then run the script there for all hosts and relay clients in that
domain.

finally, to allow a client with a known cert to relay through postfix, first
generate the cert just as if for a server, and then install the cert into the
client (details vary according to the client).

run it like so:

./make-postfix-cert.sh USERNAME

you can use pretty much anything as the USERNAME.

to set up a postfix server to allow cert based relaying:

1. add "relay_clientcerts = hash:/etc/postfix/relay_clientcerts" to main.cf

2. add "permit_tls_clientcerts" to "smtpd_recipient_restrictions" in main.cf 
   (immediately after "permit_mynetworks" is a good place).

3. add $site/fingerprint to /etc/postfix/relay_clientcerts

4. postmap hash:/etc/postfix/relay_clientcerts

5. "/etc/init.d/postfix reload" if this is the first time

craig

-- 
craig sanders <cas@taz.net.au>           (part time cyborg)
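Added example, not part of Craig's message or his script: a POSIX shell script that does the same job as make-postfix-cert.sh with plain openssl(1) one-liners instead of the demoCA/CA.pl machinery, and covers the two things the thread runs into. The original complaint was a client rejecting a cert with the wrong CN; today's mail clients (Apple Mail, browsers) no longer look at the CN at all and require a subjectAltName matching the hostname, so the leaf cert gets one and the chain is checked against the hostname the way a strict client would. It also writes the relay_clientcerts line in the "fingerprint text" form postmap accepts. The CA name, hostnames and scratch directory are made up; it assumes openssl 1.1.1 or later.

```shell
#!/bin/sh
# Added example, not from the original post.  Builds a private CA and
# CA-signed certs with a subjectAltName, checks a cert the way a client
# does (chain + hostname), and emits a relay_clientcerts line.
# All names below are constructed; assumes openssl 1.1.1 or later.
set -eu

# make_ca DIR: self-signed CA key/cert in DIR (stands in for demoCA).
make_ca() {
    mkdir -p "$1"
    cat >"$1/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
C = AU
ST = Victoria
L = Melbourne
CN = Example Mail CA
[ca_ext]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3652 \
        -config "$1/ca.cnf" -keyout "$1/ca.key" -out "$1/ca.crt"
    chmod 400 "$1/ca.key"
}

# make_cert DIR NAME: key + CA-signed cert for NAME with SAN = DNS:NAME,
# usable by smtpd (serverAuth) and as a relay client cert (clientAuth).
# Also writes DIR/NAME.pem in the cert + CA cert + key layout of server.pem.
make_cert() {
    cat >"$1/$2.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
[dn]
CN = $2
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:$2
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
EOF
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$1/$2.cnf" \
        -keyout "$1/$2.key" -out "$1/$2.csr"
    # 398 days is the longest leaf lifetime Apple and browser clients accept
    openssl x509 -req -sha256 -days 398 -in "$1/$2.csr" \
        -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
        -extfile "$1/$2.cnf" -extensions leaf_ext -out "$1/$2.crt"
    cat "$1/$2.crt" "$1/ca.crt" "$1/$2.key" >"$1/$2.pem"
    chmod 400 "$1/$2.key" "$1/$2.pem"
}

# verify_for_host DIR NAME HOST: succeeds only if DIR/NAME.crt chains to
# the CA and is valid for HOST (SAN match), i.e. what a strict client checks.
verify_for_host() {
    openssl verify -CAfile "$1/ca.crt" -verify_hostname "$3" "$1/$2.crt" \
        >/dev/null 2>&1
}

# clientcerts_line CERT LABEL: one "fingerprint label" line for
# /etc/postfix/relay_clientcerts.  The digest must match
# smtpd_tls_fingerprint_digest (sha256 is the default from postfix 3.6;
# older releases default to sha1 or md5).
clientcerts_line() {
    fp=$(openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//')
    printf '%s %s\n' "$fp" "$2"
}

# Demonstration in a scratch directory (hostnames are made up).
work=$(mktemp -d)
make_ca "$work"
make_cert "$work" mail.example.org      # smtpd certificate
make_cert "$work" laptop.example.org    # relay client certificate
verify_for_host "$work" mail.example.org mail.example.org \
    && echo "mail.example.org: chain and hostname OK"
verify_for_host "$work" mail.example.org smtp.example.org \
    || echo "smtp.example.org: rejected (name not in SAN), as a client would"
clientcerts_line "$work/laptop.example.org.crt" laptop.example.org
echo "files left in $work"
```

The CA and leaf extensions are written to small config files so the script does not depend on whatever the system openssl.cnf says; a cert for the server and a cert for a relay client differ only in the name passed to make_cert, exactly as in the original procedure.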


