{"id":2409,"date":"2017-10-01T16:20:04","date_gmt":"2017-10-01T16:20:04","guid":{"rendered":"https:\/\/tst-amo.pp.ua\/blog\/?p=2409"},"modified":"2017-10-01T16:28:01","modified_gmt":"2017-10-01T16:28:01","slug":"ssl-%d1%81%d0%b5%d1%80%d1%82%d0%b8%d1%84%d0%b8%d0%ba%d0%b0%d1%82-%d0%b4%d0%bb%d1%8f-postfix","status":"publish","type":"post","link":"https:\/\/tst-amo.net.ua\/blog\/?p=2409","title":{"rendered":"SSL \u0441\u0435\u0440\u0442\u0438\u0444\u0438\u043a\u0430\u0442 \u0434\u043b\u044f Postfix"},"content":{"rendered":"

Create a root private key:<\/p>\n

# openssl genrsa -out rootCA.key 2048<\/pre>\n
Change permissions of this private key to 400:<\/p>\n
# chmod 400 \/usr\/share\/ssl\/certs\/postfix\/rootCA.key\r\n<\/pre>\n
Create self-singed root certificate:<\/p>\n
# openssl req -x509 -new -nodes -key rootCA.key -days 1024 -out rootCA.pem\r\n<\/pre>\n
With the following data (change information to required):<\/p>\n
Country Name (2 letter code) [AU]:XX\r\nState or Province Name (full name) [Some-State]:SomeState\r\nLocality Name (eg, city) []:SomeCity\r\nOrganization Name (eg, company) [Internet Widgits Pty Ltd]:Company Co\r\nOrganizational Unit Name (eg, section) []:Company Co\r\nCommon Name (e.g. server FQDN or YOUR name) []:example.com\r\nEmail Address []:admin@example.com\r\n<\/pre>\n
Create private key for final certificate:<\/p>\n
# openssl genrsa -out device.key 2048\r\n<\/pre>\n
Create certificate sign request:<\/p>\n
# openssl req -new -key device.key -out device.csr<\/pre>\n
And finally create server certificate based on root CA certificate and root private key:<\/p>\n
# openssl x509 -req -in device.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out device.crt -days 500<\/pre>\n
Change Postfix configuration\u00a0\/etc\/postfix\/main.cf\u00a0<\/code>to use the newly created certificates:<\/p>\n
#smtpd_tls_key_file = \/etc\/postfix\/postfix_default.pem\r\n#smtpd_tls_cert_file = \/etc\/postfix\/postfix_default.pem\r\n#smtpd_tls_CAfile = \/etc\/postfix\/postfix_default.pem\r\nsmtpd_tls_key_file = \/usr\/share\/ssl\/certs\/postfix\/device.key\r\nsmtpd_tls_cert_file = \/usr\/share\/ssl\/certs\/postfix\/device.crt\r\nsmtpd_tls_CAfile = \/usr\/share\/ssl\/certs\/postfix\/rootCA.pem\r\n<\/pre>\n
Restart postfix service:<\/p>\n
[root@centos ~]# service postfix restart\r\nShutting down postfix:                                     [  OK  ]\r\nStarting postfix:                                          [  OK  ]\r\n<\/pre>\n
All newly generated files should be created in folder\u00a0\/usr\/share\/ssl\/certs\/postfix\/\u00a0<\/code>(you could change folder, but paths in Postfix configuration have to be changed too).<\/p>\n
After these steps, Postfix will work with the new certificates:<\/p>\n
[root@centos ~]# openssl s_client -crlf -connect localhost:465\r\nCONNECTED(00000003)\r\ndepth=0 C = US, ST = SomeState, L = SomeCity, O = Company Co, OU = Company Co, CN = example.com, emailAddress = admin@example.com\r\nverify error:num=18:self signed certificate\r\nverify return:1\r\ndepth=0 C = US, ST = SomeState, L = SomeCity, O = Company Co, OU = Company Co, CN = example.com, emailAddress = admin@example.com\r\nverify return:1\r\n---\r\nCertificate chain\r\n 0 s:\/C=PK\/ST=SomeState\/L=SomeCity\/O=Company Co\/OU=Company Co\/CN=example.com\/emailAddress=admin@example.com\r\n   i:\/C=PK\/ST=SomeState\/L=SomeCity\/O=Company Co\/OU=Company Co\/CN=example.com\/emailAddress=admin@example.com\r\n---\r\n<\/pre>\n
https:\/\/support.plesk.com\/hc\/en-us\/articles\/213402809-How-to-generate-custom-self-signed-SSL-certificates-and-apply-it-to-Postfix<\/p>\n
\"image_pdf\"<\/a>\"image_print\"<\/a><\/div>","protected":false},"excerpt":{"rendered":"
Create a root private key: # openssl genrsa -out rootCA.key 2048 Change permissions of this private key to 400: # chmod 400 \/usr\/share\/ssl\/certs\/postfix\/rootCA.key Create self-singed root certificate: # openssl req -x509 -new -nodes -key rootCA.key -days 1024 -out rootCA.pem With the following data (change information to required): Country Name (2 letter code) [AU]:XX State or …<\/p>\n
Continue reading ‘SSL \u0441\u0435\u0440\u0442\u0438\u0444\u0438\u043a\u0430\u0442 \u0434\u043b\u044f Postfix’ »<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[50,7,32,70,42],"tags":[],"class_list":["post-2409","post","type-post","status-publish","format-standard","hentry","category-freebsd","category-mail","category-openssl","category-postfix","category-ssl"],"_links":{"self":[{"href":"https:\/\/tst-amo.net.ua\/blog\/index.php?rest_route=\/wp\/v2\/posts\/2409"}],"collection":[{"href":"https:\/\/tst-amo.net.ua\/blog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/tst-amo.net.ua\/blog\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/tst-amo.net.ua\/blog\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/tst-amo.net.ua\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2409"}],"version-history":[{"count":5,"href":"https:\/\/tst-amo.net.ua\/blog\/index.php?rest_route=\/wp\/v2\/posts\/2409\/revisions"}],"predecessor-version":[{"id":2416,"href":"https:\/\/tst-amo.net.ua\/blog\/index.php?rest_route=\/wp\/v2\/posts\/2409\/revisions\/2416"}],"wp:attachment":[{"href":"https:\/\/tst-amo.net.ua\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2409"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/tst-amo.net.ua\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2409"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/tst-amo.net.ua\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2409"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}