[colug-432] postfix and TLS

R P Herrold herrold at owlriver.com
Wed Feb 4 12:29:11 EST 2015


On Wed, 4 Feb 2015, Richard Holbert wrote:

> It's overkill, but the open source version of Zimbra uses Postfix and 
> supports TLS.

as 'underkill', I have these desk notes on TLS (SSL) 
certificates under postfix.  I am and remain a 'sendmail' 
person, and only poke through other MTAs under duress or 
customer funding.

Concatenating a certificate chain together, checking that 
certificates are properly located and of the correct 
permission, and finally that the service is enabled in 
postfix, seem like the primary issues to me.

-- Russ herrold

(my notes)

README-postfix
==============

https://www.digitalocean.com/community/questions/etc-postfix-main-cf-for-iredmail-certificates

But I am having problems with certs in my email clients when accessing the
mail server on the same droplet.  Supposedly iRedMail sets itself up to use
its own certificate and thus this is in main.cf

# TLS parameters
smtpd_tls_cert_file = /etc/ssl/certs/iRedMail_CA.pem
smtpd_tls_key_file = /etc/ssl/private/iRedMail.key

(RPH obviously not in a RHEL environment -- selinux, and perms generally ...)

============

concatenated certificates

Thanks for your assistance folks, I got Cyrus IMAP working with StartCom's
signed certs.

Here's what the following filenames are:

ssl.key  The private key file.
ssl.crt  The signed public certificate.
ca.crt   StartCom's public certificate.
ssl.pem  The ssl.key and ssl.crt files concatenated together (for Postfix and
         Cyrus).

Here's the steps I took to strip the passphrase, concatenate the appropriate
files, and change the permissions for Cyrus and Postfix to be able to read
the certs:

Code:

$ cp ssl.key ssl.key.org                    # keep the pass-phrase-protected original
$ openssl rsa -in ssl.key.org -out ssl.key  # write an unencrypted copy (prompts for the pass-phrase)
$ cp ssl.key ssl.pem                        # key first ...
$ cat ssl.crt >> ssl.pem                    # ... then the signed certificate
$ chown root:mail ssl.pem                   # Cyrus reads the bundle as the mail user
$ chmod 440 ssl.pem

(RPH: does not follow our conventions in .key, .csr, .crt, and .pem; 
also not robust / potentially destructive of a .key)

https://forum.startcom.org/viewtopic.php?t=80

Postfix works in a similar fashion, but for only SMTP client-to-server
connections (as opposed to server-to-server connections) you set the
following options in main.cf:

Code:

# smtp_* parameters configure the Postfix SMTP client (outgoing connections).
# smtp_use_tls is obsolete since Postfix 2.3 (still honoured); the modern
# equivalent is smtp_tls_security_level = may
smtp_use_tls = yes
smtp_tls_cert_file = /etc/ssl/ssl.pem
smtp_tls_key_file = $smtp_tls_cert_file
smtp_tls_CAfile = /etc/ssl/ca.crt
smtp_tls_note_starttls_offer = yes

http://www.homeport.org/~adam/starttls.html
http://www.aet.tu-cottbus.de/personen/jaenicke/postfix_tls/doc/conf.html

later ...
For Postfix, you also need the smtpd_* tags as well...

Code:

# smtpd_* parameters configure the Postfix SMTP server (incoming connections).
# smtpd_use_tls is likewise obsolete; modern equivalent: smtpd_tls_security_level = may
smtpd_use_tls = yes
smtpd_tls_cert_file = $smtp_tls_cert_file
smtpd_tls_key_file = $smtp_tls_key_file
smtpd_tls_CAfile = $smtp_tls_CAfile
tls_random_source = dev:/dev/urandom

.. in addition to the following additions to master.cf...
Code:
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtps     inet  n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes

================================

As an aside, newer Cyrus implementations allow you to specify separate files
for the certificate and key file (though both still need to be readable by
the mail user!), eliminating the step of concatenating the key and
certificate file. The relevant imapd.conf parameters are (with examples):

Code:

tls_cert_file: /etc/ssl/ssl.crt
tls_key_file: /etc/ssl/ssl.key
tls_ca_file: /etc/ssl/ca.crt

================================

remaining query:  chained intermediate certificate -- 

prolly easiest to concatenate it in ...

================================
/home/herrold/pmman/ssl/README-postfix
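As an added check for the three issues named at the top (chain concatenated in the right order, key and certificate files with sane permissions, nothing left pass-phrase protected), here is a small Python script that is not from the e-mail, the quoted forum posts or Postfix itself; it needs only the standard library, so it runs where the openssl binary is absent. It reads subject and issuer straight out of each certificate's DER and reports when a bundle is not ordered server certificate first, then its intermediate(s), which is the order Postfix's TLS_README asks for in smtpd_tls_cert_file; when the key is still encrypted; and when a file holding a private key is readable by group or others. Postfix loads the key as root before dropping privileges, so root-owned 0600 is the target there; the root:mail 0440 in the Cyrus recipe above is a Cyrus requirement. The certificates in it are constructed, unsigned DER shells produced by fake_cert() with made-up names under example.test, and the key block is a three-byte placeholder, not a real key.

```python
"""Check a PEM bundle before pointing smtpd_tls_cert_file/smtpd_tls_key_file at it.

Added example, standard library only.  Parses the PEM blocks, reads subject and
issuer out of each certificate's DER, and flags a chain that is not ordered
leaf -> intermediate -> root, a pass-phrase protected key, or a key readable
beyond root.
"""
import base64
import re
import stat

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)
OID_CN = bytes.fromhex("550403")                # id-at-commonName 2.5.4.3
OID_RSA = bytes.fromhex("2A864886F70D010101")   # rsaEncryption (used by the fixture only)


def pem_blocks(text):
    """Return [(label, der_bytes), ...] in file order; PEM headers such as Proc-Type: are skipped."""
    out = []
    for m in PEM_BLOCK.finditer(text):
        b64 = "".join(ln.strip() for ln in m.group(2).splitlines() if ln.strip() and ":" not in ln)
        out.append((m.group(1), base64.b64decode(b64)))
    return out


def read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, contents, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                           # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def children(contents):
    """Split the contents of a constructed DER value into [(tag, contents), ...]."""
    out, pos = [], 0
    while pos < len(contents):
        tag, val, pos = read_tlv(contents, pos)
        out.append((tag, val))
    return out


def subject_issuer(cert_der):
    """Return (subject, issuer) as the DER contents of each Name, suitable for byte comparison."""
    _, cert, _ = read_tlv(cert_der, 0)          # Certificate ::= SEQUENCE { tbsCertificate, sigAlg, sig }
    _, tbs, _ = read_tlv(cert, 0)
    fields = children(tbs)
    if fields[0][0] == 0xA0:                    # optional [0] EXPLICIT version comes first
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    return fields[4][1], fields[2][1]


def common_name(name_contents):
    """Pull the CN out of a Name (SEQUENCE OF SET OF SEQUENCE { OID, value })."""
    for _, rdn in children(name_contents):
        for _, atv in children(rdn):
            (_, oid), (_, value) = children(atv)
            if oid == OID_CN:
                return value.decode()
    return "<no CN>"


def check_bundle(text):
    """Return a list of problems; [] means at most one unencrypted key and a leaf-first chain."""
    blocks = pem_blocks(text)
    certs = [der for label, der in blocks if label == "CERTIFICATE"]
    keys = [label for label, _ in blocks if label.endswith("PRIVATE KEY")]
    problems = []
    if not certs:
        problems.append("no CERTIFICATE block found")
    if len(keys) > 1:
        problems.append("more than one private key in the bundle")
    if "Proc-Type: 4,ENCRYPTED" in text or "ENCRYPTED PRIVATE KEY" in keys:
        problems.append("private key is pass-phrase protected; postfix needs it unencrypted")
    names = [subject_issuer(c) for c in certs]
    for i in range(len(names) - 1):             # server cert first, each followed by its issuer
        if names[i][1] != names[i + 1][0]:
            problems.append("certificate %d (%s) is not followed by its issuer (%s)"
                            % (i, common_name(names[i][0]), common_name(names[i][1])))
    return problems


def permission_problems(st_mode, has_key):
    """Postfix reads the key as root before dropping privileges, so a key file should be 0600/0400."""
    if has_key and st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        return ["private key readable by group/others (mode %04o)" % stat.S_IMODE(st_mode)]
    return []


def der(tag, body):
    """Minimal DER encoder (fixture only): short and long length forms."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def fake_cert(subject_cn, issuer_cn):
    """Constructed, unsigned X.509 shell with correct DER layout; a test fixture, not a real cert."""
    name = lambda cn: der(0x30, der(0x31, der(0x30, der(0x06, OID_CN) + der(0x0C, cn.encode()))))
    alg = der(0x30, der(0x06, OID_RSA) + der(0x05, b""))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + alg + name(issuer_cn)
              + der(0x30, der(0x17, b"150204000000Z") + der(0x17, b"160204000000Z"))
              + name(subject_cn) + der(0x30, alg + der(0x03, b"\x00")))
    cert = der(0x30, tbs + alg + der(0x03, b"\x00" * 9))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(cert).decode()


# Constructed fixtures: a leaf, its intermediate, and a placeholder (not a real) private key.
LEAF = fake_cert("mail.example.test", "Example Intermediate CA")
INTER = fake_cert("Example Intermediate CA", "Example Root CA")
FAKE_KEY = "-----BEGIN PRIVATE KEY-----\nAAAA\n-----END PRIVATE KEY-----\n"

if __name__ == "__main__":
    print("key+leaf+intermediate :", check_bundle(FAKE_KEY + LEAF + INTER) or "ok")
    print("key+intermediate+leaf :", check_bundle(FAKE_KEY + INTER + LEAF))
    print("chmod 440 on a key    :", permission_problems(0o100440, True))
```

On a real box, feed it `open("/etc/ssl/ssl.pem").read()` and `os.stat("/etc/ssl/ssl.pem").st_mode`; the byte comparison of issuer against the next subject is the same test `openssl verify -untrusted` performs before it checks signatures, so a clean result here means the concatenation order is right, not that the chain is trusted.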


