Using a CACert Certificate for Postfix TLS

Last year I started using TLS encryption on my email server with a self-signed 365-day certificate. Since then I have started using CAcert for certificates, so when my self-signed certificate expired early this week I was able to adapt the instructions found on this website to use a CAcert certificate on my Postfix mail server.

First, I needed to create a private key for the server:
openssl req -nodes -days 180 -newkey rsa:1024 -keyout server.key -out req.csr
Doing it this way also creates the certificate signing request (CSR). The -nodes option leaves the key unencrypted, which Postfix needs because it cannot prompt for a passphrase at startup. Be sure to use the mail server's FQDN as the Common Name (CN) on the certificate request!

Next, make sure the key is readable only by the root and postfix users:
chown root:postfix server.key
chmod ug=r,o= server.key
chown root:postfix req.csr
chmod u=r,go= req.csr

Submit the CSR on the CAcert site and you will receive a signed certificate back. You can verify the CSR before sending it off:
openssl req -in req.csr -text -verify -noout

Copy the certificate back to a file on your server and then set permissions:

chown root:postfix server2005.crt
chmod a=r server2005.crt

You can examine the contents of your certificate:
openssl x509 -in /etc/postfix/tls/server2005.crt -text -noout

Next, get the CAcert root certificate and set permissions:
wget -nv https://www.cacert.org/certs/root.crt -O cacert.crt
chown root:postfix cacert.crt
chmod a=r cacert.crt

You can examine the root certificate in detail with this command:
openssl x509 -in cacert.crt -text -noout

Next, copy the CAcert root certificate to the OpenSSL certificate store and rebuild the store's hash links so OpenSSL can find it:
cp cacert.crt /usr/lib/ssl/certs/CAcert.org_Root_Certificate.pem
c_rehash /usr/lib/ssl/certs

At this point you should be able to verify your certificate against the store:
openssl verify server2005.crt

If the output is not “OK”, something is wrong!

All that’s left to do is to have something like this in your main.cf file:
# TLS PART START

smtp_tls_CAfile = /etc/postfix/tls/cacert.crt
smtp_tls_cert_file = /etc/postfix/tls/server2005.crt
smtp_tls_key_file = /etc/postfix/tls/server.key
smtp_tls_session_cache_database = btree:/var/run/smtp_tls_session_cache
smtp_use_tls = yes

smtpd_tls_CAfile = /etc/postfix/tls/cacert.crt
smtpd_tls_cert_file = /etc/postfix/tls/server2005.crt
smtpd_tls_key_file = /etc/postfix/tls/server.key
smtpd_tls_session_cache_database = btree:/var/run/smtpd_tls_session_cache
smtpd_use_tls = yes

smtpd_tls_received_header = yes
smtpd_tls_ask_ccert = yes
smtpd_tls_loglevel = 1
# Require SMTP AUTH users to use TLS
smtpd_tls_auth_only = yes
# Make TLS support optional
smtpd_enforce_tls = no

tls_random_source = dev:/dev/urandom

# TLS PART END
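
Before reloading Postfix it is worth checking the three files these main.cf entries point at together. The following script is an added example, not part of the original post: it verifies the certificate chain against the CA file, the hostname, the expiry, that the key belongs to the certificate, and that the key is not world-readable. The CA and server names it generates are constructed fixtures standing in for the CAcert root and your server certificate.

```sh
#!/bin/sh
# Added example, not from the original post: pre-flight checks for the files
# referenced by the Postfix TLS settings. Needs openssl >= 1.0.2.

# usage: check_postfix_tls CAFILE CERT KEY FQDN   (returns 0 if all pass)
check_postfix_tls() {
    ca=$1; cert=$2; key=$3; fqdn=$4; rc=0
    # Chain must validate against the file used as smtpd_tls_CAfile and the
    # certificate must be issued for the mail server's FQDN (CN or SAN).
    if ! openssl verify -CAfile "$ca" -verify_hostname "$fqdn" "$cert" >/dev/null 2>&1; then
        echo "FAIL: $cert does not verify against $ca for host $fqdn"; rc=1
    fi
    # Certificate must not be expired right now (-checkend takes seconds).
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo "FAIL: $cert has expired"; rc=1
    fi
    # The public key inside the certificate must match the private key file.
    if [ "$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)" != \
         "$(openssl pkey -in "$key" -pubout 2>/dev/null)" ]; then
        echo "FAIL: $key does not belong to $cert"; rc=1
    fi
    # The private key must not be readable by "other" (chmod ug=r,o=).
    if [ "$(ls -l "$key" | cut -c8-10)" != "---" ]; then
        echo "FAIL: $key is readable by other users"; rc=1
    fi
    return $rc
}

# Constructed fixtures for an offline run: a throwaway CA standing in for the
# CAcert root, and a server certificate it signs. Names are invented. Prints
# the directory holding cacert.crt, server.crt, server.key and ca.key.
make_tls_fixture() {
    dir=$(mktemp -d) || return 2
    ( cd "$dir" &&
      openssl req -x509 -nodes -newkey rsa:2048 -days 1 \
          -subj "/CN=Example Test CA" -keyout ca.key -out cacert.crt &&
      openssl req -nodes -newkey rsa:2048 -subj "/CN=mail.example.test" \
          -keyout server.key -out req.csr &&
      openssl x509 -req -in req.csr -CA cacert.crt -CAkey ca.key \
          -CAcreateserial -days 1 -out server.crt &&
      chmod ug=r,o= server.key ca.key ) >/dev/null 2>&1 || return 2
    echo "$dir"
}

# Stand-alone run: build the fixture and check it the way Postfix would use it.
d=$(make_tls_fixture) &&
  check_postfix_tls "$d/cacert.crt" "$d/server.crt" "$d/server.key" mail.example.test &&
  echo "all checks passed"
```

On a live server, run check_postfix_tls against the real paths from main.cf (/etc/postfix/tls/cacert.crt, server2005.crt, server.key) and your mail server's FQDN.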

To use the certificate with a Courier imapd-ssl server you need the key, the certificate and DH parameters combined in a single PEM file:
cat server.key server2005.crt > imapd2005.pem
openssl gendh >> imapd2005.pem

This imapd2005.pem file contains both the key and the certificate, so be sure to make it readable only by root and postfix!
chown root:postfix imapd2005.pem
chmod ug=r,o= imapd2005.pem

Hint: you can also use this combined imapd2005.pem file for both the tls_cert_file and tls_key_file settings in main.cf.
