From QmailToaster wiki
Jump to navigation Jump to search

Security Certificate

To configure a SSL certificate for TLS and/or SSL over SMTP:

1) Create a private key using the triple des encryption standard (recommended):

# openssl genrsa -des3 -out servercert.key.enc 1024

2) Remove the pass phrase from the private key:

# openssl rsa -in servercert.key.enc -out servercert.key

3) Generate Certificate Request

# openssl req -new -key servercert.key -out servercert.csr

4) Go to DiscountWebCerts and submit servercert.csr for a trusted certificate ($19.95). You will then receive a servercert.crt. Now just do the following.

5) Create standard .pem in /var/qmail/control/servercert.pem

# cat servercert.key servercert.crt > /var/qmail/control/servercert.pem

  • NOTE - For reference, here is the command to sign the request for a self signed certificate:
  1. openssl x509 -req -days 365 -in servercert.csr -signkey servercert.key -out servercert.crt

Here is an additional resource with some good examples.


    • NOTE - Some certificate providers, like GoDaddy for example, will also give you a chain file (also sometimes called intermediate file), dump it into the same servercert.pem like so:

cat /etc/pki/tls/private/localhost.key /etc/pki/tls/certs/localhost.crt /etc/pki/tls/certs/intermediate.crt > /var/qmail/control/servercert.pem

This will join all three of them: The key, signed certificate and the intermediate certificate. You can use the same certificate you have obtained for your Apache website.

# chown root:vchkpw /var/qmail/control/servercert.pem
# chmod 640 /var/qmail/control/servercert.pem

Note, in order to avoid verification errors in email clients (i.e. Outlook, Thunderbird, etc), you need to use the same server name (FQDN) in your client configuration(s) for both incoming (pop/imap) and outgoing (smtp) servers that was entered as the hostname when the certificate request was created. This should also be the same name that is used on the DNS MX record.

That's all there is to it. There is no need to restart qmail.

You can also use this signed certificate for apache by putting:

  • servercert.key in /etc/pki/tls/private/localhost.key
  • servercert.crt in /etc/pki/tls/certs/localhost.crt

Be sure to check your /etc/httpd/conf.d/ssl.conf file to be certain that the correct file names are specified, and that the corresponding parameters are not commented out.

You need to restart apache to activate the modified certificate configuration.

See Building a Secure Redhat Apache Server HOWTO for guidance with securing your Apache Server.

Self-signed ssl cert gleaned from the archives

Quick-n-dirty how-to for ssl certs

# cd /usr/share/ssl/certs
# make stunnel.pem

# mv stunnel.pem /var/qmail/control/servercert.pem

Then run these commands to finish:

# cd /var/qmail/control
# chown root:qmail /var/qmail/control/servercert.pem
# chmod 644 /var/qmail/control/servercert.pem
# ln -s /var/qmail/control/servercert.pem /var/qmail/control/clientcert.pem

And that should take care of it for you...good till next year.

  • Jake - I changed the link for the certs to DiscountWebCerts. I've used them before and signed up for an affiliate account. When you purchase a cert from them, we earn 5% of the total sale. They offer single root certs (not chained certs like GoDaddy and others) and they're fast. I had my cert in literally 15 minutes.
  • Jake - As a side note, I've used RegFly (RapidSSL) a couple times for SSL certs, and there is always an issue that requires helpdesk intervention (~24 hours). I have never had one work in the 5 minutes they advertise. Just be aware. I have been using FreeSSL during the wait periods. They offer a free 30-day certificate signed by a major CA that can be used until you get the other certificate straightened out, and they really do give you a cert in 5 minutes after the phone call verification.
  • I recently tried this with RegFly and I have not been able to get the certificate from them nor a response from their support desk , nor my money back. I would advise people to avoid this company.
  • Jake - I second this. I purchased a cert from them and have not received the cert nor my money refunded after 30 days of fighting with their support.

  • NOTE - How to create an OUTLOOK certificate for import to avoid outlook certificate warnings:
  1. openssl pkcs12 -export -in servercert.crt -inkey servercert.key -out OutlookSMTP.p12

Then import the OutlookSMTP.p12 file into the Trusted Root Certification Authorities store within Internet Explorer (Tools -> Internet Options -> Content -> Certificates, or by just double-clicking it). You will then be free to establish an SSL connection within Outlook to enforce tighter security.