On Sun, Apr 16, 2023 at 07:49:00PM +0300, Oleksandr wrote:

> > Did you reconfigure Postfix to use the generated PEM file 
> > as your certificate and private key file?
> 
> I didn't know it had to be done...  I just do what you recommend.  How
> do I need to do this reconfiguration?  Please tell me about this in
> more detail.

It seems you haven't learned even the most basic aspects of operating a
Postfix server.  Some reading is recommended:

    - The No Starch Press book:
      https://www.amazon.com/Book-Postfix-State-Art-Transport/dp/1593270011
    - The online docs:
      http://www.postfix.org/documentation.html
      https://www.postfix.org/BASIC_CONFIGURATION_README.html

You need to change the "main.cf" file to change the
"smtpd_tls_cert_file" and "smtpd_tls_key_file" as suggested in my
previous post:

    Comment out the current settings:

        # smtpd_tls_cert_file = /etc/ssl/certs/iRedMail.crt
        # smtpd_tls_key_file = /etc/ssl/private/iRedMail.key

    Replace with new settings of the same (somewhat outdated)
    parameters:

        # Install in /etc/postfix, chown root, chmod 0400 
        smtpd_tls_cert_file = /etc/postfix/certkey.pem
        smtpd_tls_key_file = /etc/postfix/certkey.pem

    Or use the now preferred all-in-one setting:

        # With Postfix 3.4 or later instead:
        smtpd_tls_chain_files = /etc/postfix/certkey.pem

> And another question: do these commands have to be run as a normal user or as 
> a root?
> 
> $ dnsname=mailserver.mail.lan
> $ rm certkey.pem
> $ openssl req -new -nodes -newkey rsa:2048 -keyout /dev/stdout \
>   -config <(printf 'distinguished_name=dn\n[dn]\nprompt=yes\n') \
>   -x509 -subj / -days 3653 \
>   -addext "basicConstraints = critical,CA:FALSE" \
>   -addext "extendedKeyUsage = serverAuth" \
>   -addext "subjectAltName = DNS:$dnsname" >> certkey.pem

These commands create a file called "certkey.pem" in the current working
directory.  The file contains potentially sensitive private key material
that should not be accessible to unauthorised users.

Therefore, to generate keys that are fully protected from all non-root
users and are not world-readable (umask 077):

    $ sudo bash
    # umask 077
    # dnsname=mailserver.mail.lan
    # cd /etc/postfix
    # rm -f certkey.pem
    # openssl req -new -nodes -newkey rsa:2048 -keyout /dev/stdout \
      -config <(
          printf 'distinguished_name=dn\n[dn]\nprompt=yes\n'
          ) -x509 -subj / -days 3653 \
      -addext "basicConstraints = critical,CA:FALSE" \
      -addext "extendedKeyUsage = serverAuth" \
      -addext "subjectAltName = DNS:$dnsname" >> certkey.pem

-- 
    Viktor.
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
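The following audit script is an added example, not code from Viktor's post or from the Postfix project. It checks the outcome of the two steps discussed above: that the generated `certkey.pem` holds both a private key and a certificate and is root-owned with mode 0400, and that `main.cf` points Postfix at it (via `smtpd_tls_chain_files`, or via both legacy `smtpd_tls_cert_file` and `smtpd_tls_key_file`) with no stale uncommented setting left behind. The function names, the reliance on `ls -ld` for mode and owner, and the default `/etc/postfix/main.cf` location are this example's own assumptions; `/etc/postfix/certkey.pem` is the path used in the thread.

```shell
#!/bin/sh
# Added example (not from the list post or the Postfix project): audit the
# certkey.pem file and main.cf after following the steps in the thread.
# Function names and defaults are this example's own choices.

# Print the last active (uncommented) value of parameter $2 in main.cf $1,
# mirroring postconf's last-setting-wins rule; prints nothing if it is unset.
active_value() {
    awk -F= -v p="$2" '
        $1 ~ "^[ \t]*" p "[ \t]*$" {
            v = $2; sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v); last = v
        }
        END { print last }' "$1"
}

# Return 0 if FILE ($1) holds a private key and a certificate, is owned by
# OWNER ($2, default root) and is mode 0400; print each problem and return 1.
check_certkey_pem() {
    file=$1
    owner=${2:-root}
    rc=0
    if [ ! -f "$file" ]; then
        echo "$file: missing"
        return 1
    fi
    grep -q -e '-----BEGIN CERTIFICATE-----' "$file" ||
        { echo "$file: no CERTIFICATE block"; rc=1; }
    grep -q -E -e '^-----BEGIN (RSA |EC )?PRIVATE KEY-----' "$file" ||
        { echo "$file: no PRIVATE KEY block"; rc=1; }
    # ls -ld prints: mode links owner group ...; a trailing '.', '+' or '@'
    # on the mode field marks SELinux/ACL/xattr data and is stripped here.
    set -- $(ls -ld "$file")
    mode=${1%[.+@]}
    [ "$mode" = "-r--------" ] ||
        { echo "$file: mode is $mode, expected -r-------- (0400)"; rc=1; }
    [ "$3" = "$owner" ] ||
        { echo "$file: owned by $3, expected $owner"; rc=1; }
    return $rc
}

# Return 0 if main.cf ($1) selects PEM ($2) through smtpd_tls_chain_files or
# through both smtpd_tls_cert_file and smtpd_tls_key_file, and no other
# uncommented setting of the legacy parameters remains; else report, return 1.
check_main_cf() {
    cf=$1
    pem=$2
    rc=0
    chain=$(active_value "$cf" smtpd_tls_chain_files)
    cert=$(active_value "$cf" smtpd_tls_cert_file)
    key=$(active_value "$cf" smtpd_tls_key_file)
    if [ "$chain" = "$pem" ]; then
        :
    elif [ "$cert" = "$pem" ] && [ "$key" = "$pem" ]; then
        :
    else
        echo "$cf: TLS settings do not select $pem (chain='$chain' cert='$cert' key='$key')"
        rc=1
    fi
    # Old cert/key paths still uncommented next to the new setting are flagged
    # so they can be removed rather than left to confuse the next reader.
    for v in "$cert" "$key"; do
        if [ -n "$v" ] && [ "$v" != "$pem" ]; then
            echo "$cf: stale setting still active: $v"
            rc=1
        fi
    done
    return $rc
}

# Stand-alone use: audit-certkey.sh /etc/postfix/certkey.pem [/etc/postfix/main.cf]
if [ $# -gt 0 ]; then
    pem=$1
    cf=${2:-/etc/postfix/main.cf}
    status=0
    check_certkey_pem "$pem" || status=1
    check_main_cf "$cf" "$pem" || status=1
    [ $status -eq 0 ] && echo "OK: $pem and $cf are consistent"
    exit $status
fi
```

Run it as root after the `umask 077` generation step, e.g. `sh audit-certkey.sh /etc/postfix/certkey.pem`. The script reads `main.cf` textually, so confirm what the running daemon actually sees with `postconf -n | grep smtpd_tls`, and check the certificate's name with `openssl x509 -in /etc/postfix/certkey.pem -noout -ext subjectAltName` (OpenSSL 1.1.1 or later).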