On Sun, Apr 16, 2023 at 07:49:00PM +0300, Oleksandr wrote:

> > Did you reconfigure Postfix to use the generated PEM file
> > as your certificate and private key file?
>
> I didn't know it had to be done... I just do what you recommend. How
> do I need to do this reconfiguration? Please tell me about this in
> more detail.

It seems you haven't learned even the most basic aspects of operating
a Postfix server. Some reading is recommended:

    - The No Starch Press book:
        https://www.amazon.com/Book-Postfix-State-Art-Transport/dp/1593270011

    - The online docs:
        http://www.postfix.org/documentation.html
        https://www.postfix.org/BASIC_CONFIGURATION_README.html

You need to change the "main.cf" file to change the "smtpd_tls_cert_file"
and "smtpd_tls_key_file" as suggested in my previous post:

Comment out the current settings:

    # smtpd_tls_cert_file = /etc/ssl/certs/iRedMail.crt
    # smtpd_tls_key_file = /etc/ssl/private/iRedMail.key

Replace with new settings of the same (somewhat outdated) parameters:

    # Install in /etc/postfix, chown root, chmod 0400
    smtpd_tls_cert_file = /etc/postfix/certkey.pem
    smtpd_tls_key_file = /etc/postfix/certkey.pem

Or use the now preferred all-in-one setting:

    # With Postfix 3.4 or later instead:
    smtpd_tls_chain_files = /etc/postfix/certkey.pem

> And another question: do these commands have to be run as a normal user or as
> a root?
>
> $ dnsname=mailserver.mail.lan
> $ rm certkey.pem
> $ openssl req -new -nodes -newkey rsa:2048 -keyout /dev/stdout \
>     -config <( printf 'distinguished_name=dn\n[dn]\nprompt=yes\n') \
>     -x509 -subj / -days 3653 \
>     -addext "basicConstraints = critical,CA:FALSE" \
>     -addext "extendedKeyUsage = serverAuth" \
>     -addext "subjectAltName = DNS:$dnsname" >> certkey.pem

These commands create a file called "certkey.pem" in the current working
directory. The file contains potentially sensitive private key material
that should not be accessible to unauthorised users.

Therefore, to generate keys that are fully protected from all non-root
users and are not world-readable (umask 077):

    $ sudo bash
    # umask 077
    # dnsname=mailserver.mail.lan
    # cd /etc/postfix
    # rm -f certkey.pem
    # openssl req -new -nodes -newkey rsa:2048 -keyout /dev/stdout \
        -config <( printf 'distinguished_name=dn\n[dn]\nprompt=yes\n' ) \
        -x509 -subj / -days 3653 \
        -addext "basicConstraints = critical,CA:FALSE" \
        -addext "extendedKeyUsage = serverAuth" \
        -addext "subjectAltName = DNS:$dnsname" >> certkey.pem

--
    Viktor.
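
A preflight check for the resulting file, as an added example that is not part of the original message or of Postfix: it confirms that the PEM file is closed to group and other, is owned by the expected uid, and holds a private key block followed by a certificate block. The function name check_certkey and its arguments are hypothetical; it does not verify that the key matches the certificate.

```bash
#!/usr/bin/env bash
# Added example: preflight check for a combined key+certificate PEM file.
# check_certkey is a hypothetical helper name, not part of Postfix.
# Usage: check_certkey FILE [EXPECTED_UID]   (EXPECTED_UID defaults to 0 = root)
# Prints one line per problem; returns 0 if clean, 1 on problems, 2 if missing.
check_certkey() {
    local file want_uid rc listing mode uid key_line cert_line
    file=$1; want_uid=${2:-0}; rc=0

    if [ ! -f "$file" ]; then
        echo "missing: $file"
        return 2
    fi

    # "ls -ldn" prints the mode string and numeric owner, e.g. "-r-------- 1 0 0 ..."
    listing=$(ls -ldn -- "$file")
    mode=${listing%% *}
    uid=$(printf '%s\n' "$listing" | awk '{print $3}')

    # Mode string: 1 type char, 3 owner chars, then 3 group + 3 other chars.
    case $mode in
        ????------*) ;;
        *) echo "group/other can access $file (mode $mode)"; rc=1 ;;
    esac
    if [ "$uid" != "$want_uid" ]; then
        echo "$file is owned by uid $uid, expected $want_uid"
        rc=1
    fi

    # Line numbers of the first private key block and first certificate block.
    key_line=$(grep -n -E '^-----BEGIN ([A-Z]+ )?PRIVATE KEY-----$' "$file" | head -n 1 | cut -d: -f1)
    cert_line=$(grep -n '^-----BEGIN CERTIFICATE-----$' "$file" | head -n 1 | cut -d: -f1)

    if [ -z "$key_line" ]; then echo "no private key block in $file"; rc=1; fi
    if [ -z "$cert_line" ]; then echo "no certificate block in $file"; rc=1; fi
    # smtpd_tls_chain_files expects the key first, then its certificate chain.
    if [ -n "$key_line" ] && [ -n "$cert_line" ] && [ "$key_line" -gt "$cert_line" ]; then
        echo "certificate precedes the private key in $file"
        rc=1
    fi
    return "$rc"
}
```

Run as root after generating the file: check_certkey /etc/postfix/certkey.pem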