How to create SSL certificate in Linux for your (Postfix) mail server

Introduction

An SSL certificate establishes a secure connection between an SMTP mail server and an email client. This tutorial shows how to create an SSL certificate in Linux for your mail server, going step by step through certificate installation and configuration of the Postfix SMTP mail server. What is Postfix? Postfix is an open source Mail Transfer Agent (MTA), which is used for transferring emails. An alternative to Postfix is sendmail. Both Postfix and sendmail can work as an SMTP server, but here we are going to use Postfix.

You need to create an SSL private key and a CSR (Certificate Signing Request), then submit the CSR to a CA (Certificate Authority), which will certify the ownership.

What is SSL?

SSL is a security technology that establishes an encrypted connection between a web browser and a server. It is also referred to as a cryptographic protocol. It is widely used in VoIP, email, web browsing, etc.

1. Create a directory 'ssl'

Let's first create a directory under postfix and name it 'ssl', as in the example below.

# mkdir /etc/postfix/ssl


2. Change the directory to ssl.

Now, in this step change the directory to ssl.

# cd /etc/postfix/ssl

3. Create SSL private key and CSR

First of all, install openssl on your Linux system. We will use this tool to create the SSL private key.

# yum install openssl

In this step we are going to create the SSL private key and the CSR. Use the name of your own mail server in place of 'mymailserver'.

# openssl req -new -nodes -keyout smtp.mymailserver.com.key -out smtp.mymailserver.com.csr
Generating a 2048 bit RSA private key
................................+++
....................................................................+++
writing new private key to 'smtp.mymailserver.com.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----

You have to fill in some fields such as country, state, city and organization name; fields that are not required can optionally be left blank. It will then ask for the password; give a password of your choice.

The above command creates two files, 'smtp.mymailserver.com.key' and 'smtp.mymailserver.com.csr', under the ssl directory. Run ls to confirm that both files were created.

# ls
smtp.mymailserver.com.csr  smtp.mymailserver.com.key


4. What is inside the .csr and .key files?

Let's have a quick look at what is inside these files.

# cat smtp.mymailserver.com.key 
-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDfCHuSbR2vwnGY
Q2vXqYcpfaE4Wwx5E0Scqh7/62uuDr7D+herZEJFr8IJkFfINR/fe5ElL/i/vKLz
WdJbmDJ1vVgf7FttrmV4tEg6D9iJW9mDYm0Oh28CetmpsYT31N3Qqd+Kp97rjfRv
-----END PRIVATE KEY-----
# cat smtp.mymailserver.com.csr 
-----BEGIN CERTIFICATE REQUEST-----
MIIC2zCCAcMCAQAwfTELMAkGA1UEBhMCSU4xFDASBgNVBAgMC1dFU1QgQkVOR0FM
MRAwDgYDVQQHDAdLT0xLQVRBMREwDwYDVQQKDAhUZWNoc2FraDEfMB0GA1UECwwW
SW5mb3JtYXRpb24gdGVjaG5vbG9neTESMBAGA1UEAwwJbWFpbG1hbmlhMIIBIjAN
-----END CERTIFICATE REQUEST-----

5. Create CA certificate

A CA (Certificate Authority or Certification Authority) is a digital SSL certificate provider. The previous step created the smtp.mymailserver.com.csr file. Copy the content of that file and paste it into your CA account. Only the .csr is submitted; the .key file stays on the server. The resulting certificate certifies ownership of your public key and lets other users rely on your signature. To create CA certificate for your mail server go here.

6. Create a self-signed SSL certificate

If you don't want to obtain a CA-signed SSL certificate, you can alternatively create a self-signed certificate for your small private LAN for testing purposes. The given command will do the task.

# openssl x509 -req -days 3650 -in smtp.mymailserver.com.csr -signkey smtp.mymailserver.com.key -out smtp.mymailserver.com.crt
Signature ok
subject=/C=IN/ST=######/L=#######/O=######/OU=#######/CN=mymailserver
Getting Private key

Run ls to confirm the .crt file is created.

# ls
smtp.mymailserver.com.crt 

7. Create .pem file

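The .pem file is required to contain both a private key and a certificate. The command below generates a new key and a self-signed CA certificate and writes both into ca_cert.pem.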

# openssl req -new -x509 -extensions v3_ca -keyout ca_cert.pem -out ca_cert.pem -days 3650
Generating a 2048 bit RSA private key
.........................+++
................................................+++
writing new private key to 'ca_cert.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----

Run ls again to confirm the .pem file is created.

# ls
ca_cert.pem
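
Steps 3 and 6 can be run without prompts and the result checked, as in this added example (not part of the original article): it confirms that the key file is owner-only, that the certificate carries the matching public key, and that it is self-signed. The scratch directory, the /C=IN/O=Example subject and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article.
# The subject fields and the scratch directory are illustrative assumptions.

# Steps 3 and 6 without prompts: key + CSR, then a self-signed certificate.
make_selfsigned() {  # $1 = output directory, $2 = host name used as CN
    dir=$1; host=$2
    (
        umask 077  # -nodes leaves the key unencrypted, so restrict it at creation
        openssl req -new -nodes -newkey rsa:2048 \
            -subj "/C=IN/O=Example/CN=$host" \
            -keyout "$dir/$host.key" -out "$dir/$host.csr" 2>/dev/null &&
        openssl x509 -req -days 3650 -in "$dir/$host.csr" \
            -signkey "$dir/$host.key" -out "$dir/$host.crt" 2>/dev/null
    )
}

# Permission string of a file, e.g. -rw-------
file_perms() { ls -ld "$1" | cut -c1-10; }

# True when the certificate carries the public half of this private key.
key_matches_cert() {  # $1 = key file, $2 = certificate file
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# True when issuer and subject are the same name (no CA vouches for it).
is_self_signed() {  # $1 = certificate file
    s=$(openssl x509 -in "$1" -noout -subject_hash 2>/dev/null) || return 1
    i=$(openssl x509 -in "$1" -noout -issuer_hash 2>/dev/null) || return 1
    [ -n "$s" ] && [ "$s" = "$i" ]
}

# Demo in a scratch directory so nothing under /etc/postfix is touched.
demo_dir=$(mktemp -d)
h=smtp.mymailserver.com
if make_selfsigned "$demo_dir" "$h"; then
    echo "key permissions: $(file_perms "$demo_dir/$h.key")"
    key_matches_cert "$demo_dir/$h.key" "$demo_dir/$h.crt" && echo "key matches certificate"
    is_self_signed "$demo_dir/$h.crt" && echo "certificate is self-signed"
fi
rm -rf "$demo_dir"
```

The same three functions can be pointed at the files in /etc/postfix/ssl before Postfix is reloaded; a key that does not match the certificate is a common reason for TLS failing to start.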

8. Modify main.cf file

In the postfix directory, edit the following lines in the main.cf file to enable TLS and SSL.

######SSL-AUTHENTICATION##########
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = noanonymous
smtpd_recipient_restrictions = permit_sasl_authenticated, reject_unauth_destination, permit_mynetworks
######TLS-AUTHENTICATION#########
# smtp_use_tls / smtpd_use_tls are the older spelling; Postfix 2.3 and later
# prefer smtp_tls_security_level = may and smtpd_tls_security_level = may.
smtp_use_tls = yes
smtpd_use_tls = yes
# Offer AUTH only after the client has started TLS.
smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/postfix/ssl/smtp.mymailserver.com.key
smtpd_tls_cert_file = /etc/postfix/ssl/smtp.mymailserver.com.crt
smtpd_tls_CAfile = /etc/postfix/ssl/ca_cert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

 


9. Reload postfix

After editing the main.cf file you need to reload postfix to update the configuration.

# postfix reload

10. Test TLS or SSL

Now test your SSL configuration with telnet.

# telnet smtp.mymailserver.com 25

You will see the following output.

[Screenshot: How to create SSL certificate in Linux - test SSL]
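
With smtpd_tls_auth_only = yes from step 8, the EHLO reply on port 25 should list STARTTLS and should not list AUTH before the TLS upgrade. The added example below (not from the original article) checks a captured reply for both; the two sample replies are constructed and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article.
# Classify an EHLO reply read from stdin.
# Returns 0 = STARTTLS offered and no AUTH before TLS,
#         1 = STARTTLS not offered,
#         2 = AUTH offered on the cleartext connection.
check_ehlo() {
    starttls=no; auth=no
    cr=$(printf '\r')
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%"$cr"}                       # SMTP lines end in CRLF
        case $line in
            250-*|"250 "*) kw=${line#250?} ;;    # drop the code and separator
            *) continue ;;
        esac
        kw=$(printf '%s' "$kw" | tr '[:lower:]' '[:upper:]')
        case $kw in
            STARTTLS) starttls=yes ;;
            AUTH|AUTH\ *|AUTH=*) auth=yes ;;
        esac
    done
    [ "$starttls" = yes ] || return 1
    [ "$auth" = no ] || return 2
    return 0
}

# Constructed sample replies (not captured from a real server).
ehlo_tls_only() {
    printf '250-smtp.mymailserver.com\r\n250-PIPELINING\r\n250-STARTTLS\r\n250-8BITMIME\r\n250 DSN\r\n'
}
ehlo_auth_cleartext() {
    printf '250-smtp.mymailserver.com\r\n250-STARTTLS\r\n250-AUTH PLAIN LOGIN\r\n250 DSN\r\n'
}

for sample in ehlo_tls_only ehlo_auth_cleartext; do
    rc=0
    $sample | check_ehlo || rc=$?
    echo "$sample -> $rc"
done
```

telnet cannot perform the TLS upgrade itself; `openssl s_client -starttls smtp -connect smtp.mymailserver.com:25` does, and prints the certificate the server presents.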

 

 


That concludes the article How to create SSL certificate in Linux for your (Postfix) mail server.

 
