# Need help with postfix ssl keys/certificates

## redwood

Hi,

I've installed courier-imap/postfix/amavis/clamav/spamassassin/squirrelmail on my small office LAN following the Gentoo guides:

http://www.gentoo.org/doc/en/virt-mail-howto.xml
http://www.gentoo.org/doc/en/mailfilter-guide.xml

but am having trouble getting secure mail working.

When I follow the virt-mail-howto directions:

```
~root# cd /etc/ssl
~root# vi cnfopenssl.cnf
~root# cd misc
~root# ./CA.pl -newca
~root# ./CA.pl -newreq
~root# ./CA.pl -sign
~root# cp newcert.pem /etc/postfix
~root# cp newreq.pem /etc/postfix
~root# cp demoCA/cacert.pem /etc/postfix
```

I end up with a 0 length newcert.pem.

So I then tried out the Debian guide:

http://www.debian-administration.org/articles/284

which suggested logging in as a normal user and creating the necessary requests and certificates using that user's private key.

I also created an account at CAcert.org and downloaded a server certificate which I copied to /etc/postfix/cacert.pem:

```
# ls -l /etc/postfix/*.pem
-rw-r--r-- 1 root root 1253 Oct  5 23:13 /etc/postfix/cacert.pem
-rw-r--r-- 1 root root 1554 Feb  8 01:53 /etc/postfix/newcert.pem
-rw-r--r-- 1 root root  688 Oct  5 23:13 /etc/postfix/newreq.pem
```

But when I start postfix, I get the following error message:

```
Feb 13 11:28:39 deeds postfix/smtpd[1625]: sql_select option missing
Feb 13 11:28:39 deeds postfix/smtpd[1625]: auxpropfunc error no mechanism available
Feb 13 11:28:39 deeds postfix/smtpd[1625]: _sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: sql
Feb 13 11:28:39 deeds postfix/smtpd[1625]: initializing the server-side TLS engine
Feb 13 11:28:39 deeds postfix/smtpd[1625]: warning: cannot get private key from file /etc/postfix/newreq.pem
Feb 13 11:28:39 deeds postfix/smtpd[1625]: warning: TLS library problem: 1625:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:644:Expecting: ANY PRIVATE KEY:
Feb 13 11:28:39 deeds postfix/smtpd[1625]: warning: TLS library problem: 1625:error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib:ssl_rsa.c:669:
Feb 13 11:28:39 deeds postfix/smtpd[1625]: cannot load RSA certificate and key data
Feb 13 11:28:39 deeds postfix/smtpd[1625]: connect from localhost[127.0.0.1]
```

My /etc/postfix/newreq.pem is an ASCII encoded file:

```
-----BEGIN CERTIFICATE REQUEST-----
<-- long string of characters -->
-----END CERTIFICATE REQUEST-----
```

Any idea of what I'm doing wrong?

----------

## elgato319

I did it like this:

```
openssl req -new -x509 -nodes -out postfix.crt -keyout postfix.key
openssl x509 -x509toreq -signkey postfix.key -in postfix.crt
```

open postfix.crt and copy

> -----BEGIN CERTIFICATE REQUEST-----
> ...
> ...

to cacert to get your certificate signed.

After it has been signed, copy it all into postfix.crt, overwriting everything else.

main.cf:

```
smtpd_use_tls = yes
smtpd_tls_auth_only = no
smtpd_tls_key_file = /etc/postfix/postfix.key
smtpd_tls_cert_file = /etc/postfix/postfix.crt
smtp_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtp_tls_key_file = /etc/postfix/postfix.key
smtp_tls_cert_file = /etc/postfix/postfix.crt
```

----------
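As an added check (example code written for this thread, not part of either post or of Postfix): a small Python diagnostic that reports which kind of PEM object each TLS file named in main.cf actually holds. The first post's error came from pointing smtpd_tls_key_file at newreq.pem, which contained a certificate request rather than a private key (hence "Expecting: ANY PRIVATE KEY"), and the empty newcert.pem; the check flags both. The main.cf text and file contents below are constructed stand-ins, and the accepted PEM labels are an assumption based on the usual OpenSSL ones.

```python
import re

# Assumed acceptable PEM labels per Postfix TLS parameter (usual OpenSSL labels).
EXPECTED = {
    "smtpd_tls_key_file": {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"},
    "smtpd_tls_cert_file": {"CERTIFICATE"},
    "smtpd_tls_CAfile": {"CERTIFICATE"},
}
PEM_BEGIN = re.compile(r"^-----BEGIN ([A-Z ]+)-----$", re.M)
PARAM = re.compile(r"^\s*(smtpd_tls_(?:key_file|cert_file|CAfile))\s*=\s*(\S+)")

def check_tls_files(main_cf, files):
    """Return {param: (status, labels)} for each TLS file named in main_cf.
    files maps path -> contents so the check runs offline; status is one of
    "missing", "empty", "wrong-type", "ok"; labels lists the PEM BEGIN labels."""
    findings = {}
    for line in main_cf.splitlines():
        m = PARAM.match(line)
        if not m:
            continue
        param, path = m.groups()
        data = files.get(path)
        if data is None:
            findings[param] = ("missing", [])
            continue
        labels = PEM_BEGIN.findall(data)
        if not data.strip():
            status = "empty"       # the 0-byte newcert.pem left behind by CA.pl -sign
        elif not EXPECTED[param] & set(labels):
            status = "wrong-type"  # e.g. a CSR in the key slot: "Expecting: ANY PRIVATE KEY"
        else:
            status = "ok"
        findings[param] = (status, labels)
    return findings

# Constructed main.cf and file contents mirroring the thread's first attempt;
# the base64 bodies are placeholders, not real key material.
SAMPLE_MAIN_CF = """smtpd_use_tls = yes
smtpd_tls_key_file = /etc/postfix/newreq.pem
smtpd_tls_cert_file = /etc/postfix/newcert.pem
smtpd_tls_CAfile = /etc/postfix/cacert.pem
"""
SAMPLE_FILES = {
    "/etc/postfix/newreq.pem": "-----BEGIN CERTIFICATE REQUEST-----\nMIIB...\n-----END CERTIFICATE REQUEST-----\n",
    "/etc/postfix/newcert.pem": "",
    "/etc/postfix/cacert.pem": "-----BEGIN CERTIFICATE-----\nMIID...\n-----END CERTIFICATE-----\n",
}
```

Running `check_tls_files(SAMPLE_MAIN_CF, SAMPLE_FILES)` reports the key file as wrong-type and the cert file as empty; once postfix.key holds a private key block and postfix.crt the signed certificate, all three come back ok.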

## redwood

OK, I gave your method a go.

I copied and pasted my postfix.crt to cacert.org's server certificate request form. I then copied their returned (signed) ASCII certificate over my postfix.crt, which I then copied to /etc/postfix/.

I also downloaded their Class3 PKI root certificate, which I then copied to my /etc/postfix/.

I'm not really sure what the difference is between their Class1 and Class3 root certificates. I want their root certificate to be my certificate authority, right?

I restarted postfix and sent myself some test mail. So far no errors in my /var/log/messages.

My settings for TLS:

```
#grep tls /etc/postfix/main.cf
smtp_tls_note_starttls_offer = yes
smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/postfix/postfix.key
smtpd_tls_cert_file = /etc/postfix/postfix.crt
smtpd_tls_CAfile = /etc/postfix/class3.crt
smtpd_tls_loglevel = 5
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
```

Thanks again.

----------

## elgato319

> I want their root certificate to be my certificate authority, right?

Correct.

----------

