Setting up your own SSL certs for your Debian-powered Dovecot/Postfix mail server

May 2nd, 2014 | Category: Linux / FreeBSD

Fairly painless process; many thanks to Workaround for these instructions.

Dovecot

Here comes the command to create a Dovecot certificate:

openssl req -new -x509 -days 3650 -nodes -out /etc/ssl/certs/dovecot.pem -keyout /etc/ssl/private/dovecot.pem

What you enter in the fields is entirely your choice. The only notable exception is the “Common Name” which has to be exactly the name of your server in the way that users will access it. So if you tell your users to access your mail server at “mail.example.org” then this has to be entered here. This certificate will be valid for 10 years (10 times 365 days).

Do not forget to set the permissions on the private key so that no unauthorized people can read it:

chmod o= /etc/ssl/private/dovecot.pem

And you will have to restart Dovecot to make it read your new certificate:

/etc/init.d/dovecot restart

Postfix

To create a certificate to be used by Postfix use:

openssl req -new -x509 -days 3650 -nodes -out /etc/ssl/certs/postfix.pem -keyout /etc/ssl/private/postfix.pem

Do not forget to set the permissions on the private key so that no unauthorized people can read it:

chmod o= /etc/ssl/private/postfix.pem

You will have to tell Postfix where to find your certificate and private key because by default it will look for a dummy certificate file called “ssl-cert-snakeoil”:

postconf -e smtpd_tls_cert_file=/etc/ssl/certs/postfix.pem
postconf -e smtpd_tls_key_file=/etc/ssl/private/postfix.pem
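
Before pointing Dovecot or Postfix at a new pair, it helps to confirm what the steps above are meant to guarantee: the Common Name is the name clients connect to, the key belongs to the certificate, and "other" users cannot read the key. The script below is an added example, not part of the original instructions. Its function names, the 30-day expiry threshold and the sample generator are assumptions of this example.

```shell
#!/bin/sh
# Added example: checks for a cert/key pair made with the commands on this page.
# Function names are hypothetical, not part of Dovecot, Postfix or OpenSSL.

# Common Name from the certificate subject (RFC2253 form is easy to parse).
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# True only if certificate $1 and private key $2 carry the same public key.
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# True only if "other" has no permission bits on the key (what chmod o= sets).
key_hidden_from_others() {
    [ "$(ls -ldL "$1" 2>/dev/null | cut -c8-10)" = "---" ]
}

# Run every check; $1=cert $2=key $3=name clients connect to.
# Returns the number of failed checks, so 0 means the pair is consistent.
check_mail_cert() {
    fails=0
    [ "$(cert_cn "$1")" = "$3" ] || { echo "FAIL: CN is not $3"; fails=$((fails+1)); }
    cert_matches_key "$1" "$2" || { echo "FAIL: key does not match cert"; fails=$((fails+1)); }
    key_hidden_from_others "$2" || { echo "FAIL: key accessible to others"; fails=$((fails+1)); }
    openssl x509 -in "$1" -noout -checkend 2592000 >/dev/null 2>&1 ||
        { echo "FAIL: expires within 30 days"; fails=$((fails+1)); }
    return "$fails"
}

# Constructed sample pair in directory $1 with CN $2: the page's openssl
# command plus -subj so that it runs without prompting.
make_sample_pair() {
    openssl req -new -x509 -days 3650 -nodes -subj "/CN=$2" \
        -out "$1/cert.pem" -keyout "$1/key.pem" 2>/dev/null && chmod o= "$1/key.pem"
}

# Usage: sh this-script CERT KEY HOSTNAME
if [ $# -eq 3 ]; then check_mail_cert "$@" && echo "all checks passed"; fi
```

For the Dovecot pair created above, the arguments would be /etc/ssl/certs/dovecot.pem, /etc/ssl/private/dovecot.pem and the server name you gave as the Common Name.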
