Postfix, TLS and how to change the certificate

Discussion in 'Server Operation' started by wr19026, Apr 28, 2006.

  1. wr19026

    wr19026 New Member

    I have the Virtual Users And Domains With Postfix, Courier And MySQL (+ SMTP-AUTH, Quota, SpamAssassin, ClamAV) setup running very well now for a month or two but what is a bit annoying is that every time I (re)start Firefox to access my e-mail I get these warnings about the certificate not being aligned with the host (certificate is for localhost and when I access my mailserver it's via name.domain.dom).

    So, here's my question: how do I replace the generic certificate with one I created myself? Is this, as described in the perfect setup (for Ubuntu 5.10 in my case):
    mkdir /etc/postfix/ssl
    cd /etc/postfix/ssl/
    openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024
    chmod 600 smtpd.key
    openssl req -new -key smtpd.key -out smtpd.csr
    openssl x509 -req -days 3650 -in smtpd.csr -signkey smtpd.key -out smtpd.crt
    openssl rsa -in smtpd.key -out smtpd.key.unencrypted
    mv -f smtpd.key.unencrypted smtpd.key
    openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650

    postconf -e 'smtpd_tls_auth_only = no'
    postconf -e 'smtp_use_tls = yes'
    postconf -e 'smtpd_use_tls = yes'
    postconf -e 'smtp_tls_note_starttls_offer = yes'
    postconf -e 'smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key'
    postconf -e 'smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt'
    postconf -e 'smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem'
    postconf -e 'smtpd_tls_loglevel = 1'
    postconf -e 'smtpd_tls_received_header = yes'
    postconf -e 'smtpd_tls_session_cache_timeout = 3600s'
    postconf -e 'tls_random_source = dev:/dev/urandom'

    Whereby all the postconf stuff would be intended as an enhancement to the TLS setup as described in the Virtual Users with Postfix etc. HOWTO.

    Any risks if I do what's described above? I'm not running ISPConfig by the way.
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Do you get the error message 1) when you send email or 2) when you access your pop3 I imap mailbox?

    1) replace the postfix ssl certificate as you posted above.
    2) Your problem is related to the certificates used by courier, not postfix.
  3. wr19026

    wr19026 New Member

    It's not a real errormessage, more of a warning that the certificate is for another machine (localhost) than the host I'm connecting with. It happens when starting up Firefox (the only e-mail client I use) to connect with my IMAP server.

    So I guess that based on your response the issue is not with the Postfix certificates but with the Courier certificates. How do I fix those?
  4. falko

    falko Super Moderator Howtoforge Staff

    ou mean Thunderbird, not Firefox, I guess?

    Have a look here:

Share This Page