Configuring Postfix on SLES 10 to Use GoDaddy Certificates

  • 7002392
  • 16-Jan-2009
  • 30-Apr-2012

Environment

Novell SUSE Linux Enterprise Server 10
Postfix

Situation

To secure (encrypt) communication between a Postfix SMTP server and another SMTP server or client, certificates must be configured.  The resolution below describes how to set up GoDaddy certificates with Postfix.  The process is likely similar for certificates provided by other certificate authorities, but there can be subtle differences.

Resolution

To obtain a GoDaddy certificate, a certificate signing request (CSR) must be created along with a private key file.  This can be done using OpenSSL on the SUSE Linux Enterprise Server.  The private key file must be created first.  Go to a terminal prompt and become the root user.  In the example below, the first command becomes the superuser, the next two create and change into a new directory where all generated files are kept, and the last creates a private key file named 'hostname.key'.

NOTE:  It is important that the key file not be lost.  Make backups of this file once it has been created.

su -
mkdir /etc/postfix/ssl
cd /etc/postfix/ssl
openssl genrsa -out hostname.key 1024


The 'hostname.key' file is then used by OpenSSL to generate the CSR that must be presented to GoDaddy.  To generate a CSR file named 'hostname.csr', issue the following command.

openssl req -new -nodes -key hostname.key -out hostname.csr

When the command is issued, a number of questions about the contents of the request are asked.  An example is shown below.

NOTE:  When prompted for the "Common Name", the expected response is the fully qualified hostname of the server where the certificate will be installed.  For the purposes of this document, that is the server where Postfix is installed.

Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:UT
Locality Name (eg, city) []:Provo
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Widgits Inc
Organizational Unit Name (eg, section) []:Customer Services
Common Name (eg, YOUR name) []:mail.widgits.com
Email Address []:postmaster@widgits.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:


At this point, the CSR is ready to be submitted to GoDaddy to have the certificate issued.  Note that during the submission process, GoDaddy asks which type of application the certificate is intended for.  Possible answers include Tomcat, Apache, IIS and others.  Choosing Apache as the intended application has been successful.

After the CSR has been submitted and the certificate approved, a zip file containing two files is emailed to the submitter.  The filenames are <Common Name entered in the CSR process>.crt and gd_bundle.crt.  Place both files in the /etc/postfix/ssl directory.

The private key file 'hostname.key' and the two files received from GoDaddy must now be concatenated into a single file.  The file created in the example below is 'hostname.pem'.  The filename 'mail.widgits.com.crt' used in the example will not match the filename of your certificate, so substitute the correct filename.

cat hostname.key mail.widgits.com.crt gd_bundle.crt > hostname.pem

The /etc/postfix/ssl directory should now contain five files.  In the example described so far, they are:

hostname.key
hostname.csr
mail.widgits.com.crt
gd_bundle.crt
hostname.pem
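Before Postfix is pointed at these files, it is worth confirming that they fit together.  The shell script below is an added example for this article, not part of the original TID or of Postfix.  It checks that the certificate returned by GoDaddy belongs to the private key created above, that the certificate verifies through the CA bundle, that 'hostname.pem' really contains the key and both certificates, and that the key file is not readable by group or other users.  The file names are the ones used in this article; the function names and the optional trust-anchor argument (needed only when the bundle does not reach a root already trusted by the system) are the example's own.

```shell
#!/bin/sh
# Added example; not part of the original TID. Sanity-checks the files assembled in
# /etc/postfix/ssl before Postfix is configured to use them. File names default to
# the article's (hostname.key, mail.widgits.com.crt, gd_bundle.crt, hostname.pem).

# Succeeds when the public key inside CERT is the one derived from KEY, i.e. the
# certificate GoDaddy returned belongs to the private key generated here.
# Compares PEM public keys, so it works for RSA and other key types alike.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# Succeeds when CERT chains to a trusted root through the intermediates in BUNDLE.
# ROOT (optional, an assumption of this example) is a file holding the trust
# anchor; without it openssl consults the system trust store it uses by default.
chain_verifies() {
    cert=$1; bundle=$2; root=$3
    if [ -n "$root" ]; then
        openssl verify -CAfile "$root" -untrusted "$bundle" "$cert" >/dev/null 2>&1
    else
        openssl verify -untrusted "$bundle" "$cert" >/dev/null 2>&1
    fi
}

# Succeeds when PEM holds exactly one private key and at least two certificates
# (server certificate plus CA bundle), which is what the cat command builds.
pem_is_complete() {
    keys=$(grep -c 'BEGIN .*PRIVATE KEY' "$1" || true)
    certs=$(grep -c 'BEGIN CERTIFICATE' "$1" || true)
    [ "$keys" -eq 1 ] && [ "$certs" -ge 2 ]
}

# Succeeds when KEY carries no group or world read bit: the private key is the one
# secret in this setup, and a copy readable by other users is a finding.
key_is_private() {
    [ -z "$(find "$1" \( -perm -004 -o -perm -040 \))" ]
}

# Runs every check; arguments are KEY CERT BUNDLE PEM [ROOT]. Returns 0 only if all pass.
check_postfix_tls_files() {
    status=0
    key_matches_cert "$1" "$2"    || { echo "key and certificate do not match"; status=1; }
    chain_verifies "$2" "$3" "$5" || { echo "certificate does not verify through the bundle"; status=1; }
    pem_is_complete "$4"          || { echo "$4 is missing the key or CA certificates"; status=1; }
    key_is_private "$1"           || { echo "$1 is readable by group or others"; status=1; }
    return "$status"
}

# Stand-alone use with the article's file names (with no arguments nothing runs):
#   sh check_tls_files.sh /etc/postfix/ssl/hostname.key /etc/postfix/ssl/mail.widgits.com.crt \
#       /etc/postfix/ssl/gd_bundle.crt /etc/postfix/ssl/hostname.pem
if [ "$#" -ge 4 ]; then
    check_postfix_tls_files "$@"
fi
```

A non-zero exit from any check is worth fixing before restarting Postfix: a key/certificate mismatch or an incomplete chain is exactly what shows up later as a TLS warning in the mail log, and a group- or world-readable key defeats the purpose of the certificate.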


Finally, Postfix itself can be modified.  The two files to be modified for this example are '/etc/postfix/main.cf' and '/etc/postfix/master.cf'.  Make a backup of the original files first.

cp /etc/postfix/main.cf /etc/postfix/main.cf.org
cp /etc/postfix/master.cf /etc/postfix/master.cf.org


The following lines need to be added or modified in main.cf with a text editor.  Note that the first two lines point to files created in the steps above.

smtpd_tls_key_file = /etc/postfix/ssl/hostname.key
smtpd_tls_cert_file = /etc/postfix/ssl/hostname.pem
smtpd_use_tls = yes
smtp_use_tls = yes
smtpd_tls_auth_only = no
smtp_tls_note_starttls_offer = yes
smtpd_tls_loglevel = 2
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

The only change to the master.cf file is to uncomment the following line by removing the leading '#':

#tlsmgr    unix  -       -       n       1000?   1       tlsmgr

It should then look like this:

tlsmgr    unix  -       -       n       1000?   1       tlsmgr


At this point, Postfix needs to be restarted.

rcpostfix restart

Now perform a quick test to see whether Postfix will accept a TLS connection.  From the terminal prompt, do the following:

telnet localhost 25
<a banner will appear>
ehlo localhost
<a number of allowed services will appear which should include STARTTLS>
STARTTLS
<no error should be returned>

If an error is returned, first check the file '/var/log/mail.warn'.  This file records any errors encountered while reading the certificate entries when Postfix starts.  Typographical errors are a common cause of problems; make sure there are no spelling errors and remember that all entries and filenames are case sensitive.
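The telnet session above only shows that STARTTLS is advertised; it does not complete a handshake or verify the certificate chain the server presents.  The shell functions below are an added example, not part of the original article or of Postfix.  They check a captured EHLO response for STARTTLS, run a real handshake with 'openssl s_client -starttls smtp' (which issues the EHLO itself) and judge its output, and pull the warnings that matter for this setup out of /var/log/mail.warn.  The function names are the example's own, the host and port default to the article's localhost:25, and any log lines or s_client output shown in comments are constructed for illustration.

```shell
#!/bin/sh
# Added example; not part of the original TID. Goes one step past the telnet check:
# confirms STARTTLS is offered, completes the handshake, and triages the mail log.

# Reads an EHLO response on stdin (for instance pasted from the telnet session) and
# succeeds only if the server advertised STARTTLS. CRs from the SMTP line ending
# are stripped so a raw capture works too.
starttls_offered() {
    tr -d '\r' | grep -Eq '^250[- ]STARTTLS *$'
}

# Reads 'openssl s_client' output on stdin, echoes the negotiated protocol and the
# verification result, and succeeds only when the chain verified (return code 0).
# A constructed failing example would end with a line such as
#   Verify return code: 21 (unable to verify the first certificate)
# which usually means the CA bundle is missing from the file Postfix serves.
tls_handshake_ok() {
    out=$(cat)
    printf '%s\n' "$out" | grep -E 'Protocol *:|Verify return code' || true
    printf '%s\n' "$out" | grep -q 'Verify return code: 0 (ok)'
}

# Performs a live STARTTLS handshake against HOST:PORT (default localhost 25).
# CAFILE (optional, an assumption of this example) is the trust anchor to verify
# against; without it openssl uses its default trust store. Stdin is /dev/null so
# s_client closes the session as soon as the handshake is done.
probe_starttls() {
    host=${1:-localhost}; port=${2:-25}
    if [ -n "$3" ]; then
        openssl s_client -connect "$host:$port" -starttls smtp -CAfile "$3" </dev/null 2>&1
    else
        openssl s_client -connect "$host:$port" -starttls smtp </dev/null 2>&1
    fi | tls_handshake_ok
}

# Prints the lines in LOGFILE (default /var/log/mail.warn) that point at the two
# usual causes of a failed TLS setup: key or certificate files Postfix could not
# load, and misspelled main.cf parameters reported as unused. Succeeds when at
# least one such line exists, so the caller knows there is something to read.
tls_log_problems() {
    grep -Ei 'postfix.*(TLS|private key|certificate|unused parameter)' "${1:-/var/log/mail.warn}"
}

# Stand-alone use (nothing runs without arguments):
#   sh probe_starttls.sh mail.widgits.com 25
if [ "$#" -ge 1 ]; then
    probe_starttls "$@"
fi
```

When 'probe_starttls' prints a non-zero verify return code even though the telnet test passed, compare the certificates in 'hostname.pem' against what s_client lists under "Certificate chain"; when it cannot connect at all, 'tls_log_problems' is the place to look, since Postfix disables TLS and logs a warning rather than refusing to start if it cannot read the key or certificate.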

The Postfix system should now be ready to communicate securely.
