Configure: run the commands below one by one to create the SSL certificate.

 -------------------------------------------------   

yum -y install openssl

                          

[root@www ~]# cd /etc/pki/tls/certs

[root@www certs]# make server.key

umask 77 ; \

/usr/bin/openssl genrsa -aes128 2048 > server.key

Generating RSA private key, 2048 bit long modulus

......................................................++++++

.............++++++

e is 65537 (0x10001)

Enter pass phrase:# set passphrase

Verifying - Enter pass phrase:# confirm

# remove passphrase from private key

[root@www certs]# openssl rsa -in server.key -out server.key

Enter pass phrase for server.key:# input passphrase

writing RSA key

[root@www certs]#

[root@www certs]# make server.csr

umask 77 ; \

/usr/bin/openssl req -utf8 -new -key server.key -out server.csr

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [XX]:BD

State or Province Name (full name) []:Dhaka

Locality Name (eg, city) [Default City]:Dhaka

Organization Name (eg, company) [Default Company Ltd]:World Communication Network Ltd.

Organizational Unit Name (eg, section) []:worldcm.net

Common Name (eg, your name or your server's hostname) []:mail.worldcm.net

Email Address []: admin@worldcm.net

A challenge password []:# Enter

An optional company name []:# Enter

[root@www certs]#

[root@www certs]# openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 3650

Signature ok

subject=/C=JP/ST=Hiroshima/L=Hiroshima/O=GTS/OU=Server World/CN=www.srv.world/emailAddress=xxx@srv.world Getting Private key

[root@www certs]# chmod 400 server.*

                            ----------------------------------------------------------------------

    Configure Postfix and Dovecot for SSL.

[root@mail ~]# vi /etc/postfix/main.cf

# add follows to the end

smtpd_use_tls = yes

smtpd_tls_cert_file = /etc/pki/tls/certs/server.crt

smtpd_tls_key_file = /etc/pki/tls/certs/server.key

smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache

[root@mail ~]# vi /etc/postfix/master.cf

# line 17-18: uncomment

smtps       inet   n       -       n       -       -       smtpd

  -o smtpd_tls_wrappermode=yes

[root@mail ~]# vi /etc/dovecot/conf.d/10-ssl.conf

# line 6: uncomment

ssl = yes

# line 12,13: specify certificates

ssl_cert = </etc/pki/tls/certs/server.crt

ssl_key = </etc/pki/tls/certs/server.key

[root@mail ~]# /etc/rc.d/init.d/postfix restart

Shutting down postfix: [ OK ]

Starting postfix: [ OK ]

[root@mail ~]# /etc/rc.d/init.d/dovecot restart

Stopping Dovecot Imap: [ OK ]

Starting Dovecot Imap: [ OK ]

[3]     If iptables is running, allow the SMTPS/POP3S/IMAPS ports: SMTPS uses 465/TCP, POP3S uses 995/TCP, IMAPS uses 993/TCP. Adjust the rule positions ("-I INPUT 5" and following) below to match your own ruleset.

[root@dlp ~]# iptables -I INPUT 5 -p tcp -m state --state NEW -m tcp --dport 465 -j ACCEPT

[root@dlp ~]# iptables -I INPUT 6 -p tcp -m state --state NEW -m tcp --dport 993 -j ACCEPT

[root@dlp ~]# iptables -I INPUT 7 -p tcp -m state --state NEW -m tcp --dport 995 -j ACCEPT

 [ figure 1]

                                                        

[root@mail ~]# yum -y install cyrus-sasl cyrus-sasl-devel cyrus-sasl-gssapi cyrus-sasl-md5 cyrus-sasl-plain

[root@mail ~]# mkdir /etc/postfix/ssl

[root@mail ~]# cd /etc/postfix/ssl/

[root@mail ssl]# openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024   # note: 1024 is a weak key size today; the other genrsa commands on this page use 2048

[root@mail ssl]# chmod 600 smtpd.key

[root@mail ssl]# openssl req -new -key smtpd.key -out smtpd.csr   [ Enter pass phrase for smtpd.key: the passphrase chosen when the key was generated (e.g. 1234 or the domain name) ]

All necessary values for the certificate can be given:

Country Name (2 letter code) [XX]:BD

State or Province Name (full name) []:Dhaka

Locality Name (eg, city) [Default City]:Dhaka

Organization Name (eg, company) [Default Company Ltd]:World Communication Network Ltd.

Organizational Unit Name (eg, section) []:worldcm.net

Common Name (eg, your name or your server's hostname) []:mail.worldcm.net

Email Address []: admin@worldcm.net

A challenge password []:world

An optional company name []: worldcm

[root@mail ssl]# openssl x509 -req -days 365 -in smtpd.csr -signkey smtpd.key -out smtpd.crt

[root@mail ssl]# openssl rsa -in smtpd.key -out smtpd.key.unencrypted

[root@mail ssl]# mv -f smtpd.key.unencrypted smtpd.key

[root@mail ssl]# openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 365

Country Name (2 letter code) [XX]:BD

State or Province Name (full name) []:Dhaka

Locality Name (eg, city) [Default City]:Dhaka

Organization Name (eg, company) [Default Company Ltd]:World Communication Network Ltd.

Organizational Unit Name (eg, section) []:worldcm.net

Common Name (eg, your name or your server's hostname) []:mail.worldcm.net

Email Address []: admin@worldcm.net

                XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX--------OR----------XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX



Enable TLS Encryption for Postfix

[root@mail ~]#mkdir /etc/ssl/private/   [ figure 2]

[root@mail ~]# cd /etc/ssl/

[root@mail ssl]# chmod 777 private   # note: this makes the key directory world-writable; the private key written into it below should still be restricted, e.g. chmod 600 as done for smtpd.key above

# openssl req -new -x509 -days 365 -nodes -out /etc/ssl/certs/postfixcert.pem -keyout /etc/ssl/private/postfixkey.pem

[ no pass phrase is requested here: the -nodes option writes the key unencrypted ]

Country Name (2 letter code) [XX]:BD

State or Province Name (full name) []:Dhaka

Locality Name (eg, city) [Default City]:Dhaka

Organization Name (eg, company) [Default Company Ltd]:World Communication Network Ltd.

Organizational Unit Name (eg, section) []:worldcm.net

Common Name (eg, your name or your server's hostname) []:mail.worldcm.net

Email Address []: admin@worldcm.net

Enable SSL Encryption for Dovecot

[root@mail ~]#mkdir /etc/ssl/private/

[root@mail ~]# cd /etc/ssl/

[root@mail ssl]# chmod 777 private   # note: this makes the key directory world-writable; the private key written into it below should still be restricted, e.g. chmod 600 as done for smtpd.key above

[root@mail ssl]#openssl req -new -x509 -days 365 -nodes -out /etc/ssl/certs/dovecotcert.pem -keyout /etc/ssl/private/dovecotkey.pem

             All necessary values for the certificate can be given:

             ------------------------------------------------------   [ no pass phrase is requested here: the -nodes option writes the key unencrypted ]

Country Name (2 letter code) [XX]:BD

State or Province Name (full name) []:Dhaka

Locality Name (eg, city) [Default City]:Dhaka

Organization Name (eg, company) [Default Company Ltd]:World Communication Network Ltd.

Organizational Unit Name (eg, section) []:worldcm.net

Common Name (eg, your name or your server's hostname) []:mail.worldcm.net

Email Address []: admin@worldcm.net

root@mail:~# vim /etc/dovecot/conf.d/10-ssl.conf

   6 ssl = yes

 12 ssl_cert = </etc/pki/dovecot/certs/dovecot.pem

 13 ssl_key = </etc/pki/dovecot/private/dovecot.pem

---------OR-----------------

ssl_cert = </etc/ssl/certs/dovecotcert.pem

ssl_key = </etc/ssl/private/dovecotkey.pem

Finally, dovecot is restarted to enable SSL with the new certificate.

root@mail:~# service dovecot restart

-----------------------------------------------

main.cf 

root@mail:~# vim /etc/postfix/main.cf

                                                                                    

  ---   ----------OR-----------------

##SSL/TLS       [ figure 2]        

### STARTTLS is enabled

smtpd_tls_security_level = may

smtpd_tls_received_header = yes

smtpd_tls_auth_only = yes

### loglevel 3 should be used while troubleshooting ###

smtpd_tls_loglevel = 1

### path to certificate and key file

smtpd_tls_cert_file =/etc/ssl/certs/postfixcert.pem

smtpd_tls_key_file =/etc/ssl/private/postfixkey.pem

smtpd_use_tls=yes

----------------------------------------------------

master.cf

root@mail:~# vim /etc/postfix/master.cf

##SASL   (these "parameter = value" lines are main.cf syntax; the numbered "-o" service lines further below are the master.cf part)

smtpd_sasl_auth_enable = yes

smtpd_sasl_type = dovecot

smtpd_sasl_path = private/auth

smtpd_sasl_security_options = noanonymous

broken_sasl_auth_clients = yes

smtpd_sasl_authenticated_header = yes

##SSL/TLS    [ figure 1]                                                                                                

smtpd_tls_auth_only = no

smtp_use_tls = yes

smtpd_use_tls = yes

smtp_tls_note_starttls_offer = yes

smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key                                                                                                                   

smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt

smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem

smtpd_tls_received_header = yes

smtpd_tls_session_cache_timeout = 3600s

tls_random_source = dev:/dev/urandom

#SMTPD CLIENT RESTRICTIONS

smtpd_client_restrictions = permit_mynetworks check_client_access hash:/etc/postfix/access reject_unauth_pipelining permit_inet_interfaces

     18 submission inet n       -       n        -       -       smtpd

     19    -o syslog_name=postfix/submission

     20    -o smtpd_tls_security_level=encrypt

     21    -o smtpd_sasl_auth_enable=yes

     22 #   -o smtpd_reject_unlisted_recipient=no

     23 #  -o smtpd_client_restrictions=$mua_client_restrictions

     24 #  -o smtpd_helo_restrictions=$mua_helo_restrictions

     25 #  -o smtpd_sender_restrictions=$mua_sender_restrictions

     26 #   -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject

     27#    -o milter_macro_daemon_name=ORIGINATING

     28 #   -o broken_sasl_auth_clients=yes

     29   

     30 smtps     inet  n       -       n       -       -       smtpd

     31    -o syslog_name=postfix/smtps

     32    -o smtpd_tls_wrappermode=yes

     33    -o smtpd_sasl_auth_enable=yes

     34#   -o smtpd_reject_unlisted_recipient=no

     35 #  -o smtpd_client_restrictions=$mua_client_restrictions

     36 #  -o smtpd_helo_restrictions=$mua_helo_restrictions

     37 #  -o smtpd_sender_restrictions=$mua_sender_restrictions

     38 #   -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject

     39#    -o milter_macro_daemon_name=ORIGINATING

     40 #   -o broken_sasl_auth_clients=yes

     41 

#######################################################################################################################

                                                                                                        TLS

Basic Postfix authentication over SSL (SASL + TLS)

As you might know, Postfix is a really big piece of software that can deal with very complex situations - mortals like me (software developers are mortals, sysadmins are not) only have to handle simple scenarios involving a few email accounts. So, basically, my need is to restrict email submission to users authenticated over a secure connection.

Postfix can use many underlying authentication systems. I just needed the SMTP sender accounts to be in sync with the Unix accounts (same user/pass).

The procedure below has been tested with Postfix 2.2.x under CentOS.

1) Postfix conf

Edit /etc/postfix/main.cf and add these new directives :

smtpd_sasl_auth_enable = yes

smtpd_sasl_security_options = noanonymous

smtpd_sasl_local_domain = $myhostname

smtpd_sasl_application_name = smtpd

Search for the smtpd_recipient_restrictions directive and add permit_sasl_authenticated. It should look like:

smtpd_recipient_restrictions = permit_mynetworks,

permit_sasl_authenticated,

reject_non_fqdn_sender,

reject_non_fqdn_recipient,

reject_unauth_destination,

reject_unauth_pipelining,

reject_invalid_hostname

2) SASL conf

Check that you have the cyrus-sasl rpms available on your system - if not, yum install cyrus-sasl, yum install cyrus-sasl-plain

Create if needed and edit /usr/lib/sasl2/smtp.conf :

pwcheck_method: saslauthd

mech_list: PLAIN LOGIN

3) TLS security

We might stop here and jump to step 4, but we don't: this solution is totally insecure, because the authentication data is sent over the network without being encrypted.

The added security of using SSL to encrypt transfers is worth another little effort.

Edit main.cf again and add :

smtpd_tls_auth_only = yes 

smtpd_tls_req_ccert = yes

smtp_use_tls = yes

smtpd_use_tls = yes

smtp_tls_note_starttls_offer = yes

smtpd_tls_key_file = /etc/postfix/tls/privkey.pem

smtpd_tls_cert_file = /etc/postfix/tls/cert.pem

smtpd_tls_CAfile = /etc/postfix/tls/cert.pem

smtpd_tls_loglevel = 1

smtpd_tls_received_header = yes

smtpd_tls_session_cache_timeout = 3600s

tls_random_source = dev:/dev/urandom

Then, we need to generate the SSL certificate and private key:

cd /etc/postfix

mkdir tls

cd tls 

openssl req -new -x509 -nodes -out cert.pem -days 3650

chmod 600 *

4) Final step

service postfix reload

Configure your MUA (Mail User Agent, e.g. Thunderbird) accordingly (user/pass).

----------------------------------------------------------------------------------------------------------------------------------------------------------------------------

 Generate Postfix Self-Signed Certificate

We need to generate a self-signed SSL certificate to be used with Postfix and Dovecot.

[root@geekpeek ~]# mkdir /etc/postfix/ssl
[root@geekpeek ~]# cd /etc/postfix/ssl/
[root@geekpeek ssl]# openssl genrsa -out postfix.key 2048
Generating RSA private key, 2048 bit long modulus
.....+++
.............+++
e is 65537 (0x10001)
[root@geekpeek ssl]# openssl req -new -key postfix.key -out postfix.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:BD
State or Province Name (full name) []: Dhaka
Locality Name (eg, city) [Default City]:Dhaka
Organization Name (eg, company) [Default Company Ltd]:Worldcm Network.
Organizational Unit Name (eg, section) []:worldcm.com
Common Name (eg, your name or your server's hostname) []:mail.worldcm.com
Email Address []:admin@worldcm.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@geekpeek ssl]# openssl x509 -req -days 3650 -in postfix.csr -signkey postfix.key -out postfix.crt
Signature ok
subject=/C=BD/L=Dhaka/O=worldcmNetwork/CN=mail.worldcm.net/emailAddress=admin@worldcm.com
Getting Private key

Reconfigure Postfix

Add the following lines to the bottom of the "/etc/postfix/main.cf" file:

# SSL/TLS
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/postfix/ssl/postfix.key
smtpd_tls_cert_file = /etc/postfix/ssl/postfix.crt
smtpd_tls_loglevel = 0
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

# SASL
smtpd_sasl_type = dovecot
broken_sasl_auth_clients = yes
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous

Also we need to edit “/etc/postfix/master.cf” file and uncomment the following lines:

/etc/postfix/master.cf

submission inet n - n - - smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
smtps inet n - n - - smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING

Reconfigure Dovecot

/etc/dovecot/conf.d/10-ssl.conf

# Uncomment
ssl = yes
# Change to point to SSL cert generated in Step 15
ssl_cert = </etc/postfix/ssl/postfix.crt
ssl_key = </etc/postfix/ssl/postfix.key

Restart Postfix and Dovecot

# /etc/init.d/postfix restart

# /etc/init.d/dovecot restart