SSL
---------
SSL-Certificates

Build the intermediate/root bundle with `cat COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt >> bundle.crt`. Note that `>>` appends: delete any existing bundle.crt first (or use `>`), otherwise stale certificates from a previous run stay in the file. Caveat: the AddTrust External CA Root expired in May 2020, and a bundle that still carries it is rejected by some older OpenSSL-based clients; current Sectigo/COMODO issuance chains through USERTrust RSA to AAA Certificate Services instead (see the Sectigo entry below).
--------------------+
1: mai_xxx_net.crt
2: CA
3: Intermediate Certificate CA
4: Global Root CA.pem
-----------------------------------
1: mail_workdcm_net.crt
2: DigiCertCA.crt
3: DigiCert TLS RSA SHA256 2020 CA1.pem
4: DigiCert Global Root CA.pem
---------------------
sectigo.com / COMODO
-------------
windows-Linux
------------------
1: Your EssentialSSL Wildcard Certificate - STAR_worldcm_net.crt
2: Intermediate CA Certificate - USERTrustRSAAAACA.crt
3: Intermediate CA Certificate - SectigoRSADomainValidationSecureServerCA.crt
4: Root CA Certificate - AAACertificateServices.crt

Note: the numbers above are the order of the CA's download listing, not necessarily the order for a concatenated PEM. Postfix expects the server (leaf) certificate first, followed by the intermediate that issued it, then that intermediate's issuer, with the root last (the root is optional in the served chain). Verify before deploying: `openssl verify -CAfile <root> -untrusted <intermediates> <leaf>`, and after the restart `openssl s_client -connect <host>:25 -starttls smtp -showcerts` should show the full chain with no "unable to get local issuer certificate" error.
1= STAR_pgonceramicbd_com.crt
2= AAACertificateServices.crt
3= SectigoRSADomainValidationSecureServerCA.crt
4= USERTrustRSAAAACA.crt
----
Note: in this listing the root (AAACertificateServices) appears before the intermediates. If the files are concatenated in this order the chain is out of issuer order and some clients will fail to build a path; keep leaf first, then the intermediate that signed it, then the next intermediate, root last.
-------------Go Daddy Secure Certificate Authority -----------------
- gd_bundle-g2-g1.crt
- 7b2a1ba0b3cd12fc.pem
- 7b2a1ba0b3cd12fc.crt
( Build the chain file with the server certificate first, then the Go Daddy bundle appended after it: `cat 7b2a1ba0b3cd12fc.pem gd_bundle-g2-g1.crt > mail.worldcm.net.crt` )
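###- SASL + Paid SSL-##
# Postfix main.cf fragment. The first block is the previous TLS setup, kept disabled
# for reference only. Do not re-enable it as written: "smtpd_tls_protocols = TLSv1 TLSv1.1 TLSv1.2"
# admits the retired TLS 1.0/1.1, and "smtpd_tls_loglevel = 0" hides handshake failures.
#smtpd_use_tls = yes
#smtpd_tls_security_level = may
#smtpd_tls_auth_only = yes
#smtpd_tls_key_file = /etc/postfix/ssl/worldcm.com.key
#smtpd_tls_cert_file = /etc/postfix/ssl/worldcm2022.crt
#smtpd_tls_loglevel = 0
#smtpd_tls_received_header = yes
#smtpd_tls_session_cache_timeout = 3600s
#tls_random_source = dev:/dev/urandom
#smtpd_tls_protocols = TLSv1 TLSv1.1 TLSv1.2

###SASL
# AUTH is delegated to Dovecot over its unix socket; noanonymous refuses the ANONYMOUS mechanism.
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
# Announce and accept AUTH only after STARTTLS. This was commented out in the old block above;
# without it AUTH PLAIN/LOGIN is advertised on the clear-text port 25 session and passwords
# can cross the wire unencrypted.
smtpd_tls_auth_only = yes
# Legacy: accepts the non-standard "AUTH=" syntax of very old mail clients. Drop once none remain.
broken_sasl_auth_clients = yes
smtpd_sasl_authenticated_header = yes

####---SSL Paid---###
# smtpd_use_tls is the pre-2.3 spelling; smtpd_tls_security_level = may is the current
# equivalent (opportunistic STARTTLS on port 25; submission/465 enforce TLS in master.cf).
smtpd_tls_security_level = may
#smtpd_tls_cert_file = /etc/pki/tls/certs/server.crt
#smtpd_tls_key_file = /etc/pki/tls/certs/server.key
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache

###----2022 Paid SSL-----
# The cert file holds the leaf certificate followed by its intermediate chain (see the bundle
# notes above). The key must be root-owned, mode 0600.
# NOTE(review): the original paste does not make clear whether the cert line was commented out;
# a key with no certificate leaves smtpd unable to offer TLS at all, so both are active here.
# Confirm the pair matches before restarting:
#   openssl x509 -noout -pubkey -in /etc/pki/tls/certs/worldcm2022.crt | sha256sum
#   openssl pkey -pubout -in /etc/pki/tls/certs/worldcm.com.key | sha256sum
smtpd_tls_cert_file = /etc/pki/tls/certs/worldcm2022.crt
smtpd_tls_key_file = /etc/pki/tls/certs/worldcm.com.key
WEBMIN: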
Private key file : /etc/pki/tls/certs/worldcm.net.key (root-owned, mode 0600)
Certificate file : /etc/pki/tls/certs/worldcm.net.2023.crt (leaf certificate followed by the intermediate chain; confirm the key matches it — `openssl x509 -noout -pubkey -in CERT | sha256sum` and `openssl pkey -pubout -in KEY | sha256sum` must agree)
OLD:
Private key file : /etc/webmin/miniserv.pem
Certificate file : same file as the private key (Webmin's default combined key+certificate PEM; it is self-signed, so browsers warned on every login — superseded by the files above)
Create the DH parameters and the certificate/key files for smtpd
dh2048.pem and dh512.pem are files with DH parameters that the Postfix SMTP server uses for EDH (ephemeral Diffie-Hellman) key exchange. Only dh2048.pem matters in practice: 512-bit parameters are only ever used by export-grade ciphers, which are breakable and are not part of the "medium" or "high" cipher grades this configuration selects, so the dh512 file can be dropped together with the smtpd_tls_dh512_param_file setting.
cert.pem is a PEM-formatted file with a Postfix SMTP server RSA certificate.
privkey.pem is a file in PEM format with a Postfix SMTP server RSA private key.
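# Run as root. Creates the DH parameters and a self-signed key pair for the Postfix SMTP server.
mkdir -p /etc/postfix/ssl/worldcm/
# 2048-bit DH parameters for EDH ciphers; generation takes a while, that is normal.
openssl dhparam -out /etc/postfix/ssl/worldcm/dh2048.pem 2048
# 512-bit parameters are export-grade and breakable. Kept only because main.cf still names the
# file; remove this line and smtpd_tls_dh512_param_file together.
openssl dhparam -out /etc/postfix/ssl/worldcm/dh512.pem 512

mkdir -p /etc/postfix/ssl/selfsigned/
# Self-signed fallback certificate: RSA-4096, SHA-256, valid ~10 years.
# -nodes leaves the key unencrypted on purpose: smtpd cannot prompt for a passphrase at startup.
# Replace ドメイン名 ("domain name") with the real host name before running.
# umask 077 so the key is never created world-readable, even for an instant.
umask 077
openssl req -new -newkey rsa:4096 -days 3658 -sha256 -nodes -x509 \
  -subj "/C=JP/ST=Shizuoka/L=Shizuoka/O=Mailserver certificate/OU=Mail/CN=www.ドメイン名/emailAddress=admin@ドメイン名" \
  -keyout /etc/postfix/ssl/selfsigned/privkey.pem \
  -out /etc/postfix/ssl/selfsigned/cert.pem
# Private key: root only. Certificate: public, readable by anyone.
chmod 600 /etc/postfix/ssl/selfsigned/privkey.pem
chmod 644 /etc/postfix/ssl/selfsigned/cert.pem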
# vim /etc/postfix/main.cf
-----------------------------
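#
# Smtp (Postfix as TLS client for outbound relay)
#
smtp_tls_loglevel = 1
# Opportunistic: STARTTLS when the remote offers it, clear text otherwise.
smtp_tls_security_level = may
#smtp_tls_CAfile =
smtp_tls_protocols = !SSLv2, !SSLv3
# Mandatory settings only apply to destinations pinned to encrypt/verify (none at "may");
# TLS 1.0/1.1 are retired there.
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_mandatory_ciphers = high
smtp_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, 3DES, RC2, RC4, MD5, PSK, SRP, DSS, AECDH, ADH
smtp_tls_note_starttls_offer = yes

#
# Smtpd (Postfix as TLS server)
#
smtpd_tls_loglevel = 1
# AUTH is announced only inside TLS, so passwords never cross the clear-text port 25 session.
smtpd_tls_auth_only = yes
# Port 25 stays opportunistic so MTAs without TLS can still deliver;
# submission (encrypt) and 465 (wrapper mode) enforce TLS in master.cf.
smtpd_tls_security_level = may
smtpd_tls_received_header = yes
# Opportunistic grade is deliberately broad: excluding TLS 1.0/1.1 here would push old
# senders to clear text rather than to a newer TLS.
smtpd_tls_protocols = !SSLv2, !SSLv3
# Mandatory grade is what authenticating clients on submission/465 negotiate;
# TLS 1.0/1.1 are retired there. Re-add one only for a known legacy client.
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_mandatory_ciphers = medium
#smtpd_tls_CAfile = $smtp_tls_CAfile
# Self-signed pair from the openssl req step above; swap for the paid certificate chain + key.
smtpd_tls_cert_file = /etc/postfix/ssl/selfsigned/cert.pem
smtpd_tls_key_file = /etc/postfix/ssl/selfsigned/privkey.pem
# Parameter name is historical; Postfix loads the 2048-bit parameters generated above from it.
smtpd_tls_dh1024_param_file = /etc/postfix/ssl/worldcm/dh2048.pem
# smtpd_tls_dh512_param_file dropped: 512-bit DH only serves export-grade ciphers,
# which neither the "medium" nor the "high" grade includes.

tls_preempt_cipherlist = yes
tls_random_source = dev:/dev/urandom
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
lmtp_tls_session_cache_database = btree:${data_directory}/lmtp_scache

#
# SASL (authentication delegated to Dovecot over its unix socket)
#
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
smtpd_sasl_local_domain = $mydomain
smtpd_sasl_authenticated_header = yes
# Legacy "AUTH=" syntax for very old mail clients; drop once none remain.
broken_sasl_auth_clients = yes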
Editing master.cf
# vim /etc/postfix/master.cf
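# Submission (587): STARTTLS required, then SASL; only authenticated clients may send.
# The DH parameter override is dropped: it pointed at /etc/postfix/ssl/dhparams/dh2048.pem,
# a file nothing in these notes creates, while main.cf already names
# /etc/postfix/ssl/worldcm/dh2048.pem and this service inherits it.
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
# SMTPS (465): implicit TLS (wrapper mode), which makes TLS mandatory for this service, then SASL.
# The numeric service name works; "smtps" is the conventional name if /etc/services has it.
465       inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
# NOTE(review): accepts mail for local recipients that do not exist and bounces it afterwards;
# unusual on an auth-only port — confirm something downstream actually needs it.
  -o smtpd_reject_unlisted_recipient=no
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject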
-----------------------------
# vim /etc/dovecot/conf.d/10-ssl.conf
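# Dovecot TLS: same self-signed pair as Postfix smtpd (swap for the paid chain + key together
# with main.cf). Dovecot opens these files as root before dropping privileges, so the key stays
# root-owned, mode 0600.
ssl_cert = </etc/postfix/ssl/selfsigned/cert.pem
ssl_key = </etc/postfix/ssl/selfsigned/privkey.pem
# Dovecot 2.2 syntax; 2.3 replaced it with "ssl_dh = </path/to/dh.pem" — check `dovecot --version`.
ssl_dh_parameters_length = 2048
# Forward-secret suites only (ECDHE/DHE with AES); plain RSA key exchange is not offered.
ssl_cipher_list = EECDH+AES:EDH+AES+aRSA
ssl_prefer_server_ciphers = yes
# NOTE(review): no protocol floor is set, so TLS 1.0/1.1 remain enabled here. Add
# "ssl_min_protocol = TLSv1.2" (2.3+) or "ssl_protocols = !SSLv3 !TLSv1 !TLSv1.1" (2.2)
# once the Dovecot version is confirmed.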
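# Run as root. Validate both configurations first so a typo does not take mail down on restart.
postfix check
doveconf -n > /dev/null
systemctl restart postfix.service
systemctl restart dovecot.service
# Confirm the chain the server actually presents (expect no "unable to get local issuer" error):
#   openssl s_client -connect localhost:587 -starttls smtp -showcerts </dev/null
#   openssl s_client -connect localhost:465 -showcerts </dev/null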
------