SSL

---------

SSL-Certificates

# Build the CA chain bundle in the order shown: issuing intermediate, cross-signing
# intermediate, then root. Note ">>" appends - re-running this duplicates entries
# in bundle.crt; remove the file first (or use ">") when rebuilding.
# NOTE(review): AddTrust External CA Root expired in 2020; current Sectigo chains
# end at AAA Certificate Services instead (see the Sectigo list below).
cat COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt >> bundle.crt

--------------------

+

1: mai_xxx_net.crt
2: CA
3: Intermediate Certificate CA
4: Global Root CA.pem
-----------------------------------
1: mail_workdcm_net.crt
2: DigiCertCA.crt
3: DigiCert TLS RSA SHA256 2020 CA1.pem
4: DigiCert Global Root CA.pem
---------------------
sectigo.com / COMODO
-------------
windows-Linux
------------------
1: Your EssentialSSL Wildcard Certificate - STAR_worldcm_net.crt
2: Intermediate CA Certificate - USERTrustRSAAAACA.crt
3: Intermediate CA Certificate - SectigoRSADomainValidationSecureServerCA.crt
4: Root CA Certificate - AAACertificateServices.crt

1=  STAR_pgonceramicbd_com.crt
2=  AAACertificateServices.crt
3=  SectigoRSADomainValidationSecureServerCA.crt
4=  USERTrustRSAAAACA.crt
----
-------------Go Daddy Secure Certificate Authority -----------------
  1. gd_bundle-g2-g1.crt
  2. 7b2a1ba0b3cd12fc.pem
  3. 7b2a1ba0b3cd12fc.crt


( First, concatenate 7b2a1ba0b3cd12fc.pem + gd_bundle-g2-g1.crt = mail.worldcm.net.crt )


###- SASL + Paid SSL-##

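# Parked (fully commented-out) smtpd TLS block, kept for reference; the live
# cert/key settings are in the "SSL Paid" block further down.
#smtpd_use_tls = yes
# smtpd_tls_security_level supersedes smtpd_use_tls on Postfix >= 2.3;
# "may" = opportunistic STARTTLS (offered to clients, not required).
#smtpd_tls_security_level = may
# Announce AUTH only after STARTTLS so credentials never cross in clear text.
#smtpd_tls_auth_only = yes
# Private key: keep root-readable only; it is never part of the public bundle.
#smtpd_tls_key_file = /etc/postfix/ssl/worldcm.com.key
#smtpd_tls_cert_file = /etc/postfix/ssl/worldcm2022.crt
#smtpd_tls_loglevel = 0
#smtpd_tls_received_header = yes
#smtpd_tls_session_cache_timeout = 3600s
#tls_random_source = dev:/dev/urandom
# NOTE(review): TLSv1 and TLSv1.1 are deprecated (RFC 8996). If this line is
# ever re-enabled, list only TLSv1.2 (and TLSv1.3 where the build supports it).
#smtpd_tls_protocols = TLSv1 TLSv1.1 TLSv1.2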

###SASL

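# SASL via the Dovecot auth socket; a relative smtpd_sasl_path is resolved
# under queue_directory (private/auth).
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
# Refuse mechanisms that allow anonymous logins.
smtpd_sasl_security_options = noanonymous
# Accept the obsolete "AUTH=..." form some older clients still send.
broken_sasl_auth_clients = yes
smtpd_sasl_authenticated_header = yes
# NOTE(review): this block alone does not set smtpd_tls_auth_only = yes; without
# it AUTH is also offered on unencrypted sessions - confirm it is set elsewhere.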

####---SSL Paid---###

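smtpd_use_tls = yes
# Previous cert/key pair, kept commented out for rollback.
#smtpd_tls_cert_file = /etc/pki/tls/certs/server.crt
#smtpd_tls_key_file = /etc/pki/tls/certs/server.key
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
###----2022 Paid SSL-----#
# NOTE(review): in the original notes the separator above and the cert line were
# run together; the cert line is assumed to be active (the key line is) - confirm.
# The .crt should hold the leaf followed by the intermediate chain (see the bundle
# order notes above); the private key stays root-readable only.
smtpd_tls_cert_file = /etc/pki/tls/certs/worldcm2022.crt
smtpd_tls_key_file = /etc/pki/tls/certs/worldcm.com.key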

WEBMIN:

Private key file :    /etc/pki/tls/certs/worldcm.net.key

Certificate file : /etc/pki/tls/certs/worldcm.net.2023.crt


OLD:

Private key file :    /etc/webmin/miniserv.pem

Certificate file :     Same file as private key 




Create the TLS files for smtpd

dh2048.pem and dh512.pem are files with DH parameters that the Postfix SMTP server uses for EDH encryption.

cert.pem is a PEM-formatted file with a Postfix SMTP server RSA certificate.

privkey.pem is a file in PEM format with a Postfix SMTP server RSA private key.

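$  mkdir -p /etc/postfix/ssl/worldcm/

# 2048-bit DH parameters for EDH key exchange (generation takes a while).
$  openssl dhparam -out /etc/postfix/ssl/worldcm/dh2048.pem 2048
# NOTE(review): 512-bit DH is export-grade; only export ciphers would use it and
# those are excluded in main.cf below. Postfix builds on OpenSSL >= 1.1.0 no
# longer use the dh512 file at all - verify for the installed version before
# keeping it.
$  openssl dhparam -out /etc/postfix/ssl/worldcm/dh512.pem 512

$  mkdir -p /etc/postfix/ssl/selfsigned/
# Self-signed fallback certificate (4096-bit RSA, ~10 years). "-nodes" writes
# the private key unencrypted, so restrict privkey.pem to root (e.g. chmod 600).
# "ドメイン名" is a placeholder for the real domain name.
$  openssl req -new -newkey rsa:4096 -days 3658 -sha256 -nodes -x509 \
       -subj "/C=JP/ST=Shizuoka/L=Shizuoka/O=Mailserver certificate/OU=Mail/CN=www.ドメイン名/emailAddress=admin@ドメイン名" \
       -keyout /etc/postfix/ssl/selfsigned/privkey.pem \
       -out /etc/postfix/ssl/selfsigned/cert.pem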

vim /etc/postfix/main.cf

                     -----------------------------

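#
# Smtp  (Postfix as TLS client, outbound mail)
#
smtp_tls_loglevel            = 1
# "may" = opportunistic TLS: encrypt when the peer offers STARTTLS; at this
# level the peer certificate is not verified.
smtp_tls_security_level      = may
#smtp_tls_CAfile              =
# Only SSLv2/SSLv3 are excluded, so TLSv1 and TLSv1.1 remain allowed.
# NOTE(review): consider "!SSLv2, !SSLv3, !TLSv1, !TLSv1.1" where peers allow it.
smtp_tls_protocols           = !SSLv2, !SSLv3
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_mandatory_ciphers   = high
# Drop anonymous, null, export and broken legacy ciphers.
smtp_tls_exclude_ciphers     = aNULL, eNULL, EXPORT, DES, 3DES, RC2, RC4, MD5, PSK, SRP, DSS, AECDH, ADH
smtp_tls_note_starttls_offer = yes
#
# Smtpd  (Postfix as TLS server, inbound mail)
#
smtpd_tls_loglevel            = 1
# Announce AUTH only after STARTTLS so credentials never travel in clear text.
smtpd_tls_auth_only           = yes
smtpd_tls_security_level      = may
smtpd_tls_received_header     = yes
smtpd_tls_protocols           = !SSLv2, !SSLv3
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
# The "mandatory" cipher grade only applies where TLS is enforced
# (e.g. the submission service in master.cf).
smtpd_tls_mandatory_ciphers   = medium
#smtpd_tls_CAfile              = $smtp_tls_CAfile
# Self-signed pair generated above; replace with the paid cert/key when deployed.
smtpd_tls_cert_file           = /etc/postfix/ssl/selfsigned/cert.pem
smtpd_tls_key_file            = /etc/postfix/ssl/selfsigned/privkey.pem
# DH parameters generated with "openssl dhparam" above.
smtpd_tls_dh1024_param_file   = /etc/postfix/ssl/worldcm/dh2048.pem
# NOTE(review): 512-bit DH is export-grade and unused by Postfix builds on
# OpenSSL >= 1.1.0; safe to drop unless an old build still needs it.
smtpd_tls_dh512_param_file    = /etc/postfix/ssl/worldcm/dh512.pem
tls_preempt_cipherlist = yes
tls_random_source      = dev:/dev/urandom
smtp_tls_session_cache_database  = btree:${data_directory}/smtp_scache
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
lmtp_tls_session_cache_database  = btree:${data_directory}/lmtp_scache
#
# SASL
#
smtpd_sasl_auth_enable          = yes
smtpd_sasl_type                 = dovecot
# Relative path, resolved under queue_directory.
smtpd_sasl_path                 = private/auth
# Refuse anonymous mechanisms on both plaintext and TLS sessions.
smtpd_sasl_security_options     = noanonymous
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
smtpd_sasl_local_domain         = $mydomain
smtpd_sasl_authenticated_header = yes
broken_sasl_auth_clients = yes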

Editing master.cf

#   vim /etc/postfix/master.cf

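# Submission (587): STARTTLS is required ("encrypt"), SASL is on, and only
# authenticated clients may relay - everything else is rejected.
# NOTE(review): the DH file path here (/etc/postfix/ssl/dhparams/dh2048.pem)
# differs from main.cf (/etc/postfix/ssl/worldcm/dh2048.pem); confirm which exists.
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_dh1024_param_file=/etc/postfix/ssl/dhparams/dh2048.pem
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
# SMTPS (465): implicit TLS via wrappermode, so there is no STARTTLS step.
# NOTE(review): smtpd_reject_unlisted_recipient=no turns off the unknown-recipient
# check for this service only - confirm that is intended.
465       inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_reject_unlisted_recipient=no
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject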

                      -----------------------------

#  vim /etc/dovecot/conf.d/10-ssl.conf

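# Dovecot TLS for IMAP/POP3, sharing the Postfix self-signed pair.
# The leading "<" tells Dovecot to read the value from the named file.
ssl_cert = </etc/postfix/ssl/selfsigned/cert.pem
# Private key: keep it root-readable only.
ssl_key = </etc/postfix/ssl/selfsigned/privkey.pem
# NOTE(review): ssl_dh_parameters_length was removed in Dovecot 2.3 in favour of
# "ssl_dh = </path/to/dh.pem"; confirm the installed version.
ssl_dh_parameters_length = 2048
# Forward-secret (ECDHE/DHE) AES suites with RSA authentication only.
ssl_cipher_list = EECDH+AES:EDH+AES+aRSA
ssl_prefer_server_ciphers = yes
# NOTE(review): "ssl = required" is not shown in this excerpt - confirm it is set
# so plaintext logins are refused.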

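# Apply the new TLS/SASL settings. Run "postfix check" and review "doveconf -n"
# before restarting, then confirm STARTTLS/AUTH behaviour with a test client.
$  systemctl restart postfix.service
$  systemctl restart dovecot.service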

------