On Tue, Dec 14, 2004 at 06:03:23AM +0000, [EMAIL PROTECTED] wrote:
> On Mon, 13 Dec 2004, W.Andrew Loe III said:
>
> > I am trying to figure out how to re-build my SSL certificates for
> > postfix and courier-imap. Right now my certificate for postfix has some
> > errors on it (wrong CN), but I am able to download it and set it to be
> > accepted by OS X (ends pop-ups in Mail.app). My courier-imap
> > certificate does not work in OS X, I've tried using mkimapdcert in
> > /usr/sbin/ but it is not generating certificates that are compatible
> > with OS X. Suggestions on how I can use OpenSSL to generate
> > certificates for both?
>
> i wrote a goofy script to create server certs:
try this one instead. it makes certificates which can either be used in a
postfix-tls server or in a mail client for encryption and/or relay
authentication.

(NOTE: i am far from an expert in SSL certificates. i wrote the script
after reading various HOWTOs and notes on the web. it may or may not be
the best way, or even a good way, of generating certificates. i probably
wouldn't use it where identity & authentication was important. but it
works for opportunistic encryption of mail transport and for
client-certificate based relaying)

---cut here---
#! /bin/sh
# make-postfix-cert.sh
# Craig Sanders <[EMAIL PROTECTED]> 2000-09-03
# this script is hereby placed in the public domain.

# this script assumes that you already have a CA set up, as the openssl
# default "demoCA" under the current directory. if you haven't done it
# already, run "/usr/lib/ssl/misc/CA.pl -newca" (or where the path to
# openssl's CA.pl script is on your system).
#
# then run this script like so:
#
# ./make-postfix-cert.sh hostname.your.domain.com
#
# it will create the certificate and key files for that host and put
# them into a subdirectory.

site="$1"

# refuse to run without a hostname: an empty $site would make the mkdir,
# mv and cd below operate on the wrong paths
if [ -z "$site" ]; then
    echo "usage: $0 hostname.your.domain.com" >&2
    exit 1
fi

# edit these values to suit your site.
# note: an empty value here is fed to "openssl req" as an empty line, which
# accepts the default from openssl.cnf for that field. use "." instead if
# you want the field left blank in the certificate.
COUNTRY="AU"
PROVINCE="Victoria"
LOCALITY="Melbourne"
ORGANISATION=""
ORG_UNIT=""
COMMON_NAME=$site
EMAIL="[EMAIL PROTECTED]"
OPTIONAL_COMPANY_NAME=""

# leave challenge password blank
CHALLENGE_PASSWORD=""

# generate a certificate valid for 10 years
# (probably not a good idea if you care about authentication, but should
# be fine if you only care about encryption of the smtp session)
# comment this out if you want the openssl default (1 year, usually)
DAYS="-days 3652"

# create the certificate request.
# the here-document answers the interactive prompts of "openssl req" in
# the order the default openssl.cnf asks them. -nodes leaves the private
# key unencrypted (postfix must be able to read it without a passphrase),
# and with -keyout and -out pointing at the same file newreq.pem ends up
# holding both the key and the request, which is what "openssl ca" below
# and the later "mv newreq.pem key.pem" expect.
cat <<__EOF__ | openssl req -new $DAYS -nodes -keyout newreq.pem -out newreq.pem
$COUNTRY
$PROVINCE
$LOCALITY
$ORGANISATION
$ORG_UNIT
$COMMON_NAME
$EMAIL
$CHALLENGE_PASSWORD
$OPTIONAL_COMPANY_NAME
__EOF__

# sign it with the demoCA (policy_anything: no field has to match the CA's)
openssl ca $DAYS -policy policy_anything -out newcert.pem -infiles newreq.pem || exit 1

# move it
mkdir -p "$site"
mv newreq.pem "$site/key.pem"
chmod 400 "$site/key.pem"
mv newcert.pem "$site/cert.pem"

cd "$site" || exit 1

# create server.pem for smtpd: cert, CA cert and private key in one file,
# so it must be readable by the owner only
cat cert.pem ../demoCA/cacert.pem key.pem >server.pem
chmod 400 server.pem

# create fingerprint file (used for relay_clientcerts, see below)
openssl x509 -fingerprint -in cert.pem -noout > fingerprint

# uncomment to create pkcs12 certificate for netscape
# (probably not needed)
#openssl pkcs12 -export -in cert.pem -inkey key.pem \
#   -certfile ../demoCA/cacert.pem -name "$site" -out cert.p12

cd ..
---cut here---

run it like so:

./make-postfix-cert.sh FQDN

you should use the server's announced FQDN host-name as the server name
in the certificate.

once the cert has been created, copy $site/*.pem and demoCA/cacert.pem
into /etc/postfix on the target system. and add the following to
/etc/postfix/main.cf to enable TLS encryption.
---cut here---
smtpd_tls_cert_file = /etc/postfix/server.pem
smtpd_tls_key_file = $smtpd_tls_cert_file
smtpd_tls_CAfile = /etc/postfix/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_use_tls = yes

smtp_tls_CAfile = /etc/postfix/cacert.pem
smtp_tls_CApath = /etc/postfix/certs
smtp_tls_loglevel = 1
smtp_use_tls = yes
smtp_tls_per_site = hash:/etc/postfix/tls_per_site
smtp_tls_note_starttls_offer = yes

tls_random_source = dev:/dev/urandom
tls_daemon_random_source = dev:/dev/urandom
---cut here---

then:

echo ". MAY" >/etc/postfix/tls_per_site
postmap hash:/etc/postfix/tls_per_site
mkdir /etc/postfix/certs
/etc/init.d/postfix restart

tls_per_site allows you to control which remote sites are offered TLS
and which are not. useful because some sites have broken implementations
so you need to disable TLS for them.

if you want postfix to verify remote certs, you can put CA certs for
them into /etc/postfix/certs. this is not strictly necessary -
encryption works fine without cert verification.

i run this as a matter of routine whenever i create a new mail host in
my domain. if i'm doing it for a new domain, i copy the script to
somewhere else (usually to somewhere on the target system) and create a
new demoCA for that domain, and then run the script there for all hosts
and relay clients in that domain.

finally, to allow a client with a known cert to relay through postfix,
first generate the cert just as if for a server, and then install the
cert into the client (details vary according to the client).

run it like so:

./make-postfix-cert.sh USERNAME

you can use pretty much anything as the USERNAME.

to set up a postfix server to allow cert based relaying:

1. add "relay_clientcerts = hash:/etc/postfix/relay_clientcerts" to main.cf

2. add "permit_tls_clientcerts" to "smtpd_recipient_restrictions" in
   main.cf (immediately after "permit_mynetworks" is a good place).

3. add $site/fingerprint to /etc/postfix/relay_clientcerts

4. postmap hash:/etc/postfix/relay_clientcerts

5. "/etc/init.d/postfix reload" if this is the first time

craig

-- 
craig sanders <[EMAIL PROTECTED]> (part time cyborg)
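A post-generation check for the $site directory the script above creates, as an added example that is not part of Craig's mail: it confirms the cert chains to the demoCA, that its CN is the announced FQDN, that key.pem really belongs to cert.pem, that server.pem (which carries the private key) is owner-only readable, and it prints a relay_clientcerts line in the format Postfix looks up (bare fingerprint, then an identifier; the "XXX Fingerprint=" prefix openssl writes into the fingerprint file is not part of the key). The file layout is the script's; the sha256 default and the digest having to match what smtpd uses (smtpd_tls_fingerprint_digest on newer Postfix, MD5 on old releases) are assumptions you should check against your Postfix version.

```shell
#!/bin/sh
# check-postfix-cert.sh (added example; assumes the $site/ layout that
# make-postfix-cert.sh produces: cert.pem, key.pem, server.pem, plus the
# CA certificate, normally demoCA/cacert.pem)

# check_postfix_cert DIR CAFILE FQDN
# returns 0 only if the cert chains to CAFILE, its CN equals FQDN, the key
# in DIR/key.pem belongs to the cert, and server.pem is owner-only readable.
check_postfix_cert() {
    dir="$1"; ca="$2"; fqdn="$3"
    # 1. chain: the leaf must verify against our own CA
    openssl verify -CAfile "$ca" "$dir/cert.pem" >/dev/null 2>&1 ||
        { echo "$dir/cert.pem does not verify against $ca" >&2; return 1; }
    # 2. identity: subject CN must be the hostname the server announces
    cn=$(openssl x509 -in "$dir/cert.pem" -noout -subject -nameopt RFC2253 |
        sed -n 's/.*CN=\([^,]*\).*/\1/p')
    [ "$cn" = "$fqdn" ] ||
        { echo "CN is '$cn', expected '$fqdn'" >&2; return 1; }
    # 3. key/cert match: the public key derived from each file must agree
    #    (key.pem may also hold the CSR; openssl skips non-key PEM blocks)
    cpub=$(openssl x509 -in "$dir/cert.pem" -noout -pubkey 2>/dev/null)
    kpub=$(openssl pkey -in "$dir/key.pem" -pubout 2>/dev/null)
    [ -n "$kpub" ] && [ "$cpub" = "$kpub" ] ||
        { echo "key.pem does not match cert.pem" >&2; return 1; }
    # 4. server.pem contains the private key: no group/other read bits
    [ -f "$dir/server.pem" ] &&
        [ -z "$(find "$dir/server.pem" \( -perm -040 -o -perm -004 \))" ] ||
        { echo "server.pem missing or readable by group/other" >&2; return 1; }
    return 0
}

# relay_clientcerts_entry CERT DIGEST NAME
# prints "<fingerprint> <name>", the line format of relay_clientcerts:
# the "... Fingerprint=" prefix openssl prints is stripped, and DIGEST
# must be the digest smtpd uses (assumption: smtpd_tls_fingerprint_digest).
relay_clientcerts_entry() {
    fp=$(openssl x509 -in "$1" -noout -fingerprint "-$2" | sed 's/^[^=]*=//')
    [ -n "$fp" ] || return 1
    printf '%s %s\n' "$fp" "$3"
}

# stand-alone use: check-postfix-cert.sh SITEDIR CAFILE FQDN [DIGEST]
if [ $# -ge 3 ]; then
    check_postfix_cert "$1" "$2" "$3" &&
        relay_clientcerts_entry "$1/cert.pem" "${4:-sha256}" "$3"
fi
```

Run it from the directory that holds demoCA, e.g. ./check-postfix-cert.sh mail.example.com demoCA/cacert.pem mail.example.com, and paste the printed line into /etc/postfix/relay_clientcerts before running postmap.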