Thanks for the response Viktor...
On 4/18/2014 2:20 PM, Viktor Dukhovni <postfix-us...@dukhovni.org> wrote:
> On Fri, Apr 18, 2014 at 02:06:20PM -0400, Charles Marcus wrote:
>> Ok, been wanting to do this for a while, and after the Heartbleed fiasco,
>> the boss finally agreed to let me buy some real certs...
>> Until now, we've been using self-signed certs with the following postfix
>> settings:
>> smtpd_tls_cert_file = /etc/ssl/ourCerts/smtp_crt.pem
>> smtpd_tls_key_file = /etc/ssl/ourCerts/smtp_key.pem
> You seem to know how to specify a private-key / public-key-certificate
> chain pair...
Well... I did this a looong time ago, and probably stumbled badly...
I would say I am capable of following detailed instructions *usually*
without making a mistake, but I also don't really understand this stuff...
I don't even know the difference between a .pem and .crt, and definitely
don't have a clue when it comes to chaining certs or anything.
I'm trying to follow the instructions from RapidSSL, but they only
specifically document installs for web servers, and I did find an old
knowledgebase article about installing them for dovecot...
Here are their instructions in the email I got with my cert (obviously
NOT included):
1. INSTALL CERTIFICATE:
Install the X.509 version of your certificate included at the end of this
e-mail.
For installation instructions for your SSL Certificate, go to:
https://knowledge.rapidssl.com/support/ssl-certificate-support/index?page=content&id=SO16226
2. INTERMEDIATE CERTIFICATE ADVISORY:
You MUST install the RapidSSL intermediate Certificate on your server together
with your Certificate or it may not operate correctly.
** MICROSOFT IIS and TOMCAT USERS
Microsoft and Tomcat users are advised to download a PKCS #7 formatted
certificate from the GeoTrust User Portal:
https://products.geotrust.com/orders/orderinformation/authentication.do. PKCS #7
is the default format used by these vendors during installation and includes
the intermediate CA certificate.
You can get your RapidSSL Intermediate Certificates at:
https://knowledge.rapidssl.com/support/ssl-certificate-support/index?page=content&id=AR1548
I've downloaded the 'Intermediate Bundle' at the above link, and that is what I
named RapidSSL_Intermediate.crt and referenced for the smtpd_tls_CAfile.
>> Now, I've created new keys/certs and the CSR, got the new certs from
>> RapidSSL (and also downloaded their Intermediate bundle), but can't find any
>> docs for installing with postfix.
> http://www.postfix.org/TLS_README.html#server_cert_key
Thanks, but, honestly, that is all over my head...
I did find some random stuff on the internet (ugh), which is why I'm asking
for confirmation here...
>> smtpd_tls_cert_file = /etc/ssl/ourNewCerts/smtp.ourdomain.com.crt
>> smtpd_tls_key_file = /etc/ssl/ourNewCerts/smtp.ourdomain.com.key
>> smtpd_tls_CAfile = /etc/ssl/ourNewCerts/RapidSSL_Intermediate.crt
> No. The correct approach is at:
> http://www.postfix.org/TLS_README.html#server_cert_key
>     With legacy public CA trust verification, you can omit the root
>     certificate from the "server.pem" certificate file. If the
>     client trusts the root CA, it will already have a local copy
>     of the root CA certificate. Omitting the root CA certificate
>     reduces the size of the server TLS handshake.
>     % cat server_cert.pem intermediate_CA.pem > server.pem
> linked from:
> http://www.postfix.org/TLS_README.html#server_tls
> linked from the top set of topic links in:
> http://www.postfix.org/TLS_README.html
Thanks again, Viktor, but again, that is all over my head.
--
Best regards,
Charles
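As an added example (not code from this thread, from Postfix, or from RapidSSL), this script performs the server.pem assembly step the TLS_README excerpt above describes and then runs the checks worth doing before pointing smtpd_tls_cert_file at the result. The throwaway root/intermediate/leaf CA and every file name under $WORK are constructed for the demo; in practice the leaf is the certificate from the CA's e-mail and the intermediate is the downloaded bundle.

```shell
#!/bin/sh
# Added example, not from the thread or Postfix: build server.pem as
# TLS_README describes (leaf cert first, intermediate next, root omitted)
# and check it before pointing smtpd_tls_cert_file at it.
# Everything under $WORK, including the demo CA hierarchy, is constructed.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# Throwaway root -> intermediate -> leaf PKI so the example runs offline.
make_demo_pki() (
  cd "$WORK"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr -subj '/CN=Demo Root CA' 2>/dev/null
  openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext -days 2 -out root.pem 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -keyout int.key -out int.csr -subj '/CN=Demo Intermediate CA' 2>/dev/null
  openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial -extfile ca.ext -days 2 -out intermediate.pem 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -keyout smtp.key -out smtp.csr -subj '/CN=smtp.example.com' 2>/dev/null
  openssl x509 -req -in smtp.csr -CA intermediate.pem -CAkey int.key -CAcreateserial -days 2 -out smtp.crt 2>/dev/null
)

# server.pem = leaf certificate, then the intermediate bundle; the root stays out.
assemble_chain() { cat "$1" "$2" > "$3"; }   # args: leaf, intermediate bundle, output

# The private key must belong to the FIRST certificate in server.pem (order matters).
key_matches_cert() {   # args: server.pem, key file
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# The first cert must chain to the trusted root via the certs that follow it.
chain_verifies() {     # args: server.pem, root CA file
  openssl x509 -in "$1" -out "$WORK/first.pem" 2>/dev/null   # x509 reads only the first cert
  openssl verify -CAfile "$2" -untrusted "$1" "$WORK/first.pem" >/dev/null 2>&1
}

cert_count() { grep -c 'BEGIN CERTIFICATE' "$1"; }

make_demo_pki
assemble_chain "$WORK/smtp.crt" "$WORK/intermediate.pem" "$WORK/server.pem"
key_matches_cert "$WORK/server.pem" "$WORK/smtp.key" || { echo 'key does not match first cert'; exit 1; }
chain_verifies "$WORK/server.pem" "$WORK/root.pem" || { echo 'chain does not verify'; exit 1; }
echo "server.pem OK: $(cert_count "$WORK/server.pem") certs (leaf + intermediate, no root)"
```

A server.pem with the intermediate pasted first still passes the chain check (the intermediate itself verifies against the root), so it is the key check that catches the ordering mistake.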