[opensuse] Help with mail server Certs - Again
Hi all,

Wow, the lists sure are slow these days.

I set up my new email server over the weekend, and have plain text logins working fine. I need to set up my certs to allow TLS/SSL for internet email access. I've had problems doing this in the past and could use some concise guidance with this.

What I'd like to do is issue a self signed cert for imap and smtp. I suppose I could just issue a cert, but would rather it be signed.

Here is what I tried over the weekend with no success, I keep getting timed out accessing via Thunderbird (on the local machine).

$>mkdir /etc/postfix/ssl
$>cd /etc/postfix/ssl/
$>openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024
$>chmod 600 smtpd.key
$>openssl req -new -key smtpd.key -out smtpd.csr
$>openssl x509 -req -days 3650 -in smtpd.csr -signkey smtpd.key -out smtpd.crt
$>openssl rsa -in smtpd.key -out smtpd.key.unencrypted
$>mv -f smtpd.key.unencrypted smtpd.key
$>openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650

Any help most welcome.

Thanks,
Jim
On Mon, Nov 23, 2009 at 10:05:14AM -0600, Jim Flanagan wrote:
> I set up my new email server over the weekend, and have plain text logins working fine. I need to set up my certs to allow TLS/SSL for internet email access. I've had problems doing this in the past and could use some concise guidance with this.
>
> What I'd like to do is issue a self signed cert for imap and smtp. I suppose I could just issue a cert, but would rather it be signed.
Please give the YaST CA module a try. It allows you to set up your own Certification Authority which even goes beyond one single cert.

An alternative might be to use something like http://www.cacert.org/

I bet there are many pros and cons available from the net.

Lars
--
Lars Müller [ˈlaː(r)z ˈmʏlɐ]
Samba Team
SUSE Linux, Maxfeldstraße 5, 90409 Nürnberg, Germany
Lars Müller wrote:
> On Mon, Nov 23, 2009 at 10:05:14AM -0600, Jim Flanagan wrote:
>> I set up my new email server over the weekend, and have plain text logins working fine. I need to set up my certs to allow TLS/SSL for internet email access. I've had problems doing this in the past and could use some concise guidance with this.
>>
>> What I'd like to do is issue a self signed cert for imap and smtp. I suppose I could just issue a cert, but would rather it be signed.
>
> Please give the YaST CA module a try. It allows you to set up your own Certification Authority which even goes beyond one single cert.
>
> An alternative might be to use something like http://www.cacert.org/ I bet there are many pros and cons available from the net.
>
> Lars
I tried that, but I'm not EXACTLY clear on what I'm doing here. I do like the automation of this very much.

What I want to wind up with is a self signed cert for both smtp and imap for mail.jjfiii.com, preferably only one cert, that does not require a password and is not encrypted so email clients can connect with no hassle, just import the cert once.

I made 2 Certificate Authorities, one for jjfiii.com (for making certs for Apache after I get my email set up right) and another for mail.jjfiii.com. Now that I'm writing this that seems redundant. In any case that process forced me to insert a password.

Then I selected the mail.jjfiii.com CA and entered it, giving password. (I suppose I only need one CA for my little home server, and that the jjfiii.com CA can make a mail.jjfiii.com cert?)

Then I created a server certificate, but was unclear as to the options about encrypting, password, which options to export etc. Then I created a CSR and signed it. Unclear again here about what options to use to export.

I wound up with one smtpd.crt, no smtpd.key, or cacert.pem or cakey.pem. That obviously didn't work.

I'll take another try at it again. Meantime would welcome any pointers here. As you can tell I'm not an expert on this, but understand the need to keep my server (and remote email logins) private and secure. Small as this little setup is.

I'm really liking 11.2. As with everything new it takes a while to get used to, but so far so good.

Many thanks,
Jim
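An added example, not part of the thread or of any poster's setup: the openssl commands in the first message self-sign smtpd.crt with -signkey and then create a CA that never signs anything, whereas the goal described above (one CA certificate imported by clients, one passphrase-free server certificate) needs the CA to sign the server's CSR. The function names, the CA subject, the 2048-bit keys and the lifetimes are assumptions; the file names follow the thread.

```shell
#!/bin/sh
# Added example (not from the thread). Names, lifetimes and key sizes are assumptions.

# issue_mail_cert DIR HOST: create a private CA in DIR, then a CA-signed,
# passphrase-free server key and certificate for HOST.
issue_mail_cert() {
    mkdir -p "$1" || return 1
    (
        cd "$1" || exit 1
        host=$2
        umask 077    # private keys readable by their owner only

        # Minimal config so the result does not depend on the system openssl.cnf.
        printf '%s\n' '[req]' 'distinguished_name = dn' 'x509_extensions = v3_ca' \
            'prompt = no' '[dn]' 'CN = Example Home CA' '[v3_ca]' \
            'basicConstraints = critical,CA:TRUE' \
            'keyUsage = critical,keyCertSign,cRLSign' > ca.cnf

        # 1. CA key and self-signed CA certificate. cacert.pem is the one file
        #    mail clients import. -nodes keeps this demo non-interactive; a
        #    real CA key should keep its passphrase.
        openssl req -new -x509 -nodes -newkey rsa:2048 -sha256 -days 3650 \
            -config ca.cnf -keyout cakey.pem -out cacert.pem 2>/dev/null || exit 1

        # 2. Server key without a passphrase (daemons start unattended) and CSR.
        openssl req -new -nodes -newkey rsa:2048 -sha256 -config ca.cnf \
            -subj "/CN=$host" -keyout smtpd.key -out smtpd.csr 2>/dev/null || exit 1

        # 3. The CA signs the CSR (-CA/-CAkey instead of -signkey); the SAN
        #    carries the host name that clients compare against.
        printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' \
            "$host" > server.ext
        openssl x509 -req -in smtpd.csr -CA cacert.pem -CAkey cakey.pem \
            -CAcreateserial -sha256 -days 365 -extfile server.ext \
            -out smtpd.crt 2>/dev/null || exit 1

        chmod 644 cacert.pem smtpd.crt    # certificates are public
        rm -f smtpd.csr server.ext ca.cnf
    )
}

# check_mail_cert DIR HOST: succeeds only if smtpd.crt chains to cacert.pem,
# names HOST, and carries the same public key as smtpd.key.
check_mail_cert() {
    (
        cd "$1" || exit 1
        openssl verify -CAfile cacert.pem -verify_hostname "$2" smtpd.crt \
            >/dev/null 2>&1 || exit 1
        [ "$(openssl x509 -in smtpd.crt -noout -pubkey)" = \
          "$(openssl pkey -in smtpd.key -pubout)" ]
    )
}
```

Of the four files left in DIR, only cacert.pem goes to clients; cakey.pem and smtpd.key stay on the server with owner-only permissions.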