Mail server - secure connection, creating the SSL cert

The previous article looked at saslauthd. Now we need to concentrate on the certificate the mail server will present when clients open a secure connection to send or retrieve mail.

This works on the same principles as a secure port (HTTPS) on a website: the server presents a certificate, and the client checks that a trusted authority signed it and that its name matches the server the client was asked to connect to. Let's start the process by creating a new SSL certificate.


Self signed

Note that we will be creating a self-signed certificate, one that no certificate authority has vouched for, so your mail client (Mail, Thunderbird, Outlook, etc.) will warn that it cannot verify the certificate.

That is acceptable if you are the only user of the mail server: compare the fingerprint shown in the warning with the fingerprint of the certificate on the server and, if they match, accept the certificate permanently; the client will then only warn again if the certificate changes. If other people or clients use the mail server you will need to purchase a certificate signed by an authority their clients already trust, as they have no reliable way to verify a self-signed one.

Create

Let's go ahead and create the certificate.

We're going to place the certificate in the default certificate folder in Ubuntu Hardy: /etc/ssl/certs.

You can place it in the postfix folder if you prefer. Whichever folder you choose, remember that make-ssl-cert writes the private key into the same file as the certificate, so the file must be readable by root only. /etc/ssl/certs normally holds public certificates that any user may read, so check the permissions of the new file once it has been created and tighten them if necessary.

sudo make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /etc/ssl/certs/mailcert.pem

You will be asked a series of questions regarding the details for the certificate. Depending on the version of the ssl-cert package, some or all of the questions other than the hostname may be skipped and the values filled in from the template instead.

I answered as follows:

Country Name - GB

State or Province - Nottinghamshire

Locality name - Nottingham

Organisation Name - PickledOnion Ltd

Organisational Unit Name - Mail

Hostname - mail.demoslice.com

Email address - admin@demoslice.com

Note it is important that the Hostname matches the name your mail clients will be configured to connect to, in this case mail.demoslice.com. It becomes the certificate's Common Name, and a client that connects using a different name will raise a further warning even after you have accepted the self-signed certificate. If you were not prompted for it, check the Common Name of the finished certificate before using it.

Certificate

Now we have a self-signed certificate, together with its private key, in a single file located here:

/etc/ssl/certs/mailcert.pem

We will use this path when configuring Postfix to use it for our secure connections. Because the file contains the private key, it should be readable by root only.
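As an added example, not code from the original article, here is the same job done with openssl directly (the tool make-ssl-cert wraps), writing the private key and the certificate to separate files rather than one combined file, and then checking what was produced: the Common Name, a subjectAltName carrying the same hostname (newer clients check that extension rather than the CN), the expiry, that the key really belongs to the certificate, and that the key file is readable only by its owner. The subject fields are copied from the answers above; the output directory, the lifetime in days and the use of mail.demoslice.com are the caller's choices and are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the original article: create a self-signed
# mail-server certificate with openssl (which make-ssl-cert wraps), keeping
# the private key in its own owner-only file, then check the result.
# Assumed from the caller: output directory, hostname and lifetime in days.
set -eu

# make_mail_cert DIR HOST DAYS
# Writes DIR/mailcert.key (mode 0600) and DIR/mailcert.pem (mode 0644).
# HOST goes into the Common Name and into a subjectAltName, so both older
# clients (which check the CN) and newer ones (which check the SAN) match it.
make_mail_cert() {
    dir=$1; host=$2; days=$3
    cnf="$dir/mailcert.cnf"
    # Subject fields copied from the article's answers; only CN is host-specific.
    cat > "$cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
C = GB
ST = Nottinghamshire
L = Nottingham
O = PickledOnion Ltd
OU = Mail
CN = $host
emailAddress = admin@demoslice.com
[ext]
subjectAltName = DNS:$host
EOF
    # umask 077 in a subshell: the key file is never world-readable, even briefly.
    (umask 077 && openssl genrsa -out "$dir/mailcert.key" 2048 2>/dev/null)
    openssl req -new -x509 -sha256 -key "$dir/mailcert.key" -config "$cnf" \
        -days "$days" -out "$dir/mailcert.pem"
    chmod 644 "$dir/mailcert.pem"
    rm -f "$cnf"
}

# cert_cn FILE: print the certificate's Common Name (the name clients must use).
cert_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# cert_has_san FILE HOST: succeed if HOST is listed as a DNS subjectAltName.
cert_has_san() {
    openssl x509 -noout -text -in "$1" | grep -q "DNS:$2"
}

# cert_valid_for_days FILE DAYS: succeed only if FILE does not expire within
# DAYS; catches a certificate that was given a very short lifetime.
cert_valid_for_days() {
    openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null
}

# cert_fingerprint FILE: print the SHA-256 fingerprint, to compare with the
# one your mail client shows in its warning before you accept the certificate.
cert_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$1"
}

# key_matches_cert KEY CERT: succeed if the private key belongs to the cert
# (same RSA modulus); a mismatched pair is useless to Postfix.
key_matches_cert() {
    k=$(openssl rsa -noout -modulus -in "$1" | openssl md5)
    c=$(openssl x509 -noout -modulus -in "$2" | openssl md5)
    [ "$k" = "$c" ]
}

# key_is_private KEY: succeed if only the owner can read the key file.
key_is_private() {
    [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}

# Usage: sh mailcert.sh /etc/postfix mail.demoslice.com 365
if [ $# -ge 2 ]; then
    make_mail_cert "$1" "$2" "${3:-365}"
    echo "CN: $(cert_cn "$1/mailcert.pem")"
    cert_fingerprint "$1/mailcert.pem"
    openssl x509 -noout -enddate -in "$1/mailcert.pem"
fi
```

Run it as root with the directory you want the files in; the key and certificate paths it prints are the two values the Postfix configuration will need. The check functions can be run on their own against any existing certificate, including one produced by make-ssl-cert, to confirm the Common Name and lifetime before you point Postfix at it.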

Summary

Using secure connections is an important part of running a mail server. Creating a self-signed certificate is an easy process, but it does produce a warning when used because no trusted authority has signed it.

You will need to purchase a certificate if you are to host other people's mail or have other people access the mail server.

The next article looks at configuring Postfix to utilise our certificate for secure connections.

PickledOnion

Article Comments:

Sipskin commented Sat Oct 11 15:06:48 UTC 2008:

Where would be the best place to get a cheap certificate from?

Scott Moody commented Mon Oct 13 21:28:33 UTC 2008:

Godaddy has the best prices from what I've seen.

Will commented Sat Jan 31 17:34:40 UTC 2009:

Why can't you use an openssl certificate? If you can, how would you go about doing that?

Austin commented Sat Feb 21 10:20:19 UTC 2009:

Will: make-ssl-cert is just a script that uses OpenSSL

Musfuut commented Mon Mar 09 05:36:29 UTC 2009:

One limitation of the make-ssl-cert command is that the cert will expire in 30 days. I wrote a wiki page explaining how to create a long term cert.

http://wiki.slicehost.com/doku.php?id=sslcerts

I hope someone finds it helpful :)

Brian Armstrong commented Mon May 18 22:54:45 UTC 2009:

I use the GoDaddy cert, works just fine.

I left a comment in the next article with some more details: http://articles.slicehost.com/2008/9/2/mail-server-secure-connection-configuring-postfix

moped commented Fri May 29 04:16:06 UTC 2009:

on debian, i used this command to create a key and cert:

cd /etc/postfix

openssl req -new -outform PEM -out smtpd.cert -newkey rsa:2048 -nodes -keyout smtpd.key -keyform PEM -days 365 -x509

then followed the instructions on the next page for a separate key and cert.

Moped commented Fri May 29 04:20:12 UTC 2009:

that's two separate commands:

cd /etc/postfix;

openssl req -new -outform PEM -out smtpd.cert -newkey rsa:2048 -nodes -keyout smtpd.key -keyform PEM -days 365 -x509

Matt commented Sun Jun 14 21:49:58 UTC 2009:

I wasn't prompted to answer any questions. Is that a difference between Hardy and Intrepid, or have I done something incorrectly?

Brian Armstrong commented Fri Jul 31 23:24:56 UTC 2009:

I also wasn't prompted to answer any questions this time through. Not sure why.

Morgan Croney commented Sat Sep 12 12:36:31 UTC 2009:

Matt/Brian: I am on Jaunty and also was not asked the additional questions.

Svetlana commented Thu Oct 29 00:08:40 UTC 2009:

I also wasn't prompted to answer any questions

Erik Barber commented Mon Dec 21 17:00:15 UTC 2009:

I would like to see an example of using a paid CA cert in your creating a SSL cert.
