CentOS - Mail Server - Secure Connection, Creating the SSL Certificate
The previous article looked at Saslauthd. Now let's concentrate on the SSL certificate we'll use for secure connections to our mail server.
The principles involved are the same ones we employed when setting up a secure website (HTTPS). The first step is the creation of a new SSL certificate.
Self signed
Note that we will be creating a self-signed certificate, which will produce a warning in your mail client (Mail, Thunderbird, Outlook, etc.).
However, it will be fine if you are the only user of the mail server. You will need to purchase a valid certificate if other people or clients are using it as well.
Crypto-Utils
To generate the certificate we'll use the 'genkey' command. This command is part of the crypto-utils package and can be installed as follows:
sudo yum install crypto-utils
Good.
Create
Now we can create the certificate key pair:
sudo genkey --days 3650 mail.demoslice.com
You can see that we used 3650 as the number of days the certificate will remain valid, so that our SSL certificate won't expire anytime soon.
An on-screen prompt will appear stating where our finished key and certificate files will be stored.

Select the Next option and hit the ENTER/RETURN key to move to the next screen, where we choose the key size. Let's stick with the default key size of 1024 bits.
After selecting Next, we will see a progress screen while the key is being generated. Note that it may take some time before the key is fully generated.

We are not going to send a Certificate Signing Request (CSR) to a Certificate Authority (CA) so select No when asked.
You will then be asked a series of questions needed to complete the details of the certificate.
My answers are as follows:

Note that it is important that the Hostname matches the mail server's hostname. In this case it's mail.demoslice.com.
Finally, we have the option to encrypt our private key. We want to skip this step, as setting a passphrase on the key would require us to enter it every time the mail server is restarted, which is not very practical.
Done.
Certificate
The self-signed certificate key pair should now be found in the locations we noted earlier:
/etc/pki/tls/certs/mail.demoslice.com.cert
/etc/pki/tls/private/mail.demoslice.com.key
We will need these details when configuring Postfix for use with our secure connections.
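As an added check that is not part of the original article, the following shell script verifies that the pair genkey wrote is usable before Postfix is pointed at it: the private key belongs to the certificate, the CN equals the mail server hostname (the point made above), the certificate is not close to expiry, and the key size is reported. It assumes the openssl command-line tool is installed; the make_demo_pair helper is a constructed stand-in for genkey output so the checks can be tried on any machine.

```shell
#!/bin/sh
# Added example, not part of the original article: sanity-check the key pair
# genkey wrote before handing it to Postfix. Assumes the openssl CLI is installed.
# Default paths on the real server are the ones listed above under /etc/pki/tls.

# Subject common name of a certificate (handles old "/CN=x" and new "CN = x" output).
cert_cn() {
    openssl x509 -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Public key size in bits, read from the certificate.
cert_bits() {
    openssl x509 -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# True when the private key's public half is the one embedded in the certificate.
key_matches() {
    c=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# check_pair CERT KEY HOSTNAME: report each finding; exit status 0 only if all pass.
check_pair() {
    cert=$1; key=$2; host=$3; rc=0
    if key_matches "$cert" "$key"; then echo "ok: key matches certificate"
    else echo "FAIL: key does not belong to certificate"; rc=1; fi
    cn=$(cert_cn "$cert")
    if [ "$cn" = "$host" ]; then echo "ok: CN is $host"
    else echo "FAIL: CN '$cn' differs from hostname '$host' (clients will reject it)"; rc=1; fi
    # Still valid for at least another 30 days (2592000 seconds).
    if openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null; then echo "ok: not expiring within 30 days"
    else echo "FAIL: certificate expired or expiring within 30 days"; rc=1; fi
    bits=$(cert_bits "$cert")
    if [ "${bits:-0}" -ge 2048 ]; then echo "ok: ${bits}-bit key"
    else echo "WARN: ${bits}-bit key is below the 2048-bit minimum current clients expect"; fi
    return $rc
}

# Constructed stand-in for genkey output so the checks can be tried anywhere:
# a throwaway self-signed pair with the article's hostname, in a temp directory.
make_demo_pair() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=mail.demoslice.com" \
        -keyout "$dir/mail.demoslice.com.key" -out "$dir/mail.demoslice.com.cert" 2>/dev/null
    echo "$dir"
}

# On the real server:
# check_pair /etc/pki/tls/certs/mail.demoslice.com.cert /etc/pki/tls/private/mail.demoslice.com.key mail.demoslice.com
```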
Summary
Using secure connections is an important part of running a mail server. Creating a self-signed certificate is an easy process when combined with the genkey command, but it does produce a warning when used.
You will need to purchase a certificate if you plan to host other people's mail or have other people accessing the mail server.
The next article looks at configuring Postfix to utilize our certificate for secure connections.

