Postfix: A self signed certificate or CSR.

To create a certificate to be used by Postfix use:

openssl req -new -x509 -days 3650 -nodes -out /etc/ssl/certs/postfix.pem -keyout /etc/ssl/private/postfix.pem

Do not forget to set the permissions on the private key so that no unauthorized people can read it:

chmod o= /etc/ssl/private/postfix.pem

You will have to tell Postfix where to find your certificate and private key because by default it will look for a dummy certificate file called “ssl-cert-snakeoil”:

postconf -e smtpd_tls_cert_file=/etc/ssl/certs/postfix.pem
postconf -e smtpd_tls_key_file=/etc/ssl/private/postfix.pem

To check that the running Postfix accepts TLS connections and serves the certificate correctly, you can simply enter:

openssl s_client -connect localhost:smtps | tee /tmp/smtps.check (then enter quit)

Then you can run

less /tmp/smtps.check

to check the SSL certificate, the certificate chain and so on. The same works for Dovecot:

openssl s_client -connect localhost:imaps | tee /tmp/imaps.check (then enter QUIT)
openssl s_client -connect localhost:pop3s | tee /tmp/pop3s.check (then enter QUIT)
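As an added example (not from the original post), the POSIX shell functions below pull the lines worth checking out of a saved s_client transcript such as /tmp/smtps.check: how many certificates the server sent, the negotiated protocol and cipher, whether the depth-0 certificate is self-signed, and the verify return code. The function names are my own and the embedded transcript is constructed to match the self-signed certificate created above.

```shell
#!/bin/sh
# Added example, not part of the original post: summarise an `openssl s_client`
# transcript such as /tmp/smtps.check instead of paging through it. Each
# function takes the transcript path and prints one value (grep/sed/awk only).

chain_length()  { grep -c '^ *[0-9][0-9]* s:' "$1"; }      # certs the server sent
tls_protocol()  { sed -n 's/^ *Protocol *: *//p' "$1" | head -n 1; }
tls_cipher()    { sed -n 's/^ *Cipher *: *//p' "$1" | head -n 1; }
verify_code()   { sed -n 's/.*Verify return code: \([0-9]*\).*/\1/p' "$1"; }

# "yes" when the depth-0 certificate's subject equals its issuer, which is what
# the -x509 self-signed certificate created above looks like on the wire.
leaf_self_signed() {
  awk '/^ *0 s:/ { sub(/^ *0 s:/, ""); s = $0
                   getline; sub(/^ *i:/, "")
                   r = (s == $0) ? "yes" : "no"; print r; exit }' "$1"
}

# Map the OpenSSL verify return code to the action it calls for.
verdict() {
  code=$(verify_code "$1")
  case "$code" in
    0)  echo "chain verified against the local CA store" ;;
    18) echo "self-signed certificate (expected for the -x509 certificate above)" ;;
    20) echo "unable to get local issuer certificate (CA root not installed)" ;;
    *)  echo "verification failed, code $code" ;;
  esac
}

# Constructed sample transcript, trimmed to the lines the functions read.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
Certificate chain
 0 s:/CN=mail.example.com
   i:/CN=mail.example.com
---
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Verify return code: 18 (self signed certificate)
---
EOF

printf 'chain: %s cert(s), %s, %s\nself-signed: %s\nverdict: %s\n' \
  "$(chain_length "$SAMPLE")" "$(tls_protocol "$SAMPLE")" "$(tls_cipher "$SAMPLE")" \
  "$(leaf_self_signed "$SAMPLE")" "$(verdict "$SAMPLE")"
```

Run it against the real capture with the same functions, e.g. `verdict /tmp/smtps.check`; a code of 20 after installing a CA-signed certificate means the root certificate is not in the CA store that s_client consulted.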


See for Dovecot SSL configuration. Dovecot requires the *.pem extension on all of the files it uses, including the key file. You can use an OpenSSL utility to make the *.pem file if you have a key file. As it says on that Dovecot documentation page, “The key file’s permissions should be restricted to only root (and possibly ssl-certs group or similar if your OS uses such). Dovecot opens both of these files while still running as root, so you don’t need to give Dovecot any special permissions to read them (in fact: do not give dovecot user any permissions to the key file).” So, chown and chgrp to root and chmod to 0400 for the key file and you should be good to go for Dovecot.

If you are using some other MTA (like Postfix), your mileage may vary… I’ve been using Dovecot for a while now.

Creating a CSR for Postfix

Creating a CSR for Postfix is exactly like creating a CSR for Apache installations using OpenSSL.
Generate a private key and a public Certificate Signing Request (CSR) by using the following command:

openssl req -new -newkey rsa:4096 -nodes -keyout *.key -out *.csr

This creates two files. The file myserver.key is the private key; protect it carefully. In particular, be sure to back up the private key, as there is no way to recover it should it be lost. The private key is integral to the SSL process.

Entering data for the CSR

You will now be asked to enter data for your CSR. Please enter your company’s location information into the country, state, and locality fields.

If you are an international customer in a country which does not have states, you may use your country name in the state field.

Please spell out all state and city names. For example, if your company is in Texas, please use “Texas” rather than “TX”.

When you arrive at the step which asks for your organization’s name, please use your company’s full name, including any suffixes such as “Inc” or “LLC”. You may specify a company department, or simply “Web” in the organizational unit field.

For the common name, this is where you enter the full web address of your site. For example, and are acceptable while is not. If your certificate is for an intranet server, you may use the name of the server on your internal network. When ordering a Wildcard SSL Certificate use the form *

You will now have the opportunity to set a password for the private key. If you do choose to set a password, your private key will be useless if you forget the password. In addition, you will be required to provide this password to Apache each time it starts.

Now that your CSR is ready, you can copy and paste the contents of the CSR file.

You should also verify the content of the request with:

openssl req -in /etc/postfix/tls/*.csr -text -verify -noout

Additional steps:

1. Create the directory for the TLS files, accessible to root only:
mkdir /etc/postfix/tls
chown root:root /etc/postfix/tls
chmod 0500 /etc/postfix/tls
cd /etc/postfix/tls

2. Restrict the private key and the CSR to root:
chown root:root /etc/postfix/tls/*.key
chmod 0400 /etc/postfix/tls/*.key
chown root:root /etc/postfix/tls/*.csr
chmod 0400 /etc/postfix/tls/*.csr

3. The certificate:
chown root:postfix /etc/postfix/tls/*.cert
chmod a=r /etc/postfix/tls/*.cert

You can check the contents of this file with
openssl x509 -in /etc/postfix/tls/*.cert -text -noout

4. The root certificate of the CA:
chown root:postfix /etc/postfix/tls/root.cert
chmod a=r /etc/postfix/tls/root.cert

You can examine the root certificate in detail with this command
openssl x509 -in /etc/postfix/tls/root.cert -text -noout

5. Optional

cp /etc/postfix/tls/root.cert /usr/lib/ssl/certs/CAcert.org_Root_Certificate.pem
c_rehash /usr/lib/ssl/certs

After installation of root certificate, you should test installation like this:

openssl verify /etc/postfix/tls/*.cert
/etc/postfix/tls/*.cert: OK

If the installation failed, you will probably get a message like this:

openssl verify /etc/postfix/tls/*.cert 
/etc/postfix/tls/*.cert: /
error 20 at 0 depth lookup:unable to get local issuer certificate
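An added example, not from the original post: a shell audit that checks a TLS directory against the ownership and modes set in the steps above (directory 0500, key and CSR 0400 owned by root:root, certificates world-readable and owned by root:postfix). The function names are mine; directory, owner, group and certificate group are passed as arguments so the same check can run against a test directory as an unprivileged user.

```shell
#!/bin/sh
# Added example, not part of the original post: audit a Postfix TLS directory
# against the ownership and modes used in the steps above. Only ls and awk are
# needed, so it runs on any POSIX system.

# Print "<permissions> <owner> <group>" for PATH, e.g. "r-------- root root".
# substr(...,2,9) drops the file-type character and any trailing ACL marker.
file_facts() {
  ls -ld -- "$1" | awk '{ print substr($1, 2, 9), $3, $4 }'
}

# check_one PATH PERMS OWNER GROUP: print an OK/BAD line, return 1 when BAD.
check_one() {
  have=$(file_facts "$1")
  want="$2 $3 $4"
  if [ "$have" = "$want" ]; then
    echo "OK  $1"
    return 0
  fi
  echo "BAD $1 (have: $have, want: $want)"
  return 1
}

# audit_tls_dir DIR OWNER GROUP CERT_GROUP
# Expected layout, as set in the post: DIR 0500 and every *.key and *.csr 0400,
# owned by OWNER:GROUP (root:root in the post); every *.cert 0444 owned by
# OWNER:CERT_GROUP (root:postfix in the post). Returns the number of failures.
audit_tls_dir() {
  dir=$1; owner=$2; group=$3; certgrp=$4; bad=0
  check_one "$dir" "r-x------" "$owner" "$group" || bad=$((bad + 1))
  for f in "$dir"/*.key "$dir"/*.csr; do
    [ -e "$f" ] || continue          # an unmatched glob stays literal; skip it
    check_one "$f" "r--------" "$owner" "$group" || bad=$((bad + 1))
  done
  for f in "$dir"/*.cert; do
    [ -e "$f" ] || continue
    check_one "$f" "r--r--r--" "$owner" "$certgrp" || bad=$((bad + 1))
  done
  return "$bad"
}

# On a real server (as root): audit_tls_dir /etc/postfix/tls root root postfix
```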

Then set the following in /etc/postfix/main.cf (or with postconf -e, as above):

smtp_tls_CAfile = /etc/postfix/tls/root.cert
smtp_tls_session_cache_database = btree:$data_directory/smtp_tls_session_cache
smtp_tls_security_level = may
smtp_tls_loglevel = 1

smtpd_tls_CAfile = /etc/postfix/tls/root.cert
smtpd_tls_cert_file = /etc/postfix/tls/*.cert
smtpd_tls_key_file = /etc/postfix/tls/*.key
smtpd_tls_session_cache_database = btree:$data_directory/smtpd_tls_session_cache
smtpd_tls_security_level = may
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes

On Debian, users of the ca-certificates package can do the same, except that these two lines point at the system CA bundle instead:
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtpd_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

Make sure that $data_directory is set.

Getting certificate fingerprint

openssl x509 -noout -fingerprint -sha1 -in /etc/postfix/tls/*.cert
SHA1 Fingerprint= ..................................

Written by spectre

May 10th, 2014 at 5:37 pm

Posted in Postfix & Amavis