Re: [opensuse] SSL/TLS on Postfix/Cyrus server



On Thu, Apr 07, 2011 at 05:48:06PM -0500, Jim Flanagan wrote:
> I've got my new install to handle basic smtp/imap. Clean 11.4 install,
> Postfix/Cyrus imap/SASL using plain text passwords. Now I need to set up
> SSL/TLS.
>
> In the past I've used self rolled certs, but I think I'd rather use some
> free certs like StartSSL. I believe they do authenticated certs for one
> year's duration.
>
> In any case, do I need one cert, or more than one? In the past for email
> I've used mail.domain.com for both IMAP and SMTP, but that was not with
> an authenticated cert. Do I need one for each service, and another for WWW?
>
> I installed the yast2-ca-management but haven't done anything with it
> yet. I'm also not sure where to place them when I get them done, but a
> common location seems most logical. So, I'm not sure where to start to
> produce the certs, or where to install them.
>
> Any help or pointers to a good opensuse/cyrus flavored resource would be
> much appreciated.

As long as the hostname is the same, you can use the same certificate.

Usually you could also request several names per certificate too (altNames)
for multiple hostnames.

my /etc/postfix/main.cf has:
smtpd_tls_cert_file = /etc/ssl/servercerts/servercert.pem
smtpd_tls_security_level = may
smtpd_tls_key_file = /etc/ssl/servercerts/serverkey.pem
smtp_tls_CApath = /etc/ssl/certs/

my /etc/imapd.conf (cyrus config) has:
tls_cert_file: /etc/ssl/servercerts/servercert.pem
tls_key_file: /etc/ssl/servercerts/serverkey.pem

Ciao, Marcus
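
An added example, not part of the original message: a shell check that one certificate covers every hostname the mail services use and that the key file belongs to it. The example.com names and the throwaway self-signed certificate are assumptions standing in for the CA-issued one; `-addext` needs OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example. Hostnames are constructed (example.com); the file names
# servercert.pem / serverkey.pem follow the configuration quoted above.

# make_test_cert DIR CN NAME...: throwaway self-signed certificate whose
# subjectAltName lists every NAME (stand-in for the certificate from the CA).
make_test_cert() {
    dir=$1; cn=$2; shift 2
    san=""
    for n in "$@"; do san="${san:+$san,}DNS:$n"; done
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$dir/serverkey.pem" -out "$dir/servercert.pem" \
        -subj "/CN=$cn" -addext "subjectAltName=$san" 2>/dev/null
    chmod 600 "$dir/serverkey.pem"   # the private key must not be world-readable
}

# cert_covers CERT HOST: succeed only if HOST matches a name in CERT.
# openssl exits 0 either way, so the printed verdict is what gets tested.
cert_covers() {
    openssl x509 -in "$1" -noout -checkhost "$2" |
        grep -q "does match certificate"
}

# key_matches_cert CERT KEY: succeed only if KEY is the private key for CERT
# (compares digests of the two public keys).
key_matches_cert() {
    a=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    b=$(openssl pkey -in "$2" -pubout | openssl sha256)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Demo: one certificate for SMTP and IMAP under two names; www is not listed.
tmp=$(mktemp -d)
make_test_cert "$tmp" mail.example.com mail.example.com imap.example.com
for h in mail.example.com imap.example.com www.example.com; do
    if cert_covers "$tmp/servercert.pem" "$h"; then
        echo "$h: covered"
    else
        echo "$h: NOT covered, needs its own altName or certificate"
    fi
done
key_matches_cert "$tmp/servercert.pem" "$tmp/serverkey.pem" && echo "key matches"
rm -rf "$tmp"
```

Run `cert_covers` and `key_matches_cert` against the real files before pointing both `main.cf` and `imapd.conf` at them.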


