This is a document to help you convert your apache certs to qmail.
Please note that the common name you used needs to match the server name in order for your clients not to get the nag screen when they send emails via SSL or TLS.
In order to convert your apache cert, it is important to create the cert correctly. Here is how to do it:
First, We create the key:
# openssl genrsa -out domain.xxx.key 2048
You can substitute 2048 with 4096 for stronger encryption and make sure you replace YOURDOMAIN with your actual domain name.
Next, We need to add a password. Go ahead and type it and confirm.
Now create a csr:
# openssl req -new -key YOURDOMAIN.key -out YOURDOMAIN.csr
It is important to note here to type in all information for your company. When it asks for Common Name (eg, YOUR name) []: it is VERY IMPORTANT this field matches what your users are going to use for their mailserver name. If you are buying a cert for multiple domains, this will be the domain users use the most. When viewing a cert for multiple domains, the common will appear first and the others will show on the cert.
This is the csr you can you to generate your cert when asked by the domain you buy your cert from.
——————————————————————————————————————-
First lets backup the current /var/qmail/control folder first:
# mkdir /var/qmail/backup_control
# cp -Rp /var/qmail/control/* /var/qmail/backup_control
Please copy the .crt, .csr and the .key to the root folder. Then run the following to make a signed cert:
# cat /root/cert.key > /var/qmail/control/servercert.pem
# cat /root/cert.crt >> /var/qmail/control/servercert.pem
# cat /root/intermediate.crt >> /var/qmail/control/servercert.pem
And now lets set the permissions on the servercert.pem:
# chown root:qnofiles /var/qmail/control/servercert.pem
# chmod 640 /var/qmail/control/servercert.pem
Now lets create the clientcert.pem file and the permissions:
# cp /var/qmail/control/servercert.pem /var/qmail/control/clientcert.pem
# chown root:qmail /var/qmail/control/clientcert.pem
# chmod 640 /var/qmail/control/clientcert.pem
Now restart qmail in order to make the changes take effect:
# qmailctl restart
If you have any other services that reference the servercert.pem, you will want to restart those services as well. Such services could include smtpd-ssl and smtpd-tls (Just as an example)
Now if you decided to run imap, You can use the following to create imap certs as well.
# cp /var/qmail/control/servercert.pem /usr/local/share/courier-imap/imapd.pem
# cp /var/qmail/control/servercert.pem /usr/local/share/courier-imap/pop3d.pem
Now to restart the service(s)
# svc -t /service/courier-*
That will restart ALL the courier- services.
Now your customers will not get the annoying nag screen when people send mail via smtp-ssl, smtp-tls or via imap!
rom Qmailtoaster
Security Certificate
To configure a SSL certificate for TLS and/or SSL over SMTP:
1) Create a private key using the triple des encryption standard (recommended):
# openssl genrsa -des3 -out servercert.key.enc 1024
2) Remove the pass phrase from the private key:
# openssl rsa -in servercert.key.enc -out servercert.key
3) Generate Certificate Request
# openssl req -new -key servercert.key -out servercert.csr
4) Go to DiscountWebCerts and submit servercert.csr for a trusted certificate ($19.95). You will then receive a servercert.crt. Now just do the following.
5) Create standard .pem in /var/qmail/control/servercert.pem
# cat servercert.key servercert.crt > /var/qmail/control/servercert.pem
- NOTE – For reference, here is the command to sign the request for a self signed certificate:
- openssl x509 -req -days 365 -in servercert.csr -signkey servercert.key -out servercert.crt
Here is an additional resource with some good examples.
http://www.madboa.com/geek/openssl/#cert-self
-
- NOTE – Some certificate providers, like GoDaddy for example, will also give you a chain file (also sometimes called intermediate file), dump it into the same servercert.pem like so:
cat /etc/pki/tls/private/localhost.key /etc/pki/tls/certs/localhost.crt /etc/pki/tls/certs/intermediate.crt > /var/qmail/control/servercert.pem
This will join all three of them: The key, signed certificate and the intermediate certificate. You can use the same certificate you have obtained for your Apache website.
# chown root:vchkpw /var/qmail/control/servercert.pem # chmod 640 /var/qmail/control/servercert.pem
Note, in order to avoid verification errors in email clients (i.e. Outlook, Thunderbird, etc), you need to use the same server name (FQDN) in your client configuration(s) for both incoming (pop/imap) and outgoing (smtp) servers that was entered as the hostname when the certificate request was created. This should also be the same name that is used on the DNS MX record.
That’s all there is to it. There is no need to restart qmail.
You can also use this signed certificate for apache by putting:
- servercert.key in /etc/pki/tls/private/localhost.key
- servercert.crt in /etc/pki/tls/certs/localhost.crt
Be sure to check your /etc/httpd/conf.d/ssl.conf file to be certain that the correct file names are specified, and that the corresponding parameters are not commented out.
You need to restart apache to activate the modified certificate configuration.
See Building a Secure Redhat Apache Server HOWTO for guidance with securing your Apache Server.
Self-signed ssl cert gleaned from the archives
Quick-n-dirty how-to for ssl certs
# cd /usr/share/ssl/certs
# make stunnel.pem # mv stunnel.pem /var/qmail/control/servercert.pem
Then run these commands to finish:
# cd /var/qmail/control
# chown root:qmail /var/qmail/control/servercert.pem
# chmod 644 /var/qmail/control/servercert.pem
# ln -s /var/qmail/control/servercert.pem /var/qmail/control/clientcert.pem
Recent Comments