Setting up Postfix+Dovecot with SSL/TLS using a CA-signed certificate (GoDaddy TurboSSL) was time-consuming and not very straightforward.
Here are the steps I took to get it working properly. Note: This assumes that you have Postfix/SASL+Dovecot pre-installed and working perfectly with self-signed certificates. If you haven’t completed that setup, I’m uncertain that these steps will work.
Log in as root.
sudo su
Change dir to /root
cd ~
Generate the private key. You will be prompted to set a password for the key. For best security, it should contain at least eight characters, include numbers and/or punctuation, and *not* be a word in a dictionary.
openssl genrsa -des3 -out mail.key 1024
Protect your private key.
chmod 600 mail.key
Generate a Certificate Signing Request (CSR). You will be prompted for the mail.key password you set previously, and then for your company information.
IMPORTANT: Make certain the Common Name (CN) and/or Fully Qualified Domain Name (FQDN) matches your mail domain name, e.g. mail.mydomain.com. Otherwise connecting email clients will most likely fuss about it, and mobile email clients will most certainly refuse to connect.
openssl req -new -key mail.key -out mail.csr
Note: The contents of mail.csr should be submitted to a (trusted) Certificate Authority, in my case GoDaddy.com, to be signed. You will receive a .crt file (the signed certificate) that will need to be placed on your server. (I put mine in /root with the other certificate files to tar later.)
Assuming you have submitted the CSR to a trusted CA, and the .crt file is /root/mail.crt, you now need to create an X.509-compliant certificate in PEM format from your newly signed certificate.
openssl x509 -in mail.crt -outform PEM -out mail.pem
Generate an unencrypted version of your private key to be used with Postfix and Dovecot.
openssl rsa -in mail.key -out mail.key.unencrypted
cp ./mail.key ./mail.key.encrypted
mv -f mail.key.unencrypted mail.key
Copy the unencrypted private key to /etc/ssl/private.
cp ./mail.key /etc/ssl/private/mail.key
Copy the X.509 certificate to /etc/ssl/certs.
cp ./mail.pem /etc/ssl/certs/mail.pem
Update the Postfix configuration.
nano /etc/postfix/main.cf
Add/Edit these lines and save:
mydomain = mydomain.com
myhostname = mail.mydomain.com
smtpd_tls_cert_file = /etc/ssl/certs/mail.pem
smtpd_tls_key_file = /etc/ssl/private/mail.key
Update the Dovecot configuration.
nano /etc/dovecot/dovecot.conf
Add/Edit these lines and save:
ssl_cert_file = /etc/ssl/certs/mail.pem
ssl_key_file = /etc/ssl/private/mail.key
Restart Postfix and Dovecot so the changes take effect.
/etc/init.d/postfix restart
/etc/init.d/dovecot restart
That’s it! You should now have working ESMTP, IMAPS, and POP3S, with no complaints from email client software or your email user base.
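The installed key and certificate can be checked for the usual causes of a failed restart or client warnings: a key that is still passphrase-protected, a key readable by other users, a certificate issued for a different key, or a hostname mismatch. This is an added example, not part of the original steps; the function names are illustrative and the 2048-bit warning threshold is an assumption of the example.

```shell
#!/bin/sh
# Added example: checks for the key/certificate pair installed by the steps above.
# Function names are illustrative; the 2048-bit floor is this example's assumption.

# SHA-256 of the public key inside a certificate, or derived from a private key.
cert_pub_hash() { openssl x509 -in "$1" -noout -pubkey | openssl dgst -sha256 -r | cut -d' ' -f1; }
key_pub_hash()  { openssl pkey -in "$1" -pubout | openssl dgst -sha256 -r | cut -d' ' -f1; }

# Bit length of the public key inside a certificate.
cert_key_bits() {
    openssl x509 -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit.*/\1/p'
}

check_mail_cert() {   # usage: check_mail_cert KEY CERT HOSTNAME
    key=$1 cert=$2 host=$3 rc=0
    # Postfix and Dovecot start unattended, so the key must carry no passphrase.
    if grep -Eq '^(Proc-Type: 4,ENCRYPTED|-----BEGIN ENCRYPTED PRIVATE KEY)' "$key"; then
        echo "FAIL: $key is still passphrase-protected"; return 1
    fi
    # The unencrypted key must be closed to group and others. The file written by
    # "openssl rsa -out" is a new file and does not inherit the earlier chmod 600.
    if [ "$(ls -ld "$key" | cut -c5-10)" != "------" ]; then
        echo "FAIL: $key is accessible to group/others (chmod 600 it)"; rc=1
    fi
    # The certificate returned by the CA must carry the public half of this key.
    if [ "$(cert_pub_hash "$cert")" != "$(key_pub_hash "$key")" ]; then
        echo "FAIL: $cert was not issued for $key"; rc=1
    fi
    # The name clients connect to must match the certificate (SAN, else CN).
    if ! openssl x509 -in "$cert" -noout -checkhost "$host" | grep -q 'does match'; then
        echo "FAIL: $cert is not valid for $host"; rc=1
    fi
    bits=$(cert_key_bits "$cert")
    [ "${bits:-0}" -ge 2048 ] || echo "WARN: key is only ${bits:-unknown} bits"
    [ "$rc" -eq 0 ] && echo "OK: $key and $cert are consistent for $host"
    return "$rc"
}

# Usage with the paths and hostname from this page:
# check_mail_cert /etc/ssl/private/mail.key /etc/ssl/certs/mail.pem mail.mydomain.com
```
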
Resources:
https://help.ubuntu.com/8.04/serverguide/C/certificates-and-security.html
http://www.projektfarm.com/en/support/howto/postfix_smtp_auth_tls.html


