====== Install CAcert certificate for postfix smtp/tls ======

CAcert.org (https://www.cacert.org/) is a free certificate authority. If you join and verify that you have control over a domain (e.g. by receiving an email to hostmaster@...), you can generate a certificate request.

  * Log in to CAcert, go to domains and add the FQDN of the server you will be adding the certificates for.
  * When openssl asks for your name, enter the FQDN of the server.

  $ openssl req -nodes -new -keyout private.key -out server.csr

The -nodes option writes private.key unencrypted, so keep that file readable by root only.

Then paste server.csr into the form on their web site and they email you back a certificate; save this as server.crt.

Get the CAcert root certificate (its public key) and copy everything into place:

  wget http://www.cacert.org/cacert.crt
  cp cacert.crt /etc/postfix/ssl/cacert.pem
  cp private.key /etc/postfix/ssl/newreq.pem
  cp server.crt /etc/postfix/ssl/newcert.pem

This is for main.cf, see also the other stuff above:

  smtpd_tls_key_file = /etc/postfix/ssl/newreq.pem
  smtpd_tls_cert_file = /etc/postfix/ssl/newcert.pem
  smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem

===== Refreshing the certificate: =====

  * Go to the CAcert site and refresh the certificate.
  * Open /etc/postfix/ssl/newcert.pem and paste in the new certificate.
  * Restart postfix.
  * Test sending a mail with TLS enabled.

Source: https://wiki.slugbug.org.uk/Postfix_TLS

{{tag>postfix linux security}}
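Added example, not part of the original page: a shell script that checks the files installed above before Postfix is restarted, both after the first install and after a refresh (key permissions, key/certificate match, chain to cacert.pem, remaining validity). The function names and the 14-day default are assumptions; the file names are the ones used on this page.

```shell
#!/bin/sh
# Added example: sanity checks for the TLS files installed on this page.
# Function names and the 14-day default are hypothetical choices.

# True if the key file grants no access to group or others.
key_is_private() {
    [ "$(ls -ld -- "$1" 2>/dev/null | cut -c5-10)" = "------" ]
}

# True if the certificate carries the public half of the private key.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# True if the certificate ($2) verifies against the CA file ($1).
# Matches the ": OK" line rather than relying on the exit status alone.
cert_chains_to_ca() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# True if the certificate ($1) is still valid $2 days from now.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Run every check against a directory laid out as on this page.
# $1 = directory (default /etc/postfix/ssl), $2 = minimum days left (default 14).
check_postfix_tls() {
    dir=${1:-/etc/postfix/ssl}; days=${2:-14}; rc=0
    key_is_private "$dir/newreq.pem" ||
        { echo "FAIL: newreq.pem is accessible to group/others (chmod 600)"; rc=1; }
    key_matches_cert "$dir/newreq.pem" "$dir/newcert.pem" ||
        { echo "FAIL: newcert.pem does not match the key in newreq.pem"; rc=1; }
    cert_chains_to_ca "$dir/cacert.pem" "$dir/newcert.pem" ||
        { echo "FAIL: newcert.pem does not verify against cacert.pem"; rc=1; }
    cert_valid_for_days "$dir/newcert.pem" "$days" ||
        { echo "FAIL: newcert.pem expires within $days days"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: $dir"
    return "$rc"
}

# Run only when a directory is given: sh check.sh /etc/postfix/ssl [days]
if [ "$#" -gt 0 ]; then check_postfix_tls "$@"; fi
```

A non-zero exit status means at least one check failed, so the script can gate the "restart postfix" step.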