Create SSL certificates

SSL certificates will be used by Postfix (for SMTPS and TLS), Courier (for IMAPS and POP3S) and Apache (for HTTPS). We store all the certificates in one directory.

mkdir /usr/local/ssl cd /usr/local/ssl

Generate the RSA private-key for the server. We don't want a pass phrase on this key, otherwise it will need to be entered every time courier/apache/postfix starts.

openssl genrsa -out mail.yourdomain.com.key 1024

Generating RSA private key, 1024 bit long modulus
...................++++++
........................++++++
e is 65537 (0x10001)

Tighten the permissions on this key file:

chmod 600 mail.yourdomain.com.key

Generate a certificate request:

openssl req -new -key mail.yourdomain.com.key -out mail.yourdomain.com.csr

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]: <-- BE
State or Province Name (full name) [Berkshire]: <-- Limburg
Locality Name (eg, city) [Newbury]: <-- Beringen
Organization Name (eg, company) [My Company Ltd]: <-- howtoforge
Organizational Unit Name (eg, section) []: <-- Hosting Services
Common Name (eg, your name or your server's hostname) []: <-- mail.yourdomain.com
Email Address []: <-- postmaster@yourdomain.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: <-- password
An optional company name []:

At this point you would send your CSR off to a Certificate Authority for signing (such as Verisign or Thawte) . However if you wanted to do some in-house testing, we can set ourselves up as a CA, and then sign the CSR ourselves :

Generate RSA private-key for the CA:

openssl genrsa -des3 -out ca.key 1024

Generating RSA private key, 1024 bit long modulus
.....................++++++
...............++++++
e is 65537 (0x10001)
Enter pass phrase for ca.key: <-- capass
Verifying - Enter pass phrase for ca.key: <-- capass

Tighten permissions on this private key:

chmod 600 ca.key

Create a self signed CA certificate:

openssl req -new -x509 -days 365 -key ca.key -out ca.crt

Enter pass phrase for ca.key: <-- capass
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
----- Country Name (2 letter code) [GB]: <-- BE
State or Province Name (full name) [Berkshire]: <-- Limburg
Locality Name (eg, city) [Newbury]: <-- Beringen
Organization Name (eg, company) [My Company Ltd]: <-- howtoforge
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []: <-- mail.yourdomain.com
Email Address []: <-- postmaster@yourdomain.com

Use this test CA to sign our server cert:

openssl x509 -req -days 365 -CA ca.crt -CAkey ca.key -set_serial 01 -in mail.yourdomain.com.csr -out mail.yourdomain.com.crt

Signature ok
subject=/C=AU/ST=SomeState/L=SomePlace/O=Test CA Company/OU=SomeGroup/CN=CA Signing Biz/emailAddress=postmaster@nowhere
Getting CA Private Key
Enter pass phrase for ca.key: <-- capass

Combine the server key and certificate into a single file. Postfix and Apache can deal with two separate files, but Courier needs them both in one. To try and keep things consistent we will use a single file with all 3 apps. Create the pem file in the format that courier wants (both the key and the cert in one file):

cat mail.yourdomain.com.key mail.yourdomain.com.crt > mail.yourdomain.com.pem

chmod 600 mail.yourdomain.com.pem

OK so you should now have something like this :

ls -al

total 36
drwxr-xr-x 2 root root 4096 Nov 28 22:02 .
drwxr-xr-x 14 root root 4096 Nov 20 21:50 ..
-rw-r--r-- 1 root root 1371 Nov 28 21:50 ca.crt
-rw------- 1 root root 963 Nov 28 21:47 ca.key
-rw-r--r-- 1 root root 1001 Nov 28 21:51 mail.yourdomain.com.crt
-rw-r--r-- 1 root root 773 Nov 28 21:45 mail.yourdomain.com.csr
-rw------- 1 root root 887 Nov 28 21:45 mail.yourdomain.com.key
-rw------- 1 root root 1888 Nov 28 22:02 mail.yourdomain.com.pem

 

Configuration

Make sure you are the ROOT user again and not the mail user (exit or su root).

To make things easy, I would advice to install phpmyadmin (http://www.phpmyadmin.net/). This will make it easier to work with the MySQL database.

I choose to work with Postfix Admin (http://high5.net/page7.html), an excellent PHP, multi-user postfix GUI. Postfix Admin enables: forwarding, vacation, mailbox creation, …. But you are free to change the structure to what you want. Install Postfix Admin: download the latest package from the download page. Make sure that you are in your WWW directory and then unarchive the Postfix Admin archive (whatever the filename is):

tar -zxvf postfixadmin-2.*.*.tgz

Since the database password is stored in the config.inc.php it's a good idea to change the permissions for Postfix Admin.

cd postfixadmin
chmod 640 *.php *.css
cd postfixadmin/admin/
chmod 640 *.php .ht*
cd postfixadmin/images/
chmod 640 *.gif *.png
cd postfixadmin/languages/
chmod 640 *.lang
cd postfixadmin/templates/
chmod 640 *.tpl
cd postfixadmin/users/
chmod 640 *.php

 

Mysql db structure

In DATABASE_MYSQL.TXT you can find the table structure for MySQL that you need in order to configure Postfix Admin and Postfix in general to work with Virtual Domains and Users. In DATABASE_PGSQL.TXT you can find the table structure for PostgreSQL.

mysql -u root [-p] < DATABASE_MYSQL.TXT

Check the config.inc.php file. There you can specify settings that are relevant to your setup.

Postfix Admin contains 3 views of administration. There is the Site Admin view, located at http://www.yourdomain.com/postfixadmin/admin/. There is the Domain Admin view, located at http://www.yourdomain.com/postfixadmin/. And there is the User Admin View, located at http://www.yourdomain.com/postfixadmin/users/.

In order to do the initial configuration you have to go to the Site Admin view.

The default password for the Site Admin view of Postfix Admin is admin/admin.

This is specified in the .htpasswd file in the /admin directory. Make sure that the location of the .htpasswd file matches your path.

You can make a new domain and a test mailbox.