Replace Postfix SSL certificate

Discussion in 'Installation/Configuration' started by wr19026, Feb 5, 2009.

  1. wr19026

    wr19026 New Member

    I must be braindead at the moment, but I have a problem with the Postfix SSL certificate.

    I set it up for the duration of 365 days and now it expired. I need to install a new one valid for 3650 days but can't get that to work using these commands:
    cd /etc/postfix/ssl/
    openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024
    chmod 600 smtpd.key
    openssl req -new -key smtpd.key -out smtpd.csr
    openssl x509 -req -days 3650 -in smtpd.csr -signkey smtpd.key -out smtpd.crt
    openssl rsa -in smtpd.key -out smtpd.key.unencrypted
    mv -f smtpd.key.unencrypted smtpd.key
    openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650

    Even a /etc/init.d/postfix force-reload followed by /etc/init.d/postfix restart does not work, although all the files in the /etc/postfix/ssl have today's date stamp

    Any suggestions?
  2. wr19026

    wr19026 New Member

    The files in /etc/postfix/ssl all have yesterday's timestamp so that should not be the issue. Doesn't anyone know what I am doing wrong?
  3. falko

    falko Super Moderator ISPConfig Developer

    Is Postfix running chrooted? What's in your
  4. wr19026

    wr19026 New Member

    I used the perfect server setup for 6.06 and 6.10 (happens on both servers), so I don't think it's chrooted (I didn't knowingly set it up that way anyway.

    I see the "certificate expired" on my mail client when retrieving IMAP mail.

    Here is

    # See /usr/share/postfix/ for a commented, more complete version

    # Debian specific: Specifying a file name will cause the first
    # line of that file to be used as the name. The Debian default
    # is /etc/mailname.
    #myorigin = /etc/mailname

    smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
    biff = no

    # appending .domain is the MUA's job.
    append_dot_mydomain = no

    # Uncomment the next line to generate "delayed mail" warnings
    #delay_warning_time = 4h

    # TLS parameters
    smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
    smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
    smtpd_use_tls = yes
    smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
    smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache

    # See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
    # information on enabling SSL in the smtp client.

    myhostname = server.mydomain.dom
    alias_maps = hash:/etc/aliases
    alias_database = hash:/etc/aliases
    myorigin = /etc/mailname
    #mydestination = server.mydomain.dom, localhost.mydomain.dom, , localhost
    relayhost =
    mynetworks =
    mailbox_command = procmail -a "$EXTENSION"
    mailbox_size_limit = 0
    recipient_delimiter = +
    inet_interfaces = all
    inet_protocols = all
    smtpd_sasl_local_domain =
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_security_options = noanonymous
    broken_sasl_auth_clients = yes
    smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
    smtpd_tls_auth_only = no
    smtp_use_tls = yes
    smtp_tls_note_starttls_offer = yes
    smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
    smtpd_tls_loglevel = 1
    smtpd_tls_received_header = yes
    smtpd_tls_session_cache_timeout = 3600s
    tls_random_source = dev:/dev/urandom

    virtual_maps = hash:/etc/postfix/virtusertable

    mydestination = /etc/postfix/local-host-names
  5. falko

    falko Super Moderator ISPConfig Developer

    Then we are talking about the certificate of your IMAP server, not of Postfix. You can recreate them as follows (I'm citing from a PM I got a few weeks ago):

  6. wr19026

    wr19026 New Member

    This did the trick, thanks! And I increased the "days" value in mkimapdcert and mkpop3dcert so that I will not have the same problem again next year :)
  7. jonaugust

    jonaugust New Member

    .pem from certificate signing authority


    I have the same problem, but I don't want to self-sign. I have a .csr file (certificate signing request), the .key file (private key), and a .crt file (certificate).

    How do I make a .pem from those files with openssl?


Share This Page