QmailtoasterMain Page | About | Help | FAQ | Special pages | Log in

Printable version | Disclaimers | Privacy policy


From Qmailtoaster

Security Certificate

To configure a SSL certificate for TLS and/or SSL over SMTP:

1) Create a private key using the triple des encryption standard (recommended):

# openssl genrsa -des3 -out servercert.key.enc 1024

2) Remove the pass phrase from the private key:

# openssl rsa -in servercert.key.enc -out servercert.key

3) Generate Certificate Request

# openssl req -new -key servercert.key -out servercert.csr

4) Go to DiscountWebCerts and submit servercert.csr for a trusted certificate ($19.95). You will then receive a servercert.crt. Now just do the following.

5) Create standard .pem in /var/qmail/control/servercert.pem

# cat servercert.key servercert.crt > /var/qmail/control/servercert.pem

  1. openssl x509 -req -days 365 -in servercert.csr -signkey servercert.key -out servercert.crt

Here is an additional resource with some good examples.


cat /etc/pki/tls/private/localhost.key /etc/pki/tls/certs/localhost.crt /etc/pki/tls/certs/intermediate.crt > /var/qmail/control/servercert.pem

This will join all three of them: The key, signed certificate and the intermediate certificate. You can use the same certificate you have obtained for your Apache website.

# chown root:vchkpw /var/qmail/control/servercert.pem
# chmod 640 /var/qmail/control/servercert.pem

Note, in order to avoid verification errors in email clients (i.e. Outlook, Thunderbird, etc), you need to use the same server name (FQDN) in your client configuration(s) for both incoming (pop/imap) and outgoing (smtp) servers that was entered as the hostname when the certificate request was created. This should also be the same name that is used on the DNS MX record.

That's all there is to it. There is no need to restart qmail.

You can also use this signed certificate for apache by putting:

Be sure to check your /etc/httpd/conf.d/ssl.conf file to be certain that the correct file names are specified, and that the corresponding parameters are not commented out.

You need to restart apache to activate the modified certificate configuration.

See Building a Secure Redhat Apache Server HOWTO for guidance with securing your Apache Server.

Self-signed ssl cert gleaned from the archives

Quick-n-dirty how-to for ssl certs

# cd /usr/share/ssl/certs
# make stunnel.pem

# mv stunnel.pem /var/qmail/control/servercert.pem

Then run these commands to finish:

# cd /var/qmail/control
# chown root:qmail /var/qmail/control/servercert.pem
# chmod 644 /var/qmail/control/servercert.pem
# ln -s /var/qmail/control/servercert.pem /var/qmail/control/clientcert.pem

And that should take care of it for you...good till next year.

  1. openssl pkcs12 -export -in servercert.crt -inkey servercert.key -out OutlookSMTP.p12

Then import the OutlookSMTP.p12 file into the Trusted Root Certification Authorities store within Internet Explorer (Tools -> Internet Options -> Content -> Certificates, or by just double-clicking it). You will then be free to establish an SSL connection within Outlook to enforce tighter security.

Retrieved from "http://wiki.qmailtoaster.com/index.php/Certificate"

This page has been accessed 43,876 times. This page was last modified on 15 January 2011, at 21:23. Content is available under GNU Free Documentation License 1.2.


Main page
Community portal
Current events
Recent changes
Random page
View source
Editing help
This page
Discuss this page
New section
Printable version
Page history
What links here
Related changes
My pages
Log in / create account
Special pages
New pages
File list