932
edits
Changes
m
changing domain to .ops
'''Perform the following steps:'''
#Let's start with the "sending" SMTP server we have on VM2. Run the following, replacing <u>andrewsmith.orgops</u> with '''<u>your</u> domain name''':
<source lang="bash">mkdir -p /root/postfix-keys /etc/ssl/{private,certs}
cd /root/postfix-keys
openssl genrsa -des3 -out vm2.andrewsmith.orgops.key 2048chmod 600 vm2.andrewsmith.orgops.keyopenssl req -new -key vm2.andrewsmith.orgops.key -out vm2.andrewsmith.orgops.csropenssl x509 -req -days 365 -in vm2.andrewsmith.orgops.csr -signkey vm2.andrewsmith.orgops.key -out vm2.andrewsmith.orgops.crtopenssl rsa -in vm2.andrewsmith.orgops.key -out vm2.andrewsmith.orgops.key.nopassmv vm2.andrewsmith.orgops.key.nopass vm2.andrewsmith.orgops.key
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650
chmod 600 vm2.andrewsmith.orgops.key cakey.pemcp vm2.andrewsmith.orgops.key cakey.pem /etc/ssl/privatecp vm2.andrewsmith.orgops.crt cacert.pem /etc/ssl/certs</source>
::'''NOTE:''' Those commands will create a certificate, a certificate signing request, a certificate authority, and sign your certificate with your certificate authority.<br>This would be the same as in the real world except there you would contact a real CA, here you're making up your own.
smtpd_use_tls = yes
smtp_use_tls = yes
smtpd_tls_key_file = /etc/ssl/private/vm2.andrewsmith.orgops.keysmtpd_tls_cert_file = /etc/ssl/certs/vm2.andrewsmith.orgops.crt
smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem
tls_random_source = dev:/dev/urandom
'''Perform the following steps:'''
#Currently your Thunderbird is set up to use '''vm2.yoursenecaid.orgops''' for an SMTP server, with <u>no</u> security. Change that to use '''STARTTLS''' instead (you can change it under '''account settings --> Outgoing Server''').
# We haven't set up any user authentication, just an encrypted channel;therefore, leave the '''authentication method''' at the value: '''none'''.
#When you try to send an email Thunderbird will warn you about the self-signed certificate. You obviously know it's your certificate so you can tell Thunderbird to trust it:
# Let's start by generating a new certificate for Dovecot on your vm3 machine by issuing the following commands:
<source lang="bash">mkdir /etc/ssl/{private,certs}
openssl genrsa -des3 -out vm3.andrewsmith.orgops.key 2048chmod 600 vm3.andrewsmith.orgops.keyopenssl req -new -key vm3.andrewsmith.orgops.key -out vm3.andrewsmith.orgops.csropenssl x509 -req -days 365 -in vm3.andrewsmith.orgops.csr -signkey vm3.andrewsmith.orgops.key -out vm3.andrewsmith.orgops.crtopenssl rsa -in vm3.andrewsmith.orgops.key -out vm3.andrewsmith.orgops.key.nopassmv vm3.andrewsmith.orgops.key.nopass vm3.andrewsmith.orgops.key
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650
chmod 600 vm3.andrewsmith.orgops.key cakey.pemcp vm3.andrewsmith.orgops.key cakey.pem /etc/ssl/privatecp vm3.andrewsmith.orgops.crt cacert.pem /etc/ssl/certs</source>
::'''NOTE:''' This process is identical to what you've done for the vm2 certificate. In fact if your IMAP and SMTP servers are on the same machine you can share the certificate between them. In our case, they are not on the same machine.
