Dear All

This is my continuation of postfix setup. Following link
http://campworld.net/thewiki/pmwiki.php/LinuxServersCentOS/Cent6VirtMailServer
for postfix setup.

At one stage it says,

Configuring The Server
Setup SSL Certificate

Now generate an SSL certificate for postfix and dovecot to have TLS support. Replace mail.example.com with your server hostname.

    genkey --days 3650 mail.example.com

My doubt is,

1. I have to install a SSL certificate for web server (apache case). I am planning to purchase a SSL certificate and put it. The same certificate will be useful for both web server and mail server OR both web and mail server need separate SSL certificates.

2. I hope for web server case, one must purchase a ssl certificate and use it (so that browsers will work smoothly without complaint). For mail server can one use locally generated ssl certificate?

Kindly let me know.

Best Regards

Austin
On 03/11/2013 07:05 PM, Austin Einter wrote:
> Dear All
> This is my continuation of postfix setup.
> Following link
> http://campworld.net/thewiki/pmwiki.php/LinuxServersCentOS/Cent6VirtMailServer
> for postfix setup.
>
> At one stage it says,
> Configuring The Server Setup SSL Certificate
>
> Now generate an SSL certificate for postfix and dovecot to have TLS
> support. Replace mail.example.com with your server hostname.
>> genkey --days 3650 mail.example.com
>
> My doubt is,
>
> 1. I have to install a SSL certificate for web server (apache case). I
> am planning to purchase a SSL certificate and put it. The same certificate
> will be useful for both web server and mail server OR both web and mail
> server need separate SSL certificates.
>
> 2. I hope for web server case, one must purchase a ssl certificate and use
> it (so that browsers will work smoothly without complaint). For mail server
> can one use locally generated ssl certificate?
>
> Kindly let me know.
>
> Best Regards
>
> Austin

Hi,

I use mail.domain.com, so I needed another certificate. I got the second certificate the same way I got the first, save for the change in the domain name.

A self-signed certificate will trigger a warning for users. For this reason, I did not use self-signed and I suspect you don't want to use a self-signed, either.

--
Digimer
Papers and Projects: https://alteeve.ca/w/
What if the cure for cancer is trapped in the mind of a person without access to education?
For the WEB server it makes sense to have a certificate that is signed by a known CA. However, for postfix a self-signed cert is just fine. When a user first connects with TLS, the mail client will complain. But with most mail clients (I use Thunderbird), you can get the certificate and store a permanent exception so it will never complain again. Other servers that make connections to deliver mail with STARTTLS generally don't care.

Mike

On 03/11/2013 07:05 PM, Austin Einter wrote:
> Dear All
> This is my continuation of postfix setup.
> Following link
> http://campworld.net/thewiki/pmwiki.php/LinuxServersCentOS/Cent6VirtMailServer
> for postfix setup.
>
> At one stage it says,
> Configuring The Server Setup SSL Certificate
>
> Now generate an SSL certificate for postfix and dovecot to have TLS
> support. Replace mail.example.com with your server hostname.
>> genkey --days 3650 mail.example.com
>
> My doubt is,
>
> 1. I have to install a SSL certificate for web server (apache case). I
> am planning to purchase a SSL certificate and put it. The same certificate
> will be useful for both web server and mail server OR both web and mail
> server need separate SSL certificates.
>
> 2. I hope for web server case, one must purchase a ssl certificate and use
> it (so that browsers will work smoothly without complaint). For mail server
> can one use locally generated ssl certificate?
>
> Kindly let me know.
>
> Best Regards
>
> Austin
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
On 03/11/2013 07:05 PM, Austin Einter wrote:
> Dear All
> This is my continuation of postfix setup.
> Following link
> http://campworld.net/thewiki/pmwiki.php/LinuxServersCentOS/Cent6VirtMailServer
> for postfix setup.
>
> At one stage it says,
> Configuring The Server Setup SSL Certificate
>
> Now generate an SSL certificate for postfix and dovecot to have TLS
> support. Replace mail.example.com with your server hostname.
>> genkey --days 3650 mail.example.com
>
> My doubt is,
>
> 1. I have to install a SSL certificate for web server (apache case). I
> am planning to purchase a SSL certificate and put it. The same certificate
> will be useful for both web server and mail server OR both web and mail
> server need separate SSL certificates.
>
> 2. I hope for web server case, one must purchase a ssl certificate and use
> it (so that browsers will work smoothly without complaint). For mail server
> can one use locally generated ssl certificate?

In large measure it depends on the URL for both. I use a virtual host for webmail, different from the hostname. Also, typically, the email cert's URL is the host name, not the domain name. Though I have not studied DANE, and I may have that part wrong.

With the same URL, you can use one cert. With different URLs, you typically need multiple certs, but there are ways using altName to have more than one URL in a cert. Talk to who you buy your cert from.

For me, and the size of my community, I have gone with a self-signed cert. I was in discussions on this on a number of lists. I have filed a bug report on the RedHat default SSL cert: 906476; they create the default cert during firstboot, with the wrong extensions for a client cert.

Here is what I have used:

    cd /etc/pki/tls
    openssl req -new -outform PEM -out certs/host.atdomain.com.crt -newkey rsa:2048 -nodes -keyout private/host.atdomain.com.key -keyform PEM -days 3650 -x509 -extensions v3_req

Answer the prompts appropriately.

You can then check this cert out with:

    openssl x509 -in certs/host.atdomain.com.crt -text -nameopt multiline -noout | more

Then don't forget to change access to the private key:

    chmod 640 private/host.atdomain.com.key

To each their own on certs. Note I participated in PKIX in the IETF and am the architect of the Bridge CA model used by the US gov's PKI and the BioPharma PKI, so I carry a bias on certificates. Also a group in my day job is the largest provider of client certificates in the world (according to our marketing) and one of the largest providers of server certs; but I am NOT part of that group.
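The altName approach and the generate/inspect/chmod steps from the message above, as an added shell example that is not from the thread: it produces one self-signed certificate whose subjectAltName names both the mail host and the web host, then reads the names back and checks the key permissions. The hostnames, the temporary directory and the small OpenSSL config file are assumptions for this example.

```shell
#!/bin/sh
# Added example (not from the thread): one self-signed cert covering two
# hostnames via subjectAltName, then the checks a practitioner would run.
set -eu

WORK="${WORK:-$(mktemp -d)}"          # assumed scratch dir, not /etc/pki/tls
MAIL_HOST="mail.example.com"          # assumed hostname for postfix/dovecot
WEB_HOST="www.example.com"            # assumed hostname for apache
CRT="$WORK/$MAIL_HOST.crt"
KEY="$WORK/$MAIL_HOST.key"

# Minimal OpenSSL config; the v3_req section carries the SAN list, which is
# how a single certificate can name more than one host.
make_config() {
    cat > "$WORK/san.cnf" <<EOF
[ req ]
distinguished_name = dn
x509_extensions = v3_req
prompt = no
[ dn ]
CN = $MAIL_HOST
[ v3_req ]
subjectAltName = DNS:$MAIL_HOST, DNS:$WEB_HOST
extendedKeyUsage = serverAuth
EOF
}

# 2048-bit RSA key plus a 10-year self-signed certificate in one step,
# then restrict the private key (it must not be world-readable).
make_cert() {
    make_config
    openssl req -new -x509 -days 3650 -newkey rsa:2048 -nodes \
        -keyout "$KEY" -out "$CRT" -config "$WORK/san.cnf" >/dev/null 2>&1
    chmod 640 "$KEY"
}

# The SAN line from the textual dump, so both names can be confirmed.
cert_sans() {
    openssl x509 -in "$CRT" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# Permission string of the key file, e.g. -rw-r----- after chmod 640.
key_mode() { ls -l "$KEY" | cut -c1-10; }

# A self-signed cert verifies only against itself: clients must be told to
# trust it explicitly (the "permanent exception" Thunderbird stores).
verify_self_signed() { openssl verify -CAfile "$CRT" "$CRT" >/dev/null 2>&1; }

make_cert
cert_sans
```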