SSL in Postfix

#1 Sat, 03/08/2008 - 23:21
desperatedcoolman

SSL in Postfix

How do you enable SSL in Postfix?

I enabled the smtpd for ssl in "Server Process" page. Now the program "master" is listening to port 465.

However, the maillog said there was no TLS cert. Is there any easy configuration that can be used in VirtualMin for this?

Mon, 03/10/2008 - 14:39
Joe

You need to give it a certificate, just like it says. ;-)

You can do that in the Postfix module in the "SMTP Authentication And Encryption" page. You obviously need a certificate and key file (and, optionally, a Certificate Authority file if you're using a chained certificate like those sold by GoDaddy for about 20 bucks).

--

Check out the forum guidelines!

Tue, 03/11/2008 - 02:56 (Reply to #2)
desperatedcoolman

Thanks.

Where is the location of the default certificate of port 80?
I want to use that certificate for smtps.

Hope there could be an auto generated default server-wide cert named, say, "Virtualmin Server" in future releases of virtualmin.

Tue, 03/11/2008 - 23:46 (Reply to #3)
Joe

It makes little sense for email (and really not a lot of sense for web) to make use of an auto-generated self-signed certificate. But for mail, in particular, the user would be utterly confused by the errors and warnings that would pop up. Both IE and Firefox are becoming more hostile to self-signed certs, as well, which is reasonable. Half of the purpose of certificates is identity--and self-signed certs don't provide identity information to your users, so they're 50% worthless. ;-)

I like the GoDaddy cheap certificates. They're about $20/year, and work fine with all of the services you'd want SSL enabled for (Apache, Webmin, Postfix, Dovecot, ProFTPd).

Tue, 03/11/2008 - 23:49 (Reply to #4)
Joe

Oh, and there is no "default certificate for port 80". The concept of "default" anything is nonsensical with an Apache configured for use in virtual hosting...each VirtualHost has its own SSL certificate (if SSL is enabled) located in the home directory of the virtual server user.

It probably does make sense to make it easier to add a certificate for mail, Webmin and Usermin on the hostname of the box (or that of the hosting provider)...but web certificates go in the home of the virtual server and so no "central" option would be useful.

Thu, 03/13/2008 - 08:20 (Reply to #5)
desperatedcoolman

But, since I can't use port 25 at home, I need to use another port -- smtps.
Actually, I don't know much about what a cert is for, but I just want to have a secure connection like https for email. um... is an auto-generated cert not good for this?
Thanks very much for your time.

Thu, 03/13/2008 - 17:32 (Reply to #6)
Joe

> Actually, I don't know much about what a cert is for, but I just want to have a secure connection like https for email. um... is an auto-generated cert not good for this?

A self-signed certificate will work--but most mail clients will be very chattery about the lack of identity. Rightly so, as not being able to verify this information leaves you open to a man-in-the-middle attack--which is what the encryption is also supposed to prevent (in either case, what an attacker needs is access to one of the routing points in between the client and the server in order to insert their packet logger or a proxy that logs, in the case of encrypted but non-verifiable traffic). Both are actually quite historically unlikely to be an issue--most of the points along the way are trustworthy (though the recent AT&T and telecom immunity bills and such make that seem a more serious threat, and they would, of course, have the resources to make use of either attack vector and probably have done and continue to do so on behalf of the government).

There are ways to ensure even a self-signed certificate is legit--check the actual public key against the one stored on your server, so you verify that it's not a proxy. Clients that aren't you can't do that--but you as an administrator can.

Anyway, if you don't care about the warnings, and take the time to verify the certificate is really the one you created when you accept it in your mail client, self-signed certs are as strong as ones from cert providers. For folks running a business with non-technical clients, this isn't an option. But a cheap-o chained cert from GoDaddy is fine.

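Added example, not part of the original thread: one way an administrator could do the check described in the post above, by comparing the SHA-256 fingerprint of the certificate presented on the smtps port (465) with the fingerprint of the certificate file stored on the server. The function names, host name and file path are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import re
import ssl

_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def fingerprint_from_pem(pem_text):
    """SHA-256 fingerprint of the first certificate in a PEM string.

    The first block is taken as the server's own certificate; chain
    certificates or a private key in the same file are ignored.
    """
    match = _CERT_RE.search(pem_text)
    if match is None:
        raise ValueError("no certificate block found")
    der = base64.b64decode("".join(match.group(1).split()))
    return hashlib.sha256(der).hexdigest()


def fingerprints_match(a, b):
    """Compare fingerprints, ignoring case and the colons some tools print."""
    def norm(s):
        return s.replace(":", "").strip().lower()
    return hmac.compare_digest(norm(a), norm(b))


def presented_fingerprint(host, port=465):
    """Fingerprint of the certificate served on an implicit-TLS port.

    No CA validation happens here, so a self-signed certificate is
    accepted; the fingerprint comparison is the actual check.
    """
    return fingerprint_from_pem(ssl.get_server_certificate((host, port)))


def check_server(host, local_cert_path, port=465):
    """True only if the server presents the certificate stored on disk."""
    with open(local_cert_path) as fh:
        expected = fingerprint_from_pem(fh.read())
    return fingerprints_match(presented_fingerprint(host, port), expected)
```

Run `check_server("mail.example.com", "/path/to/postfix-cert.pem")` (both values are placeholders) from the client's network, using a copy of the certificate file fetched over a channel you already trust such as SSH; a `False` result means something other than your server answered the TLS handshake.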

Fri, 03/14/2008 - 07:36 (Reply to #7)
hescominsoon

How would I use the self-signed certificate from the Virtualmin install in Postfix?

Fri, 03/14/2008 - 13:25 (Reply to #8)
Joe

Same way as with any other certificate that I mentioned above:

You can do that in the Postfix module in the "SMTP Authentication And Encryption" page. You obviously need a certificate and key file (and, optionally, a Certificate Authority file if you're using a chained certificate like those sold by GoDaddy for about 20 bucks).

Topic locked