Tuesday, March 11, 2014

Certificate for courier esmtpd

To enable SSL/TLS support for the ESMTP, you need to have a server certificate. Usually, the installation process of the package in a Linux distribution will create a default, self-signed certificate for you. However, if you want to create a proper certificate for your site, following is some simple steps to do so.

First, you need to generate a key for your server if you don't already have one:
openssl genrsa -out server.key 2048
With that key, you can then generate a certificate request:
openssl req -new -key server.key -out server.csr
If you did not customize your openssl.cnf configuration file, the above command will prompt you for the details of identify for the server in the certificate. Answer all questions as you please except for the common name "CN", which should be the host name to connect to your server.

Now, you need to get a Certificate Authority to sign your request. For example, if you have a demoCA setup for your openssl installation, you can do:
openssl ca -config openssl.cnf -policy policy_anything -out server.crt -infiles server.csr
This results in the certificate file server.crt. You then can combine the server key and certificate files to create the certificate file for the courier mail server.
cat server.key server.crt > esmtpd.pem
This used to be sufficient. However, the newer version (0.73) of courier requires a "DH parameters" block in the certificate file. This can be generated and appended with:
openssl dhparam 1024 >> esmtpd.pem
Now, you can point the "TLS_CERTFILE" in all the configuration files to the certificate esmtpd.pem and restart your server.