

cd /usr/share/ssl/misc

create new CA:
\begin{verbatim}
	CA.pl -newca
		country: DE
		state: schwaben
		city: Ulm
		company:
		section:
		name:
		emailaddress:
\end{verbatim}

generate ssl key:
\begin{verbatim}
	CA.pl -newreq
		... the same questions
\end{verbatim}

sign request with CA:
\begin{verbatim}
	CA.pl -sign
\end{verbatim}

remove passphrase from private key (daemons cannot answer a passphrase prompt; the resulting key.pem is unencrypted, so file permissions are its only protection -- see "secure" below):
\begin{verbatim}
	openssl rsa <newreq.pem >key.pem
	(to be used by programs automatically; key.pem now holds the key in the clear)
\end{verbatim}

secure:
\begin{verbatim}
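	umask 077                                   # everything created below (notably the cat > stunnel.pem) starts out 0600, no world-readable window
	chmod 400 *.pem                             # newreq.pem, newcert.pem, key.pem -- key.pem is the unencrypted key
	cp newcert.pem /etc/postfix/cert.pem
	cp key.pem /etc/postfix/key.pem
	cp demoCA/cacert.pem /etc/postfix/CAcert.pem
	chmod 400 /etc/postfix/*.pem                # was "chmode": not a command, so the line silently did nothing

	mkdir /etc/stunnel
	cat newcert.pem key.pem >/etc/stunnel/stunnel.pem    # stunnel -p takes one PEM file holding both cert and key
	chmod 400 /etc/stunnel/stunnel.pem
	# check /etc/stunnel with `stunnel -V'
	# the CA's own key stays in demoCA/private/cakey.pem, passphrase-protected -- never copy it into a service directory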
\end{verbatim}


set up stunnels for POP, etc. (the plaintext pop3/imap daemons behind them must listen on 127.0.0.1 only, otherwise the second nmap still shows 110/143 open to the network; note also that those daemons now see 127.0.0.1 as the client address, so their logs no longer show the real peer):
\begin{verbatim}
	nmap localhost
	stunnel -d pop3s -r localhost:pop3 -p /etc/stunnel/stunnel.pem
	stunnel -d imaps -r localhost:imap -p /etc/stunnel/stunnel.pem
	nmap localhost
		pop3s 995
		imaps 993
\end{verbatim}

do not use stunnel with SMTP:
because smtpd would see every connection coming from 127.0.0.1 -- the real client address is lost for logging and, worse, for client-IP based relay restrictions (mynetworks), which can turn the server into an open relay !!
use STARTTLS in postfix instead (below)

postfix: main.cf (both directions are opportunistic: smtpd offers STARTTLS but still accepts plaintext, and smtp falls back to plaintext when the peer offers no STARTTLS; with our own self-signed CA, remote peers will not be able to verify our cert, which is acceptable for opportunistic encryption only)
\begin{verbatim}
	smtpd_use_tls = yes
	smtpd_tls_received_header = no (does not log in received headers)

	smtpd_tls_key_file = /etc/postfix/key.pem
	smtpd_tls_cert_file = /etc/postfix/cert.pem
	smtpd_tls_CA_file = /etc/postfix/CAcert.pem

	smtp_use_tls = yes  (use TLS for sending)
	smtp_tls_key_file = /etc/postfix/key.pem
	smtp_tls_cert_file = /etc/postfix/cert.pem
	smtp_tls_CA_file = /etc/postfix/CAcert.pem
\end{verbatim}





stunnel (exec/inetd mode: -l runs the given program directly instead of forwarding to a port; the warning above about the daemon losing the real client address applies here too):
$ stunnel -f -p stunnel.pem -l /path/to/smtpd