cd /usr/share/ssl/misc

create new CA:
\begin{verbatim}
CA.pl -newca
country: DE
state: schwaben
city: Ulm
company:
section:
name:
emailaddress:
\end{verbatim}
(CA.pl -newca also asks for a passphrase for the CA key; the CA key is only
needed for signing and does not belong on the mail server.)

generate ssl key and certificate request:
\begin{verbatim}
CA.pl -newreq
... the same questions
\end{verbatim}
("name" is the Common Name: it must be the host name the clients connect to,
otherwise they report a certificate mismatch.)

sign request with CA (writes the signed certificate to newcert.pem):
\begin{verbatim}
CA.pl -sign
\end{verbatim}

remove passphrase from private key (so it can be used by programs
automatically, e.g. at boot):
\begin{verbatim}
# CA.pl -newreq writes the key to newkey.pem
# (older CA.pl versions put key and request together into newreq.pem)
openssl rsa -in newkey.pem -out key.pem
\end{verbatim}

secure (the key files must stay readable by root only):
\begin{verbatim}
chmod 400 *.pem
cp newcert.pem /etc/postfix/cert.pem
cp key.pem /etc/postfix/key.pem
cp demoCA/cacert.pem /etc/postfix/CAcert.pem
chmod 400 /etc/postfix/*.pem

mkdir /etc/stunnel
cat newcert.pem key.pem >/etc/stunnel/stunnel.pem
chmod 400 /etc/stunnel/stunnel.pem
\end{verbatim}
(check /etc/stunnel with `stunnel -V')


set up stunnels for POP, etc (this is stunnel 3 command-line syntax; stunnel 4
and later take a configuration file instead):
\begin{verbatim}
nmap localhost
stunnel -d pop3s -r localhost:pop3 -p /etc/stunnel/stunnel.pem
stunnel -d imaps -r localhost:imap -p /etc/stunnel/stunnel.pem
nmap localhost
pop3s 995
imaps 993
\end{verbatim}
(the second nmap run should now list pop3s/995 and imaps/993 as open)

do not use stunnel with SMTP:
because all incoming mail would be from 127.0.0.1 !!
(stunnel forwards to localhost:smtp, so Postfix sees every client as
127.0.0.1: client restrictions, relay checks and the Received: headers all
lose the real client address)
use STARTTLS instead

postfix: main.cf
\begin{verbatim}
smtpd_use_tls = yes
# do not record TLS details in Received: headers
smtpd_tls_received_header = no

smtpd_tls_key_file = /etc/postfix/key.pem
smtpd_tls_cert_file = /etc/postfix/cert.pem
smtpd_tls_CA_file = /etc/postfix/CAcert.pem

# use TLS for sending, too (opportunistic: only if the other side offers it)
smtp_use_tls = yes
smtp_tls_key_file = /etc/postfix/key.pem
smtp_tls_cert_file = /etc/postfix/cert.pem
smtp_tls_CA_file = /etc/postfix/CAcert.pem
\end{verbatim}
(main.cf comments must start in column 1; Postfix does not accept trailing
comments. On Postfix 2.3 and later, smtpd_use_tls and smtp_use_tls are
obsolete aliases for smtpd_tls_security_level = may and
smtp_tls_security_level = may.)


stunnel, inetd-style (-f stays in the foreground, -l executes the given program
and wraps it in TLS):
\begin{verbatim}
$ stunnel -f -p stunnel.pem -l /path/to/smtpd
\end{verbatim}
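The whole procedure as one non-interactive script, added here as an example and not the notes' own commands: it replaces the CA.pl prompts with explicit -subj values, signs with openssl x509 -req instead of CA.pl's openssl ca (so no demoCA index/serial database is needed), copies the results into the /etc/postfix and /etc/stunnel layout the notes use, and then runs the checks worth doing before Postfix or stunnel are started: the certificate chains to the CA, key and certificate belong together, the passphrase really is gone, and every file is mode 0400. WORK, DEPLOY, KEYPASS and the two Common Names are assumptions of this example. check_tls_endpoint is the openssl s_client counterpart of the nmap check in the notes (it verifies the presented certificate against CAcert.pem, which nmap cannot); it needs a running listener, so the offline run does not call it.

```sh
#!/bin/sh
# Added example, not part of the original notes: CA.pl -newca / -newreq /
# -sign / "openssl rsa" done non-interactively with plain openssl
# subcommands, then the deployment layout from the notes plus checks.
# WORK (scratch dir), DEPLOY (stand-in for /etc/postfix and /etc/stunnel)
# and KEYPASS are assumptions of this example.
set -eu
umask 077                       # every file we create is owner-only from the start

WORK=${WORK:-$(mktemp -d)}
DEPLOY=${DEPLOY:-$WORK/etc}
KEYPASS=${KEYPASS:-example-passphrase}   # stands in for the passphrase CA.pl asks for

# Subject fields from the notes; both CNs are assumptions.  The server CN
# must be the host name clients connect to.
CA_SUBJ="/C=DE/ST=schwaben/L=Ulm/CN=Example Mail CA"
SRV_SUBJ="/C=DE/ST=schwaben/L=Ulm/CN=mail.example.invalid"

# CA.pl -newca: self-signed CA certificate.  -nodes is only acceptable
# because this CA lives in a scratch directory; a real CA key stays
# passphrase-protected and off the mail server.
make_ca() {
    mkdir -p "$WORK/demoCA"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "$CA_SUBJ" -keyout "$WORK/demoCA/cakey.pem" \
        -out "$WORK/demoCA/cacert.pem" 2>/dev/null
}

# CA.pl -newreq: passphrase-protected server key plus certificate request.
make_request() {
    openssl req -new -newkey rsa:2048 -sha256 -subj "$SRV_SUBJ" \
        -passout "pass:$KEYPASS" -keyout "$WORK/newkey.pem" \
        -out "$WORK/newreq.pem" 2>/dev/null
}

# CA.pl -sign: CA.pl uses "openssl ca" and the demoCA database;
# "openssl x509 -req" produces the same certificate without it.
sign_request() {
    openssl x509 -req -sha256 -days 365 -in "$WORK/newreq.pem" \
        -CA "$WORK/demoCA/cacert.pem" -CAkey "$WORK/demoCA/cakey.pem" \
        -CAcreateserial -out "$WORK/newcert.pem" 2>/dev/null
}

# "openssl rsa": strip the passphrase so daemons can load the key unattended.
strip_passphrase() {
    openssl rsa -in "$WORK/newkey.pem" -passin "pass:$KEYPASS" \
        -out "$WORK/key.pem" 2>/dev/null
}

# The "secure:" block of the notes: Postfix gets cert, key and CA cert as
# separate files; stunnel 3 wants cert and key concatenated into one.
deploy() {
    mkdir -p "$DEPLOY/postfix" "$DEPLOY/stunnel"
    cp "$WORK/newcert.pem"        "$DEPLOY/postfix/cert.pem"
    cp "$WORK/key.pem"            "$DEPLOY/postfix/key.pem"
    cp "$WORK/demoCA/cacert.pem"  "$DEPLOY/postfix/CAcert.pem"
    cat "$WORK/newcert.pem" "$WORK/key.pem" >"$DEPLOY/stunnel/stunnel.pem"
    chmod 400 "$DEPLOY"/postfix/*.pem "$DEPLOY/stunnel/stunnel.pem"
}

# Checks: cert chains to the CA, key matches cert (same RSA modulus), key
# is really unencrypted, and every deployed file is exactly mode 0400.
check_deploy() {
    p="$DEPLOY/postfix"
    openssl verify -CAfile "$p/CAcert.pem" "$p/cert.pem" >/dev/null 2>&1 || return 1
    [ "$(openssl rsa -noout -modulus -in "$p/key.pem")" = \
      "$(openssl x509 -noout -modulus -in "$p/cert.pem")" ] || return 1
    if grep -q ENCRYPTED "$p/key.pem"; then return 1; fi
    for f in "$p"/*.pem "$DEPLOY/stunnel/stunnel.pem"; do
        [ -n "$(find "$f" -perm 0400 -print)" ] || return 1
    done
}

# Probe a live listener the way a client would: plain TLS for the stunnel
# pop3s/imaps wrappers, STARTTLS ("smtp", "pop3" or "imap") for Postfix.
# Returns 0 only if the presented certificate verifies against cafile.
check_tls_endpoint() {
    host=$1; port=$2; cafile=$3; starttls=${4:-}
    set -- -connect "$host:$port" -CAfile "$cafile"
    [ -n "$starttls" ] && set -- "$@" -starttls "$starttls"
    printf 'QUIT\r\n' | openssl s_client "$@" 2>/dev/null \
        | grep -q 'Verify return code: 0 (ok)'
}

run_all() {
    make_ca && make_request && sign_request && strip_passphrase && deploy && check_deploy
}

if command -v openssl >/dev/null 2>&1; then
    run_all
    echo "CA, server certificate and deployment in $DEPLOY check out"
else
    echo "openssl binary not found; nothing done" >&2
fi
```

The script writes only into the scratch directory and can be run as an unprivileged user. Against the real services afterwards, check_tls_endpoint localhost 995 /etc/postfix/CAcert.pem probes the stunnel pop3s wrapper and check_tls_endpoint localhost 25 /etc/postfix/CAcert.pem smtp probes Postfix STARTTLS; a non-zero return means the handshake failed or the certificate did not chain to the CA file, which nmap's open-port listing cannot tell apart from a working setup.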