Creating an SSL certificate for Postfix/Courier IMAP on Ubuntu

If your SSL certificate has expired and you have chosen to go with PositiveSSL (Comodo), this post may help you out.

1. Generate your Certificate Signing Request (CSR)

openssl req -new -nodes -newkey rsa:2048 -keyout servername.com.key -out servername.com.csr

2. Submit the CSR file to Comodo for signing; you will receive the certificate by email.

3. Copy the certificate text from the email into a new file on the server, then append the private key generated in step 1. The resulting file should look like this. Save it as servername.com.pem

-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----

Make sure there is a blank line at the end of your PEM file.

4. Create your bundle file using the following command

cat COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > bundle.crt

5. On Ubuntu machines, open /etc/courier/imapd-ssl and change the following settings

TLS_CERTFILE=/path/to/your/servername.com.pem
TLS_TRUSTCERTS=/path/to/your/bundle.crt

If your customers do not use Microsoft Office 2007 or earlier, add the following line

TLS_PROTOCOL=SSL3

6. Restart Courier IMAP

service courier-imap restart
service courier-imap-ssl restart

7. For Postfix, copy the certificate received in the Comodo email and save it as servername.com.crt

8. Edit /etc/postfix/main.cf and change the following

smtpd_tls_cert_file = /path/to/your/servername.com.crt
smtpd_tls_key_file = /path/to/your/servername.com.key
smtp_tls_CAfile = /path/to/your/bundle.crt

9. Restart Postfix

service postfix restart

10. For Pop3d, edit the file /etc/courier/pop3d-ssl and change the following

TLS_CERTFILE=/path/to/your/servername.com.pem
TLS_TRUSTCERTS=/path/to/your/bundle.crt

11. Restart Pop3d services

service courier-pop restart
service courier-pop-ssl restart

12. Testing IMAP SSL and POP3 SSL

openssl s_client -connect servername.com:993
openssl s_client -connect servername.com:995

Both should successfully complete the SSL handshake if everything works.
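
A check to run on the files from steps 1 to 4 before restarting the services, added here as an example (not part of the original post): it confirms the step 3 layout of servername.com.pem, that the private key matches the certificate, that bundle.crt verifies the certificate, and that the key files are not readable by group or others. The function names are invented for this example; it assumes all files sit in one directory and that the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example: checks for the files built in steps 1-4, run before the
# service restarts. Function names are invented; file names follow the post.

# Layout from step 3: certificate block first, private key block after it,
# and a newline at the end of the file.
pem_layout_ok() {
    blocks=$(sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" | tr '\n' ',')
    case $blocks in
        CERTIFICATE,*"PRIVATE KEY,") ;;
        *) return 1 ;;
    esac
    [ -z "$(tail -c 1 "$1")" ]
}

# True when the first certificate in $1 carries the public key that belongs
# to the private key in $2 (both may be the same combined .pem file).
key_matches_cert() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$c" = "$k" ]
}

# True when certificate $1 verifies against the CA certificates in bundle $2.
chain_ok() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# The key was created with -nodes (unencrypted), so no group/other access.
key_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# $1 = directory holding the files (assumed: all in one place), $2 = base name.
check_mail_tls() {
    rc=0
    pem_layout_ok "$1/$2.pem" || { echo "FAIL: $2.pem layout"; rc=1; }
    key_matches_cert "$1/$2.pem" "$1/$2.pem" || { echo "FAIL: $2.pem key/cert mismatch"; rc=1; }
    key_matches_cert "$1/$2.crt" "$1/$2.key" || { echo "FAIL: $2.crt/$2.key mismatch"; rc=1; }
    chain_ok "$1/$2.crt" "$1/bundle.crt" || { echo "FAIL: bundle.crt does not verify $2.crt"; rc=1; }
    { key_private "$1/$2.key" && key_private "$1/$2.pem"; } || { echo "FAIL: key readable by group/other"; rc=1; }
    return $rc
}

# Usage: sh check.sh /path/to/your servername.com
if [ "$#" -eq 2 ]; then check_mail_tls "$1" "$2"; fi
```

A non-zero exit status means at least one check failed, and each failure is named on its own FAIL line.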
