Postfix StartSSL

  1. Generate certificate request
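    # Working directory for the key material; restrict it to root.
    mkdir -p /root/ssl
    chmod 700 /root/ssl
    cd /root/ssl
    # Create a new 4096-bit RSA key and a certificate request for it.
    # -nodes stores the key without a passphrase, so the key file's
    # permissions are its only protection. The subshell's umask 077 makes the
    # new files owner-only from the moment they are created, without changing
    # the umask for later steps.
    (umask 077 && openssl req -new -newkey rsa:4096 -nodes -keyout mail.nindl.net.key -out mail.nindl.net.csr)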
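  2. Submit mail.nindl.net.csr on startssl.com to have mail.nindl.net.crt issued, and copy the result to /root/ssl/mail.nindl.net.crt. Only the .csr is uploaded; the .key stays on the server. (StartCom/StartSSL was distrusted by the major root programs in 2016-2017 and stopped issuing in 2018; with another CA the same steps apply, using that CA's intermediate and bundle files.)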
  3. Download the StartSSL Bundle
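    # Fetch the root bundle and the class 1 intermediate into /root/ssl.
    # Absolute output paths, so this step does not depend on the current
    # directory left over from step 1.
    wget https://www.startssl.com/certs/ca-bundle.pem -O /root/ssl/startssl-ca-bundle.pem
    wget https://www.startssl.com/certs/sub.class1.server.ca.pem -O /root/ssl/startssl-sub.class1.server.ca.pem
    # These files become part of the chain the server presents, so check them
    # before installing, e.g. compare the fingerprint with a value obtained
    # through a separate channel:
    #   openssl x509 -noout -fingerprint -sha256 -in /root/ssl/startssl-sub.class1.server.ca.pem
    cp /root/ssl/startssl-ca-bundle.pem /etc/ssl/certs/startssl-ca-bundle.pem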
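  4. Copy the private key and the certificate, then append the intermediate CA certificate to the certificate file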
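    # Private key: install it owner-only (root, mode 600) regardless of the
    # current umask, since the key carries no passphrase.
    install -m 600 -o root -g root /root/ssl/mail.nindl.net.key /etc/ssl/private/postfix.pem
    # Certificate file: server certificate first, then the intermediate CA.
    # Written in one step with absolute paths, so re-running it does not
    # append the intermediate a second time and it works from any directory.
    cat /root/ssl/mail.nindl.net.crt /root/ssl/startssl-sub.class1.server.ca.pem > /etc/ssl/certs/postfix.pem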
  5. Set in /etc/postfix/main.cf
    # Server certificate followed by the intermediate CA certificate
    # (the file assembled in step 4).
    smtpd_tls_cert_file=/etc/ssl/certs/postfix.pem
    # Private key matching the certificate; it was generated without a
    # passphrase in step 1, so keep this file readable by root only.
    smtpd_tls_key_file=/etc/ssl/private/postfix.pem
    # StartSSL CA bundle downloaded in step 3.
    smtpd_tls_CAfile=/etc/ssl/certs/startssl-ca-bundle.pem
    # NOTE(review): these three lines only set file paths; whether the server
    # offers STARTTLS is controlled by smtpd_tls_security_level, which is not
    # shown on this page. Confirm it is set elsewhere in main.cf.