== INVESTIGATION 1: GENERATING A SELF-SIGNED CERTIFICATE ==
According to Wikipedia (https://en.wikipedia.org/wiki/Transport_Layer_Security), '''Transport Layer Security''' (TLS) and its predecessor, '''Secure Sockets Layer''' (SSL), both of which are frequently referred to as 'SSL', are cryptographic protocols designed to provide communications security over a computer network.
Normally (in production) you need to pay a certificate authority to issue a certificate for you. That's essentially a signed public key that will tell strangers on the internet your server is really yours (the certificate authority says so). There's an obvious problem with the previous statement but that's mostly how public key encryption works on the internet today.
* Your .crt file is your public key.
=== Encrypting Postfix with Transport Layer Security (TLS) ===
'''Perform the following steps:'''
#Let's start with the "sending" SMTP server we have on VM2. Run the following, replacing andrewsmith.org with your own domain name:
<source lang="bash">cd /root/postfix-keys
cp vm2.andrewsmith.org.crt cacert.pem /etc/ssl/certs/</source>
:'''NOTE:''' Those commands will create a certificate, a certificate signing request, and a certificate authority, and sign your certificate with your certificate authority. This is the same as in the real world, except that there you would contact a real CA; here you're making up your own.
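The sequence the note describes (certificate authority, signing request, signed certificate), followed by a check that the result is consistent before it is copied into place. This is an added example, not the lab's own commands; the host name vm2.example.org, the function names and every file name other than cacert.pem and the <code>.crt</code> file are assumptions.

```shell
#!/usr/bin/env bash
# Added example: build a throwaway CA, issue a server certificate from it,
# and verify the result. Function names and the .key/.csr/cakey.pem file
# names are assumptions made for this illustration.

# make_lab_cert HOST DIR: writes cakey.pem, cacert.pem, HOST.key, HOST.csr, HOST.crt
make_lab_cert() (
    host="$1"; dir="$2"
    umask 077                      # private keys must not be readable by others
    mkdir -p "$dir" && cd "$dir" || exit 1

    # 1. Certificate authority: a key plus a self-signed root certificate.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=Lab CA" -keyout cakey.pem -out cacert.pem 2>/dev/null || exit 1

    # 2. Server key and certificate signing request (CSR).
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$host" -keyout "$host.key" -out "$host.csr" 2>/dev/null || exit 1

    # 3. The CA signs the CSR, producing the server certificate.
    openssl x509 -req -in "$host.csr" -CA cacert.pem -CAkey cakey.pem \
        -CAcreateserial -sha256 -days 365 -out "$host.crt" 2>/dev/null || exit 1
)

# check_lab_cert HOST DIR: succeeds only if HOST.crt chains to cacert.pem
# and carries the public half of HOST.key.
check_lab_cert() {
    local host="$1" dir="$2" cert_pub key_pub
    openssl verify -CAfile "$dir/cacert.pem" "$dir/$host.crt" >/dev/null 2>&1 || return 1
    cert_pub=$(openssl x509 -in "$dir/$host.crt" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$dir/$host.key" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Example use (constructed host name):
#   make_lab_cert vm2.example.org /root/postfix-keys
#   check_lab_cert vm2.example.org /root/postfix-keys && echo "certificate OK"
```

Only the <code>.crt</code> file and cacert.pem are meant to be shared; the two key files stay private, which is why the function sets a restrictive umask.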
<ol><li value="2">Now configure Postfix to use it, by adding the following to your main.cf file:</li></ol>
<pre># Settings to enable secure SMTP using my self-signed certificate: