TLS – Submission / Port 587

email server – Port 587

These instructions are written so that you can support multiple websites (virtual hosting) and use the same cert for your primary website and your email server. (Only one email domain name can be signed with a cert.) If you already have your SSL cert and have put all the pieces where they belong, skip down to the lines where you update main.cf.

On the webserver:

dnf -y install mod_ssl openssl sasl pem

cd /etc/ssl/

mkdir website.com

cd website.com

mkdir cafile

mkdir csr

mkdir priv-key

mkdir pub-key

mkdir from-networksolutions

openssl req -nodes -newkey rsa:2048 -sha256 -keyout website.key -out website.csr

mv website.csr csr/

mv website.key priv-key

Select the text you typed in when creating the CSR, paste it into a text file "website-rqst.txt", and move that file into the csr directory.

Use the cat command to display the CSR text, then select it and paste it into the box on the registrar's SSL request form.

You may need to register your company name with Dun and Bradstreet (you will need this for the next step). This can take some time if you go the free route (up to 30 days).

Buy your SSL cert. This process can take a week or so (they have to verify that you are who you say you are). Make sure that you give your domain name WITHOUT the www.

As part of purchasing the SSL cert, you send the CSR to the registrar. You get back a zip file. Save this file under /etc/ssl/website.com/

Unzip it.

Substitute your own domain wherever I wrote website. Move the unzipped files into the directories as follows:

A. website.crt => pub-key
B. AddTrustExternalCARoot.crt.crt => cafile
C. DV_NetworkDVSolutions_CA2.crt => cafile
D. dv_chain.txt => cafile
E. DV_USERTrustRSACertificationAuthority.crt => cafile

Update main.cf, add the following:

smtp_use_tls = yes
smtp_tls_security_level = may

smtpd_use_tls = yes
smtpd_tls_cert_file = /etc/ssl/website.com/pub-key/WEBSITE.COM.crt
smtpd_tls_key_file  = /etc/ssl/website.com/priv-key/website.com.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes


Restart Postfix.

Make sure that the firewall allows port 587.
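Before pointing main.cf at the files, it is worth confirming that the pieces actually belong together. The following check script is an added example, not part of the original post: it verifies that the key in priv-key/ matches the cert in pub-key/, that the key is not readable by other users, that the cert is not about to expire, and that the cert chains to the CA files in cafile/. The function name and the argument layout are my own; the paths are passed in as arguments.

```shell
#!/bin/sh
# Added example: sanity-check Postfix TLS material before editing main.cf.
# Usage: check_tls_material CERT KEY [CAFILE...]
#   e.g. check_tls_material /etc/ssl/website.com/pub-key/WEBSITE.COM.crt \
#          /etc/ssl/website.com/priv-key/website.com.key /etc/ssl/website.com/cafile/*
check_tls_material() {
  cert=$1; key=$2; shift 2
  # 1. The private key must belong to the cert: compare the public keys they carry.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) \
    || { echo "cannot read cert $cert"; return 1; }
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) \
    || { echo "cannot read key $key"; return 1; }
  [ "$cert_pub" = "$key_pub" ] || { echo "key $key does not match cert $cert"; return 1; }
  # 2. The private key must not be group- or world-readable (GNU stat, BSD stat fallback).
  mode=$(stat -c %a "$key" 2>/dev/null || stat -f %Lp "$key")
  case $mode in
    600|400) ;;
    *) echo "key mode is $mode, expected 600"; return 1 ;;
  esac
  # 3. The cert must still be valid 30 days (2592000 s) from now.
  openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null \
    || { echo "cert $cert expires within 30 days"; return 1; }
  # 4. If CA files were given, concatenate them and verify the chain against them.
  if [ $# -gt 0 ]; then
    chain=$(mktemp)
    cat "$@" > "$chain"
    if ! openssl verify -CAfile "$chain" "$cert" >/dev/null 2>&1; then
      rm -f "$chain"; echo "cert $cert does not verify against the CA files"; return 1
    fi
    rm -f "$chain"
  fi
  echo "ok: $cert matches $key"
  return 0
}
```

Note that Postfix sends clients only the certificates in the file named by smtpd_tls_cert_file (server cert first, then intermediates), so the chain files in cafile/ are not presented unless they are appended there or listed via smtpd_tls_CAfile.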
