email server – Port 587
These instructions let you support multiple websites (virtual hosting) and use the same cert for your primary website and your email (only one email domain name can be covered by the cert). If you already have your SSL cert and have put all the pieces where they belong, skip down to the lines where you update main.cf.
On the webserver:
dnf -y install mod_ssl openssl sasl pem
openssl req -nodes -newkey rsa:2048 -sha256 -keyout website.key -out website.csr
(-sha2 is not a valid digest option; -sha256 is. -nodes writes the private key unencrypted, so keep priv-key readable by root only.)
mv website.csr csr/
mv website.key priv-key
Copy the answers you typed in when creating the CSR into a text file "website-rqst.txt" and move that file into the csr directory.
Use cat to print the CSR, then copy the text and paste it into the box on the registrar's SSL request form.
You may need to register your company name with Dun and Bradstreet (you will need this for the next step). The free route may take some time (up to 30 days).
Buy your SSL cert. This can take a week or so (they have to verify that you are who you say you are). Make sure that you give your domain name WITHOUT the www.
As part of purchasing the SSL cert you send the CSR to the registrar and get back a zip file. Unpack it under /etc/ssl/website/ and move each file into the directory shown on the right:
Substitute your own domain wherever I write website.
A. website.crt => pub-key
B. AddTrustExternalCARoot.crt.crt => cafile
C. DV_NetworkDVSolutions_CA2.crt => cafile
D. dv_chain.txt => cafile
E. DV_USERTrustRSACertificationAuthority.crt => cafile
Update main.cf and add the following. Clients must be able to build the full chain, so either append the intermediate CA certs from cafile to the file named in smtpd_tls_cert_file or point smtpd_tls_CAfile at them:
smtp_use_tls = yes
smtp_tls_security_level = may
smtpd_use_tls = yes
smtpd_tls_cert_file = /etc/ssl/website.com/pub-key/WEBSITE.COM.crt
smtpd_tls_key_file = /etc/ssl/website.com/priv-key/website.com.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
Make sure that the firewall allows port 587. Postfix only listens on 587 when the submission service is enabled in master.cf.
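As an added example (not part of these notes or of Postfix itself), the POSIX shell script below checks the three things that most often go wrong with the files main.cf points at: that the private key in priv-key actually belongs to the certificate in pub-key, that the certificate verifies against the CA bundle you assembled in cafile, and that the key file is not readable by anyone but its owner. The file names are placeholders; the demo at the bottom generates a throwaway self-signed pair so it runs without your real certificate.

```shell
#!/bin/sh
# Added example: pre-flight checks for the cert/key files referenced in main.cf.
# Requires the openssl command line tool. Paths below are placeholders.
set -u

# Return 0 if the public key inside the certificate matches the private key.
# A mismatch here is the usual cause of a "key values mismatch" error when
# Postfix starts.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    crt_pub=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ]
}

# Return 0 if the certificate ($2) chains up to the CA bundle in $1.
# Point $1 at the concatenated files you put in the cafile directory.
cert_chain_ok() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Return 0 if the private key is readable only by its owner (mode ?00).
# openssl req -nodes writes the key unencrypted, so the file mode is the
# only thing protecting it.
key_perms_strict() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null) || return 1
    case "$mode" in
        [0-7]00) return 0 ;;
        *)       return 1 ;;
    esac
}

# Constructed test data: a 1-day self-signed cert for CN=example.test,
# used only so the demo can run offline without a purchased certificate.
make_demo_pair() {
    openssl req -x509 -nodes -newkey rsa:2048 -sha256 -days 1 \
        -subj "/CN=example.test" -keyout "$1" -out "$2" >/dev/null 2>&1
}

# Demo run against the throwaway pair (set DEMO=0 to only define the functions).
if [ "${DEMO:-1}" = "1" ]; then
    tmp=$(mktemp -d)
    make_demo_pair "$tmp/mail.key" "$tmp/mail.crt"
    chmod 600 "$tmp/mail.key"
    if key_matches_cert "$tmp/mail.key" "$tmp/mail.crt"; then
        echo "key/cert: match"
    else
        echo "key/cert: MISMATCH"
    fi
    # A self-signed cert verifies against itself; in production pass the CA bundle.
    if cert_chain_ok "$tmp/mail.crt" "$tmp/mail.crt"; then
        echo "chain: ok"
    else
        echo "chain: FAILED"
    fi
    if key_perms_strict "$tmp/mail.key"; then
        echo "key perms: ok"
    else
        echo "key perms: TOO OPEN"
    fi
    rm -rf "$tmp"
fi
```

Source the script with DEMO=0 and call the functions against the real paths from main.cf, for example key_matches_cert /etc/ssl/website.com/priv-key/website.com.key /etc/ssl/website.com/pub-key/WEBSITE.COM.crt. Once Postfix has been restarted, openssl s_client -starttls smtp -connect mail.example.test:587 (hostname is a placeholder) shows the chain the server actually presents, which is the quickest way to catch a missing intermediate.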