Qmail SSL Installation

Security Certificate
To configure an SSL certificate for TLS and/or SSL over SMTP (using xxx.com):

1) Create an RSA private key, encrypted with Triple DES (recommended, or according to the CA's site):

openssl genrsa -des3 -out servercert.key.enc 2048

2) Remove the pass phrase from the private key (the resulting servercert.key is stored unencrypted):

openssl rsa -in servercert.key.enc -out servercert.key

3) Generate the certificate signing request:

openssl req -new -key servercert.key -out servercert.csr

4) Go to DiscountWebCerts and submit servercert.csr for a trusted certificate ($19.95). You will then receive a servercert.crt. Now just do the following.

5) Back up the existing file, then create the standard .pem at /var/qmail/control/servercert.pem:

cp -p /var/qmail/control/servercert.pem /var/qmail/control/servercert.pem.orig
cat servercert.key servercert.crt > /var/qmail/control/servercert.pem

6) Restart Qmail

7) SSL over SMTP on port 465 is deprecated, so by default nothing listens on port 465 with the basic Qmail-Toaster. Therefore set up stunnel:

cp -p /var/qmail/control/servercert.pem /etc/stunnel/mail.pem
chmod 600 /etc/stunnel/mail.pem
chown root:qmail /etc/stunnel/mail.pem

mkdir /var/run/stunnel
chown nobody:nobody /var/run/stunnel/

vi /etc/stunnel/stunnel.conf
cert = /etc/stunnel/mail.pem
chroot = /var/run/stunnel/
pid = /stunnel.pid
setuid = nobody
setgid = nobody

[ssmtp]
accept = 465
connect = 25

/usr/sbin/stunnel > /dev/null &

vi /etc/rc.local
/usr/sbin/stunnel &> /dev/null

8) Test on the server first:

openssl s_client -host mail.xxx.com -port 465
openssl s_client -host mail.xxx.com -port 995
openssl s_client -host mail.xxx.com -port 993

9) Test from an Outlook client with smtp-ssl on 465, pop3-ssl on 995 and imap-ssl on 993.
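
As an added example (not part of the original instructions), the shell function below checks a combined PEM such as the one built in step 5 and copied in step 7: key and certificate both present, pass phrase removed, no access for other users, and certificate matching the key. The name check_pem and its return codes are assumptions made for this example; the key/certificate comparison runs only when openssl is on the PATH.

```shell
#!/bin/sh
# Added example, not from the original page.
# Return codes (chosen for this example): 0 ok, 1 key or certificate missing,
# 2 key still pass-phrase protected, 3 world-accessible, 4 key/cert mismatch.
check_pem() {
    f=$1
    [ -r "$f" ] || { echo "$f: not readable"; return 1; }

    # Step 5 concatenates key and certificate, so both blocks must be present.
    grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$f" ||
        { echo "$f: no private key block"; return 1; }
    grep -q -e '-----BEGIN CERTIFICATE-----' "$f" ||
        { echo "$f: no certificate block"; return 1; }

    # Step 2 strips the pass phrase; an encrypted key cannot be loaded unattended.
    if grep -q -e 'Proc-Type: 4,ENCRYPTED' -e 'BEGIN ENCRYPTED PRIVATE KEY' "$f"; then
        echo "$f: private key is still encrypted"; return 2
    fi

    # The file holds an unencrypted key, so "other" must have no access at all.
    other=$(ls -ld "$f" | cut -c8-10)
    [ "$other" = "---" ] || { echo "$f: world-accessible ($other)"; return 3; }

    # Compare the public key derived from the private key with the certificate's.
    if command -v openssl >/dev/null 2>&1; then
        kpub=$(openssl pkey -in "$f" -pubout 2>/dev/null)
        cpub=$(openssl x509 -in "$f" -pubkey -noout 2>/dev/null)
        if [ -z "$kpub" ] || [ "$kpub" != "$cpub" ]; then
            echo "$f: certificate does not match private key"; return 4
        fi
    fi
    echo "$f: ok"
}

# Run directly as: sh check_pem.sh /var/qmail/control/servercert.pem
[ "$#" -eq 0 ] || check_pem "$1"
```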


Alan Studio © 2007 by Alan Cheung Hin Lun. All rights reserved.