Wednesday, June 23, 2010

Startssl certificate (free) + exim + courier (Debian/Lenny)

So, my GoDaddy SSL cert finally expired. I wanted a new cert, but I wasn't up to paying $29/year/domain for something only a few users use, and I still wanted a cert from a recognized CA (no more adding exceptions). Looking around I found the great startssl.com, a CA that is trusted by most of today's browsers and email clients, and best of all, their certs are free for non-business users!

The host I run is a Debian Lenny machine with exim4 and courier as MTA/IMAP server. So, here we go:

1) Sign up for a cert at StartSSL and follow the instructions (you will eventually end up with a client cert you need to install in your browser).
2) Log in, verify your email / domain, go into the certificate wizard and create a "Web Server SSL/TLS Certificate".
3) Create a new private key (2048-bit key length is the default, stick with it). Remember the password, you will need it later.
4) Save the encrypted private key as server.crypted.key. Create a passphrase-less version with
openssl rsa -in server.crypted.key -out server.key
, or just use the toolbox and paste in your key.
5) Select one of the validated domains to create a server cert, and enter a subdomain such as mail.domain.com, or whatever. My cert was for the domain.com level, and that name will also be included in the mail.domain.com cert.
6) The cert is eventually created, so save it as server.crt.
7) Go to the toolbox and download the Server Certificate Bundle with CRLs (PEM encoded) as ca-bundle.pem.
8) Copy ca-bundle.pem to /etc/ssl/certs.

I have saved my files to /etc/ssl/startssl/. With this as the base, the real work begins:
Create a dhparam file
1) openssl dhparam -out dhparam.pem 1024
2) openssl gendh >> dhparam.pem

For Exim4:
1) Edit /etc/exim4/exim4.conf. Add/edit these fields:

tls_advertise_hosts = *
tls_certificate = /etc/ssl/startssl/server.crt
tls_verify_certificates = /etc/ssl/certs/ca-bundle.pem
tls_privatekey = /etc/ssl/startssl/server.key
tls_dhparam = /etc/ssl/startssl/dhparam.pem
tls_on_connect_ports = 465
auth_advertise_hosts = ${if eq{$tls_cipher}{}{}{*}}
daemon_smtp_ports = 25 : 465 : 587 : 10025

2) You're done! Restart exim4 and be a happy camper.

For Courier:
1) cat server.key server.crt > server.pem
2) cat server.pem dhparam.pem > /etc/courier/imapd.pem
3) Edit /etc/courier/imapd-ssl. Add/edit the following:

TLS_CERTFILE=/etc/courier/imapd.pem
TLS_TRUSTCERTS=/etc/ssl/certs

4) Restart courier-ssl

That's how I got it to work. Good luck!
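As an added example that is not part of the original post: a small POSIX shell helper that assembles Courier's imapd.pem from the files named above, but only after checking that server.key really belongs to server.crt and that server.crt verifies against ca-bundle.pem, so a mix-up shows up here instead of as a cryptic handshake failure in the mail client. The check functions are my own and assume only the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example (not from the post): build Courier's imapd.pem only after
# checking the pieces fit together. File names follow the post; the check
# functions are my own and assume the openssl CLI is installed.
set -eu

# The key's RSA modulus must equal the certificate's; otherwise the wrong
# key is being paired with the cert (e.g. an old key or a different one).
check_key_matches_cert() {  # key.pem cert.pem
    k=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null) || return 1
    c=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ "$k" = "$c" ]
}

# The server cert must chain to the CA bundle that clients (and exim's
# tls_verify_certificates) trust; otherwise users are back to clicking
# through exceptions.
check_chain() {  # ca-bundle.pem cert.pem
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Concatenate in the order Courier expects (key, cert, DH params) and keep
# the result private, since it contains the unencrypted private key.
build_courier_pem() {  # key cert dhparam ca-bundle output
    check_key_matches_cert "$1" "$2" || { echo "key does not match cert" >&2; return 1; }
    check_chain "$4" "$2" || { echo "cert does not verify against bundle" >&2; return 1; }
    ( umask 077; cat "$1" "$2" "$3" > "$5" )
    chmod 600 "$5"
}

# Usage with the paths from the post:
# build_courier_pem /etc/ssl/startssl/server.key /etc/ssl/startssl/server.crt \
#     /etc/ssl/startssl/dhparam.pem /etc/ssl/certs/ca-bundle.pem /etc/courier/imapd.pem
```

Note that the 1024-bit DH parameters generated in the post are considered too weak today; 2048 bits is the usual floor.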
