Monday, 06 July 2015 01:20

Converting your apache certificate to qmail

This document helps you convert your Apache certs for use with qmail. This step is completely optional, but note that the common name you used needs to match the server name so that your clients do not get the nag screen when they check their POP3 account or send email via SSL or TLS.

You will need to do one of the following: either purchase a certificate from a signing authority, or re-key a current certificate if you're moving servers. To convert your Apache cert, it is important to create the cert correctly. Here is how to do it:

First, we create the key:

# mkdir /root/certs
# cd /root/certs
# openssl genrsa -out domain.key 2048

You can substitute 2048 with 4096 for stronger encryption. Make sure you replace domain with your actual domain name.

Next, we need to add a password. Go ahead and type it, then confirm it.

Now create a CSR:

# openssl req -new -key domain.key -out domain.csr

It is important to type in all the information for your company here. When it asks for Common Name (eg, YOUR name) []: it is VERY IMPORTANT that this field matches what your users are going to use for their mail server name. If you are buying a cert for multiple domains, this will be the domain users use the most. When viewing a cert for multiple domains, the common name will appear first and the others will show on the cert.

This is the CSR you can use to generate your cert when the provider you buy your cert from asks for it. You can use this information to purchase your certificate.

First, let's back up the current /var/qmail/control folder:

# mkdir /var/qmail/backup_control
# cp -Rp /var/qmail/control/* /var/qmail/backup_control

Please copy the .crt you received to the root folder. Then run the following to make a signed cert:

# cd /root/certs
# cat domain.key > /var/qmail/control/servercert.pem
# cat cert.crt >> /var/qmail/control/servercert.pem
# cat intermediate.crt >> /var/qmail/control/servercert.pem

And now let's set the permissions on servercert.pem:

# chown root:qnofiles /var/qmail/control/servercert.pem
# chmod 640 /var/qmail/control/servercert.pem

Now let's create the clientcert.pem file and set its permissions:

# cp /var/qmail/control/servercert.pem /var/qmail/control/clientcert.pem
# chown root:qmail /var/qmail/control/clientcert.pem
# chmod 640 /var/qmail/control/clientcert.pem

Now restart qmail so this takes effect on all services:

# qmailctl restart

That will restart ALL the qmail services so the new certificate will take effect.

Now your customers will not get the annoying nag screen when they send mail via smtp-ssl or smtp-tls, or connect via imap!
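
A sanity check for the servercert.pem built above, as an added example that is not part of the original article: it verifies the block order (key, then certificates), that the key is not passphrase-protected (services restarted by qmailctl run unattended and cannot answer a prompt), that the key matches the certificate, that the certificate covers the mail host name, and that the mode is 640. The function names and the host name argument are assumptions of this example.

```sh
# Added example, not from the original article; function names are hypothetical.

# Print the order of PEM blocks in the file, e.g. "KEY CERT CERT".
pem_layout() {
    awk '/^-----BEGIN .*PRIVATE KEY-----/ {o = o " KEY"; next}
         /^-----BEGIN CERTIFICATE-----/   {o = o " CERT"; next}
         /^-----BEGIN /                   {o = o " OTHER"}
         END {print substr(o, 2)}' "$1"
}

# True if the key block is passphrase-protected (PKCS#8 or legacy PEM header).
key_is_encrypted() { grep -Eq 'BEGIN ENCRYPTED PRIVATE KEY|^Proc-Type: 4,ENCRYPTED' "$1"; }

# True if the private key and the first certificate carry the same public key.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -passin pass: -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# True if the first certificate is valid for the mail host name clients use.
cert_covers_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
        grep -q 'does match certificate'
}

# True if the file mode is exactly 640, as set with chmod in the article.
mode_is_640() { [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-r-----" ]; }

# Run every check; print each failure and return non-zero if any check fails.
check_qmail_pem() {   # usage: check_qmail_pem FILE MAILHOST
    rc=0
    pem_layout "$1" | grep -Eq '^KEY( CERT)+$' ||
        { echo "FAIL: expected one key followed by certificate(s)"; rc=1; }
    if key_is_encrypted "$1"; then
        echo "FAIL: key is passphrase-protected"; rc=1
    elif ! key_matches_cert "$1"; then
        echo "FAIL: key does not match the first certificate"; rc=1
    fi
    cert_covers_host "$1" "$2" || { echo "FAIL: certificate does not cover $2"; rc=1; }
    mode_is_640 "$1" || { echo "FAIL: mode is not 640"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: $1"
    return "$rc"
}

# When run as a script with two arguments, check that file against that host.
if [ "$#" -eq 2 ]; then check_qmail_pem "$1" "$2"; fi
```

Saved as a script, it takes the PEM path and the host name your users configure in their mail client as its two arguments, and exits non-zero if any check fails.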

Last modified on Thursday, 29 September 2016 02:40