Installing StartSSL Certificates - Postfix / Dovecot / Nginx

In the previous topic I told about the service where you can get ssl-certificates for free. And in continuation, I decided to describe how to install them on this or that software.
I will review the following software:

• Postfix
• Dovecot
• Nginx

All of the above is set to CentOS 5.5.

Postfix

With postfix, I suffered the most. It would seem that there is documentation, a bunch of examples, etc., it should be all simple, but no, having tried a bunch of options at the same time re-reading the documentation, I killed quite a bit of time until everything began to work.

Training

It is understood that you already have a private key and certificate for the domain.
mail.example.com.key
mail.example.com.crt
You also need to download the file with the certificate of the intermediate CA of the required class.
They can be found here.
For free certificates, this is sub.class1.server.ca.pem
In this example, I use a private key without passphrase.
And so we have 3 files.
mail.example.com.key
mail.example.com.crt
sub.class1.server.ca.pem
Create a file that eats postfix
cat mail.example.com.key mail.example.com.crt sub.class1.server.ca.pem > mail.example.com.pem
we copy the received file where it is necessary, I put the in / etc / pki / postfix /
Of course, we don’t score owner and rights, as our key is in the file.

in /etc/postfix/main.cf add:
smtpd_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
smtpd_tls_cert_file = /etc/pki/postfix/mail.example.com.pem #
smtpd_tls_key_file = /etc/pki/postfix/mail.example.com.pem #
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_tls_session_cache
smtpd_use_tls = yes

smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_tls_session_cache
smtpd_tls_security_level = may

smtpd_tls_received_header = yes
smtpd_tls_loglevel = 1
smtpd_tls_auth_only = no
tls_random_source = dev:/dev/urandom

What each parameter means and what it is responsible for can be found in the Postifx documentation.
to verify that everything is okay, you can use the following command:
openssl s_client -starttls smtp -showcerts -connect localhost:25
As a result, something like this should return:
SSL handshake has read 4760 bytes and written 354 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: 418AA0ED7BA85B2B9301FA127D05DCAFABCEDC192101A6E75DD872FA3E528366
Session-ID-ctx:
Master-Key: 498FB41D5810A9768710936351DC92169B6D7DEFAHTEDBDUO60DE9349DA7EB5536F975A8BC4AF190466B637CC129A93E
Key-Arg : None
Krb5 Principal: None
Start Time: 1287331961
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
250 DSN

in /etc/postfix/master.cf we uncomment the following lines:
smtps inet n - n - - smtpd
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes

On this postfix everything.
')

Dovecot

With dovekotom everything turned out to be much easier and everything worked for me the first time.

Training

You already have 3 files
mail.example.com.key
mail.example.com.crt
sub.class1.server.ca.pem
Copy the key, create a certificate that eats dovecot
cp mail.example.com.key /etc/pki/dovecot/private/
cat mail.example.com.crt sub.class1.server.ca.pem > /etc/pki/dovecot/certs/mail.example.com.pem

In dovecot.conf you need to register:
ssl_cert_file = /etc/pki/dovecot/certs/mail.example.com.pem
ssl_key_file = /etc/pki/dovecot/private/mail.example.com.key
and of course enable SSL
ssl_listen = *
ssl = yes
And add to the list of protocols necessary for you personally.
protocols = pop3 pop3s imap imaps
UPD: if you need to provide IMAP and POP on different subdomains such as imap.example.com and pop.example.com, then you need to prepare certificates for each subdomain as described above
and make the following changes to dovecot.conf
protocol imap {
listen = 192.0.2.1:143
ssl_listen = 192.0.2.1:993
ssl_cert_file = /etc/pki/dovecot/certs/imap.example.com.pem
ssl_key_file = /etc/pki/dovecot/private/imap.example.com.key
}
protocol pop3 {
listen = 192.0.2.1:110
ssl_listen = 192.0.2.1:995
ssl_cert_file = /etc/pki/dovecot/certs/pop.example.com.pem
ssl_key_file = /etc/pki/dovecot/private/pop.example.com.key
}

Thank you Andrey_Zentavr for this addition to the article.

Nginx

With him, too, everything is very simple and, in general, the procedure is not different from the dovecot

Podgotovka

You already have 3 files
mail.example.com.key
mail.example.com.crt
sub.class1.server.ca.pem
Copy the key, create a certificate that eats nginx
cp mail.example.com.key /etc/pki/nginx/private/
cat mail.example.com.crt sub.class1.server.ca.pem > /etc/pki/nginx/certs/mail.example.com.pem

in the configuration for the nginx host there must be something like this:
server {
listen 443;
server_name mail.example.com;
ssl on;
ssl_certificate /etc/pki/nginx/certs/mail.example.com.pem;
ssl_certificate_key /etc/pki/nginx/private/mail.example.com.key;

ssl_session_timeout 5m;

ssl_protocols SSLv2 SSLv3 TLSv1;
ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
ssl_prefer_server_ciphers on;

location / {
root /srv/www/htdocs/;
index index.html index.htm;
}
}


That's all, I hope someone this topic will be useful.

UPD2: Thank you rojer for the valuable fix.