SSL for Panther Server mail


This is a pretty technical article for those who are interested in putting SSL facilities on a Panther Server.

So, you have obtained a certificate for your XServe or other OS X server and you want to use that certificate for the built-in email services. Unfortunately, if this is documented somewhere in the OS X Panther Server documentation, I can't find it. So, I played around and figured it out.

For the sake of this discussion, the name of the key and certificate files will be my.key and my.cert.

Postfix (SMTP services)

Postfix configuration files are stored in /etc/postfix. In here, we will be editing the main.cf file. In this file, look for a line beginning with smtpd_tls_cert_file and set it to /etc/postfix/my.cert. Then, do the same thing with smtpd_tls_key_file, setting it to /etc/postfix/my.key. If either of these lines does not exist, just create it, with the variable name and the value separated by an equals sign (=).

Now, copy the key and cert files to the /etc/postfix directory. Don't forget to go to the Server Manager and turn on SSL.

At this point, your next SMTP connection will be able to set up SSL, so you're in good shape!

Cyrus (IMAP and POP services)

Now that you can send email securely, how about receiving it? Well, Cyrus is the mail server for receiving mail and so we need to change its configuration to refer to the certificate and key files. For some reason, it appears that Cyrus really wants to have the certificate for the CA, so it would be helpful to grab the certificate from your certificate provider.

Cyrus's IMAP configuration is in /etc/imapd.conf. This file contains a variety of lines with variable names on the left and values on the right separated by colons (:).

Once in this file, set the following variables to the following values:

Variable        Value
tls_cert_file   /var/imap/my.cert
tls_key_file    /var/imap/my.key
tls_ca_file     /var/imap/my.ca

Save it and turn on the option in Server Manager and you should be ready to go! Now, check your settings on your client and turn on SSL (pointed at port 993 if you like).
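
The two edits described above (the "=" lines in Postfix's main.cf and the ":" lines in Cyrus's imapd.conf) can be scripted so that an existing line is replaced and a missing one is appended. The following is an added example, not part of the original article: set_conf and key_is_private are hypothetical helper names, the files it edits are constructed stand-ins in a temporary directory, and the check that my.key is readable only by its owner is an addition.

```shell
#!/bin/sh
# Added example. All paths under $demo are constructed stand-ins for
# /etc/postfix/main.cf and /etc/imapd.conf; nothing on the system is touched.

# set_conf FILE KEY SEP VALUE: replace the active "KEY SEP ..." line,
# or append one if none exists. Commented-out lines are left alone.
set_conf() {
    tmp=$(mktemp) || return 1
    awk -v k="$2" -v s="$3" -v v="$4" '
        BEGIN { new = (s == "=") ? k " = " v : k s " " v }
        index($0, k) == 1 {
            rest = substr($0, length(k) + 1)
            sub(/^[ \t]*/, "", rest)
            if (substr(rest, 1, 1) == s) {      # exact key, not a prefix
                if (!done) print new
                done = 1
                next
            }
        }
        { print }
        END { if (!done) print new }
    ' "$1" > "$tmp" && cat "$tmp" > "$1"        # cat keeps owner and mode
    rc=$?
    rm -f "$tmp"
    return $rc
}

# key_is_private FILE: succeed only if group and other have no access.
key_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

demo=$(mktemp -d) || exit 1
printf '%s\n' '#smtpd_tls_key_file = ' 'smtpd_tls_cert_file = /old.pem' \
    > "$demo/main.cf"
printf '%s\n' 'configdirectory: /var/imap' > "$demo/imapd.conf"
: > "$demo/my.key" && chmod 600 "$demo/my.key"

set_conf "$demo/main.cf" smtpd_tls_cert_file = /etc/postfix/my.cert
set_conf "$demo/main.cf" smtpd_tls_key_file  = /etc/postfix/my.key
set_conf "$demo/imapd.conf" tls_cert_file : /var/imap/my.cert
set_conf "$demo/imapd.conf" tls_key_file  : /var/imap/my.key
set_conf "$demo/imapd.conf" tls_ca_file   : /var/imap/my.ca

cat "$demo/main.cf" "$demo/imapd.conf"
key_is_private "$demo/my.key" && echo "my.key: owner-only"
rm -rf "$demo"
```

Running it twice against the same file leaves one line per variable, so it is safe to re-run after a certificate renewal.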