So, again, I'm pretty much creating this blog post so in a year from now, when I need to renew, I'll have a procedure on how to do it. For the longest time I've been using self-signed certs for mail, but needed to finally get a trusted cert (GeoTrust cert) in the picture. I went with GeoCerts to purchase the cert (Quick SSL Basic). So the first step is to create a key and CSR.
openssl genrsa -out mail.comp.com.key 2048
openssl req -new -key mail.comp.com.key -out mail.comp.com.csr
During the cert sign up it'll ask to paste the CSR. After verification, it will mail to the domain approver and you'll receive a cert bundle. This bundle is a collection of server cert, intermediate cert and trusted root cert. We will need to chain the cert (basically munge them together into a single .pem file).
Add the following certs in order within the file
(Your Web server Certificate)
(GeoTrust root certificate)
Now you need to create a .p12 file then return it back to a .pem file.
openssl pkcs12 -export -in mail.comp.com.pem -inkey mail.comp.com.key -out All-certs.p12 -clcerts
openssl pkcs12 -in All-certs.p12 -out mail.comp.com.final.pem
I created both of these with blank passwords. Not sure if that's bad.. but that's what I did. Now this will create a mail.comp.com.final.pem which is our cert. We need to hook that into /etc/postfix/main.cfI added the following to main.cf
smtpd_tls_key_file = /etc/postfix/ssl/mail.comp.com.key
smtpd_tls_cert_file = /etc/postfix/ssl/mail.comp.com.final.pem
Okay.. so that takes care of SMTP.. but not POP. To manage the pop it's a little bit more involved. We need to create a cert file with key/cert together and using the base DH info in there. I borrowed from the existing pop3d.pem for the layout.
I created a new pop3d.pem file and added /etc/postfix/ssl/mail.comp.com. In this file I added the /etc/postfix/ssl/mail.comp.com.key content, then immediately after that I added the first cert in /etc/postfix/ssl/mail.comp.com.final.pem. This is the server cert (so we don't need to include the CA info). I mentioned there is a DH PARAMETERS. I left that from the original pop3d.pem. I updated /etc/courier-imap/pop3d-ssl configuration to look at the proper pem file and restarted courier-authlib