Adding trusted cert to Postfix and Courier-Imap

So, again, I'm pretty much writing this post so that a year from now, when I need to renew, I'll have a procedure to follow. For the longest time I've been using self-signed certs for mail, but I finally needed to get a trusted cert (a GeoTrust cert) in the picture. I went with GeoCerts to purchase it (Quick SSL Basic). The first step is to create a key and a CSR.

cd /etc/postfix/ssl
openssl genrsa -out <keyfile> 2048
openssl req -new -key <keyfile> -out <csrfile>

Use whatever names you like for <keyfile> and <csrfile>. Leave the key unencrypted (no passphrase option on genrsa): Postfix cannot prompt for a passphrase at startup. Keep it readable only by root (chmod 600), since it is the one secret in this whole setup.

During the cert sign-up it will ask you to paste the CSR. After verification (it mails the domain approver), you'll receive a cert bundle: the server cert, the intermediate cert and the trusted root cert. We need to chain them (basically concatenate them into a single .pem file), because clients only trust the root; without the intermediate in between they cannot link your server cert to it, and they will reject the connection.


Add the certs to the file in this order:

(Your server certificate)
(Intermediate certificate)
(GeoTrust root certificate)

The intermediate is the one that matters. Clients already have the root in their trust store, so including it is harmless but optional.

Now convert to a .p12 file and back to a .pem file (optional, see below):

openssl pkcs12 -export -in <chainfile> -inkey <keyfile> -out All-certs.p12
openssl pkcs12 -in All-certs.p12 -nodes -out <pemfile>

This round trip is not actually required: Postfix reads PEM directly, so concatenating the key file and the chain file (or pointing Postfix at the two files separately) gives the same result. If you do go through PKCS#12, pass -nodes on the way out so the extracted key is written unencrypted.

I created both of these with blank passwords. That is fine for the .p12 as long as you treat it as a transient file: a blank password means the key inside it is unprotected, so delete All-certs.p12 once you have the PEM out. The PEM key has to be unencrypted anyway, since Postfix cannot enter a passphrase. The result is a PEM file holding the key and the chained certs, which we now need to hook into /etc/postfix/main.cf.

I added the following to main.cf:

smtpd_tls_key_file = /etc/postfix/ssl/<keyfile>
smtpd_tls_cert_file = /etc/postfix/ssl/<chainfile>

Both may point at the same combined file if you built one. These settings only do anything if TLS is switched on (smtpd_tls_security_level = may, or smtpd_use_tls = yes on older Postfix releases).

This option is no longer needed now that the intermediate is in the cert file. smtpd_tls_CAfile is primarily for verifying client certificates; it can also supply missing intermediates for the server's chain, but the Postfix documentation recommends putting them in the cert file instead, which is what we did.

smtpd_tls_CAfile =

Okay, so that takes care of SMTP, but not POP. Courier is a bit more involved: it wants a single file with the key and cert together, plus DH parameters. I borrowed the layout from the existing pop3d.pem.

I created a new pop3d.pem. Into it I put the key from /etc/postfix/ssl/<keyfile>, then immediately after it the first cert from /etc/postfix/ssl/<chainfile>, which is the server cert. After those I kept the DH PARAMETERS block from the original pop3d.pem. Then I updated TLS_CERTFILE in /etc/courier-imap/pop3d-ssl to point at the new pem file and restarted the pop3d-ssl daemon (courier-authlib only handles authentication; pop3d-ssl is what reads TLS_CERTFILE, so restarting authlib alone does not pick up the new cert).

Two caveats. The server cert alone leaves out the intermediate, and POP clients need it just as much as SMTP clients do; if your Courier version accepts a chain in TLS_CERTFILE, append the intermediate after the server cert (check the pop3d-ssl documentation for your version). And DH parameters copied from an old pop3d.pem may be short; if they are under 2048 bits, generate fresh ones with openssl dhparam before pasting them in. Keep the file mode 0600, since it holds the private key.
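The following script is an added example, not code from the original post. It walks the whole procedure above end to end (key and CSR, the chained PEM for Postfix in the order server / intermediate / root, and the key + server cert + DH parameters file for Courier) and then checks the result. Because a commercial CA cannot be called offline, a constructed throw-away root and intermediate CA stand in for GeoTrust; everything the CA would do for you is marked as such. The host name mail.example.com, the scratch-directory layout and the file names (mail.example.com.key, mail.example.com-chain.pem, pop3d.pem) are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Builds every file the post
# describes in a scratch directory: key and CSR, a chained PEM for Postfix,
# and a key+cert+DH PEM for Courier. A constructed, throw-away root and
# intermediate CA stand in for GeoTrust so the script runs offline.
# HOST and all file names are assumptions.
set -eu

HOST="${HOST:-mail.example.com}"   # assumed hostname
DH_BITS="${DH_BITS:-2048}"         # 2048-bit DH params take a while to generate; that is normal

build_mail_certs() (
    cd "$1"
    # 1. Private key and CSR. No passphrase: Postfix and Courier cannot
    #    prompt for one at start-up.
    openssl genrsa -out "$HOST.key" 2048 2>/dev/null
    openssl req -new -key "$HOST.key" -out "$HOST.csr" -subj "/CN=$HOST"

    # 2. Stand-in CA (constructed): a self-signed root signs an intermediate,
    #    which signs our CSR. A commercial CA does this part for you.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    openssl genrsa -out root.key 2048 2>/dev/null
    openssl req -new -key root.key -out root.csr -subj "/CN=Stand-in Root CA"
    openssl x509 -req -in root.csr -signkey root.key -days 3650 -sha256 \
        -extfile ca.ext -out root.crt 2>/dev/null
    openssl genrsa -out inter.key 2048 2>/dev/null
    openssl req -new -key inter.key -out inter.csr -subj "/CN=Stand-in Intermediate CA"
    openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
        -days 1825 -sha256 -extfile ca.ext -out inter.crt 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' "$HOST" > srv.ext
    openssl x509 -req -in "$HOST.csr" -CA inter.crt -CAkey inter.key -CAcreateserial \
        -days 365 -sha256 -extfile srv.ext -out "$HOST.crt" 2>/dev/null

    # 3. Postfix: server cert, then intermediate, then root, in one file.
    #    Plain concatenation does it; no PKCS#12 round trip is needed.
    cat "$HOST.crt" inter.crt root.crt > "$HOST-chain.pem"

    # 4. Courier: key, server cert and DH parameters in a single PEM.
    openssl dhparam -out dh.pem "$DH_BITS" 2>/dev/null
    cat "$HOST.key" "$HOST.crt" dh.pem > pop3d.pem
    chmod 600 "$HOST.key" pop3d.pem
)

verify_mail_certs() (
    cd "$1"
    # The server cert must validate through the intermediate up to the root.
    openssl verify -CAfile root.crt -untrusted inter.crt "$HOST.crt" >/dev/null
    # Key and certificate must carry the same public key.
    [ "$(openssl pkey -in "$HOST.key" -pubout 2>/dev/null)" = \
      "$(openssl x509 -in "$HOST.crt" -pubkey -noout)" ]
    # First cert in the chain file is the server cert (what Postfix presents first).
    openssl x509 -in "$HOST-chain.pem" -noout -subject | grep -q "$HOST"
    [ "$(grep -c 'BEGIN CERTIFICATE' "$HOST-chain.pem")" -eq 3 ]
    # Courier file has all three parts and is not world-readable.
    grep -q 'PRIVATE KEY' pop3d.pem
    grep -q 'BEGIN CERTIFICATE' pop3d.pem
    grep -q 'DH PARAMETERS' pop3d.pem
    [ "$(ls -l pop3d.pem | cut -c1-10)" = "-rw-------" ]
)

# Run end to end:  sh mailcerts.sh /some/empty/dir
if [ $# -gt 0 ]; then
    build_mail_certs "$1" && verify_mail_certs "$1" && echo "all checks passed in $1"
fi
```

Once the real files are in place and Postfix and Courier have been restarted, repeat the verify step against the live daemons: openssl s_client -connect mail.example.com:25 -starttls smtp for SMTP and openssl s_client -connect mail.example.com:995 for POP, and look for "Verify return code: 0 (ok)" in the output. A non-zero code with "unable to get local issuer certificate" almost always means the intermediate is missing from the file the daemon serves.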