SSL for Panther Server mail


This is a pretty technical article for those who are interested in putting SSL facilities on a Panther Server.

So, you have obtained a certificate for your XServe or other OS X server and you want to use that certificate for the built-in email services. Unfortunately, if this is documented somewhere in the OS X Panther Server documentation, I can't find it. So, I played around and figured it out.

For the sake of this discussion, the name of the key and certificate files will be my.key and my.cert.

Postfix (SMTP services)

Postfix configuration files are stored in /etc/postfix. In here, we will be editing the main.cf file. In this file, look for a line beginning with smtpd_tls_cert_file and define the variable to be /etc/postfix/my.cert. Then, do the same thing with smtpd_tls_key_file, setting it to /etc/postfix/my.key. If either of these lines does not exist, just create them with the appropriate value, separated by an equal sign (=).

Now, copy the key and cert files to the /etc/postfix directory. Don't forget to go to the Server Manager and turn on SSL.

At this point, your next SMTP connection will be able to set up SSL, so you're in good shape!

Cyrus (IMAP and POP services)

Now that you can send email securely, how about receiving it? Well, Cyrus is the mail server for receiving mail and so we need to change it's configuration to refer to the certificate and key files. For some reason, it appears that Cyrus really wants to have the certificate for the CA, so it would be helpful to grab the certificate from your certificate provider.

Cyrus's IMAP configuration is in /etc/imapd.conf. This file contains a variety of lines with variable names on the left and values on the right separated by colons (:).

Once in this file, set the following variable with the following values:Variable| Value
---|---
tls_cert_file| /var/imap/my.cert
tls_key_file| /var/imap/my.key
tls_ca_file| /var/imap/my.ca

Save it and turn on the option in Server Manager and you should be ready to go! Now, check your settings on your client and turn on SSL (pointed at port 993 if you like).