Download the CA bundle file from VietNamHost and rename it to ca-bundle.crt:
cat ca-bundle.crt > /etc/ssl/certs/ca-bundle.crt
chmod 644 /etc/ssl/certs/ca-bundle.crt
cat /etc/ssl/certs/mail_certificate.pem > /etc/ssl/certs/postfix.pem
cat /etc/ssl/private/mail_privatekey.pem > /etc/ssl/private/postfix.pem
chown root:ssl-cert /etc/ssl/private/postfix.pem
# private key: readable by root and the ssl-cert group only, never world-readable
chmod 640 /etc/ssl/private/postfix.pem
chown root:root /etc/ssl/certs/postfix.pem
chmod 444 /etc/ssl/certs/postfix.pem
The TLS portion of the Postfix config should look something like this:
smtp_tls_CAfile = /etc/ssl/certs/ca-bundle.crt
smtp_tls_cert_file = /etc/ssl/certs/postfix.pem
smtp_tls_key_file = /etc/ssl/private/postfix.pem
smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_tls_session_cache
smtp_use_tls = yes
smtpd_tls_CAfile = /etc/ssl/certs/ca-bundle.crt
smtpd_tls_cert_file = /etc/ssl/certs/postfix.pem
smtpd_tls_key_file = /etc/ssl/private/postfix.pem
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_tls_session_cache
smtpd_use_tls = yes
smtpd_tls_received_header = yes
smtpd_tls_loglevel = 1
smtpd_tls_auth_only = no
tls_random_source = dev:/dev/urandom
Now let's test SMTP for TLS using telnet:
telnet mail.example.org 25
You should get a banner similar to this.
Trying 127.0.0.1...
Connected to mail.example.org.
Escape character is '^]'.
220 mail.example.com NO UCE ESMTP
Issue an EHLO command:
EHLO test.com
You should now see something like this. Check that 250-STARTTLS is listed.
250-mail.example.org
250-PIPELINING
250-SIZE 52428800
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
Issue the STARTTLS command:
STARTTLS
If you see the following, you are all set.
220 2.0.0 Ready to start TLS
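The telnet session stops at the 220 reply, so it never exercises the handshake or the certificate chain, and the EHLO reply above advertises AUTH PLAIN LOGIN before STARTTLS, which is what smtpd_tls_auth_only = no allows. The following is an added example, not part of the original instructions: it audits an EHLO reply for both points and can complete the handshake against a live server. The function names audit_ehlo and probe are hypothetical, and the sample reply is constructed from the output shown above.

```python
import smtplib
import ssl
import sys

# Constructed sample: the pre-STARTTLS EHLO reply shown in the article.
SAMPLE_EHLO = """250-mail.example.org
250-PIPELINING
250-SIZE 52428800
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN"""


def audit_ehlo(reply):
    """Parse a multi-line 250 EHLO reply received before STARTTLS."""
    keywords = []
    for line in reply.splitlines():
        line = line.strip()
        # Each line is "250-<text>" (more follows) or "250 <text>" (last line).
        if len(line) > 4 and line[:3] == "250" and line[3] in "- ":
            keywords.append(line[4:].upper())
    keywords = keywords[1:]  # first line is the server greeting, not an extension
    # AUTH (or the legacy "AUTH=" form) on the cleartext channel means clients
    # may send PLAIN/LOGIN credentials unencrypted.
    auth_cleartext = any(k.startswith("AUTH") for k in keywords)
    return {"starttls": "STARTTLS" in keywords,
            "auth_before_tls": auth_cleartext, "extensions": keywords}


def probe(host, port=25, cafile="/etc/ssl/certs/ca-bundle.crt"):
    """Live check: finish STARTTLS with chain and hostname verification."""
    ctx = ssl.create_default_context(cafile=cafile)
    with smtplib.SMTP(host, port, timeout=10) as s:
        s.ehlo()
        before = s.has_extn("auth")
        s.starttls(context=ctx)  # raises ssl.SSLError on a bad chain or name mismatch
        s.ehlo()
        return {"tls": s.sock.version(), "cipher": s.sock.cipher()[0],
                "auth_before_tls": before, "auth_after_tls": s.has_extn("auth")}


if __name__ == "__main__":
    print(audit_ehlo(SAMPLE_EHLO))
    if len(sys.argv) > 1:
        print(probe(sys.argv[1]))
```

Run it with the mail server's hostname as the only argument to perform the live probe; with smtpd_tls_auth_only = yes, auth_before_tls should come back False while auth_after_tls stays True.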