STARTTLS Makes The Internet Better

March 2014: STARTTLS in OpenSMTPd
Introduction
So, let’s spend a minute enabling TLS in OpenSMTPd on OpenBSD. We’ll have to generate certificates and then tell smtpd.conf about that certificate.
Bonus: Turn on Encrypted Queues at the end of this document.
Make some certificates
You’re here instead of reading the man pages. Cool. Find the specific info quickly, I get it, but check them out sometime.
man smtpd.conf
man starttls
Let’s get started by creating a keypair in the default directory.
export CERTFILENAME=alix2d13
mkdir -p /etc/mail/certs
# cron this up: regenerate the DH parameters periodically (dhparam, not dsaparam; the files are DH parameters)
openssl dhparam -out /etc/mail/certs/dh1024.pem 1024
openssl dhparam -out /etc/mail/certs/dh2048.pem 2048
# make a ten year certificate: a 4096-bit RSA key and a self-signed SHA-512 certificate
openssl genrsa -out /etc/mail/certs/${CERTFILENAME}.key 4096
openssl req -sha512 -new -x509 -key /etc/mail/certs/${CERTFILENAME}.key \
     -out /etc/mail/certs/${CERTFILENAME}.crt -days 3658
# I had to remove this and use automatic DH
ln /etc/mail/certs/dh2048.pem /etc/mail/certs/${CERTFILENAME}.dh
Update /etc/mail/smtpd.conf
Old configuration
listen on lo0
New configuration
pki alix2d13 certificate "/etc/mail/certs/alix2d13.crt" key "/etc/mail/certs/alix2d13.key"
listen on lo0 tls certificate "alix2d13"
If your mail server is already running, restart it to pick up the changes, then check that STARTTLS is offered:
/etc/rc.d/smtpd restart # or, smtpd -dv
openssl s_client -connect localhost:25 -starttls smtp
Bonus: Encrypted Queues
Just because it exists, you can turn on queue encryption quickly.
cryptokey=$(openssl rand -hex 16)   # 16 random bytes, written as 32 hex characters
echo "queue encryption key ${cryptokey}" >> /etc/mail/smtpd.conf
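As an added example (not code from the original post or from OpenSMTPD), here is a small Python lint for the two smtpd.conf edits above: it checks that every TLS listener names a pki entry that actually defines a certificate and a key, and that the queue encryption key has the shape the post's openssl command produces. The sample configuration inside it is constructed for the example and reuses the post's alix2d13 name; the second listener deliberately references an undefined pki so the lint has something to report. The 32-hex-digit expectation for the queue key is an assumption taken from `openssl rand -hex 16`, not a statement from the smtpd.conf man page.

```python
"""Lint the TLS and queue-encryption settings in an OpenSMTPD smtpd.conf.

Added example for this post, not code from OpenSMTPD or the original author.
It understands only the statements the post uses (pki, listen, queue
encryption key); every other statement is ignored.
"""
import re
import sys
from pathlib import Path

# Constructed sample config using the post's hostname alix2d13; the second
# listener deliberately references a pki name that is never defined.
SAMPLE_CONF = """\
pki alix2d13 certificate "/etc/mail/certs/alix2d13.crt" key "/etc/mail/certs/alix2d13.key"
listen on lo0 tls certificate "alix2d13"
listen on em0 tls pki mail.example
queue encryption key 0123456789abcdef0123456789abcdef
"""

PKI_RE = re.compile(r'^pki\s+(\S+)\s+(.*)$')
PKI_OPT_RE = re.compile(r'\b(certificate|key|dhparams|ca)\s+"([^"]+)"')
LISTEN_RE = re.compile(r'^listen\s+on\s+(\S+)(.*)$')
TLS_RE = re.compile(r'\b(tls|tls-require|smtps)\b')
# Accept both the 'certificate "name"' form the post uses and a bare 'pki name'
LISTEN_PKI_RE = re.compile(r'\b(?:pki|certificate)\s+"?([^"\s]+)"?')
QUEUE_KEY_RE = re.compile(r'^queue\s+encryption\s+key\s+(\S+)\s*$')
# Assumption: the key is what 'openssl rand -hex 16' produces, 32 hex digits
HEX32_RE = re.compile(r'^[0-9a-fA-F]{32}$')


def parse_conf(text):
    """Return (pki entries, listeners, queue key) parsed from smtpd.conf text."""
    pki, listeners, queue_key = {}, [], None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = PKI_RE.match(line)
        if m:
            entry = pki.setdefault(m.group(1), {})
            for opt, path in PKI_OPT_RE.findall(m.group(2)):
                entry[opt] = path
            continue
        m = LISTEN_RE.match(line)
        if m:
            opts = m.group(2)
            ref = LISTEN_PKI_RE.search(opts)
            listeners.append({
                'iface': m.group(1),
                'tls': bool(TLS_RE.search(opts)),
                'pki': ref.group(1) if ref else None,
            })
            continue
        m = QUEUE_KEY_RE.match(line)
        if m:
            queue_key = m.group(1)
    return pki, listeners, queue_key


def lint(text):
    """Return a list of human-readable findings; an empty list means nothing was flagged."""
    pki, listeners, queue_key = parse_conf(text)
    findings = []
    for name, entry in pki.items():
        for needed in ('certificate', 'key'):
            if needed not in entry:
                findings.append(f"pki {name}: no {needed} file given")
    for lst in listeners:
        where = f"listen on {lst['iface']}"
        if not lst['tls']:
            findings.append(f"{where}: no tls keyword, so STARTTLS is not offered")
        elif lst['pki'] is None:
            findings.append(f"{where}: tls enabled but no pki/certificate name given")
        elif lst['pki'] not in pki:
            findings.append(f"{where}: references undefined pki '{lst['pki']}'")
    if queue_key is not None and not HEX32_RE.match(queue_key):
        findings.append("queue encryption key: expected 32 hex digits "
                        "(16 bytes, as produced by 'openssl rand -hex 16')")
    return findings


def lint_file(path):
    """Lint a config file on disk, e.g. /etc/mail/smtpd.conf."""
    return lint(Path(path).read_text())


if __name__ == '__main__':
    # With no argument the constructed sample is linted; pass a path to check a real file.
    text = Path(sys.argv[1]).read_text() if len(sys.argv) > 1 else SAMPLE_CONF
    problems = lint(text)
    for p in problems:
        print('WARN:', p)
    print('no problems found' if not problems else f'{len(problems)} problem(s)')
```

Run it with `python3 lint_smtpd.py /etc/mail/smtpd.conf` after editing the file; on the constructed sample it reports only the listener on em0 that points at a pki name which was never defined.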
The end.
Copyright © 2014 Patrick Tudor