The following describes how to get StartSSL certificates working with lighttpd. First of all, read how to get a free SSL certificate from StartSSL and actually create the certificates.
# Fetch the StartSSL CA bundle so Postfix can build and verify certificate chains
wget http://www.startssl.com/certs/ca-bundle.crt -O ca-bundle.crt
cat ca-bundle.crt > /etc/ssl/certs/ca-bundle.crt
chmod 644 /etc/ssl/certs/ca-bundle.crt
# Copy the mail certificate and its private key to the paths used in main.cf below
cat /etc/ssl/certs/mail_certificate.pem > /etc/ssl/certs/postfix.pem
cat /etc/ssl/private/mail_privatekey.pem > /etc/ssl/private/postfix.pem
# The private key must not be world-readable: root owns it, the ssl-cert group may read it
chown root:ssl-cert /etc/ssl/private/postfix.pem
chmod 640 /etc/ssl/private/postfix.pem
# The certificate is public; read-only for everyone is fine
chown root:root /etc/ssl/certs/postfix.pem
chmod 444 /etc/ssl/certs/postfix.pem
The TLS portion of the Postfix configuration (main.cf) should look something like this.
# Outbound (smtp client) TLS settings
smtp_tls_CAfile = /etc/ssl/certs/ca-bundle.crt
smtp_tls_cert_file = /etc/ssl/certs/postfix.pem
smtp_tls_key_file = /etc/ssl/private/postfix.pem
smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_tls_session_cache
# Legacy opportunistic-TLS switch; on Postfix 2.3 and later the equivalent is smtp_tls_security_level = may
smtp_use_tls = yes
# Inbound (smtpd server) TLS settings
smtpd_tls_CAfile = /etc/ssl/certs/ca-bundle.crt
smtpd_tls_cert_file = /etc/ssl/certs/postfix.pem
smtpd_tls_key_file = /etc/ssl/private/postfix.pem
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_tls_session_cache
# Legacy opportunistic-TLS switch; on Postfix 2.3 and later the equivalent is smtpd_tls_security_level = may
smtpd_use_tls = yes
smtpd_tls_received_header = yes
smtpd_tls_loglevel = 1
# "no" means AUTH is offered on the plaintext EHLO too, so clients may send credentials before STARTTLS;
# set this to "yes" if you want authentication only inside a TLS session
smtpd_tls_auth_only = no
tls_random_source = dev:/dev/urandom
Test SMTP for TLS
telnet mail.example.org 25
You should get a banner similar to this.
Trying 127.0.0.1...
Connected to mail.example.org.
Escape character is '^]'.
220 mail.flexion.org NO UCE ESMTP
Issue an EHLO command
EHLO test.com
You should now see something like this. Check that the 250-STARTTLS line is present.
250-mail.example.org
250-PIPELINING
250-SIZE 52428800
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
Issue the STARTTLS command
STARTTLS
If you see the following, you are all set.
220 2.0.0 Ready to start TLS
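The telnet walkthrough above shows that the server offers STARTTLS but does not check the certificate that comes back. The following is an added example, not part of the original page, that automates the same EHLO / STARTTLS steps and then completes the handshake with chain and hostname verification against the CA bundle installed earlier. It also reports whether AUTH is advertised on the plaintext EHLO, which is what the smtpd_tls_auth_only = no setting causes. The SAMPLE_EHLO_REPLY is a constructed copy of the reply shown above, the host mail.example.org and the CA bundle path are assumed, and the function names are this example's own.

```python
"""Check an SMTP server for STARTTLS the way the telnet walkthrough does, then
complete the TLS handshake with certificate verification against a CA bundle.
Added example; not code from the original page."""
import smtplib
import ssl
import sys

# Constructed sample: a multi-line EHLO reply as it appears in a raw telnet session.
SAMPLE_EHLO_REPLY = b"""250-mail.example.org
250-PIPELINING
250-SIZE 52428800
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN"""


def parse_ehlo_capabilities(reply: bytes) -> dict[str, list[str]]:
    """Turn an EHLO reply into {KEYWORD: [params]}.

    Accepts both the raw wire form ("250-KEYWORD ...") and smtplib's ehlo_resp,
    which has the "250-" prefixes already stripped. The first line (server
    hostname) is skipped; the two AUTH spellings are merged into one entry."""
    caps: dict[str, list[str]] = {}
    lines = reply.decode("ascii", "replace").splitlines()
    for line in lines[1:]:
        body = line.strip()
        if body.startswith("250"):
            body = body[3:].lstrip("- ")
        if not body:
            continue
        keyword, _, rest = body.partition(" ")
        keyword = keyword.upper()
        params = rest.split()
        if keyword.startswith("AUTH="):  # legacy "AUTH=PLAIN LOGIN" form
            params = [keyword[5:]] + params
            keyword = "AUTH"
        merged = caps.setdefault(keyword, [])
        for p in params:
            if p not in merged:
                merged.append(p)
    return caps


def advertises_starttls(reply: bytes) -> bool:
    """True when the reply contains the 250-STARTTLS line the walkthrough looks for."""
    return "STARTTLS" in parse_ehlo_capabilities(reply)


def auth_offered_in_clear(reply: bytes) -> bool:
    """True when AUTH is advertised on the plaintext EHLO (smtpd_tls_auth_only = no),
    meaning a client could send credentials before STARTTLS."""
    return bool(parse_ehlo_capabilities(reply).get("AUTH"))


def check_starttls(host: str, port: int = 25,
                   cafile: str = "/etc/ssl/certs/ca-bundle.crt",  # assumed path
                   timeout: float = 10.0) -> dict:
    """Live check: connect, EHLO, require STARTTLS, upgrade with chain and
    hostname verification against cafile, and report what the server presented."""
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED plus hostname check
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        code, _ = smtp.ehlo()
        if code != 250:
            raise RuntimeError(f"EHLO rejected with {code}")
        clear_caps = parse_ehlo_capabilities(smtp.ehlo_resp)
        if "STARTTLS" not in clear_caps:
            raise RuntimeError("server does not advertise STARTTLS")
        code, _ = smtp.starttls(context=ctx)  # expects "220 2.0.0 Ready to start TLS"
        if code != 220:
            raise RuntimeError(f"STARTTLS rejected with {code}")
        smtp.ehlo()  # RFC 3207: capabilities must be re-read inside the TLS session
        peer = smtp.sock.getpeercert()
        return {
            "tls_version": smtp.sock.version(),
            "peer_subject": peer.get("subject"),
            "auth_in_clear": bool(clear_caps.get("AUTH")),
            "auth_after_tls": bool(parse_ehlo_capabilities(smtp.ehlo_resp).get("AUTH")),
        }


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "mail.example.org"  # assumed host
    print(check_starttls(target))
```

Run it as `python3 check_starttls.py mail.example.org`; a failed chain or hostname check surfaces as an ssl.SSLError from starttls(), which is exactly the condition the manual telnet session cannot reveal. The equivalent one-off check from the shell is `openssl s_client -starttls smtp -connect mail.example.org:25 -CAfile /etc/ssl/certs/ca-bundle.crt`, which prints the verify result at the end of its output.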