===== OpenSSL, TLS, Postfix, Apache Etc =====

A friend of mine asked me to show him how to use encryption for his mail and web server, so I wrote this page for him. Maybe you will find some of the info useful too.

Install OpenSSL, then enter

  openssl req -out certificate.csr -newkey rsa:4096 -nodes -keyout certprivate.key

This creates a private key and a certificate signing request (CSR) that you can use to buy SSL certificates. The -nodes option writes the private key unencrypted, so keep certprivate.key readable only by root.

If you buy an SSL certificate, you need to send the SSL provider your CSR file, and you get some files back from them. My SSL provider sent me linux_cert+ca.pem, linux_cert+ca.pem, and certificate_company.txt.

An intermediate certificate authority (CA) is an entity that can sign certificates on behalf of the root CA. The root CA signs the intermediate certificate, forming a chain of trust.

Here is a link on how to convert between the different certificate formats: https://myonlineusb.wordpress.com/2011/06/19/how-to-convert-certificates-between-pem-der-p7bpkcs7-pfxpkcs12/

To use SSL/TLS in:

==== Postfix ====

Add in /etc/postfix/main.cf

  # TLS parameters
  smtpd_tls_cert_file=/etc/ssl/private/linux_cert+ca.pem
  smtpd_tls_key_file=/etc/ssl/private/certprivate.key
  smtpd_use_tls=yes
  smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
  smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
  smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
  smtpd_tls_loglevel = 1
  smtpd_tls_received_header = yes

and in /etc/postfix/tls_policy

  domain.xx encrypt
  .domain.xx encrypt

Because the map type is hash, the policy table has to be compiled with postmap after every edit before Postfix can read it.

==== Apache2 ====

If you do not want to waste your money, I recommend using Certbot (https://certbot.eff.org/#debianstretch-apache). You will get free three-month certificates, and it is very easy to renew them.
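
Going back to the Postfix section: the two entries in /etc/postfix/tls_policy are both needed because the SMTP client looks up the exact next-hop first and only then tries parent domains with a leading dot. The following sketch is an added example, not part of the original page and not Postfix code; it emulates that lookup order in simplified form, and the destinations and the "may" fallback (standing in for smtp_tls_security_level, which the page does not set) are assumptions.

```python
# Added example: simplified emulation of the Postfix SMTP client's
# tls_policy lookup order. The table is the page's tls_policy content;
# the destinations and the "may" fallback are constructed assumptions.

POLICY_TEXT = """\
# /etc/postfix/tls_policy
domain.xx    encrypt
.domain.xx   encrypt
"""


def parse_policy(text):
    """Return {lookup_key: security_level} from tls_policy table text."""
    table = {}
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) != 2 or parts[0].startswith("#"):
            continue  # blank line, comment, or key without a value
        # The first word of the value is the level; attributes may follow.
        table[parts[0].lower()] = parts[1].split()[0]
    return table


def lookup(table, nexthop, default_level):
    """Return (level, matched_key) for one next-hop destination."""
    name = nexthop.lower()
    if name in table:
        return table[name], name
    # Explicit next-hops such as [host]:port are matched verbatim only.
    if "[" in name or ":" in name:
        return default_level, None
    # Otherwise strip one label at a time and try the ".parent" keys.
    while "." in name[1:]:
        name = name[name.index(".", 1):]
        if name in table:
            return table[name], name
    return default_level, None


def audit(destinations, default_level="may"):
    """Resolve each destination against the page's policy table."""
    table = parse_policy(POLICY_TEXT)
    return {d: lookup(table, d, default_level) for d in destinations}


if __name__ == "__main__":
    sample = ["domain.xx", "mail.domain.xx", "notdomain.xx", "[mail.domain.xx]:587"]
    for dest, (level, key) in audit(sample).items():
        print(f"{dest:24} -> {level:8} (matched {key})")
```

Destinations that match neither entry fall back to the global outbound level, so the policy table only enforces encryption for domain.xx and its subdomains.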