Configuring Postfix on SLES 10 to Use GoDaddy Certificates

This document (7002392) is provided subject to the disclaimer at the end of this document.


SUSE Linux Enterprise Server 10


To secure (encrypt) communication between a Postfix SMTP server and another SMTP server or client, certificates must be  configured.  The resolution listed below describes how to setup GoDaddy certificates with Postfix.  The process is likely similar with certificates provided by other certificate authorities, but can have subtle differences.


To begin the process of obtaining a GoDaddy certificate, a certificate signing request (csr) must be created along with a private key file.  This can be done using OpenSSL on the SuSE Linux Enterprise Server.  The private key file must be created first.  First, go to a terminal prompt and become the root user.  In the example below, the command is first given to become the superuser and then the commands are given to create a new directory where all files generated are kept.  A command is given to change to the new directory.  Lastly, a private key file by the name of 'hostname.key' is created.

NOTE:  It is important that the key file not be lost.  Please make backups of this file once obtained.

su -
mkdir /etc/postfix/ssl
cd /etc/postfix/ssl
openssl genrsa -out hostname.key 1024

The 'hostname.key' file is then used by OpenSSL to generate the csr that will need to be presented to GoDaddy.  To generate a csr file with the name 'hostname.csr' issue the following command.

openssl req -new -nodes -key hostname.key -out hostname.csr

Upon issuing the command to create the csr file, a number of questions pertinent to the creation of the file will be asked.  An example is listed below.

NOTE:  When prompted for the "Common Name", the expected response is the fully qualified hostname of the server where the certificate will be implemented.  For the purposes of this document, this is the server where Postfix is installed.

Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:UT
Locality Name (eg, city) []:Provo
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Widgits Inc
Organizational Unit Name (eg, section) []:Customer Services
Common Name (eg, YOUR name) []
Email Address []

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

At this point, the csr is ready to be submitted to GoDaddy for the process of minting the certificate.  It is important to note that when going through the process of submitting the csr to GoDaddy, the person going through the submission process will be asked to designate which type of application the certificate is intended for.  Possible answers include Tomcat, Apache, IIS and others.  Success has been seen when choosing Apache as the application the certificate is intended for.

After the csr has been submitted and the certificate has been approved, a zip file containing two files will be emailed to the submitter.  The filenames will be <Common Name entered in CSR process>.crt and gd_bundle.csr.  Place these two files in the /etc/postfix/ssl directory.

The private key file 'hostname.key' and the two files received from GoDaddy should now be concatenated into a single file. The file created in the example below is 'hostname.pem'.  Also, the filename '' used in the example will not match the filename of your certificate.  Please insert the correct filename.

cat hostname.key gd_bundle.crt >> hostname.pem

The /etc/postfix/ssl directory should now contain 5 files.  In the example described thus far, the five files are:


Finally, the process of modifying Postfix can begin.  The two files needed to be modified for our example are '/etc/postfix/' and '/etc/postfix/'.  It would be best to first make a backup of the original files.

cp /etc/postfix/ /etc/postfix/
cp /etc/postfix/ /etc/postfix/

The following lines need to be added or modified in the file within a text editor.  Note that the first two lines point to files created during the process previously listed.

smtpd_tls_key_file = /etc/postfix/ssl/hostname.key
smtpd_tls_cert_file = /etc/postfix/ssl/hostname.pem
smtpd_use_tls = yes
smtp_use_tls = yes
smtpd_tls_auth_only = no
smtp_tls_note_starttls_offer = yes
smtpd_tls_loglevel = 2
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_randome_source = dev:/dev/urandom

The only change to the file is to remove the remark from the beginning of the following line:

#tlsmgr    unix  -       -       n       1000?   1       tlsmgr

It should then look like this:

tlsmgr    unix  -       -       n       1000?   1       tlsmgr

At this point, Postfix needs to be restarted.

rcpostfix restart

Now is the time to perform a quick test to see if Postfix will allow a TLS connection.  From the terminal prompt, do the following:

telnet localhost 25
<a banner will appear>
ehlo localhost
<a number of allowed services will appear which should include STARTTLS>
<no error should be returned>

If an error is returned, search first in the file '/var/log/mail.warn' .  This file will include any errors when attempting to read the certificate entries when Postfix is started.  It is common to have typographical errors cause issues.  Please make sure there are no spelling errors and that all entries and filenames are case sensitive.

The Postfix system should now be ready to communicate securely.


This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID:7002392
  • Creation Date: 16-Jan-2009
  • Modified Date:25-Feb-2021
    • SUSE Linux Enterprise Server

< Back to Support Search

For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]

SUSE Support Forums

Get your questions answered by experienced Sys Ops or interact with other SUSE community experts.

Join Our Community

Support Resources

Learn how to get the most from the technical support you receive with your SUSE Subscription, Premium Support, Academic Program, or Partner Program.

SUSE Customer Support Quick Reference Guide SUSE Technical Support Handbook Update Advisories
Support FAQ

Open an Incident

Open an incident with SUSE Technical Support, manage your subscriptions, download patches, or manage user access.

Go to Customer Center