I spent way too much time remembering how to do this several months ago, so when it once again took me an hour to figure it out last night I thought it best to document it, both for myself and for anyone googling their way here. I’m assuming you already have postfix installed and running, so I’ll skip to just the relevant bits.

Generating a self-signed certificate for postfix on CentOS 6.5

1) Get OpenSSL

yum install openssl

2) Generate a key and a certificate

First make sure /etc/ssl/private and /etc/ssl/certs exist and create them if not. The “-p” argument creates parent directories as needed and suppresses errors if the directories already exist.

mkdir -p /etc/ssl/private
mkdir -p /etc/ssl/certs

Then generate the private key. The “-key” argument of the certificate command below reads an existing key rather than creating one, so this step has to come first. Leaving out an encryption option (such as -des3) writes the key unencrypted, which is what postfix needs: it starts unattended and has nobody to type a passphrase.

openssl genrsa -out /etc/ssl/private/ssl-cert-snakeoil.key 2048

Then run the openssl command that issues the certificate:

openssl req -new -x509 -key /etc/ssl/private/ssl-cert-snakeoil.key -out /etc/ssl/certs/ssl-cert-snakeoil.pem -days 1826

The -x509 flag tells “openssl req” to output a self-signed certificate instead of a certificate signing request. You will be prompted for the subject fields; the Common Name should be the hostname that mail clients and other mail servers connect to. This command will issue a 5-year certificate, which of course you can adjust to your preference. For a 10-year certificate just feed it 3652 days instead of 1826.

3) Do security

You don’t want anyone but root to be able to open your private key. A file created under the usual umask is 644, so removing only the “other” bits (chmod o=) would still leave it group-readable; drop both group and other, and close the directory as well.

chmod 700 /etc/ssl/private
chmod 600 /etc/ssl/private/ssl-cert-snakeoil.key

4) Configure and restart postfix

Postfix does not look in /etc/ssl/ on its own: the stock CentOS main.cf ships with smtpd_tls_cert_file and smtpd_tls_key_file empty and TLS switched off. (The ssl-cert-snakeoil name comes from Debian’s packaging, which pre-fills those parameters; on CentOS you set them yourself.) Point postfix at the files, turn on opportunistic TLS for both incoming and outgoing mail, and then restart. You can use the same settings if you prefer to keep your keys elsewhere.

postconf -e smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
postconf -e smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
postconf -e smtpd_tls_security_level=may
postconf -e smtp_tls_security_level=may
/etc/init.d/postfix restart

To confirm it worked, connect with “openssl s_client -starttls smtp -connect localhost:25” and check that your certificate is presented. Remember that a self-signed certificate encrypts the connection but cannot be verified by anyone; that is fine for opportunistic TLS, but any client or peer that insists on a trusted certificate will need one issued by a CA.
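The whole procedure as one script, added here as an example and not code from the original post: it creates the key and certificate in a single openssl call, sets the permissions, checks that the key and certificate actually belong together, checks the lifetime, and prints the postfix settings that point at the files. The directory, the hostname mail.example.com and the 1826-day lifetime are assumed defaults; the functions take them as arguments so you can try the whole thing in a scratch directory before touching /etc/ssl.

```shell
#!/bin/sh
# Added example, not code from the original post. Builds a self-signed
# certificate for postfix: key + cert in one step, tight permissions, a
# sanity check that the two match, and the postfix settings for them.
# Assumed defaults: /etc/ssl, mail.example.com, 1826 days (about 5 years).
set -eu

KEY_NAME=ssl-cert-snakeoil.key
CERT_NAME=ssl-cert-snakeoil.pem

# gen_selfsigned DIR CN DAYS
# Writes DIR/private/$KEY_NAME (0600) and DIR/certs/$CERT_NAME (0644).
#   -newkey rsa:2048  create the private key instead of reading one with -key
#   -nodes            leave it unencrypted; postfix has nobody to type a passphrase
#   -subj             answer the subject prompts non-interactively
gen_selfsigned() {
    dir=$1 cn=$2 days=$3
    mkdir -p "$dir/private" "$dir/certs"
    chmod 700 "$dir/private"
    openssl req -new -x509 -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$cn" -days "$days" \
        -keyout "$dir/private/$KEY_NAME" \
        -out "$dir/certs/$CERT_NAME" 2>/dev/null
    # 600, not "chmod o=": a default 644 would still leave group read.
    chmod 600 "$dir/private/$KEY_NAME"
    chmod 644 "$dir/certs/$CERT_NAME"
}

# key_mode FILE -> prints the 10-character mode string from ls, e.g. -rw-------
key_mode() {
    ls -l "$1" | cut -c1-10
}

# key_matches_cert KEY CERT -> true when the certificate's public key is KEY's.
# Both commands print "Modulus=<hex>", so a mismatch means the files were
# generated separately and postfix would refuse the pair.
key_matches_cert() {
    k=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null)
    c=$(openssl x509 -in "$2" -noout -modulus 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# cert_valid_for CERT DAYS -> true when CERT will not expire within DAYS days
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# postfix_tls_main_cf DIR -> prints the main.cf settings for these files.
# Postfix ships with the cert/key parameters empty and TLS off, so all four
# lines are needed; "may" is opportunistic TLS for incoming and outgoing mail.
postfix_tls_main_cf() {
    cat <<EOF
smtpd_tls_cert_file = $1/certs/$CERT_NAME
smtpd_tls_key_file = $1/private/$KEY_NAME
smtpd_tls_security_level = may
smtp_tls_security_level = may
EOF
}

# apply_postfix_tls DIR -> feeds those settings to postconf -e and restarts
# postfix (run as root on the mail server itself).
apply_postfix_tls() {
    postfix_tls_main_cf "$1" | while IFS= read -r line; do
        postconf -e "$line"
    done
    /etc/init.d/postfix restart
}

# Usage: sh make-postfix-cert.sh DIR [CN] [DAYS]
# Nothing runs without a DIR argument, so the file can be sourced safely.
if [ "$#" -gt 0 ]; then
    dir=$1 cn=${2:-mail.example.com} days=${3:-1826}
    gen_selfsigned "$dir" "$cn" "$days"
    key_matches_cert "$dir/private/$KEY_NAME" "$dir/certs/$CERT_NAME" \
        || { echo "key and certificate do not match" >&2; exit 1; }
    echo "key mode: $(key_mode "$dir/private/$KEY_NAME")"
    postfix_tls_main_cf "$dir"
fi
```

Run it as “sh make-postfix-cert.sh /tmp/ssltest” first to see the files and the settings it would produce, then as root with /etc/ssl and your real hostname, followed by apply_postfix_tls /etc/ssl. The modulus comparison is the check worth keeping around: the most common reason postfix logs a TLS engine failure after a rotation is a key and certificate that were generated in different runs.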

Of course now that I’ve written it down I’ll instinctively remember how to do this for every future server, but hopefully this saves someone an hour one of these days.