
This is an old revision of the document!


Security

After Bud was rebuilt following successful attacks, a number of suggestions were made to improve security, and some of them were implemented:

Passwords & Groups

  • Require complex passwords
  • Require PKA for all admin users
  • Created a wheel group to restrict su access

groupadd --system wheel

  • Removed sudo entirely

openssl Configuration Changes

  • countryName_default = US
  • localityName_default = St. Louis

SSL Key Generation

From the Omnitec Wiki:

Postfix and Apache both use the SSL certificates in /etc/ssl/ for secure communications and TLS authentication.

The guide for creating the keys is at openssl.htm (http://www.nomoa.com/bsd/openssl.htm)

I copied /etc/ssl/openssl.cnf to /etc/ssl/openssl.cnf.original and changed/added the defaults to be specific to SLUUG.

The commands, in order, to produce the certificate are:

Generate the private "sluug" server key with sluug passphrase.

sudo `which openssl` genrsa -des3 -out /etc/ssl/private/server.key 1024

Generate the certificate request with defaults in a modified openssl.cnf. For the "Common Name", enter the server's FQDN, i.e. mx1.omnitec.net

sudo `which openssl` req -new -key /etc/ssl/private/server.key -out /etc/ssl/private/server.csr -config ./openssl.cnf

Self-sign the certificate request to produce the server's certificate.

sudo `which openssl` x509 -req -days 3650 -in /etc/ssl/private/server.csr -signkey /etc/ssl/private/server.key -out /etc/ssl/server.crt

Next, copy the key and cert created to /etc/ssl/private/postfix.key and /etc/ssl/postfix.crt and change the group so postfix can read them.

cp /etc/ssl/private/server.key /etc/ssl/private/postfix.key
cp /etc/ssl/server.crt /etc/ssl/postfix.crt
chown :postfix /etc/ssl/private/postfix.key
chown :postfix /etc/ssl/postfix.crt
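
A check to run after the copy and chown steps above, as an added example that is not part of the original wiki page: it flags a key readable beyond its group, a key that is still passphrase-protected (as one generated with -des3 is), and a certificate whose key is below a minimum size. The function names, the 2048-bit default and the use of GNU stat are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit an installed key/cert pair. GNU stat is assumed.

# key_perms_ok KEY GROUP: succeeds if KEY has group GROUP, no group
# write/execute bits and no permission bits for "other" (mode & 037 == 0).
key_perms_ok() {
    [ -f "$1" ] || return 2
    mode=$(stat -c '%a' "$1") || return 2
    grp=$(stat -c '%G' "$1") || return 2
    [ "$grp" = "$2" ] && [ $(( 0$mode & 037 )) -eq 0 ]
}

# Succeeds if the PEM key is passphrase-protected: the traditional
# "Proc-Type: 4,ENCRYPTED" header or a PKCS#8 encrypted key.
key_is_encrypted() {
    grep -Eq '^(Proc-Type: 4,ENCRYPTED|-----BEGIN ENCRYPTED PRIVATE KEY-----)' "$1"
}

# Prints the public-key size in bits as recorded in the certificate.
cert_key_bits() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit.*/\1/p'
}

# audit_pair KEY CERT GROUP [MIN_BITS]: prints one line per finding and
# returns the number of findings (0 means the pair passed every check).
audit_pair() {
    key=$1 crt=$2 group=$3 min=${4:-2048} n=0
    if ! key_perms_ok "$key" "$group"; then
        echo "FAIL $key: want group $group, mode 0640 or tighter"; n=$((n + 1))
    fi
    if key_is_encrypted "$key"; then
        # Postfix cannot prompt for a passphrase when it loads the key.
        echo "FAIL $key: passphrase-protected, a daemon cannot load it"; n=$((n + 1))
    fi
    bits=$(cert_key_bits "$crt")
    if [ "${bits:-0}" -lt "$min" ]; then
        echo "FAIL $crt: ${bits:-unknown}-bit key, below $min"; n=$((n + 1))
    fi
    return "$n"
}

# Example: audit_pair /etc/ssl/private/postfix.key /etc/ssl/postfix.crt postfix
```
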
build/security.1181754060.txt.gz · Last modified: 2007/06/13 12:01 by 206.197.251.253