Postfix SSL Certificates on Linux

SSL certificates have caught up with us. For our email TLS we used to use self-signed certificates, but that time finally ended when our iOS devices refused to let us authenticate to invalid, expired or self-signed certificates.

I have set commercial web sites up with certificates purchased from GoDaddy etc. when working as a sysadmin. That was 10 years ago, and I’ve forgotten how to do it. This blog is as much of a reminder to myself as a published article.

So I went to the wonderful Let's Encrypt people: https://letsencrypt.org/

Following the instructions, from a bash shell I installed certbot and it seemed to do everything for me:

  1. created and downloaded a newly signed certificate and key from letsencrypt
  2. configured Apache to use it
  3. our jsquared webpage was now secured but this did not help our email
  4. certbot will automatically update the certificate as it expires – I’ll find out if this works in the next few months
  5. It will analyse your Apache config and optionally include subdomains as necessary. I needed to manually add the <mail> subdomain that I missed in my first attempt. It seems easy to append a new subdomain later

Configuring postfix to use the new certificates

The normal place to install the certificate is /etc/ssl/certs and for the private key is /etc/ssl/private. We had cert/keys called ssl-cert-snake-oil and I’m guessing that these were the self-signed ones.

certbot installs its keys in /etc/letsencrypt/live/jsquared.co.uk

Certificate: fullchain.pem

Key: privkey.pem

To enable the cert/key for postfix, add/change the following lines in /etc/postfix/main.cf

smtpd_tls_cert_file=/etc/letsencrypt/live/jsquared.co.uk/fullchain.pem
smtpd_tls_key_file=/etc/letsencrypt/live/jsquared.co.uk/privkey.pem

There was a really useful site to test our settings: https://ssl-tools.net/
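The renewal in step 4 is driven by certbot's Apache setup and does not touch Postfix. The script below is an added example, not part of the original post: a certbot deploy hook that checks the renewed certificate and key named in main.cf and reloads Postfix only if they pass. The hook file name, the host name mail.jsquared.co.uk and the 7-day margin are assumptions.

```bash
#!/bin/bash
# Added example (not from the original post): certbot deploy hook for Postfix.
# Assumed location: /etc/letsencrypt/renewal-hooks/deploy/postfix-reload.sh
# certbot sets RENEWED_LINEAGE, e.g. /etc/letsencrypt/live/jsquared.co.uk

MAIL_HOST="${MAIL_HOST:-mail.jsquared.co.uk}"  # assumed name of the mail subdomain
MIN_DAYS="${MIN_DAYS:-7}"                      # assumed minimum remaining validity

# True if the private key ($2) belongs to the leaf certificate in $1.
key_matches_cert() {
    local cert_pub key_pub
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# True if the leaf certificate in $1 is valid for host name $2.
cert_covers_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
        grep -q 'does match certificate'
}

# True if the certificate in $1 is still valid $2 days from now.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Usage: check_pair CERT KEY HOST DAYS; prints the first failed check.
check_pair() {
    key_matches_cert "$1" "$2" || { echo "key does not match certificate"; return 1; }
    cert_covers_host "$1" "$3" || { echo "certificate does not cover $3"; return 1; }
    cert_valid_for_days "$1" "$4" || { echo "certificate expires within $4 days"; return 1; }
}

main() {
    local cert key
    cert=$(postconf -h smtpd_tls_cert_file)
    key=$(postconf -h smtpd_tls_key_file)
    # Do nothing unless the renewed lineage is the one main.cf points at.
    [ "$cert" = "$RENEWED_LINEAGE/fullchain.pem" ] || exit 0
    check_pair "$cert" "$key" "$MAIL_HOST" "$MIN_DAYS" >&2 || exit 1
    postfix reload
}

# Hook mode only: when sourced or run by hand, just define the functions.
if [ -n "${RENEWED_LINEAGE:-}" ]; then main; fi
```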

A new trike

I’ve always been fascinated seeing recumbent trikes on the roads around Cambridge and Newmarket. My health pushed me to try one.

I currently have an electric bike, a Gazelle Grenoble, and it was great for when I lost my driving licence (for medical reasons – other bits in this blog). I could cycle from Newmarket to Oakington and back on one charge.

I stopped using it when I got my driving licence back after finding that riding the bicycle hurt my hands, wrists and shoulders, as well as other bits being rather saddle sore.

My old electric bike – a Gazelle Grenoble

With various health issues, I’ve found myself lying down a lot more and thought that a recumbent trike might get me back onto the road. The ICE trikes looked great, but the price was formidable. So, I sold some radios and found a second hand ICE adventure HD on facebook sales.

ICE adventure HD

I’ve ridden it three times now, just for a few km. I *think* it’s going to be good. My thoughts so far:

  1. The trike is wonderfully comfortable to sit in once the seat and pedals have been adjusted correctly
  2. I do feel a bit vulnerable, especially with all the huge 4WD vehicles around Newmarket
  3. My legs hurt when going up any sort of incline. Apparently the muscles will adapt to this new cycling position. Changing gear down (up) when my legs ache and then learning to take it easy. There is no problem with stability on a trike when going slow so minimum speed is not an issue
  4. I am now planning which cycle computer, lights and radios are going to be fitted, and where. I want to link to Strava, but also see heart rate and as many other bio measurements as possible. I’ll always have my mobile phone with me, but that will be safely in a waterproof bag, and I really want to see a live display of speed/cadence. Perhaps a pi zero with BLE or ANT+ interface
  5. Radios. One thing I really like about the trike is that you bring your chair with you. The flag would make a potential 2m/70cm sleeve dipole. I like the idea of cycling to a local hilltop and chatting to people whilst drinking tea.