TLS
Create SSL Certificates
Create your server's own SSL certificate. If you run the server for a business, you had better buy and use a formal certificate from Verisign or another commercial CA.
[root@www ~]# cd /etc/pki/tls/certs
[root@www certs]# make server.key
umask 77 ; \
/usr/bin/openssl genrsa -aes128 2048 > server.key
Generating RSA private key, 2048 bit long modulus
......................................................++++++
.............++++++
e is 65537 (0x10001)
Enter pass phrase:# set passphrase
Verifying - Enter pass phrase:# confirm
# remove passphrase from private key
[root@www certs]# openssl rsa -in server.key -out server.key
Enter pass phrase for server.key:# input passphrase
writing RSA key
[root@www certs]#
[root@www certs]# make server.csr
umask 77 ; \
/usr/bin/openssl req -utf8 -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:JP# country
State or Province Name (full name) [e]:Hiroshima # state
Locality Name (eg, city) [Default City]:Hiroshima# city
Organization Name (eg, company) [Default Company Ltd]:GTS # company
Organizational Unit Name (eg, section) []:Server World # department
Common Name (eg, your server's hostname) []:www.server.world # server's FQDN
Email Address []:xxx@server.world# email address
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:# Enter
An optional company name []:# Enter
[root@www certs]#
[root@www certs]# openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 3650
Signature ok
subject=/C=JP/ST=Hiroshima/L=Hiroshima/O=GTS/OU=Server World/CN=www.server.world/emailAddress=xxx@server.world
Getting Private key
[root@www certs]# chmod 400 server.*
Configure Postfix and Dovecot for SSL.
[root@mail ~]# vi /etc/postfix/main.cf
# add follows to the end
smtpd_use_tls = yes
smtpd_tls_cert_file = /etc/pki/tls/certs/server.crt
smtpd_tls_key_file = /etc/pki/tls/certs/server.key
smtpd_tls_session_cache_database = btree:/etc/postfix/smtpd_scache
[root@mail ~]# vi /etc/postfix/master.cf
# line 17-18: uncomment
smtps inet n - n - - smtpd
-o smtpd_tls_wrappermode=yes
[root@mail ~]# vi /etc/dovecot/conf.d/10-ssl.conf
# line 6: uncomment
ssl = yes
# line 12,13: specify certificates
ssl_cert = </etc/pki/tls/certs/server.crt
ssl_key = </etc/pki/tls/certs/server.key
[root@mail ~]# /etc/rc.d/init.d/postfix restart
Shutting down postfix: [ OK ]
Starting postfix: [ OK ]
[root@mail ~]# /etc/rc.d/init.d/dovecot restart
Stopping Dovecot Imap: [ OK ]
Starting Dovecot Imap: [ OK ]
For the email client's settings (Windows Live Mail):
Open the properties of the account and change the settings as in the following example. (If you use POP3S, enter 995 as the incoming mail port.)
http://www.server-world.info/en/note?os=CentOS_6&p=mail&f=4
---
yum install crypto-utils
genkey --days 365 mail.example.com
The certificate and key pair are created in the following locations:
/etc/pki/tls/certs/mail.example.com.cert # public cert
/etc/pki/tls/private/mail.example.com.key # private key
You can leave the certificates in their current location or copy/move them elsewhere. The private key must be owned and read/writable (0600) only by root.
Configuring SSL/TLS in postfix
Now we have generated our certificates, we can configure postfix to use them to encrypt SASL authentication sessions. We need to add the following to /etc/postfix/main.cf:
smtpd_tls_security_level = may
smtpd_tls_key_file = /etc/pki/tls/private/mail.example.com.key
smtpd_tls_cert_file = /etc/pki/tls/certs/mail.example.com.cert
# smtpd_tls_CAfile = /etc/pki/tls/root.crt
smtpd_tls_loglevel = 1
smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_tls_cache
tls_random_source = dev:/dev/urandom
tls_random_exchange_name = /var/lib/postfix/prng_exch
smtpd_tls_auth_only = yes
OR
#vi /etc/postfix/main.cf
smtpd_sasl_type = dovecot
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
smtpd_tls_auth_only = yes
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination
smtpd_sasl_local_domain = mail.worldcm.com
smtpd_tls_security_level = may
smtpd_tls_key_file = /etc/pki/tls/private/mail.worldcm.com.key
smtpd_tls_cert_file = /etc/pki/tls/certs/mail.world.com.crt
smtpd_tls_session_cache_database = btree:/var/spool/postfix/smtpd_tls_cache
tls_random_source = dev:/dev/urandom
--------------------------------------------------x----------------------------------------------------
'smtpd_tls_security_level = may' replaces the old 'smtpd_use_tls = yes' in postfix 2.3 and enables the use of TLS. We have commented out smtpd_tls_CAfile but would use this setting to specify the certificate of the issuing root authority when using signed certificates. 'smtpd_tls_loglevel = 1' will log TLS sessions to the postfix mail log (setting level 0 turns off TLS logging, and level 2 may be useful for debugging purposes). The smtpd_tls_session_cache settings cache TLS session keys for 1 hour between sessions and are recommended due to the relatively high cost of repeatedly negotiating TLS session keys for each connection.
The final setting, smtpd_tls_auth_only = yes, forces the use of TLS for SASL authentication and will not allow plain text authentication to occur unless an SSL/TLS session has been established. (It may be useful to comment out 'smtpd_tls_auth_only = yes' during testing so we can test that SSL/TLS is working but still fall back to plain text SASL authentication if SSL/TLS fails.)
Don't forget to reload postfix configuration settings:
postfix reload
Now we can telnet into the server and check postfix is offering TLS:
$ telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
220 mail.example.com ESMTP Postfix
EHLO example.com
250-mail.example.com
250-PIPELINING
250-SIZE 20480000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
quit
221 2.0.0 Bye
Connection closed by foreign host.
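The telnet check above only shows that STARTTLS is advertised; the other half of the policy (smtpd_tls_auth_only) is that AUTH must not be offered before TLS. The script below, an added example and not part of the original guide, parses an EHLO reply for both conditions and can run the same check against a live server; the sample reply is constructed from the session shown above, and the hostname/port in live_check are assumptions.

```python
"""Check an SMTP EHLO reply for the TLS policy this guide configures."""
import smtplib
import ssl

# Constructed sample: the EHLO reply from the telnet session in this guide.
SAMPLE_EHLO_REPLY = b"""250-mail.example.com
250-PIPELINING
250-SIZE 20480000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN"""


def parse_ehlo_extensions(reply: bytes) -> dict:
    """Turn a multi-line 250 EHLO reply into {EXTENSION: parameters}."""
    exts = {}
    lines = reply.decode("ascii", "replace").splitlines()
    for line in lines[1:]:          # first line is the server's own name
        body = line[4:].strip()     # drop the '250-' / '250 ' prefix
        if body:
            name, _, params = body.partition(" ")
            exts[name.upper()] = params
    return exts


def check_pre_tls_policy(exts: dict) -> list:
    """Findings for an EHLO reply read before STARTTLS was issued."""
    findings = []
    if "STARTTLS" not in exts:
        findings.append("STARTTLS not offered: TLS is not enabled in main.cf")
    if "AUTH" in exts:
        findings.append("AUTH offered in plain text: smtpd_tls_auth_only = yes is not in effect")
    return findings


def live_check(host: str = "localhost", port: int = 25) -> list:
    """Run the same policy check against a reachable server (assumed host/port)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # the guide uses a self-signed certificate,
    ctx.verify_mode = ssl.CERT_NONE     # so this probe only inspects offered extensions
    with smtplib.SMTP(host, port, timeout=10) as conn:
        conn.ehlo()
        before = {k.upper(): v for k, v in conn.esmtp_features.items()}
        findings = check_pre_tls_policy(before)
        if "STARTTLS" in before:
            conn.starttls(context=ctx)
            conn.ehlo()                 # extensions must be re-read after TLS
            after = {k.upper(): v for k, v in conn.esmtp_features.items()}
            if "AUTH" not in after:
                findings.append("AUTH still not offered after STARTTLS: check smtpd_sasl_auth_enable")
    return findings
```

An empty list from check_pre_tls_policy means the pre-TLS reply matches the configuration in this guide.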
Configuring SSL/TLS in dovecot
SSL/TLS support is enabled in dovecot by default out of the box. The dovecot package even ships with its own SSL certificates, which we renamed and replaced with our own earlier in this guide. The settings of interest are all contained in /etc/dovecot.conf:
protocols = imap imaps pop3 pop3s
#disable_plaintext_auth = no
#ssl_disable = no
ssl_cert_file = /etc/pki/tls/certs/mail.example.com.cert
ssl_key_file = /etc/pki/tls/private/mail.example.com.key
ssl_cipher_list = ALL:!LOW:!SSLv2
OR
Dovecot
ssl = yes
ssl_cert = </etc/pki/tls/certs/mail.worldcm.com.crt
ssl_key = </etc/pki/tls/private/mail.worldcm.com.key
ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL
service dovecot reload
Restart the dovecot service after making any changes:
service dovecot restart
main.cf
##SMTPD TLS##
smtpd_tls_auth_only = no
smtp_use_tls = yes
smtpd_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
----------------------------------------------------------------------------------------------------------------------------------
master.cf
smtps inet n - n - - smtpd
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_reject_unlisted_sender=yes
-o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
-o broken_sasl_auth_clients=yes
----