SSL
=-----------
sudo dnf install mod_ssl openssl* cyrus*
# dnf -y install openssl cyrus*
[root@dlp ~]# cd /etc/pki/tls/certs
[root@dlp certs]# openssl genrsa -aes128 2048 > server.key
Generating RSA private key, 2048 bit long modulus .+++ ...................................................................................+++ e is 65537 (0x010001) Enter pass phrase: # set passphrase Verifying - Enter pass phrase: # confirm
# remove passphrase from private key
[root@dlp certs]# openssl rsa -in server.key -out server.key
Enter pass phrase for server.key: # input passphrase writing RSA key
[root@dlp certs]# openssl req -utf8 -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]: BD # country code State or Province Name (full name) []: Dhaka # state Locality Name (eg, city) [Default City]: Dhaka # city Organization Name (eg, company) [Default Company Ltd]: World CM LTD. # company Organizational Unit Name (eg, section) []: worldcm.net # department Common Name (eg, your name or your server's hostname) []: mail.worldcm.net # server's FQDN Email Address []: admin@worldcm.net # admin email address Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: 1234 An optional company name []: WorldCm
# create certificate with 10 years expiration date
[root@dlp certs]# openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 3650
Signature ok subject=C = JP, ST = Hiroshima, L = Hiroshima, O = GTS, OU = Server World, CN = dlp.srv.world, emailAddress = root@srv.world Getting Private key
[root@dlp certs]# chmod 600 server.key
[root@dlp certs]# ll server.*
-rw-r--r--. 1 root root 1334 Sep 26 01:05 server.crt -rw-r--r--. 1 root root 1062 Sep 26 01:03 server.csr -rw-------. 1 root root 1679 Sep 26 01:02 server.key
# vi /etc/postfix/main.cf
##SASL
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sasl_authenticated_header = yes
##SSL
smtpd_use_tls = yes
smtpd_tls_cert_file = /etc/pki/tls/certs/server.crt
smtpd_tls_key_file = /etc/pki/tls/certs/server.key
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
# vi /etc/postfix/master.cf
# ==========================================================================
smtp inet n - n - - smtpd -o content_filter=spamassassin
#smtp inet n - n - 1 postscreen
#smtpd pass - - n - - smtpd
#dnsblog unix - - n - 0 dnsblog
#tlsproxy unix - - n - 0 tlsproxy
submission inet n - n - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_tls_auth_only=yes
-o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
-o smtpd_recipient_restrictions=
-o smtpd_relay_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
smtps inet n - n - - smtpd
-o syslog_name=postfix/smtps
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
-o smtpd_recipient_restrictions=
-o smtpd_relay_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
#628 inet n - n - - qmqpd
[root@mail ~]# vi /etc/dovecot/conf.d/10-ssl.conf
# line 8: change (if set SSL required, specify [required])
ssl = yes
# line 14,15: specify certificates
ssl_cert = </etc/pki/tls/certs/server.crt
ssl_key = </etc/pki/tls/certs/server.key
[root@mail ~]# systemctl restart postfix dovecot
systemctl enable saslauthd
systemctl restart saslauthd
systemctl restart postfix
systemctl restart dovecot
------------------------------------------------------------------------------
----------------------x----------------------------
Securing Postfix Mail Server
It is always recommended secure the communication of between clients and postfix server, this can be achieved using SSL certificates, these certificates can be either from trusted authority or Self Signed Certificates. In this tutorial we will generate Self Signed certificated for postfix using openssl command,
I am assuming openssl is already installed on your system, in case it is not installed then use following dnf command,
# dnf install openssl -y
Generate Private key and CSR (Certificate Signing Request) using beneath openssl command,
# openssl req -nodes -newkey rsa:2048 -keyout mail.key -out mail.csr
Country Name (2 letter code) [XX]: BD
State or Province Name (full name) []: Dhaka
Locality Name (eg, city) [Default City]: Dhaka
Organization Name (eg, company) [Default Company Ltd]: World Communication Network Ltd.
Organizational Unit Name (eg, section) []: worldcm.net
Common Name (eg, your name or your server's hostname) []: mail.worldcm.net
Email Address []: admin@worldcm.net
Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: world1234
An optional company name []: worldcm
Now Generate Self signed certificate using following openssl command,
# openssl x509 -req -days 365 -in mail.csr -signkey mail.key -out mail.crt Signature ok subject=C = IN, ST = Dhaka, L = Dhaka, O = IT, OU = IT, CN = mail.worldcm.net, emailAddress = admin@worldcm.net Getting Private key #
Now copy private key and certificate file to /etc/postfix directory
# cp mail.key mail.crt /etc/postfix
Update Private key and Certificate file’s path in postfix configuration file,
# vi /etc/postfix/main.cf## SSL smtpd_use_tls = yes smtpd_tls_cert_file = /etc/postfix/mail.crt smtpd_tls_key_file = /etc/postfix/mail.key smtpd_tls_security_level = may ………
Restart postfix service to make above changes into the effect.
# systemctl restart postfix
[root@mail ~]# vi /etc/dovecot/conf.d/10-ssl.conf
# line 8: change (if set SSL required, specify [required])
ssl = yes
# line 14,15: specify certificates
ssl_cert = </etc/postfix/mail.crt
ssl_key = </etc/postfix/mail.key
[root@mail ~]# systemctl restart postfix dovecot
# vi /etc/postfix/master.cf
submission inet n - n - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
-o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
-----------
godaddy SSL Certificate install
-------
8994efb60dd35ce4.crt
8994efb60dd35ce4.pem # Main File
gd_bundle-g2-g1.crt
------
cat 8994efb60dd35ce4.crt gd_bundle-g2-g1.crt >godaddy-21.crt
cat /etc/ssl/private/certdomain.com.crt /etc/ssl/private/certdomain.com.key > /etc/ssl/private/certdomain.com.pem
### SSL/TLS-New-- main.cf
smtpd_use_tls = yes
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/postfix/ssl/mail.worldcm.net.key
smtpd_tls_cert_file = /etc/postfix/godaddy/godaddy-21.crt
smtpd_tls_loglevel = 0
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
smtpd_tls_protocols = TLSv1 TLSv1.1 TLSv1.2
Webmin Configure->SSL Encryption