SSL

-----------

-

sudo dnf install mod_ssl openssl* cyrus*

#  dnf -y install openssl cyrus*

[root@dlp ~]# cd /etc/pki/tls/certs

[root@dlp certs]# openssl genrsa -aes128 2048 > server.key

Generating RSA private key, 2048 bit long modulus
.+++
...................................................................................+++
e is 65537 (0x010001)
Enter pass phrase:                  # set passphrase
Verifying - Enter pass phrase:      # confirm

# remove passphrase from private key (so the daemon can load it unattended; the key file is then protected only by its permissions, see chmod 600 below)

[root@dlp certs]# openssl rsa -in server.key -out server.key

Enter pass phrase for server.key:   # input passphrase
writing RSA key

[root@dlp certs]# openssl req -utf8 -new -key server.key -out server.csr

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]: BD   # country code
State or Province Name (full name) []: Dhaka    # state
Locality Name (eg, city) [Default City]: Dhaka  # city
Organization Name (eg, company) [Default Company Ltd]: World CM LTD.  # company
Organizational Unit Name (eg, section) []: worldcm.net     # department
Common Name (eg, your name or your server's hostname) []: mail.worldcm.net  # server's FQDN
Email Address []: admin@worldcm.net   # admin email address

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: 1234
An optional company name []: WorldCm

# create a self-signed certificate valid for 10 years (3650 days)

[root@dlp certs]# openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 3650

Signature ok
subject=C = JP, ST = Hiroshima, L = Hiroshima, O = GTS, OU = Server World, CN = dlp.srv.world, emailAddress = root@srv.world
Getting Private key

[root@dlp certs]# chmod 600 server.key

[root@dlp certs]# ll server.*

-rw-r--r--. 1 root root 1334 Sep 26 01:05 server.crt
-rw-r--r--. 1 root root 1062 Sep 26 01:03 server.csr
-rw-------. 1 root root 1679 Sep 26 01:02 server.key

#  vi /etc/postfix/main.cf

##SASL

smtpd_sasl_auth_enable = yes

smtpd_sasl_type = dovecot

smtpd_sasl_path = private/auth

smtpd_sasl_security_options = noanonymous

broken_sasl_auth_clients = yes

smtpd_sasl_authenticated_header = yes

##SSL

smtpd_use_tls = yes

smtpd_tls_cert_file = /etc/pki/tls/certs/server.crt

smtpd_tls_key_file = /etc/pki/tls/certs/server.key

smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache

  

# vi /etc/postfix/master.cf

# ==========================================================================

smtp inet n - n - - smtpd -o content_filter=spamassassin

#smtp inet n - n - 1 postscreen

#smtpd pass - - n - - smtpd

#dnsblog unix - - n - 0 dnsblog

#tlsproxy unix - - n - 0 tlsproxy

submission inet n - n - - smtpd

-o syslog_name=postfix/submission

-o smtpd_tls_security_level=encrypt

-o smtpd_sasl_auth_enable=yes

-o smtpd_tls_auth_only=yes

-o smtpd_reject_unlisted_recipient=no

# -o smtpd_client_restrictions=$mua_client_restrictions

# -o smtpd_helo_restrictions=$mua_helo_restrictions

# -o smtpd_sender_restrictions=$mua_sender_restrictions

-o smtpd_recipient_restrictions=

-o smtpd_relay_restrictions=permit_sasl_authenticated,reject

-o milter_macro_daemon_name=ORIGINATING

smtps inet n - n - - smtpd

-o syslog_name=postfix/smtps

-o smtpd_tls_wrappermode=yes

-o smtpd_sasl_auth_enable=yes

-o smtpd_reject_unlisted_recipient=no

# -o smtpd_client_restrictions=$mua_client_restrictions

# -o smtpd_helo_restrictions=$mua_helo_restrictions

# -o smtpd_sender_restrictions=$mua_sender_restrictions

-o smtpd_recipient_restrictions=

-o smtpd_relay_restrictions=permit_sasl_authenticated,reject

-o milter_macro_daemon_name=ORIGINATING

#628 inet n - n - - qmqpd

[root@mail ~]# vi /etc/dovecot/conf.d/10-ssl.conf

# line 8: change to yes (to require SSL for all connections, specify 'required' instead)

ssl = yes

# lines 14-15: specify the certificate and private key files

 ssl_cert = </etc/pki/tls/certs/server.crt

 ssl_key = </etc/pki/tls/certs/server.key

[root@mail ~]# systemctl restart postfix dovecot

 systemctl enable saslauthd

 systemctl restart saslauthd

 systemctl restart postfix

 systemctl restart dovecot

------------------------------------------------------------------------------

               ----------------------x----------------------------

Securing Postfix Mail Server

It is always recommended to secure the communication between clients and the Postfix server. This can be achieved using SSL certificates, which can be issued either by a trusted authority or self-signed. In this tutorial we will generate a self-signed certificate for Postfix using the openssl command.

I am assuming openssl is already installed on your system; if it is not, install it with the following dnf command:

# dnf install openssl -y

Generate the private key and CSR (Certificate Signing Request) using the openssl command below:

# openssl req -nodes -newkey rsa:2048 -keyout mail.key -out mail.csr

Country Name (2 letter code) [XX]:   BD

State or Province Name (full name) []:   Dhaka

Locality Name (eg, city) [Default City]:  Dhaka

Organization Name (eg, company) [Default Company Ltd]:  World Communication Network Ltd.

Organizational Unit Name (eg, section) []:  worldcm.net

Common Name (eg, your name or your server's hostname) []:  mail.worldcm.net

Email Address []:   admin@worldcm.net

Please enter the following 'extra' attributes to be sent with your certificate request
A challenge password []: world1234

An optional company name []: worldcm

Now generate the self-signed certificate using the following openssl command:

# openssl x509 -req -days 365 -in mail.csr -signkey mail.key -out mail.crt
Signature ok
subject=C = IN, ST = Dhaka, L = Dhaka, O = IT, OU = IT, CN = mail.worldcm.net, emailAddress = admin@worldcm.net
Getting Private key
#

Now copy the private key and certificate file to the /etc/postfix directory:

# cp mail.key mail.crt /etc/postfix

Update the private key and certificate file paths in the Postfix configuration file:

# vi /etc/postfix/main.cf
## SSL
smtpd_use_tls = yes
smtpd_tls_cert_file = /etc/postfix/mail.crt
smtpd_tls_key_file = /etc/postfix/mail.key
smtpd_tls_security_level = may
………

Restart the postfix service to bring the above changes into effect.

# systemctl restart postfix

[root@mail ~]# vi /etc/dovecot/conf.d/10-ssl.conf

# line 8: change to yes (to require SSL for all connections, specify 'required' instead)

ssl = yes

# lines 14-15: specify the certificate and private key files

 ssl_cert = </etc/postfix/mail.crt

 ssl_key = </etc/postfix/mail.key

[root@mail ~]# systemctl restart postfix dovecot

# vi /etc/postfix/master.cf

submission inet n       -       n       -       -       smtpd

-o syslog_name=postfix/submission

-o smtpd_tls_security_level=encrypt

-o smtpd_sasl_auth_enable=yes

-o smtpd_reject_unlisted_recipient=no

# -o smtpd_client_restrictions=$mua_client_restrictions

# -o smtpd_helo_restrictions=$mua_helo_restrictions

# -o smtpd_sender_restrictions=$mua_sender_restrictions

-o smtpd_recipient_restrictions=permit_sasl_authenticated,reject

-o milter_macro_daemon_name=ORIGINATING

---------------------------------------------------------------X----------------------------------------------------------------------

GoDaddy SSL certificate install

                     -------

8994efb60dd35ce4.crt

8994efb60dd35ce4.pem    # main certificate file

gd_bundle-g2-g1.crt

                     ------

cat 8994efb60dd35ce4.crt gd_bundle-g2-g1.crt >godaddy-21.crt

cat /etc/ssl/private/certdomain.com.crt /etc/ssl/private/certdomain.com.key > /etc/ssl/private/certdomain.com.pem

Centos - 6 purban

### SSL/TLS-New--    main.cf

smtpd_use_tls = yes

smtpd_tls_security_level = may

smtpd_tls_auth_only = yes

smtpd_tls_key_file = /etc/postfix/ssl/mail.worldcm.net.key

smtpd_tls_cert_file = /etc/postfix/godaddy/godaddy-21.crt

smtpd_tls_loglevel = 0

smtpd_tls_received_header = yes

smtpd_tls_session_cache_timeout = 3600s

tls_random_source = dev:/dev/urandom

smtpd_tls_protocols = TLSv1 TLSv1.1 TLSv1.2

                                                                                      Webmin Configure->SSL Encryption

  

---------------------------------------------------------------------------

Centos -8 panjeer

 ###SASL

smtpd_sasl_auth_enable = yes

smtpd_sasl_local_domain =

smtpd_sasl_security_options=noanonymous

smtpd_recipient_restrictions = permit_sasl_authenticated, reject_unauth_destination, permit_mynetworks check_relay_domains

smtpd_delay_reject = yes

broken_sasl_auth_clients = yes

###  SSL

smtpd_use_tls = yes

smtpd_tls_auth_only = yes

smtpd_tls_key_file = /etc/postfix/ssl/mail.worldcm.net.key

smtpd_tls_cert_file = /etc/postfix/ssl/mail.worldcm.net.crt

smtpd_tls_CAfile = /etc/postfix/ssl/mail.worldcm.ca-bundle

smtpd_tls_loglevel = 1

smtpd_tls_received_header = yes

smtpd_tls_session_cache_timeout = 3600s

tls_random_source = dev:/dev/urandom

-------------------------------------------------------------------------------------

---------