TSL
----------
Configuring Postfix
To send emails from a desktop email client, we need to enable the submission service of Postfix so that the email client can submit emails to Postfix SMTP server. Edit the master.cf file.
sudo nano /etc/postfix/master.cf
In submission section, uncomment or add the following lines. Please allow at least one whitespace (tab or spacebar) before each -o. In postfix configurations, a preceding whitespace character means that this line is continuation of the previous line. (By default the submission section is commented out. You can copy the following lines and paste them into the file, so you don’t have to manually uncomment or add new text.)
submission inet n - y - - smtpd -o syslog_name=postfix/submission -o smtpd_tls_security_level=encrypt -o smtpd_tls_wrappermode=no -o smtpd_sasl_auth_enable=yes -o smtpd_relay_restrictions=permit_sasl_authenticated,reject -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject -o smtpd_sasl_type=dovecot -o smtpd_sasl_path=private/auth
The above configuration enables the submission daemon of Postfix and requires TLS encryption. So later on our desktop email client can connect to the submission daemon in TLS encryption. The submission daemon listens on TCP port 587. STARTTLS is used to encrypt communications between email client and the submission daemon.
Microsoft Outlook only supports submission over port 465. If you are going to use Microsoft outlook mail client, then you also need to enable submission service on port 465 by adding the following lines in the file.
smtps inet n - y - - smtpd -o syslog_name=postfix/smtps -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes -o smtpd_relay_restrictions=permit_sasl_authenticated,reject -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject -o smtpd_sasl_type=dovecot -o smtpd_sasl_path=private/auth
Save and close the file.
Hint: The SMTP protocol is used when an email client submits emails to an SMTP server.
Next, we need to run the following two commands to specify the location of TLS certificate and private key in Postfix configuration file. Your Let’s Encrypt certificate and private key are stored under /etc/letsencrypt/live/mail.your-domain.com/ directory.
sudo postconf "smtpd_tls_cert_file = /etc/letsencrypt/live/mail.your-domain.com/fullchain.pem" sudo postconf "smtpd_tls_key_file = /etc/letsencrypt/live/mail.your-domain.com/privkey.pem"
If you want to log TLS connections in the mail log (/var/log/maillog), then run the following two commands.
sudo postconf "smtpd_tls_loglevel = 1" sudo postconf "smtp_tls_loglevel = 1"
To disable insecure SSL/TLS versions, open the Postfix main configuration file.
sudo nano /etc/postfix/main.cf
Add the following lines at the bottom of the file. (In Nano text editor, you can quickly go to the bottom of a file by pressing Ctrl+W, then Ctrl+V.)
#Force TLSv1.3 or TLSv1.2 smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1 smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1 smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1 smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
Save and close the file. Then reload Postfix for the changes to take effect.
sudo systemctl restart postfix
If you run the following command, you will see Postfix is now listening on port 587 and 465.
sudo netstat -lnpt | grep master
Installing Dovecot IMAP Server
Configuring SSL/TLS Encryption
Next, edit SSL/TLS config file.
sudo nano /etc/dovecot/conf.d/10-ssl.conf
You can find the following line, which requires email clients to communicate with Dovecot with TLS encryption.
ssl = required
Then find the following two lines.
ssl_cert = </etc/pki/dovecot/certs/dovecot.pem ssl_key = </etc/pki/dovecot/private/dovecot.pem
We need to replace values with the location of your SSL/TLS cert and private key. Don’t leave out the < character. It’s necessary.
ssl_cert = </etc/letsencrypt/live/mail.your-domain.com/fullchain.pem ssl_key = </etc/letsencrypt/live/mail.your-domain.com/privkey.pem
Next, find the following line and uncomment it. (Remove the beginning # character.)
#ssl_dh = </etc/dovecot/dh.pem
Find the following line.
#ssl_min_protocol = TLSv1
This specifies the minimum TLS versions used by Dovecot. TLSv1.0 and TLSv1.1 are insecure. so uncomment this line and change the value to TLSv1.2, which will force Dovecot to use TLSv1.2 or TLSv1.3.
ssl_min_protocol = TLSv1.2
Then find the following line.
#ssl_prefer_server_ciphers = no
It’s a good practice to prefer the server’s order of ciphers over client’s, so uncomment this line and change the value to yes.
ssl_prefer_server_ciphers = yes
Save and close the file. Now we need to generate the Diffie-Hellman parameter with:
sudo openssl dhparam -out /etc/dovecot/dh.pem 4096
If your mail server has a single CPU core, then this is going to take a long time (about 10 minutes). If you can’t wait, you can generate the DH parameters on your local Linux computer, then upload the file to the /etc/dovecot/ directory on the mail server.
Auto-create Sent and Trash Folder
Edit the below config file.
sudo nano /etc/dovecot/conf.d/15-mailboxes.conf
To auto-create a folder, simply add the following line in the mailbox section.
auto = create
Example:
mailbox Trash { auto = create special_use = \Trash }
Some common folders you will want to create includes: Drafts, Junk, Trash and Sent. These folders will be created at the user’s home directory. After you save and close all above config files, restart Dovecot.
sudo systemctl restart dovecot
Dovecot will be listening on port 143 (IMAP) and 993 (IMAPS), as can be seen with:
sudo netstat -lnpt | grep dovecot
If there’s a configuration error, dovecot will fail to restart, so it’s a good idea to check the status of Dovecot.
systemctl status dovecot
We also need to restart Postfix to allow the LOGIN authentication mechanism.
sudo systemctl restart postfix
------------