Part 9. Encrypt mail traffic
- Category: Mail Server
- Published: Thursday, 04 July 2019 13:33
- Written by Super User
- Hits: 1411
It's quite dangerous to use unencrypted traffic on the mail server.This is not due to the interception of emails, but to the fact that an attacker can intercept a user's login and password from a user and use this information to send spam messages.
Encryption uses SSL certificates. If we can buy a certificate from a certification authority - then buy, if not, generate self-signed certificate. This is done by the command:
openssl req -new -nodes -x509 -out smtpd.pem -keyout smtpd.pem -days 3650
The req command forces OpenSSL to create a certificate.
Parameters of this command:
-new - Create a certificate request
-nodes - do not encrypt a private key
-x509 (спільно з -new) - create self-signed certificate
-keyout - Specifies the location of the private key,
-out - specifies the location of the self-signed certificate,
-days - Specifies the validity period of the certificate (365x10 days, which is approximately equal to ten years).
In the process of executing a command, will be asked to enter such parameters as: Country Name, State or Province Name; Locality Name; Organization Name; Organizational Unit Name; Common Name; Email Address. The most important parameter is Common Name. In our case, it should be the same as the FQDN-name of the server, on which clients will be contacted by the server for sending and receiving mail.
Traffic Encrypting in Postfix
Now set up Postfix work with certificates
In the /etc/postfix/main.cf file add lines
smtpd_tls_auth_only = yes
smtp_use_tls = yes
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_scache
smtp_tls_note_starttls_offer = yes
If you were given a root trusted certificate when you purchased your certificate, we add a line to the main.cf file:
smtpd_tls_CAfile = /etc/postfix/root.crt
Explaining the parameters
smtp_use_tls - use TLS, if the remote server announces TLS support,
smtpd_use_tls - inform clients about TLS support,
smtpd_tls_auth_only - Use SMTP authentication only for TLS connections,
smtpd_tls_key_file - The location of the private server key,
smtpd_tls_cert_file - server certificate location,
smtpd_tls_session_cache_database - The file with the tls session cache
smtp_tls_note_starttls_offer - record in logs the names of the servers issuing the STARTTLS message, the TLS support for which is not enabled.
smtpd_tls_CAfile - trusted certificate location
SMTP submission on
In the /etc/postfix/master.cf file, we will add (or uncomment) the following lines
submission inet n - - - - smtpd
The server administrators choose which port they will use your customers to relay outgoing mail - 25 or 587. Specifications and many servers support both ports. Although some servers support port 465 for secure SMTP, it is better to use standard ports and ESMTP commands when it is necessary to establish a secure session between the client and the server.
Differences between ports 25, 465, 587. The connection must open immediately with TLS/SSL encryption on the 465 port. Port 587 works the same way as the 25: open connection, and the STARTTLS command is provided to enable encryption, if the server has declared such option in response to EHLO from the client. SMTPS (port 465) is an older standard, STARTTLS is newer one and, of course, more flexible.
For Dovecot can generate a new certificate and key or can use the same as for Postfix. In the case of purchasing certificates, certificates are likely to be the same.
In the file /etc/dovecot/conf.d/10-ssl.conf let’s write the parameters:
#Enable encryption support
ssl = yes
#Specify the path to the files with the private key and the certificate
ssl_cert = </etc/postfix/smtpd.pem
ssl_key = </etc/postfix/smtpd.pem
After that, you need to restart Postfix and Dovecot
service postfix restart
service dovecot restart
Now our mail server supports encrypted connections. For customers, port 587 for sending e-mails and port 993 for encrypted IMAP are available.
You can buy the book "Mail server based on Postfix, Dovecot and RoundCube" in electronic form in the store
You can buy the book
"Mail server based on Postfix,
Dovecot and RoundCube"
in electronic form in the store