Geeky, Hosting, Wordpress January 17, 2016 Skippy 17 comments

Let’s encrypt Postfix and Dovecot

Following on from Setting up Sentora and setting up HTTPS on domains, it is now time to do something about the encryption of emails between clients and the server (I have written about end-to-end encryption on Macs before).

I hate playing about with Postfix and Dovecot. Paul commented on Twitter that he had managed to get IMAP and SMTP working with SSL using Let’s Encrypt certificates, so I emailed him, as every time I try doing anything with email configurations I end up with a headache.

The settings Paul gave me only require the fullchain.pem and privkey.pem files.

Dovecot:

I added the following code at the bottom of /etc/dovecot/dovecot.conf:

# Things Philip Changed for SSL

# don't allow non-TLS connections for IMAP or SASL
ssl = required
disable_plaintext_auth = yes

# path to the certificate file, should be root:root and 0444
ssl_cert = </etc/letsencrypt/live/njoror.squashedfly.eu/fullchain.pem

# path to the private key file, should be root:root and 0400
ssl_key = </etc/letsencrypt/live/njoror.squashedfly.eu/privkey.pem

I did ask about the < at the start of the certificate path. Dovecot needs it: the < prefix tells Dovecot to read the setting’s value from the named file, rather than treating the path string itself as the certificate.

To restart Dovecot use the command:

service dovecot restart

Postfix:

This has a longer config section. The assumption is that you want to support optional TLS with strong ciphers for when your mail server talks to other mail servers. This won’t make TLS mandatory, as not all mail servers support it properly and you might lose mail as a result.

In /etc/postfix/main.cf I commented out lines 67 and 68:

#smtp_use_tls = no
#smtpd_use_tls = no

I added the following to the bottom:

# Things Philip Changed for SSL

# Raise log level as default doesn't give much information
smtpd_tls_loglevel = 1

# path to the certificate file, should be root:root and 0444
smtpd_tls_cert_file=/etc/letsencrypt/live/njoror.squashedfly.eu/fullchain.pem

# path to the private key file, should be root:root and 0400
smtpd_tls_key_file=/etc/letsencrypt/live/njoror.squashedfly.eu/privkey.pem

# Allow use of TLS but make it optional
smtpd_use_tls=yes

# Cache sessions for speed improvement
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# Disable SSLv2/3 as they are vulnerable
smtpd_tls_protocols = !SSLv2, !SSLv3

# Insist on stronger ciphers
smtpd_tls_ciphers = high

# SASL parameters
# Don't forget permit_sasl_authenticated in smtpd_relay_restrictions
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes

Restart Postfix:

service postfix restart
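As an added example (not part of the original post or of the settings Paul supplied), here is a small Python auditor that parses a Postfix main.cf and reports the TLS problems discussed on this page and in its comments: the deprecated smtpd_use_tls, a missing smtp_tls_security_level for outbound mail, and SSLv2/SSLv3 not excluded. The sample main.cf text is constructed from the block above; the file paths are the ones used in this post.

```python
# Added example, not code from the original post: audit the TLS parameters in
# a Postfix main.cf. Parses main.cf syntax (comments, "name = value", indented
# continuation lines) and flags what the comments below point out: deprecated
# smtpd_use_tls, missing smtp_tls_security_level, SSLv2/SSLv3 not excluded.

def parse_main_cf(text):
    """Return {name: value} from main.cf text, joining continuation lines."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                       # blank line or comment
        if raw[0] in " \t" and current:    # indented line continues the last value
            params[current] += " " + raw.strip()
            continue
        name, sep, value = raw.partition("=")
        if sep:                            # Postfix ignores lines without '='
            current = name.strip()
            params[current] = value.strip()
    return params

def audit_tls(params):
    """Return a list of findings for weak or missing TLS settings."""
    findings = []
    if "smtpd_use_tls" in params:
        findings.append("smtpd_use_tls is deprecated; use smtpd_tls_security_level = may")
    if (params.get("smtpd_tls_security_level", "none") == "none"
            and params.get("smtpd_use_tls") != "yes"):
        findings.append("inbound STARTTLS is off: set smtpd_tls_security_level = may")
    if (params.get("smtp_tls_security_level", "none") == "none"
            and params.get("smtp_use_tls") != "yes"):
        findings.append("outbound mail is sent in clear text: set smtp_tls_security_level = may")
    protos = params.get("smtpd_tls_protocols", "").replace(" ", "").split(",")
    if not protos[0].startswith(">="):     # ">=TLSv1" form already excludes SSLv2/3
        for old in ("SSLv2", "SSLv3"):
            if "!" + old not in protos:
                findings.append(f"smtpd_tls_protocols does not exclude {old}")
    return findings

# Constructed sample: the post's TLS block plus a multi-line restriction list.
POST_CF = """\
smtpd_tls_cert_file=/etc/letsencrypt/live/njoror.squashedfly.eu/fullchain.pem
smtpd_use_tls=yes
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_recipient_restrictions = permit_sasl_authenticated,
    permit_mynetworks,
    reject_unauth_destination
"""
FIXED_CF = POST_CF.replace("smtpd_use_tls=yes\n",
                           "smtpd_tls_security_level = may\nsmtp_tls_security_level = may\n")
```

Running audit_tls(parse_main_cf(POST_CF)) reports the two issues the commenters hit, and the FIXED_CF variant reports none.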

You may ask why all the encryption? Well, do you want Theresa May reading your emails and seeing what sites you are going to?

17 thoughts on “Let’s encrypt Postfix and Dovecot”

  1. Very interesting article. Thanks!
    I have just a question. Why do you modify:
    /etc/dovecot/dovecot.conf
    instead of:
    /etc/dovecot/conf.d/10-ssl.conf
    ?

  2. Thanks for your tutorial, but you may note that “smtpd_use_tls” is deprecated and the correct setting is now:

    smtpd_tls_security_level = may

    Also, if you want to turn on encryption on outgoing messages as well, you should add:

    smtp_tls_security_level = may

  3. This works great, no more warning about the SSL certificate in mutt MUA 🙂

    One question: How would one go about configuring the certificate for multiple e-mail domains? I mean, would Dovecot and Postfix accept multiple Certificate / Private Key combinations for different domains, or should I somehow combine the SSL certificates for all domains of interest into one and use that instead?

    BTW, nice article indeed, thanks for sharing!

    1. ./letsencrypt-auto certonly --webroot -w /etc/sentora/panel/ -d njoror.squashedfly.eu -d mail.mcgaw.eu -d mail.freedompress.org.uk -d mail.squashedfly.eu

      I just keep adding them with -d domain; this may not be the best way, but it seems to work.

  4. Hello, I did everything on this guide but I still get “xxxx.com did not encrypt this message” on gmail 🙁

    I’m sending emails with thunderbird, the account is configured with TLS/SSL, I don’t know what’s wrong…

    Could you help me?

  5. In the maillog I see this when I’m sending an email:

    Anonymous TLS connection established from….xxx.xxx… : TLSv1.2 with cipher ….

  6. Sorry for my “spam” I solved it, it was because I just had:

    smtpd_tls_security_level = may

    And as someone said above, you need both:

    smtpd_tls_security_level = may
    smtp_tls_security_level = may

    Thank you

  7. Hi! I’ve got encrypt running on server through Plesk (and the Security Advisor add-on). However not for mail yet. Right now I’m having this issue that when I add an email address to an email client like Mail, it will tell me the server certificate is not trusted, and I have to tell my iPhone for example to trust that certificate. Does this tutorial also solve that issue?

    Cheers!

  8. Following the “I did ask about the < at the start of the certificate path” part, I noticed you actually didn’t put the < in the above code.
    Thanks for the post!

  9. In the meantime I still can’t figure out how to make it work.

    Here is my thread on the Sentora forums, with my main.cf file.

    If someone can help or post their working main.cf file I would be in their debt.

    1. main.cf

      # postfix config file

      # uncomment for debugging if needed
      soft_bounce=yes

      # postfix main
      mail_owner = postfix
      setgid_group = postdrop
      delay_warning_time = 4

      # postfix paths
      html_directory = no
      command_directory = /usr/sbin
      daemon_directory = /usr/lib/postfix
      queue_directory = /var/spool/postfix
      sendmail_path = /usr/sbin/sendmail.postfix
      newaliases_path = /usr/bin/newaliases.postfix
      mailq_path = /usr/bin/mailq.postfix
      manpage_directory = /usr/share/man
      sample_directory = /usr/share/doc/postfix-2.2.2/samples
      readme_directory = /usr/share/doc/postfix-2.2.2/README_FILES

      # network settings
      inet_interfaces = all
      mydomain = njoror.squashedfly.eu
      myhostname = njoror.squashedfly.eu
      mynetworks = 127.0.0.1, 213.138.113.144
      mydestination = localhost.$mydomain, localhost
      relay_domains = proxy:mysql:/etc/sentora/configs/postfix/mysql-relay_domains_maps.cf

      # mail delivery
      recipient_delimiter = +
      dovecot_destination_recipient_limit = 1

      # mappings
      alias_maps = hash:/etc/aliases
      alias_database = hash:/etc/aliases
      #transport_maps = hash:/etc/postfix/transport
      #local_recipient_maps =

      # virtual setup
      virtual_alias_maps = proxy:mysql:/etc/sentora/configs/postfix/mysql-virtual_alias_maps.cf,
          regexp:/etc/sentora/configs/postfix/virtual_regexp
      virtual_mailbox_base = /var/sentora/vmail
      virtual_mailbox_domains = proxy:mysql:/etc/sentora/configs/postfix/mysql-virtual_domains_maps.cf
      virtual_mailbox_maps = proxy:mysql:/etc/sentora/configs/postfix/mysql-virtual_mailbox_maps.cf
      virtual_minimum_uid = 999
      virtual_uid_maps = static:999
      virtual_gid_maps = static:8
      virtual_transport = dovecot
      dovecot_destination_recipient_limit = 1

      # debugging
      debug_peer_level = 2
      debugger_command =
          PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
          xxgdb $daemon_directory/$process_name $process_id & sleep 5

      # authentication
      smtpd_sasl_auth_enable = yes
      smtpd_sasl_security_options = noanonymous
      smtpd_sasl_local_domain = $myhostname
      broken_sasl_auth_clients = yes
      smtpd_sasl_type = dovecot
      smtpd_sasl_path = private/auth

      # tls config
      # smtp_use_tls = no
      # smtpd_use_tls = no
      #smtp_tls_note_starttls_offer = yes
      #smtpd_tls_loglevel = 1
      #smtpd_tls_received_header = yes
      #smtpd_tls_session_cache_timeout = 3600s
      #tls_random_source = dev:/dev/urandom
      #smtp_tls_session_cache_database = btree:$data_directory/smtp_tls_session_cache
      # Change mail.example.com.* to your host name
      #smtpd_tls_key_file = /etc/pki/tls/private/mail.example.com.key
      #smtpd_tls_cert_file = /etc/pki/tls/certs/mail.example.com.crt
      # smtpd_tls_CAfile = /etc/pki/tls/root.crt

      # rules restrictions
      smtpd_client_restrictions =
      smtpd_helo_restrictions = permit_mynetworks,
          reject_invalid_hostname,
          permit
      smtpd_sender_restrictions = permit_sasl_authenticated,
          permit_mynetworks,
          reject_unknown_sender_domain,
          permit
      smtpd_recipient_restrictions = permit_sasl_authenticated,
          permit_mynetworks,
          permit_inet_interfaces,
          reject_unauth_destination,
          reject_non_fqdn_sender,
          reject_non_fqdn_recipient,
          reject_non_fqdn_hostname,
          permit_sasl_authenticated,
          reject_unknown_recipient_domain,
          reject_unauth_destination,
          reject_invalid_hostname
          # uncomment for realtime black list checks. (Warn: will also reject false positive)
          ,reject_rbl_client zen.spamhaus.org
          ,reject_rbl_client bl.spamcop.net
          # ,reject_rbl_client dnsbl.sorbs.net
          # Graylist
          # ,check_policy_service inet:127.0.0.1:10023

      smtpd_helo_required = yes
      unknown_local_recipient_reject_code = 550
      disable_vrfy_command = yes
      smtpd_data_restrictions = reject_unauth_pipelining
      smtpd_banner = $myhostname ESMTP

      message_size_limit = 20480000

      # Things Philip Changed for SSL

      # Raise log level as default doesn't give much information
      smtpd_tls_loglevel = 1

      # path to the certificate file, should be root:root and 0444
      smtpd_tls_cert_file=/etc/letsencrypt/live/njoror.squashedfly.eu/fullchain.pem

      # path to the private key file, should be root:root and 0400
      smtpd_tls_key_file=/etc/letsencrypt/live/njoror.squashedfly.eu/privkey.pem

      # Allow use of TLS but make it optional
      smtpd_use_tls=yes

      # Cache sessions for speed improvement
      smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
      smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

      # Disable SSLv2/3 as they are vulnerable
      smtpd_tls_protocols = !SSLv2, !SSLv3

      # Insist on stronger ciphers
      smtpd_tls_ciphers = high

      # SASL parameters
      # Don't forget permit_sasl_authenticated in smtpd_relay_restrictions
      smtpd_sasl_type = dovecot
      smtpd_sasl_path = private/auth
      smtpd_sasl_auth_enable = yes
