Following on from Setting up Sentora and setting up HTTPS on domains, it is now time to do something about the encryption of emails between clients and the server (I have written about end-to-end encryption on Macs before).

I hate playing about with Postfix and Dovecot. Paul commented on Twitter that he had managed to get IMAP and SMTP working with SSL using Let’s Encrypt certificates, so I emailed him, as every time I try doing anything with email configurations I end up with a headache.

The settings Paul gave me only require the fullchain.pem and privkey.pem files.

Dovecot:

I added the following at the bottom of /etc/dovecot/dovecot.conf:

# Things Philip Changed for SSL

# don't allow non-TLS connections for IMAP or SASL
ssl = required
disable_plaintext_auth = yes

# path to the certificate file, should be root:root and 0444
ssl_cert = </etc/letsencrypt/live/njoror.squashedfly.eu/fullchain.pem

# path to the private key file, should be root:root and 0400
ssl_key = </etc/letsencrypt/live/njoror.squashedfly.eu/privkey.pem

I did ask about the < at the start of the certificate path: Dovecot needs it, because the < tells it to read the value from the named file rather than treating the text after it as the certificate itself.

To restart dovecot use the command

service dovecot restart

Postfix:

This has a longer config section. The assumption is that you want to support optional TLS with strong ciphers for when your mail server talks to other mail servers. It won’t make TLS mandatory, as not all mail servers support it properly and you might lose mail as a result.

In /etc/postfix/main.cf I commented out lines 67 and 68:

#smtp_use_tls = no
#smtpd_use_tls = no

I added the following to the bottom:

# Things Philip Changed for SSL

# Raise log level as default doesn't give much information
smtpd_tls_loglevel = 1

# path to the certificate file, should be root:root and 0444
smtpd_tls_cert_file=/etc/letsencrypt/live/njoror.squashedfly.eu/fullchain.pem

# path to the private key file, should be root:root and 0400
smtpd_tls_key_file=/etc/letsencrypt/live/njoror.squashedfly.eu/privkey.pem

# Allow use of TLS but make it optional (on Postfix 2.3 and later,
# smtpd_tls_security_level = may is the equivalent, preferred setting)
smtpd_use_tls=yes

# Cache sessions for speed improvement
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# Disable SSLv2/3 as they are vulnerable
smtpd_tls_protocols = !SSLv2, !SSLv3

# Insist on stronger ciphers
smtpd_tls_ciphers = high

# SASL parameters
# Don't forget permit_sasl_authenticated in smtpd_relay_restrictions
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes

To restart Postfix use the command

service postfix restart
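As an added example (not from the post or from Paul's settings), here is a small Python audit that parses Dovecot and Postfix fragments like the ones above and reports which of the hardening points are missing; the sample config text and the mail.example.invalid paths are constructed for the example.

```python
# Offline audit of the Dovecot and Postfix TLS settings described in the post.
# The config fragments and paths below are constructed samples, not real files.

def parse_conf(text):
    """Parse 'key = value' lines in Dovecot or Postfix style; comments are skipped
    and Dovecot's leading '<' (read value from file) is stripped to a plain path."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip().lstrip("<").strip()
    return settings

def audit_dovecot(text):
    """Return findings for a Dovecot fragment; an empty list means it matches the post."""
    s, findings = parse_conf(text), []
    if s.get("ssl") != "required":
        findings.append("dovecot: ssl must be 'required' so IMAP cannot fall back to cleartext")
    if s.get("disable_plaintext_auth") != "yes":
        findings.append("dovecot: disable_plaintext_auth must be 'yes'")
    for key in ("ssl_cert", "ssl_key"):
        if not s.get(key, "").startswith("/"):
            findings.append(f"dovecot: {key} missing or not an absolute path")
    return findings

def audit_postfix(text):
    """Return findings for the inbound (smtpd) side of a Postfix main.cf fragment."""
    s, findings = parse_conf(text), []
    # Either the legacy knob used in the post or the newer security level enables STARTTLS.
    if s.get("smtpd_use_tls") != "yes" and s.get("smtpd_tls_security_level") not in ("may", "encrypt"):
        findings.append("postfix: STARTTLS not enabled for inbound SMTP")
    protocols = {p.strip() for p in s.get("smtpd_tls_protocols", "").split(",") if p.strip()}
    # Newer Postfix accepts a minimum version such as '>=TLSv1.2', which also rules out SSLv2/3.
    if not any(p.startswith(">=") for p in protocols):
        for legacy in ("SSLv2", "SSLv3"):
            if "!" + legacy not in protocols:
                findings.append(f"postfix: {legacy} not excluded in smtpd_tls_protocols")
    if s.get("smtpd_tls_ciphers") != "high":
        findings.append("postfix: smtpd_tls_ciphers should be 'high'")
    return findings

# Constructed samples: the post's Dovecot lines, and a weak Postfix fragment that still
# allows SSLv3 and medium ciphers so the audit has something to report.
DOVECOT_OK = "ssl = required\ndisable_plaintext_auth = yes\n" \
    "ssl_cert = </etc/letsencrypt/live/mail.example.invalid/fullchain.pem\n" \
    "ssl_key = </etc/letsencrypt/live/mail.example.invalid/privkey.pem\n"
POSTFIX_WEAK = "smtpd_use_tls=yes\nsmtpd_tls_protocols = !SSLv2\nsmtpd_tls_ciphers = medium\n" \
    "smtpd_tls_cert_file=/etc/letsencrypt/live/mail.example.invalid/fullchain.pem\n" \
    "smtpd_tls_key_file=/etc/letsencrypt/live/mail.example.invalid/privkey.pem\n"
```

Run it against the real files with `audit_dovecot(open('/etc/dovecot/dovecot.conf').read())` and the Postfix equivalent after restarting both services; an empty list for each means the settings from the post are all in place.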

You may ask why all the encryption? Well, do you want Theresa May reading your emails and seeing what sites you are going to?!