Following on from Setting up Sentora and setting up HTTPS on domains, it is now time to do something about the encryption of emails between clients and the server (I have written about end to end encryption on macs before).
I hate playing about with Postfix and Dovecot, but Paul commented on Twitter that he had managed to get IMAP and SMTP working with SSL using Let’s Encrypt certificates. I emailed him, as every time I try doing anything with email configuration I end up with a headache.
The settings Paul gave me only require the fullchain.pem and privkey.pem files.
Dovecot:
I added the following code at the bottom of /etc/dovecot/dovecot.conf
# Things Philip Changed for SSL
# don't allow non-TLS connections for IMAP or SASL
ssl = required
disable_plaintext_auth = yes
# path to the certificate file, should be root:root and 0444
ssl_cert = </etc/letsencrypt/live/njoror.squashedfly.eu/fullchain.pem
# path to the private key file, should be root:root and 0400
ssl_key = </etc/letsencrypt/live/njoror.squashedfly.eu/privkey.pem
I did ask about the < at the start of the certificate path, and it seems Dovecot needs this to keep it happy: the < tells Dovecot to read the contents of the file, rather than treating the path itself as the certificate value.
To restart Dovecot use the command:
service dovecot restart
Postfix:
This has a longer config section. The assumption is that you want to support optional TLS with strong ciphers for when your mail server talks to other mail servers. This won’t make TLS mandatory, as not all mail servers support it properly and you might lose mail as a result.
In /etc/postfix/main.cf I commented out lines 67 and 68:
#smtp_use_tls = no
#smtpd_use_tls = no
I added the following to the bottom:
# Things Philip Changed for SSL
# Raise log level as default doesn't give much information
smtpd_tls_loglevel = 1
# path to the certificate file, should be root:root and 0444
smtpd_tls_cert_file=/etc/letsencrypt/live/njoror.squashedfly.eu/fullchain.pem
# path to the private key file, should be root:root and 0400
smtpd_tls_key_file=/etc/letsencrypt/live/njoror.squashedfly.eu/privkey.pem
# Allow use of TLS but make it optional
smtpd_use_tls=yes
# Cache sessions for speed improvement
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
# Disable SSLv2/3 as they are vulnerable
smtpd_tls_protocols = !SSLv2, !SSLv3
# Insist on stronger ciphers
smtpd_tls_ciphers = high
# SASL parameters
# Don't forget permit_sasl_authenticated in smtpd_relay_restrictions
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
To restart Postfix use the command:
service postfix restart
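Before restarting either service it is worth checking the two config files for the mistakes that come up in the comments below: the deprecated smtpd_use_tls setting, outbound mail still going out in plaintext because smtp_tls_security_level is missing, and a Dovecot ssl_cert or ssl_key path without the leading <. The following Python script is an added example (not code from the original post or from the Postfix or Dovecot projects): it parses the key = value lines of both files, honouring Postfix's whitespace-indented continuation lines, and reports those problems over constructed sample fragments that use the placeholder domain mail.example.com.

```python
"""Lint the TLS settings in a Postfix main.cf and a Dovecot dovecot.conf.

Added example: a simple key = value parser plus the checks a reviewer would
make of the fragments in the post. Sample inputs are constructed.
"""
import re

KV_LINE = re.compile(r"^\s*([A-Za-z0-9_]+)\s*=\s*(.*)$")


def parse_kv(text):
    """Return {key: value} for 'key = value' lines. Comments and blank lines
    are skipped; a line starting with whitespace continues the previous value
    (Postfix style); a later assignment overrides an earlier one."""
    settings, last_key = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and last_key is not None:
            settings[last_key] = (settings[last_key] + " " + raw.strip()).strip()
            continue
        m = KV_LINE.match(raw)
        if not m:
            last_key = None
            continue
        key, value = m.group(1), m.group(2).strip()
        settings[key] = value
        last_key = key
    return settings


def lint_postfix(cfg):
    """Findings for a parsed main.cf; an empty list means nothing to fix."""
    findings = []
    for p in ("smtpd_tls_cert_file", "smtpd_tls_key_file"):
        if not cfg.get(p):
            findings.append(f"{p} is not set; Postfix cannot offer STARTTLS")
    if "smtpd_use_tls" in cfg:
        findings.append("smtpd_use_tls is deprecated; use smtpd_tls_security_level = may")
    elif cfg.get("smtpd_tls_security_level") not in ("may", "encrypt"):
        findings.append("smtpd_tls_security_level missing: inbound STARTTLS not offered")
    if "smtp_use_tls" in cfg:
        findings.append("smtp_use_tls is deprecated; use smtp_tls_security_level = may")
    elif cfg.get("smtp_tls_security_level") not in ("may", "encrypt", "dane", "secure", "verify", "fingerprint"):
        findings.append("smtp_tls_security_level missing: outbound mail is sent in plaintext")
    protocols = cfg.get("smtpd_tls_protocols", "")
    if not protocols.startswith(">="):  # ">=TLSv1.2" form excludes SSLv2/3 implicitly
        for old in ("SSLv2", "SSLv3"):
            if f"!{old}" not in protocols:
                findings.append(f"smtpd_tls_protocols does not exclude {old}")
    if cfg.get("smtpd_tls_ciphers", "medium") in ("low", "export", "null"):
        findings.append("smtpd_tls_ciphers allows weak ciphers; use high")
    return findings


def lint_dovecot(cfg):
    """Findings for a parsed dovecot.conf; an empty list means nothing to fix."""
    findings = []
    if cfg.get("ssl") != "required":
        findings.append("ssl should be 'required' so IMAP logins cannot fall back to plaintext")
    if cfg.get("disable_plaintext_auth", "yes") != "yes":
        findings.append("disable_plaintext_auth should be yes")
    for p in ("ssl_cert", "ssl_key"):
        value = cfg.get(p, "")
        if not value:
            findings.append(f"{p} is not set")
        elif not value.startswith("<"):
            findings.append(f"{p} needs a leading '<' so Dovecot reads the file, not the literal path")
    return findings


# Constructed sample: the post's Postfix fragment plus a continuation-line
# restriction list, with a placeholder domain.
POSTFIX_FROM_POST = """\
# Things changed for SSL
smtpd_tls_loglevel = 1
smtpd_tls_cert_file=/etc/letsencrypt/live/mail.example.com/fullchain.pem
smtpd_tls_key_file=/etc/letsencrypt/live/mail.example.com/privkey.pem
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_ciphers = high
smtpd_recipient_restrictions = permit_sasl_authenticated,
    permit_mynetworks,
    reject_unauth_destination
"""
# The same fragment with the settings suggested in the comments.
POSTFIX_FIXED = POSTFIX_FROM_POST.replace(
    "smtpd_use_tls=yes", "smtpd_tls_security_level = may\nsmtp_tls_security_level = may")

DOVECOT_FROM_POST = """\
ssl = required
disable_plaintext_auth = yes
ssl_cert = </etc/letsencrypt/live/mail.example.com/fullchain.pem
ssl_key = </etc/letsencrypt/live/mail.example.com/privkey.pem
"""
DOVECOT_NO_ANGLE = DOVECOT_FROM_POST.replace("= <", "= ")

if __name__ == "__main__":
    for name, text, lint in (("main.cf (post)", POSTFIX_FROM_POST, lint_postfix),
                             ("main.cf (fixed)", POSTFIX_FIXED, lint_postfix),
                             ("dovecot.conf (post)", DOVECOT_FROM_POST, lint_dovecot),
                             ("dovecot.conf (no <)", DOVECOT_NO_ANGLE, lint_dovecot)):
        print(name, lint(parse_kv(text)) or "ok")
```

To run it against real files, pass the contents of /etc/postfix/main.cf and /etc/dovecot/dovecot.conf (or /etc/dovecot/conf.d/10-ssl.conf) into parse_kv instead of the constructed strings; a setting that appears only in an included file will not be seen, which is one reason to check the output of postconf -n as well.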
You may ask why all the encryption? Well, do you want Theresa May reading your emails, and seeing what sites you are going to!?
17 thoughts on “Let’s encrypt Postfix and Dovecot”
Thanks a LOT, with this Gmail gives me “Standard TLS”. No more red locks! [1]
[1] https://support.google.com/mail/answer/7039474?hl=en
Very interesting article. Thanks !
I have just a question. Why do you modify:
/etc/dovecot/dovecot.conf
instead of:
/etc/dovecot/conf.d/10-ssl.conf
?
No reason, I will have a look into why not the other.
Thanks for your tutorial, but you may note that “smtpd_use_tls” is deprecated and the correct setting is now:
smtpd_tls_security_level = may
Also, if you want to turn on encryption on outgoing messages as well, you should add:
smtp_tls_security_level = may
Thanks!!!!!!
This works great, no more warning about the SSL certificate in mutt MUA 🙂
One question: How would one go about configuring the certificate for multiple e-mail domains? I mean, would Dovecot and Postfix accept multiple Certificate / Private Key combinations for different domains, or should I somehow combine the SSL certificates for all domains of interest into one and use that instead?
BTW, nice article indeed, thanks for sharing!
./letsencrypt-auto certonly --webroot -w /etc/sentora/panel/ -d njoror.squashedfly.eu -d mail.mcgaw.eu -d mail.freedompress.org.uk -d mail.squashedfly.eu
I just keep adding them with -d domain. This may not be the best way, but it seems to work.
Hello, I did everything on this guide but I still get “xxxx.com did not encrypt this message” on gmail 🙁
I’m sending emails with thunderbird, the account is configured with TLS/SSL, I don’t know what’s wrong…
Could you help me?
In the maillog i see this when i’m sending an email:
Anonymous TLS connection established from….xxx.xxx… : TLSv1.2 with cipher ….
Sorry for my “spam” I solved it, it was because I just had:
smtpd_tls_security_level = may
And as someone said above, you need both:
smtpd_tls_security_level = may
smtp_tls_security_level = may
Thank you
I am glad that you managed to get it resolved 🙂
Hi! I’ve got encrypt running on server through Plesk (and the Security Advisor add-on). However not for mail yet. Right now I’m having this issue that when I add an email address to an email client like Mail, it will tell me the server certificate is not trusted, and I have to tell my iPhone for example to trust that certificate. Does this tutorial also solve that issue?
Cheers!
This replaces a self signed certificate with certificate issued by a trusted CA
Following the “I did ask about the < at the start of the certificate path” part, I noticed you actually didn't put the < in the above code.
Thanks for the post!
Has WordPress done the annoying thing of ‘correcting’ my code section?
In the meantime I still can't figure out how to make it work.
Here is my thread on the Sentora forums, with my main.cf file.
If someone can help or post their working main.cf file I would be in their debt.
main.cf
# postfix config file
# uncomment for debugging if needed
soft_bounce=yes
# postfix main
mail_owner = postfix
setgid_group = postdrop
delay_warning_time = 4
# postfix paths
html_directory = no
command_directory = /usr/sbin
daemon_directory = /usr/lib/postfix
queue_directory = /var/spool/postfix
sendmail_path = /usr/sbin/sendmail.postfix
newaliases_path = /usr/bin/newaliases.postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/postfix-2.2.2/samples
readme_directory = /usr/share/doc/postfix-2.2.2/README_FILES
# network settings
inet_interfaces = all
mydomain = njoror.squashedfly.eu
myhostname = njoror.squashedfly.eu
mynetworks = 127.0.0.1, 213.138.113.144
mydestination = localhost.$mydomain, localhost
relay_domains = proxy:mysql:/etc/sentora/configs/postfix/mysql-relay_domains_maps.cf
# mail delivery
recipient_delimiter = +
dovecot_destination_recipient_limit = 1
# mappings
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
#transport_maps = hash:/etc/postfix/transport
#local_recipient_maps =
# virtual setup
virtual_alias_maps = proxy:mysql:/etc/sentora/configs/postfix/mysql-virtual_alias_maps.cf,
regexp:/etc/sentora/configs/postfix/virtual_regexp
virtual_mailbox_base = /var/sentora/vmail
virtual_mailbox_domains = proxy:mysql:/etc/sentora/configs/postfix/mysql-virtual_domains_maps.cf
virtual_mailbox_maps = proxy:mysql:/etc/sentora/configs/postfix/mysql-virtual_mailbox_maps.cf
virtual_minimum_uid = 999
virtual_uid_maps = static:999
virtual_gid_maps = static:8
virtual_transport = dovecot
dovecot_destination_recipient_limit = 1
# debugging
debug_peer_level = 2
debugger_command =
PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
xxgdb $daemon_directory/$process_name $process_id & sleep 5
# authentication
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
broken_sasl_auth_clients = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
# tls config
# smtp_use_tls = no
# smtpd_use_tls = no
#smtp_tls_note_starttls_offer = yes
#smtpd_tls_loglevel = 1
#smtpd_tls_received_header = yes
#smtpd_tls_session_cache_timeout = 3600s
#tls_random_source = dev:/dev/urandom
#smtp_tls_session_cache_database = btree:$data_directory/smtp_tls_session_cache
# Change mail.example.com.* to your host name
#smtpd_tls_key_file = /etc/pki/tls/private/mail.example.com.key
#smtpd_tls_cert_file = /etc/pki/tls/certs/mail.example.com.crt
# smtpd_tls_CAfile = /etc/pki/tls/root.crt
# rules restrictions
smtpd_client_restrictions =
smtpd_helo_restrictions = permit_mynetworks,
reject_invalid_hostname,
permit
smtpd_sender_restrictions = permit_sasl_authenticated,
permit_mynetworks,
reject_unknown_sender_domain,
permit
smtpd_recipient_restrictions = permit_sasl_authenticated,
permit_mynetworks,
permit_inet_interfaces,
reject_unauth_destination,
reject_non_fqdn_sender,
reject_non_fqdn_recipient,
reject_non_fqdn_hostname,
permit_sasl_authenticated,
reject_unknown_recipient_domain,
reject_unauth_destination,
reject_invalid_hostname
# uncomment for realtime black list checks. (Warn: will also reject false positive)
,reject_rbl_client zen.spamhaus.org
,reject_rbl_client bl.spamcop.net
# ,reject_rbl_client dnsbl.sorbs.net
# Graylist
# ,check_policy_service inet:127.0.0.1:10023
smtpd_helo_required = yes
unknown_local_recipient_reject_code = 550
disable_vrfy_command = yes
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_banner = $myhostname ESMTP
message_size_limit = 20480000
# Things Philip Changed for SSL
# Raise log level as default doesn't give much information
smtpd_tls_loglevel = 1
# path to the certificate file, should be root:root and 0444
smtpd_tls_cert_file=/etc/letsencrypt/live/njoror.squashedfly.eu/fullchain.pem
# path to the private key file, should be root:root and 0400
smtpd_tls_key_file=/etc/letsencrypt/live/njoror.squashedfly.eu/privkey.pem
# Allow use of TLS but make it optional
smtpd_use_tls=yes
# Cache sessions for speed improvement
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
# Disable SSLv2/3 as they are vulnerable
smtpd_tls_protocols = !SSLv2, !SSLv3
# Insist on stronger ciphers
smtpd_tls_ciphers = high
# SASL parameters
# Don't forget permit_sasl_authenticated in smtpd_relay_restrictions
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes