Secure Sockets Layer (SSL) and its successor, Transport Layer Security (TLS), are two of the most widely used protocols for encrypting data transmitted between servers and clients. These protocols typically rely on X.509 certificates and asymmetric (public-key) cryptography.
STARTTLS is another way to secure an otherwise plaintext protocol. It also uses SSL/TLS to encrypt the data, but the encrypted session runs on the same port as the plaintext protocol instead of on a separate SSL/TLS-only port. For example, IMAP with STARTTLS uses the same port as plain IMAP (port 143), while SSL-based IMAP (IMAPS) uses a separate port, 993.
The previous tutorial (http://xmodulo.com/2014/01/mail-server-ubuntu-debian.html) described how to build a mail server running Postfix and Dovecot, but did not address the security aspect. In this tutorial, we will demonstrate how to add TLS/SSL encryption to that mail server.
The certificates required for TLS/SSL can be self-signed, signed by a free CA (such as CAcert), or signed by a commercial CA (such as VeriSign); in every case the key and certificate request can be generated with OpenSSL or similar utilities. We are going to use a self-signed certificate in this tutorial.
Enable TLS encryption for Postfix
You can use the following command to create a self-signed certificate.
# openssl req -new -x509 -days 365 -nodes -out /etc/ssl/certs/postfixcert.pem -keyout /etc/ssl/private/postfixkey.pem
The preceding command requests a new X.509 certificate that is valid for 365 days. The optional -nodes parameter specifies that the private key should not be encrypted (Postfix must be able to read it at startup without a passphrase). The certificate is written to postfixcert.pem and the private key to postfixkey.pem.
Fill in the certificate fields when prompted:
Country Name (2 letter code) [AU]:BD
State or Province Name (full name) [Some-State]:Dhaka
Locality Name (eg, city) []:Dhaka
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:Example.tst
Common Name (e.g. server FQDN or YOUR name) []:mail.example.tst
Email Address []:sarmed@example.tst
Now that the certificate is ready, adjust the necessary parameters in the Postfix configuration file:
root@mail:~# vim /etc/postfix/main.cf

### STARTTLS enabled ###
smtpd_tls_security_level = may
smtpd_tls_received_header = yes
smtpd_tls_auth_only = yes
### when troubleshooting, use loglevel 3 ###
smtpd_tls_loglevel = 1
### certificate and key file path ###
smtpd_tls_cert_file = /etc/ssl/certs/postfixcert.pem
smtpd_tls_key_file = /etc/ssl/private/postfixkey.pem
smtpd_use_tls = yes
Restart Postfix to enable TLS.
root@mail:~# service postfix restart
At this point, Postfix is ready to encrypt the data sent to and from the server. More details about Postfix TLS support can be found in the official README (http://www.postfix.org/TLS_README.html).
Enable SSL encryption for Dovecot
The method for configuring Dovecot for encryption is similar to that for Postfix.
First, create the self-signed certificate using openssl:
# openssl req -new -x509 -days 365 -nodes -out /etc/ssl/certs/dovecotcert.pem -keyout /etc/ssl/private/dovecotkey.pem
The preceding command requests a new X.509 certificate that is valid for 365 days. The -nodes parameter specifies that the stored private key should not be encrypted. The certificate is written to dovecotcert.pem and the private key to dovecotkey.pem.
Fill in the certificate fields as before:
Country Name (2 letter code) [AU]:BD
State or Province Name (full name) [Some-State]:Dhaka
Locality Name (eg, city) []:Dhaka
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:Example.tst
Common Name (e.g. server FQDN or YOUR name) []:mail.example.tst
Email Address []:sarmed@example.tst
Next, add the certificate and key paths to the Dovecot configuration. Dovecot reads the file contents when the value starts with "<":
root@mail:~# vim /etc/dovecot/conf.d/10-ssl.conf

ssl_cert = </etc/ssl/certs/dovecotcert.pem
ssl_key = </etc/ssl/private/dovecotkey.pem
Finally, restart Dovecot to enable SSL with the new certificate.
root@mail:~# service dovecot restart
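The two certificate-creation steps above (for Postfix and for Dovecot) are interactive. The following script is an added example, not part of the original tutorial: it creates the same kind of self-signed certificate non-interactively (the -subj values are the tutorial's answers to the prompts; the function names and the use of a temporary directory in the usage are assumptions of this example) and then runs the checks worth doing before Postfix or Dovecot is pointed at the files: the key matches the certificate, the Common Name is the server FQDN, the certificate is not about to expire, and the private key is not world-readable.

```sh
#!/bin/sh
# Added example, not part of the original tutorial. It creates a self-signed
# certificate non-interactively with the same openssl options the tutorial
# uses (the -subj values are the tutorial's answers to the prompts) and then
# runs the checks worth doing before Postfix or Dovecot is pointed at the files.
set -u

# make_selfsigned CERT KEY FQDN: write the certificate and an unencrypted key,
# and make the key readable only by its owner (it holds the server's secret).
make_selfsigned() {
    openssl req -new -x509 -days 365 -nodes \
        -subj "/C=BD/ST=Dhaka/L=Dhaka/OU=Example.tst/CN=$3/emailAddress=sarmed@example.tst" \
        -out "$1" -keyout "$2" 2>/dev/null \
    && chmod 600 "$2"
}

# cert_key_match CERT KEY: succeed only if the public key inside the
# certificate is the same as the one derived from the private key. A mismatch
# makes Postfix/Dovecot fail the TLS handshake (or refuse to load TLS at all).
cert_key_match() {
    openssl x509 -in "$1" -noout >/dev/null 2>&1 || return 1
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null | openssl sha256)
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# cert_cn CERT: print the subject Common Name. Clients compare it against the
# host name they connect to, so it must be the server's FQDN.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# cert_valid_for CERT SECONDS: succeed if the certificate will not expire
# within SECONDS (useful as a cron check, since -days 365 is short).
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# key_is_private KEY: succeed if group and others have no permission bits set.
key_is_private() {
    case "$(ls -ld "$1" | cut -c5-10)" in
        ------) return 0 ;;
        *)      return 1 ;;
    esac
}
```

Run the same functions against /etc/ssl/certs/postfixcert.pem and /etc/ssl/private/postfixkey.pem (or the Dovecot pair) after generating them; cert_valid_for with 2592000 (30 days) makes a reasonable scheduled expiry check.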
Thunderbird mail client configuration
The following screenshot shows how to configure the account in Mozilla Thunderbird.
Troubleshooting
First, make sure all necessary ports are allowed in the firewall.
Next, try to connect to the mail server with telnet. The connection should succeed. The following sessions are provided for reference only.
Connect to IMAPS
$ telnet mail.example.tst 993
Trying mail.example.tst...
Connected to mail.example.tst.
Escape character is '^]'.
exit
exit
Connection closed by foreign host.
Connect to POP3S
$ telnet mail.example.tst 995
Trying mail.example.tst...
Connected to mail.example.tst.
Escape character is '^]'.
exit
exit
Connection closed by foreign host.
Connect to SMTP
$ telnet mail.example.tst 25
Trying mail.example.tst...
Connected to mail.example.tst.
Escape character is '^]'.
220 mail.example.tst ESMTP Postfix (Ubuntu)
### command ###
ehlo mail.example.tst
250-mail.example.tst
250-PIPELINING
250-SIZE 1024116
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
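The EHLO reply in the SMTP session above is what the main.cf settings from this tutorial should produce: STARTTLS is offered, and because smtpd_tls_auth_only = yes, no AUTH extension is advertised on the plaintext connection. The following script is an added example, not part of the tutorial, that checks a captured EHLO reply for exactly those two properties (the reply text is constructed to mirror the session above; the function names are this example's own).

```sh
#!/bin/sh
# Added example, not part of the original tutorial: classify a captured EHLO
# reply according to what the tutorial's Postfix TLS settings should produce.
# EHLO_REPLY is constructed from the telnet session shown in the tutorial.
EHLO_REPLY='220 mail.example.tst ESMTP Postfix (Ubuntu)
250-mail.example.tst
250-PIPELINING
250-SIZE 1024116
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN'

# ehlo_offers REPLY KEYWORD: succeed if the reply lists KEYWORD as an
# extension (a "250-" continuation line or the final "250 " line).
ehlo_offers() {
    printf '%s\n' "$1" | tr -d '\r' | grep -qiE "^250[- ]$2( |\$)"
}

# ehlo_verdict REPLY: print one of
#   ok             STARTTLS offered and no AUTH before TLS (smtpd_tls_auth_only works)
#   no-starttls    TLS is not enabled, or Postfix could not load the cert/key
#   plaintext-auth AUTH offered before TLS: credentials would cross the wire in clear
ehlo_verdict() {
    if ! ehlo_offers "$1" STARTTLS; then
        echo no-starttls
    elif ehlo_offers "$1" AUTH; then
        echo plaintext-auth
    else
        echo ok
    fi
}
```

Paste the reply from your own telnet session into EHLO_REPLY, or capture it with a scripted session, and check that ehlo_verdict prints ok; if it prints no-starttls, raise smtpd_tls_loglevel to 3 as the tutorial suggests and look at the mail log for certificate-loading errors.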
Address: http://xmodulo.com/2014/01/secure-mail-server-using-encryption.html