20 mins secure email setup with Postfix, Dovecot and OpenSSL
Oct 17, 2010

I’ve set up lots of email servers in the past years and every time I run into new issues as software and email usage evolve. This time I’ve got the perfect email setup, in my opinion and for my needs. I’ll describe what I used and the rationale behind it.

What I wanted to achieve is an smtp server that supports encrypted authentication. Why? Well, I don’t want anybody using my smtp server, only people that have a valid user/password (/etc/passwd). The other requirement is that those credentials are encrypted when they are sent.

Also, I want an imap server set up so the users have a system where they can log in and read their email. Here too, I want the users to authenticate with their system user/password, encrypted.

Final wish. I’d like to use Maildir style instead of mbox. In my opinion, Maildir is much easier to manage and performs better.
If you’d like to read more about mbox/Maildir here’s a link http://www.linuxmail.info/mbox-maildir-mail-storage-formats/

I will not talk about spam control as I’ll deal with it when it becomes an issue.

Ingredients:
OS: Debian
smtp: Postfix
imap: Dovecot
encryption: OpenSSL

So let’s start. The first part is to get the smtp server going. This will serve as the way to send emails. Postfix is a widely used smtp server that is reliable, easy to install and includes lots of goodies.

SMTP Setup (Postfix)

1. Install postfix


$ sudo apt-get install postfix

2. Since postfix will use dovecot for authentication, we’ll install it at this time


$ sudo apt-get install dovecot

3. Configure postfix
Pretty much it should work out of the box with the default settings but I’ll tweak a few.

First I’ll deal with the encryption part. You can use the self-signed certificate that comes with the package or create your own. Either one works for the purpose of this setup. I will create my own. This command will create the files smtpd.key (private key) and smtpd.cert (self-signed certificate, valid for 365 days)

$ openssl req -new -outform PEM -out smtpd.cert -newkey rsa:2048 -nodes -keyout smtpd.key -keyform PEM -days 365 -x509

Let’s move the certs to a safe place


$ mv smtpd.cert /etc/ssl/certs/
$ mv smtpd.key /etc/ssl/private/

Let’s configure postfix to use the newly created cert


$ vi /etc/postfix/main.cf
find the smtpd_tls_cert_file and smtpd_tls_key_file lines and replace them with these
smtpd_tls_cert_file=/etc/ssl/certs/smtpd.cert
smtpd_tls_key_file=/etc/ssl/private/smtpd.key

And uncomment all the TLS settings. In the end the TLS part should look like this

# TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/smtpd.cert
smtpd_tls_key_file=/etc/ssl/private/smtpd.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_tls_security_level = may

Next up is the authentication part. Here’s where I make use of the dovecot authentication library.


vi /etc/postfix/main.cf

Edit the sasl block and make it look like this

# Authentication
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_mynetworks,
    permit_sasl_authenticated, reject_unauth_destination, permit
broken_sasl_auth_clients = yes

Here we tell it to use dovecot as the auth library (smtpd_sasl_path is relative to the Postfix queue directory, so private/auth is /var/spool/postfix/private/auth), and in the restriction part, to permit hosts in mynetworks, permit clients that have authenticated, and reject relaying to destinations this server is not responsible for.

Lastly on this file is to tell it to use Maildir format


#Mailbox
home_mailbox = Maildir/

Almost there. Last but not least, edit the master.cf file to enable smtp over ssl (smtps)


vi /etc/postfix/master.cf

Uncomment the smtps part and make it look like this


smtps     inet  n       -       -       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject

Tip: If you’re having problems and want a more verbose log to troubleshoot, append -v to smtpd on the first line

smtps     inet  n       -       -       -       -       smtpd -v

This enables smtp over a secure channel (TLS wrapper mode on port 465) and adds options that require clients to authenticate.
Leave the rest of the file as is

That’s all for the postfix part. Go ahead and restart postfix


/etc/init.d/postfix restart

Let’s make sure our configuration looks good

$ telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 saffie.ca ESMTP Postfix (Debian/GNU)
ehlo localhost
250-saffie.ca
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

The STARTTLS line tells us that encryption is enabled, and the AUTH lines show that PLAIN and LOGIN are the accepted authentication mechanisms.
If ssl is running correctly, it should also be listening on port 465.

root@www:~# telnet localhost 465
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.

There it is!
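The goal stated at the top was that credentials only ever travel encrypted, so the EHLO reply Postfix gives on port 25 before STARTTLS is worth auditing: it must advertise STARTTLS, and ideally it should not advertise AUTH at all until TLS is up, which Postfix does when main.cf has smtpd_tls_auth_only = yes. The script below is an added example, not part of the original post; it parses a captured reply (the one from the telnet session above, plus a constructed hardened variant) and needs no live server.

```shell
#!/bin/sh
# Added example (not from the original post): audit the EHLO reply Postfix
# gives on port 25 before STARTTLS. The stated goal is that credentials
# travel only encrypted, so the cleartext reply must advertise STARTTLS
# and should NOT advertise AUTH; Postfix withholds AUTH until TLS is up when
# main.cf has "smtpd_tls_auth_only = yes". Assumes POSIX sh, grep and awk;
# the reply is passed as text captured from telnet or openssl s_client,
# so no live server is needed.

# 0 = safe, 1 = STARTTLS not offered, 2 = AUTH offered before TLS.
audit_ehlo() {
    reply=$1
    # capability lines are "250-NAME", the last one "250 NAME"
    printf '%s\n' "$reply" | grep -Eq '^250[- ]STARTTLS' || return 1
    # both "AUTH PLAIN LOGIN" and the legacy "AUTH=PLAIN LOGIN" count
    printf '%s\n' "$reply" | grep -Eq '^250[- ]AUTH[ =]' && return 2
    return 0
}

# SASL mechanisms offered in clear, one per line (empty when none).
ehlo_auth_mechs() {
    printf '%s\n' "$1" | awk '/^250[- ]AUTH /{for (i = 2; i <= NF; i++) print $i}'
}

# Constructed sample: the reply shown in the telnet session above.
PAGE_EHLO='250-saffie.ca
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN'

# Constructed sample: the same server with smtpd_tls_auth_only = yes,
# where AUTH appears only after the client has issued STARTTLS.
HARDENED_EHLO='250-saffie.ca
250-PIPELINING
250-SIZE 10240000
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN'

audit_ehlo "$PAGE_EHLO"; echo "as posted: rc=$? (2 = credentials could be sent in clear)"
audit_ehlo "$HARDENED_EHLO"; echo "with smtpd_tls_auth_only: rc=$?"
```

The port 465 listener is unaffected by this check because it is TLS from the first byte (smtpd_tls_wrappermode=yes); only the port 25 path can leak a PLAIN or LOGIN exchange.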

IMAP Setup (Dovecot)

Now let’s configure our imap server, Dovecot

$ sudo vi /etc/dovecot/dovecot.conf

Make sure your file includes the following (mechanisms is only valid inside the auth block, so it is set there):

mail_location = maildir:~/Maildir

# authentication config
auth default {
  mechanisms = plain login
  passdb pam {
  }
  userdb passwd {
  }
  socket listen {
    client {
      mode = 0660
      path = /var/spool/postfix/private/auth
      user = postfix
      group = postfix
    }
  }
}

This tells our imap server to support the plain and login authentication mechanisms, to check passwords through PAM, to look users up in the passwd database, and to create the auth socket (owned by postfix) that Postfix’s smtpd_sasl_path points at.
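The one thing that has to line up between the two configurations is the socket path: Postfix’s smtpd_sasl_path is relative to its queue directory, while Dovecot’s client path is absolute, and when they disagree EHLO still looks fine but every AUTH fails. The script below is an added example, not part of the original post; it parses the Dovecot 1.x syntax shown above and the main.cf snippet from the Postfix section, and runs against constructed copies of both files.

```shell
#!/bin/sh
# Added example (not from the original post): check that the SASL
# socket Postfix connects to is the one Dovecot is told to create.
# Postfix's smtpd_sasl_path is relative to queue_directory (default
# /var/spool/postfix); Dovecot's client path is absolute. A mismatch
# leaves EHLO looking fine while every AUTH fails with a "cannot
# connect to Dovecot auth daemon" style error in mail.log.
# Assumes POSIX sh plus awk; config files are passed as paths.

# Print the value of one parameter from a Postfix main.cf.
postfix_get() {                   # $1 = main.cf, $2 = parameter
    awk -F= -v k="$2" '
        /^[ \t]*#/ { next }
        { key = $1; gsub(/[ \t]/, "", key) }   # "k=v" and "k = v"
        key == k && NF >= 2 {
            v = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit }' "$1"
}

# Absolute socket path Postfix will open.
postfix_sasl_socket() {
    p=$(postfix_get "$1" smtpd_sasl_path)
    q=$(postfix_get "$1" queue_directory); [ -n "$q" ] || q=/var/spool/postfix
    case "$p" in /*) printf '%s\n' "$p" ;; *) printf '%s/%s\n' "$q" "$p" ;; esac
}

# "path =" inside Dovecot's socket listen { client { ... } } block (1.x syntax).
dovecot_client_socket() {
    awk '/client[ \t]*[{]/ { inblk = 1 }
         inblk && $1 == "path" { print $3; exit }
         inblk && /[}]/ { inblk = 0 }' "$1"
}

# 0 if both sides agree, 1 otherwise; prints both paths for the log.
check_sasl_socket() {             # $1 = main.cf, $2 = dovecot.conf
    a=$(postfix_sasl_socket "$1"); b=$(dovecot_client_socket "$2")
    printf 'postfix expects %s\ndovecot creates %s\n' "$a" "$b"
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Constructed samples mirroring the two snippets in this post.
tmp=$(mktemp -d)
printf '%s\n' 'smtpd_sasl_type = dovecot' 'smtpd_sasl_path = private/auth' \
    'smtpd_sasl_auth_enable = yes' > "$tmp/main.cf"
printf '%s\n' 'auth default {' '  socket listen {' '    client {' \
    '      mode = 0660' '      path = /var/spool/postfix/private/auth' \
    '      user = postfix' '      group = postfix' '    }' '  }' '}' > "$tmp/dovecot.conf"
check_sasl_socket "$tmp/main.cf" "$tmp/dovecot.conf" && echo "OK: socket paths agree"
```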

Restart dovecot

$ sudo /etc/init.d/dovecot restart

Let’s make sure the imap service is running. It should be listening on port 143, and on port 993 for secured imap

root@www:~# telnet localhost 143
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
* OK Dovecot ready.

root@www:~# telnet localhost 993
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.

That’s all. You can now configure your clients with the following imap settings

use SSL
port 993
password authentication

smtp settings
use SSL
port 465
password authentication

Components for a different post:
Spam control
Maildir setup
OpenLDAP integration

Happy secure emailing!
