Centos 7 | Postfix and Dovecot SSL/TLS with StartSSL certificate
#1
First create a directory where we will keep certificates…
Code:
mkdir /etc/sentora/certs/

change the working directory
Code:
cd /etc/sentora/certs/

Create .key and .csr (Cert Signing Request) certificates
Code:
openssl req -nodes -newkey rsa:2048 -keyout sub.domain.com.key -out sub.domain.com.csr

Make private key, well, private =)
Code:
chmod 0640 sub.domain.com.key

copy the .csr (Cert Signing Request) so you can use it with StartSSL
Code:
cat sub.domain.com.csr

copy from (included)
Code:
-----BEGIN CERTIFICATE REQUEST-----
to (included)
Code:
-----END CERTIFICATE REQUEST-----

  1. register for free account on www.startssl.com. (Validation back and forth…)
  2. The generated certificate will be issued for the domain (subdomain) you entered in previous step !
  3. After successful registration/validation click on “Certificates wizard”.
  4. Select “Web Server SSL/TLS Certificate” and click next.
  5. At the next step click skip (you generated the CSR earlier)
  6. Paste the CSR into the textarea and click continue.
  7. Click continue again
  8. Select your domain and click continue
  9. Enter subdomain in the field (e.g. mail.domain.com - !!! This should be the same as your reverse DNS lookup !!!)
  10. Verify the domain and subdomain and click Continue
Click on “Tool Box” and select “Retrieve Certificate”
Select certificate according to hostname you’ve entered in previous step and hit continue. (mail.domain.com)
Copy textarea content to clipboard

and…
Code:
vi sub.domain.com.crt
paste the clipboard content to file and save it.

get the CA cert
Code:
wget https://www.startssl.com/certs/ca.pem

edit the postfix master.cf file and enable port 465 (SMTP over SSL) and 587 (TLS)
Code:
vi /etc/postfix/master.cf

here is my configuration: SMTP port 25, SMTPS port 465 and submission port 587 (amavisd-new was commented out at this point; we'll get to that in another tutorial =)
Code:
smtp      inet  n       -       n       -       -       smtpd
 -o smtpd_sasl_auth_enable=yes
 -o receive_override_options=no_address_mappings
#  -o content_filter=smtp-amavis:127.0.0.1:10024
# smtps (465): TLS from the first byte (wrapper mode), so a plain telnet
# session gets no banner here; test it with openssl s_client instead
smtps     inet  n       -       n       -       -       smtpd
 -o smtpd_sasl_auth_enable=yes
 -o smtpd_tls_wrappermode=yes
 -o smtpd_tls_security_level=encrypt
 -o smtpd_etrn_restrictions=reject
#  -o content_filter=smtp-amavis:127.0.0.1:10024
# submission (587): STARTTLS, not wrapper mode; mail clients expect a plain
# banner and then STARTTLS on 587, and "encrypt" still makes TLS mandatory
submission inet n       -       n       -       -       smtpd
 -o smtpd_sasl_auth_enable=yes
 -o smtpd_tls_security_level=encrypt
 -o smtpd_etrn_restrictions=reject
#  -o content_filter=smtp-amavis:127.0.0.1:10024

We need to add certificates to the postfix main.cf file
edit the file
Code:
vi /etc/postfix/main.cf

Find and change # TLS config like this (replace all lines under # tls config)
Code:
# tls config
# smtp_use_tls / smtpd_use_tls are the legacy switches; the
# *_tls_security_level settings below are what current Postfix reads
smtp_use_tls = yes
smtpd_use_tls = yes
# Disable SSLV3 - POODLE - Begin
smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3
smtp_tls_mandatory_protocols=!SSLv2,!SSLv3
smtpd_tls_protocols=!SSLv2,!SSLv3
smtp_tls_protocols=!SSLv2,!SSLv3
# Disable SSLV3 - POODLE - End
# "no" still offers AUTH on unencrypted port 25 sessions; "yes" would require
# STARTTLS before AUTH (465 and 587 already enforce encryption in master.cf)
smtpd_tls_auth_only = no
# "may" = opportunistic STARTTLS on port 25 (other mail servers are not forced to use TLS)
smtpd_tls_security_level = may
smtp_tls_note_starttls_offer = yes
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
smtp_tls_session_cache_database = btree:$data_directory/smtp_tls_session_cache
# key (private), certificate (from StartSSL) and the CA file downloaded above
smtpd_tls_key_file = /etc/sentora/certs/sub.domain.com.key
smtpd_tls_cert_file = /etc/sentora/certs/sub.domain.com.crt
smtpd_tls_CAfile = /etc/sentora/certs/ca.pem

restart postfix and do some testing

Code:
telnet localhost 25
Trying ::1...
Connected to localhost.
Escape character is '^]'.
220 sub.domain.com ESMTP
ehlo test.com
250-sub.domain.com
250-PIPELINING
250-SIZE 20480000
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
It works!
Also try ports 465 and 587

The Dovecot part…

edit the file
Code:
vi /etc/dovecot/dovecot.conf

find this line and delete it
Code:
ssl = no

after the line
Code:
#log_timestamp
(this line was present only in the Ubuntu file)
paste the following and change the .crt and .key file names
Code:
# SSL configuration - Begin
ssl = yes
ssl_cert = </etc/sentora/certs/sub.domain.com.crt
ssl_key = </etc/sentora/certs/sub.domain.com.key
# Disable SSLV3 - Poodle
ssl_protocols = !SSLv2 !SSLv3
# SSL configuration - End

Restart the dovecot
Code:
systemctl restart dovecot

Test the dovecot…
Code:
telnet localhost 110
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
+OK Dovecot ready.
quit
+OK Logging out
Connection closed by foreign host.

also test the imap (port 143), imaps (port 993) and pop3s (port 995)

When setting up mail clients for hosted domains, if you want to avoid “certificate could not be verified”, you need to set the incoming (POP/IMAP) and outgoing (SMTP) server to mail.domain.com (remember the OpenSSL subdomain?). You should also set the reverse DNS lookup and the postfix config to the same hostname.

Edit postfix file
Code:
vi /etc/postfix/main.cf
Find this line and double-check the hostname
Code:
myhostname = mail.domain.com

That’s it! Go grab a beer! Cheers.
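A check script for the listeners this tutorial sets up, added here and not part of the original post. It assumes the tutorial's CA path (/etc/sentora/certs/ca.pem), that openssl is installed, and that the hostname you pass is the one in the certificate's CN; the script names and functions are my own.

```shell
#!/bin/sh
# tls_check.sh (added example, not from the tutorial): verify every TLS listener
# the tutorial enables. Assumes the tutorial's CA path and hostname choices.
CA_FILE=${CA_FILE:-/etc/sentora/certs/ca.pem}

# openssl s_client arguments per port. 25/587/143/110 upgrade with STARTTLS;
# 465/993/995 speak TLS from the first byte (smtpd_tls_wrappermode, imaps, pop3s),
# which is why plain telnet there ends in "SSL23_GET_CLIENT_HELLO:unknown protocol".
s_client_args() {
  case "$1" in
    25|587)      echo "-starttls smtp -connect $2:$1" ;;
    143)         echo "-starttls imap -connect $2:$1" ;;
    110)         echo "-starttls pop3 -connect $2:$1" ;;
    465|993|995) echo "-connect $2:$1" ;;
    *)           return 1 ;;
  esac
}

# Judge captured s_client output: 0 = chain verified and leaf CN equals the host,
# 1 = chain did not verify, 2 = certificate is for some other name.
# Handles both OpenSSL 1.0 ("subject=/C=../CN=x") and 1.1 ("subject=C = .., CN = x").
check_output() {
  host=$1; out=$2
  printf '%s\n' "$out" | grep -q 'Verify return code: 0 (ok)' || return 1
  cn=$(printf '%s\n' "$out" | sed -n 's/^subject=.*CN *= *\([^,/]*\).*/\1/p' | head -n 1)
  [ "$cn" = "$host" ] || return 2
  return 0
}

# Live check of one port; $args is intentionally unquoted so it word-splits.
check_port() {
  host=$1; port=$2
  args=$(s_client_args "$port" "$host") || { echo "$port: not a mail port"; return 3; }
  out=$(printf 'QUIT\r\n' | openssl s_client $args -servername "$host" -CAfile "$CA_FILE" 2>&1)
  check_output "$host" "$out"; rc=$?
  case $rc in
    0) echo "$port: ok, CN=$host, chain verified against $CA_FILE" ;;
    1) echo "$port: chain NOT verified (check smtpd_tls_CAfile / the chain in Dovecot ssl_cert)" ;;
    2) echo "$port: certificate name does not match $host; mail clients will warn" ;;
  esac
  return $rc
}

# Usage: sh tls_check.sh mail.domain.com
if [ $# -gt 0 ]; then
  for p in 25 587 465 143 993 110 995; do check_port "$1" "$p"; done
fi
```

Run it from another machine as well as from localhost, because only a remote run tells you whether the name in the certificate, the reverse DNS entry and myhostname really line up.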
#2
RE: Centos 7 | Postfix and Dovecot SSL/TLS with StartSSL certificate
I wonder if it works on centos 6?
#3
RE: Centos 7 | Postfix and Dovecot SSL/TLS with StartSSL certificate
Yep should work with centos 6 as no big change there.
#4
RE: Centos 7 | Postfix and Dovecot SSL/TLS with StartSSL certificate
I got some errors after configuring postfix.
I can't telnet to port 465 and 587.
Here is the error:

Code:
Dec  5 21:05:44 mailserv postfix/smtpd[1018]: SSL_accept error from localhost[127.0.0.1]: -1
Dec  5 21:05:44 mailserv postfix/smtpd[1018]: warning: TLS library problem: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:649:
Dec  5 21:05:44 mailserv postfix/smtpd[1018]: lost connection after CONNECT from localhost[127.0.0.1]
Dec  5 21:05:44 mailserv postfix/smtpd[1018]: disconnect from localhost[127.0.0.1]

And I can't send email to an outlook/hotmail email address.
The log says:
Code:
Dec  5 22:44:55 mailserv postfix/cleanup[3023]: DCFA11429AF: message-id=<005b01d12f73$e3221060$a9663120$@mydomain.com>
Dec  5 22:44:55 mailserv opendkim[31509]: DCFA11429AF: DKIM-Signature field added (s=mail, d=mydomain.com)
Dec  5 22:44:55 mailserv postfix/qmgr[3002]: DCFA11429AF: from=<admin@mydomain.com>, size=5428, nrcpt=1 (queue active)
Dec  5 22:44:57 mailserv postfix/smtp[3024]: DCFA11429AF: to=<clientmail@outlook.com>, relay=mx1.hotmail.com[65.54.188.110]:25, delay=2.9, delays=0.29/0.01/1.5/1.1, dsn=2.0.0, status=sent (250  <005b01d12f73$e3221060$a9663120$@mydomain.com> Queued mail for delivery)
Dec  5 22:44:57 mailserv postfix/qmgr[3002]: DCFA11429AF: removed
#5
RE: Centos 7 | Postfix and Dovecot SSL/TLS with StartSSL certificate
Hi there, good tutorial, I am new here.... Do I have to do it for every domain name that I host on a VPS running centos 6?
Also, can I use a self-generated certificate?

Thanks

Sorted!!!! LOL

Just installed another VPS with ubuntu....
#6
RE: Centos 7 | Postfix and Dovecot SSL/TLS with StartSSL certificate
Hello,
I started with a fresh installation and followed this guide. It works! Thank you.
However when I test my ports with telnet only 143 and 25 work.
Could someone advise me how to get this working on port 993/587?
Thank you in advance (and yes, I did try google)

Solved: Test 993 with openssl s_client -connect mail.domain.com:993 -quiet
Enabled Port 587 by adding "587 inet n - n - - smtpd" to master.cf of postfix
#7
RE: Centos 7 | Postfix and Dovecot SSL/TLS with StartSSL certificate
It seems steps 2 to 10 in creating accounts in startssl.com are not needed anymore.
It is confusing in startssl.com now.
Can you update this part?
Thanks