Centos 7 | Postfix and Dovecot SSL/TLS with StartSSL certificate

[paknet]

First create a directory where we will keep certificates…

Code:

mkdir /etc/sentora/certs/

change the working directory

Code:

cd /etc/sentora/certs/

Create .key and .csr (Cert Signing Request) certificates

Code:

openssl req -nodes -newkey rsa:2048 -keyout sub.domain.com.key -out sub.domain.com.csr

Make private key, well, private =)

Code:

chmod 0640 sub.domain.com.key

copy the .csr (Cert Signing Request) so you can use it with StartSSL

Code:

cat sub.domain.com.csr

copy from (included)

Code:

-----BEGIN CERTIFICATE REQUEST-----

to (included)

Code:

-----BEGIN CERTIFICATE REQUEST-----

1. register for free account on www.startssl.com. (Validation back and forth…)
   
2. The generated certificate will be issued for the domain (subdomain) you entered in previous step !
   
3. After successful registration/validation click on “Certificates wizard”.
   
4. Select “Web Server SSL/TLS Certificate” and click next.
   
5. At next step click skip (You’ve generated CSR a while ago)
   
6. Paste the CSR into the textarea and click continue.
   
7. Click continue again
   
8. Select your domain and click continue
   
9. Enter subdomain in the field (e.g. mail.domain.com - !!! This should be the same as your reverse DNS lookup !!!)
   
10. Verify the domain and subdomain and click Continue
    

Click on “Tool Box” and select “Retrieve Certificate”
Select certificate according to hostname you’ve entered in previous step and hit continue. (mail.domain.com)
Copy textarea content to clipboard

and…

Code:

vi sub.domain.com.crt

paste the clipboard content to file and save it.

get the CA cert

Code:

wget https://www.startssl.com/certs/ca.pem

edit postfix master.cf file and enable port 465(smtp over SSL) and 587 (TLS)

Code:

vi /etc/postfix/master.cf

here is my configuration SMTP port 25, SMTPS port 465 and SUBMISSION port 587 (amavisd-new was commented out at this point. We'll get to that in another tutorial =)

Code:

smtp      inet  n       -       n       -       -       smtpd
 -o smtpd_sasl_auth_enable=yes
 -o receive_override_options=no_address_mappings
#  -o content_filter=smtp-amavis:127.0.0.1:10024
smtps     inet  n       -       n       -       -       smtpd
 -o smtpd_sasl_auth_enable=yes
 -o smtpd_tls_wrappermode=yes
 -o smtpd_tls_security_level=encrypt
 -o smtpd_etrn_restrictions=reject
#  -o content_filter=smtp-amavis:127.0.0.1:10024
submission inet n       -       n       -       -       smtpd
 -o smtpd_sasl_auth_enable=yes
 -o smtpd_tls_wrappermode=yes
 -o smtpd_tls_security_level=encrypt
 -o smtpd_etrn_restrictions=reject
#  -o content_filter=smtp-amavis:127.0.0.1:10024

We need to add certificates to the postfix main.cf file
edit the file

Code:

vi /etc/postfix/main.cf

Find and change # TLS config like this (replace all lines under # tls config)

Code:

# tls config
smtp_use_tls = yes
smtpd_use_tls = yes
# Disable SSLV3 - POODLE - Begin
smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3
smtp_tls_mandatory_protocols=!SSLv2,!SSLv3
smtpd_tls_protocols=!SSLv2,!SSLv3
smtp_tls_protocols=!SSLv2,!SSLv3
# Disable SSLV3 - POODLE - End
smtpd_tls_auth_only = no
smtpd_tls_security_level = may
smtp_tls_note_starttls_offer = yes
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
smtp_tls_session_cache_database = btree:$data_directory/smtp_tls_session_cache
smtpd_tls_key_file = /etc/sentora/certs/sub.domain.com.key
smtpd_tls_cert_file = /etc/sentora/certs/sub.domain.com.crt
smtpd_tls_CAfile = /etc/sentora/certs/ca.pem

restart postfix and do some testing

Code:

telnet localhost 25
Trying ::1...
Connected to localhost.
Escape character is '^]'.
220 sub.domain.com ESMTP
ehlo test.com
250-sub.domain.com
250-PIPELINING
250-SIZE 20480000
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

It works!
Also try ports 465 and 587

The Dovecot part…

edit the file

Code:

vi /etc/dovecot/dovecot.conf

find this line and delete it

Code:

ssl = no

after the line

Code:

#log_timestamp

was present only in Ubuntu file

paste the following and change .crt and .key file names

Code:

# SSL configuration - Begin
ssl = yes
ssl_cert = </etc/sentora/certs/sub.domain.com.crt
ssl_key = </etc/sentora/certs/sub.domain.com.key
 # Disable SSLV3 - Poodle
 ssl_protocols = !SSLv2 !SSLv3
# SSL configuration - End

Restart the dovecot

Code:

systemctl restart dovecot

Test the dovecot…

Code:

telnet localhost 110
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
+OK Dovecot ready.
quit
+OK Logging out
Connection closed by foreign host.

also test the imap (port 143), imaps (port 993) and pop3s (port 995)

When setting up mail clients for hosted domains and if you want to avoid “certificate could not be verified”, you need to set incoming(POP/IMAP) and outgoing(SMTP) server to mail.domain.com (remember OpenSSL subdomain?). You should also set the reverse DNS lookup and postfix config to the same hostname.

Edit postfix file

Code:

vi /etc/postfix/main.cf

Find this line and double check hostname

Code:

myhostname = mail.domain.com

That’s it! Go grab a beer! Cheers.

[adamhk0]

I wonder if it works on centos 6?

[Me.B]

Yep should work with centos 6 as no big change there.

[satriyowibowo]

i got some errors after configuring postfix
can't telnet to port 465 and 587
here is the error

Code:

Dec  5 21:05:44 mailserv postfix/smtpd[1018]: SSL_accept error from localhost[127.0.0.1]: -1
Dec  5 21:05:44 mailserv postfix/smtpd[1018]: warning: TLS library problem: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s2    3_srvr.c:649:
Dec  5 21:05:44 mailserv postfix/smtpd[1018]: lost connection after CONNECT from localhost[127.0.0.1]
Dec  5 21:05:44 mailserv postfix/smtpd[1018]: disconnect from localhost[127.0.0.1]

and i can't send email to outlook/hotmail email address
the log says

Code:

Dec  5 22:44:55 mailserv postfix/cleanup[3023]: DCFA11429AF: message-id=<005b01d12f73$e3221060$a9663120$@mydomain.com>
Dec  5 22:44:55 mailserv opendkim[31509]: DCFA11429AF: DKIM-Signature field added (s=mail, d=mydomain.com)
Dec  5 22:44:55 mailserv postfix/qmgr[3002]: DCFA11429AF: from=<admin@mydomain.com>, size=5428, nrcpt=1 (queue active)
Dec  5 22:44:57 mailserv postfix/smtp[3024]: DCFA11429AF: to=<clientmail@outlook.com>, relay=mx1.hotmail.com[65.54.188.110]:25, delay=2.9, delays=0.29/0.01/1.5/1.1, dsn=2.0.0, status=sent (250  <005b01d12f73$e3221060$a9663120$@mydomain.com> Queued mail for delivery)
Dec  5 22:44:57 mailserv postfix/qmgr[3002]: DCFA11429AF: removed

[visionix]

hi there good tutorial, I am new here.... Do I have to do it for every domain name that I host on a vps running centos 6?
Also Can I use a self generated certificate?

Thanks

Sorted!!!! LOL

Just installed another VPS with ubuntu....

[Mazerunner04]

Hello,
I started with a fresh installation and followed this guide. It works! Thank you.
However when I test my ports with telnet only 143 and 25 work.
Could someone advise me how to get this working on port 993/587?
Thank you in advance (and yes, I did try google)

Solved: Test 993 with openssl s_client -connect mail.domain.com:993 -quiet
Enabled Port 587 by adding "587 inet n - n - - smtpd" to master.cf of postfix

[usong725]

It seems steps 2 to 10 in creating accounts in startssl.com are not needed anymore.
It is confusing in startssl.com now.
Can you update this part?
Thanks