Support for Email Server TLS encryption on Sentora?

[americanninja]

So I noticed Google is now displaying broken lock icons on emails that are sent by email servers not using TLS encryption. As this was just rolled out, most users won't notice it, but soon they will. Currently, all email sent out by my Sentora managed server are coming into my gmail client with this broken icon, so I assume the server is not configured with TLS encryption. Is there any easy way to just turn this on?

You can read more about this on Google's website here:
https://www.google.com/transparencyrepor...tls/?hl=en
http://gmailblog.blogspot.jp/2016/02/mak...ed-by.html

[Me.B]

Nope this have nothing to do with TLS! This is over SSL. As depend on your navigator preference. If you are paranoid and enforce SSL you will break non-SSL calls. So that will apply for your browser on gmail and have nothing with TLS wich is another issue, that we may offer soon.

We are working on SSL implementation already.

[americanninja]

Really? It seems this is referring to TLS. It doesn't say anything about SSL.

When you see the red unlocked padlock in your gmail message, you can click the learn more link. Which will take you here: https://support.google.com/mail/answer/6...hl=en&rd=1

Based on the Google support page, it's just stating that your email server is sending out the email without using TLS. So I guess I just gotta enable it on my server?

Actually, while doing some more searching, I actually came across this Sentora forum post. http://forums.sentora.org/showthread.php?tid=46
So perhaps if I just follow this, then my emails will be sent out with TLS and then the unsecure icon in gmail will no longer display when I send my email to people?

[Me.B]

Not a major issue... Any way SSL and then TLS in the pipes.

I understood broken icon...  Never got that on my Google Apps account.

Any way once we nail SSL on apache we may look over TLS as it will be easier.

See here we are moving over that.
http://forums.sentora.org/showthread.php?tid=2586

[americanninja]

Thank you Me.B. Yeah, actually I just noticed it on gmail yesterday. It seems Google just launched this feature sometime this week. So maybe you haven't received an email from a server not using TLS.

Anyway, I gave it a bit more searching and I came across this site:

http://xmodulo.com/secure-mail-server-us...ption.html

I just followed the instructions under the "Enable TLS Encryption for Postfix". It was actually quite simple. Just created a self cert, modified the main.cf file and then restarting postfix. Just tested my server to send an outbound email to my gmail account and no more padlock. Looks like emails are now being encrypted.

Well, anyway, in case anyone finds this thread while searching Google, they will know how to fix it. I will copy and paste the instructions below. If there is anything incorrect in there, let me know so I can fix what I did to my server.

Thanks!


Enable TLS Encryption for Postfix
A self-signed certificate can be created with the following command.

# openssl req -new -x509 -days 365 -nodes -out /etc/ssl/certs/postfixcert.pem -keyout /etc/ssl/private/postfixkey.pem
The above command requests a new certificate which is of type X.509, and remains valid for 365 days. The optional -nodes parameter specifies that the private key should not be encrypted. An output certificate file is saved as postfixcert.pem, and an output key file as postfixkey.pem .

All necessary values for the certificate can be given:

Code:

Country Name (2 letter code) [AU]:BD
State or Province Name (full name) [Some-State]:Dhaka
Locality Name (eg, city) []:Dhaka
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:Example.tst
Common Name (e.g. server FQDN or YOUR name) []:mail.example.tst
Email Address []:sarmed@example.tst
Now that the certificate is ready, necessary parameters are adjusted in postfix configuration file.

root@mail:~# vim /etc/postfix/main.cf
### STARTTLS is enabled ###
smtpd_tls_security_level = may

smtpd_tls_received_header = yes
smtpd_tls_auth_only = yes

### loglevel 3 should be used while troubleshooting ###
smtpd_tls_loglevel = 1

### path to certificate and key file
smtpd_tls_cert_file = /etc/ssl/certs/postfixcert.pem
smtpd_tls_key_file = /etc/ssl/private/postfixkey.pem
smtpd_use_tls=yes
Restart postfix to enable TLS.

root@mail:~# service postfix restart
At this point, postfix is ready to encrypt data to and from the server. More details about Postfix TLS support can be found in their official README.

[Me.B]

You can use let's encrypt for postfix too.

M B

[bluephantom]

you need configure webmail too, by default roudcube is not allowing tls

Code:

nano /etc/sentora/panel/etc/apps/webmail/config/config.inc.php

and change this code

Code:

// ----------------------------------
// SMTP
// ----------------------------------
$config['smtp_server'] = 'tls://127.0.0.1'; //Default was ''

thanks.

[americanninja]

you need configure webmail too, by default roudcube is not allowing tls

Code:

nano /etc/sentora/panel/etc/apps/webmail/config/config.inc.php

and change this code

Code:

// ----------------------------------
// SMTP
// ----------------------------------
$config['smtp_server'] = 'tls://127.0.0.1'; //Default was ''

thanks.

Thanks for contributing Bluephantom! I have added this change to my web server. I don't use roundcube, so I probably wouldn't have noticed it. But this is definitely helpful for others!

Thanks again!

[Qtech]

Do you have to create a certificate for each domain on sentora? If so how will Certbot work? Any tried using Let's Encrypt.

It would be so cool if this built into Sentora.

[zanga]

You can use let's encrypt for postfix too.

M B

Could you please give more details ?