HI,
INFORMATION
Virtualmin 4.01 Pro
Operating system = CentOS Linux 6.4 x64
Postfix version = 2.6.6
Dovecot version = 2.0.9
I am still trying to figure out and understand a lot more about how Postfix and Dovecot work, and what a lot of the options in Virtualmin mean and do. But I'm stuck.
I want to have some sort of security on SMTP instead of just plaintext, SSL/TLS would be nice. I have a wildcard certificate for my domain as well.
Can anyone help me out here? I'm really interested in learning more in unix and all these services and how things work.
I've attached a screenshot of Thunderbird's auto-configure attempt; the settings listed in the screenshot are the same ones my iPhone uses (it tells me it can't connect with SSL for SMTP).
Any advice would be greatly appreciated. Thanks in advance.
You need to do three things to use SSL with Postfix. First, edit /etc/postfix/master.cf and remove the comments ("#") from the "smtps" line and the following -o lines. Then, upload your certificate and key to a location of your choice, in this example /etc/postfix/mycert. Then, edit /etc/postfix/main.cf and add/uncomment these lines:
Requiring SMTPS is not a good idea, because remote mailservers will always try to deliver non-SSL on port 25 when they have mail for you. Unless you run a mailserver only for your local users to send out mail. In that case, it'd be easiest to block access to port 25.
Hi,
Thank you! I'll try these out and see how bad I break things :) (just kidding of course, I hope)
[EDIT]
Okay, the master.cf file is confusing me, I am visually impaired so I may have missed it but I'm not sure exactly what I'm supposed to uncomment...
My master.cf file: http://pastebin.com/searCK13
Just to verify I did enable correctly: My main.cf file: http://pastebin.com/JCjsJw6i
Ah, it seems SMTPS is already enabled on your system in the master.cf but is missing some parameters. I'll post what the block looks like on my system; if you have problems you can change it like so:
Okay, I think I get it:
line 17
smtps inet n - n - - smtpd -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes -o smtpd_client_restrictions=permit_sasl_authenticated,reject -o milter_macro_daemon_name=ORIGINATING
needs to become
smtps inet n - - - - smtpd
-o syslog_name=postfix/smtps
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
Right?
Thanks again :) (when I was adding my wildcard cert I clicked "copy to Postfix and Dovecot", if that makes a difference)
Actually I'm not sure if those lines starting with "-o" need to be on separate lines. It's possible that you can leave it like it is for you now, if those lines contain the same things on your system, just without linebreaks. You might wanna make the other changes and see if it works. :)
I'm not sure if the "Copy to Postfix" button does the full SSL config bits for you if the required directives are not in the config files yet, or if it just copies the certificate files. You can try that out, and compare what Webmin does for you with the lines I posted.
Thanks,
I went to my iPhone and under the SMTP server I turned SSL on and it verified just fine so I do believe virtualmin got it right. :D
Thank you so much!
Okidoki, great that it's working for you!
Hello,
I've got the same problem and can't get it to work.
The beginning of the master.cf :
smtp inet n - - - - smtpd -o smtpd_sasl_auth_enable=yes
smtp inet n - - - 1 postscreen
smtpd pass - - - - - smtpd
dnsblog unix - - - - 0 dnsblog
tlsproxy unix - - - - 0 tlsproxy
submission inet n - - - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
smtps inet n - - - - smtpd
-o syslog_name=postfix/smtps
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
Is there something wrong?
I copied the certificate with the button "copy to postfix". The cert files are in the correct directory as set in my main.cf:
smtpd_tls_cert_file = /etc/postfix/postfix.cert.pem
smtpd_tls_key_file = /etc/postfix/postfix.key.pem
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
Does anyone have an idea?
Do you have a wildcard SSL certificate? If not, then you must buy one for it to work. Please open a new topic next time, as there is no point in necroing a 3-year-old topic.
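As an added example (not code from this thread or from Virtualmin), the checker below settles the question raised above about the two master.cf layouts: Postfix joins any line that starts with whitespace onto the previous logical line, so the one-line form and the indented "-o" form are equivalent. The sample master.cf is constructed, and the required options are the ones shown in the master.cf blocks posted in this thread.

```python
# Constructed sample master.cf: smtps options on one long line (as in the poster's file), submission on indented continuation lines, one service commented out.
MASTER_CF = """\
smtp       inet  n  -  -  -  -  smtpd
smtps      inet  n  -  -  -  -  smtpd -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes -o smtpd_client_restrictions=permit_sasl_authenticated,reject
submission inet  n  -  -  -  -  smtpd
  -o syslog_name=postfix/submission
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#smtps_old inet  n  -  -  -  -  smtpd -o smtpd_tls_wrappermode=yes
"""

# Options the smtps and submission listeners should set, taken from the master.cf posted above.
REQUIRED = {"smtps": {"smtpd_tls_wrappermode": "yes", "smtpd_sasl_auth_enable": "yes",
                      "smtpd_client_restrictions": "permit_sasl_authenticated,reject"},
            "submission": {"smtpd_tls_security_level": "encrypt", "smtpd_sasl_auth_enable": "yes",
                           "smtpd_client_restrictions": "permit_sasl_authenticated,reject"}}

def parse_master_cf(text):
    """Map (service, type) -> {"-o" option: value}.  Postfix joins a line that starts with
    whitespace onto the previous logical line, so one long line and indented "-o" lines
    mean the same thing; lines starting with "#" are comments (disabled services)."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and logical:
            logical[-1] += " " + raw.strip()      # continuation of the previous service line
        else:
            logical.append(raw.strip())
    services = {}
    for line in logical:
        fields = line.split()
        opts = {}
        for i, tok in enumerate(fields):
            if tok == "-o" and i + 1 < len(fields) and "=" in fields[i + 1]:
                opts.update([fields[i + 1].split("=", 1)])
        services[(fields[0], fields[1])] = opts
    return services

def missing_options(services, required=REQUIRED):
    """Return (service, option) pairs that are missing or wrong; a disabled service is reported once."""
    problems = []
    for name, wanted in required.items():
        opts = services.get((name, "inet"))
        if opts is None:
            problems.append((name, "service not enabled"))
            continue
        problems += [(name, k) for k, v in wanted.items() if opts.get(k) != v]
    return problems
```

Run against the sample, the one-line smtps service passes and the only finding is the missing smtpd_tls_security_level=encrypt on submission.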
- I often come to the conclusion that my brain has too many tabs open. -
Failing at desktop publishing & graphic design since 1994.
The certificate is by "Let's Encrypt". It's not a wildcard but it includes the mail subdomain.
Ok next time I will create a new topic.
Check if this helps you with your problem
smtpd_tls_cert_file = /etc/postfix/postfix.cert.pem
smtpd_tls_key_file = /etc/postfix/postfix.key.pem
smtpd_tls_CAfile = /etc/postfix/postfix.ca.pem
smtpd_use_tls = yes
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, TLSv1, TLSv1.1, TLSv1.2
smtpd_tls_mandatory_ciphers = high
Unfortunately not :(
It could be something wrong with LE. Can you check your domain (not a subdomain, e.g. mail.domain.tld) with https://www.ssllabs.com/ssltest/ and see what you get?
There are several things incorrect:
Protocols
TLS 1.2 Yes
TLS 1.1 Yes
TLS 1.0 Yes
SSL 3 (2) INSECURE Yes
SSL 2 No
(2) This site requires support for virtual secure hosting (SNI), but SSL 2 and SSL 3 do not support this feature.
Cipher Suites (sorted by strength as the server has no preference; deprecated and SSL 2 suites at the end)
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) 112
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012) ECDH secp256r1 (eq. 3072 bits RSA) FS 112
TLS_RSA_WITH_RC4_128_SHA (0x5) INSECURE 128
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) 128
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x41) 128
TLS_RSA_WITH_SEED_CBC_SHA (0x96) 128
TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011) ECDH secp256r1 (eq. 3072 bits RSA) FS INSECURE 128
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) ECDH secp256r1 (eq. 3072 bits RSA) FS 128
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c) 128
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) ECDH secp256r1 (eq. 3072 bits RSA) FS 128
TLS_RSA_WITH_AES_256_CBC_SHA (0x35) 256
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x84) 256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) ECDH secp256r1 (eq. 3072 bits RSA) FS 256
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d) 256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) ECDH secp256r1 (eq. 3072 bits RSA) FS 256
Handshake Simulation
Android 2.3.7 No SNI (2) Incorrect certificate because this client doesn't support SNI: RSA 4096 (SHA256) | TLS 1.0 | TLS_RSA_WITH_RC4_128_SHA
Android 4.0.4 RSA 4096 (SHA256) TLS 1.0 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA ECDH secp256r1 FS
Android 4.1.1 RSA 4096 (SHA256) TLS 1.0 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA ECDH secp256r1 FS
Android 4.2.2 RSA 4096 (SHA256) TLS 1.0 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA ECDH secp256r1 FS
Android 4.3 RSA 4096 (SHA256) TLS 1.0 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA ECDH secp256r1 FS
Android 4.4.2 RSA 4096 (SHA256) TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA ECDH secp256r1 FS
Android 5.0.0 RSA 4096 (SHA256) TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA ECDH secp256r1 FS
Android 6.0 RSA 4096 (SHA256) TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA ECDH secp256r1 FS
Baidu Jan 2015 RSA 4096 (SHA256) TLS 1.0 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA ECDH secp256r1 FS
BingPreview Jan 2015 RSA 4096 (SHA256) TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 ECDH secp256r1 FS
Chrome 51 / Win 7 R RSA 4096 (SHA256) TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA ECDH secp256r1 FS
Firefox 31.3.0 ESR / Win 7 RSA 4096 (SHA256) TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA ECDH secp256r1 FS
Firefox 45 / Win 7 R RSA 4096 (SHA256) TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA ECDH secp256r1 FS
Firefox 46 / Win 7 R RSA 4096 (SHA256) TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA ECDH secp256r1 FS
Googlebot Feb 2015 RSA 4096 (SHA256) TLS 1.2 TLS_ECDHE_RSA_WITH_RC4_128_SHA ECDH secp256r1 FS RC4
IE 6 / XP No FS (1) No SNI (2) Incorrect certificate because this client doesn't support SNI: RSA 4096 (SHA256) | SSL 3 | TLS_RSA_WITH_RC4_128_SHA
IE 7 / Vista RSA 4096 (SHA256) TLS 1.0 TLS_RSA_WITH_AES_128_CBC_SHA No FS
IE 8 / XP No FS (1) No SNI (2) Incorrect certificate because this client doesn't support SNI: RSA 4096 (SHA256) | TLS 1.0 | TLS_RSA_WITH_RC4_128_SHA
IE 8-10 / Win 7 R RSA 4096 (SHA256) TLS 1.0 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA ECDH secp256r1 FS
IE 11 / Win 7 R RSA 4096 (SHA256) TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 ECDH secp256r1 FS
IE 11 / Win 8.1 R RSA 4096 (SHA256) TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 ECDH secp256r1 FS
IE 10 / Win Phone 8.0 RSA 4096 (SHA256) TLS 1.0 TLS_RSA_WITH_AES_128_CBC_SHA No FS
IE 11 / Win Phone 8.1 R RSA 4096 (SHA256) TLS 1.2 TLS_RSA_WITH_AES_128_CBC_SHA256 No FS
IE 11 / Win Phone 8.1 Update R RSA 4096 (SHA256) TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 ECDH secp256r1 FS
IE 11 / Win 10 R RSA 4096 (SHA256) TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 ECDH secp256r1 FS
Edge 13 / Win 10 R RSA 4096 (SHA256) TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 ECDH secp256r1 FS
Edge 13 / Win Phone 10 R RSA 4096 (SHA256) TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 ECDH secp256r1 FS
Java 6u45 No SNI (2) Incorrect certificate because this client doesn't support SNI: RSA 4096 (SHA256) | TLS 1.0 | TLS_RSA_WITH_RC4_128_SHA
Java 7u25 RSA 4096 (SHA256) TLS 1.0 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA ECDH secp256r1 FS
Java 8u31 RSA 4096 (SHA256) TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 ECDH secp256r1 FS
OpenSSL 0.9.8y RSA 4096 (SHA256) TLS 1.0 TLS_RSA_WITH_AES_256_CBC_SHA No FS
OpenSSL 1.0.1l R RSA 4096 (SHA256) TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 ECDH secp256r1 FS
OpenSSL 1.0.2e R RSA 4096 (SHA256) TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 ECDH secp256r1 FS
Safari 5.1.9 / OS X 10.6.8 RSA 4096 (SHA256) TLS 1.0 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA ECDH secp256r1 FS
Safari 6 / iOS 6.0.1 R RSA 4096 (SHA256) TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 ECDH secp256r1 FS
Safari 6.0.4 / OS X 10.8.4 R RSA 4096 (SHA256) TLS 1.0 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA ECDH secp256r1 FS
Safari 7 / iOS 7.1 R RSA 4096 (SHA256) TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 ECDH secp256r1 FS
Safari 7 / OS X 10.9 R RSA 4096 (SHA256) TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 ECDH secp256r1 FS
Safari 8 / iOS 8.4 R RSA 4096 (SHA256) TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 ECDH secp256r1 FS
Safari 8 / OS X 10.10 R RSA 4096 (SHA256) TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 ECDH secp256r1 FS
Safari 9 / iOS 9 R RSA 4096 (SHA256) TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 ECDH secp256r1 FS
Safari 9 / OS X 10.11 R RSA 4096 (SHA256) TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 ECDH secp256r1 FS
Apple ATS 9 / iOS 9 R RSA 4096 (SHA256) TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 ECDH secp256r1 FS
Yahoo Slurp Jan 2015 RSA 4096 (SHA256) TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 ECDH secp256r1 FS
YandexBot Jan 2015 RSA 4096 (SHA256) TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 ECDH secp256r1 FS
(1) Clients that do not support Forward Secrecy (FS) are excluded when determining support for it.
(2) No support for virtual SSL hosting (SNI). Connects to the default site if the server uses SNI.
(3) Only first connection attempt simulated. Browsers sometimes retry with a lower protocol version.
(R) Denotes a reference browser or client, with which we expect better effective security.
(All) We use defaults, but some platforms do not use their best protocols and features (e.g., Java 6 & 7, older IE).
Protocol Details
DROWN (experimental) No, server keys and hostname not seen elsewhere with SSLv2
(1) For a better understanding of this test, please read this longer explanation
(2) Key usage data kindly provided by the Censys network search engine; original DROWN test here
(3) Censys data is only indicative of possible key and certificate reuse; possibly out-of-date and not complete
Secure Renegotiation Supported
Secure Client-Initiated Renegotiation No
Insecure Client-Initiated Renegotiation No
BEAST attack Not mitigated server-side SSL 3: 0xa, TLS 1.0: 0xa
POODLE (SSLv3) Vulnerable INSECURE SSL 3: 0xa
POODLE (TLS) No
Downgrade attack prevention Yes, TLS_FALLBACK_SCSV supported
SSL/TLS compression No
RC4 Yes INSECURE
Heartbeat (extension) Yes
Heartbleed (vulnerability) No
OpenSSL CCS vuln. (CVE-2014-0224) No
OpenSSL Padding Oracle vuln. (CVE-2016-2107) No
Forward Secrecy With some browsers
ALPN No
NPN No
Session resumption (caching) Yes
Session resumption (tickets) Yes
OCSP stapling No
Strict Transport Security (HSTS) No
HSTS Preloading Not in: Chrome Edge Firefox IE Tor
Public Key Pinning (HPKP) No
Public Key Pinning Report-Only No
Long handshake intolerance No
TLS extension intolerance No
TLS version intolerance No
Incorrect SNI alerts No
Uses common DH primes No, DHE suites not supported
DH public server param (Ys) reuse No, DHE suites not supported
SSL 2 handshake compatibility Yes
Fix the errors first, then go to Manage SSL while selecting the primary domain (the one delegated to host Virtualmin) and click Copy Certificate. Make sure to back up your settings and that there was a valid SSL certificate loaded. Sometimes you need to manually update the copies that Virtualmin and Webmin get if you are using Let's Encrypt.
Visit me at coderinthebox.com
First, for your security you should eliminate these problems. Anything aside from old Android, IE6 and IE8 on XP should not be there. Did you even get to rating C or D? Check these two topics, https://www.virtualmin.com/node/41221 and https://www.virtualmin.com/node/41333; they should have more than enough info to sort this problem.
For your Postfix, it should work if you didn't manually edit some files and in the process set something wrong. Check if you have installed the CA certificate, because based on your main.cf it is missing. I don't know much about LE and to be honest I would not touch that with a 2-mile-long stick, but it seems like a Postfix configuration problem or the SSL didn't install properly. What OS is that? If the previous suggestion didn't help, can you remove the old SSL and request/install a new one?
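Added example (not from this thread): the SSL Labs report above flags SSL 3 (POODLE), and the main.cf line suggested earlier switches it off with smtpd_tls_mandatory_protocols. This checker evaluates such a protocol list the way Postfix reads it (a "!" prefix excludes a version, bare names form an inclusion list, and exclusions are assumed to be removed from any inclusion list). It assumes that an unset directive falls back to "SSLv3, TLSv1", the Postfix 2.6 default for the version on this page; the main.cf fragments are constructed from the lines posted in the thread.

```python
import re

ALL_VERSIONS = {"sslv2", "sslv3", "tlsv1", "tlsv1.1", "tlsv1.2"}

def allowed_protocols(main_cf, directive="smtpd_tls_mandatory_protocols",
                      default="SSLv3, TLSv1"):
    """Protocol versions a main.cf leaves enabled for `directive`.  "!name" excludes a
    version, bare names form an inclusion list, and exclusions are removed from the
    inclusion list (assumption).  `default` is assumed to be the Postfix 2.6 default."""
    m = re.search(r"^\s*%s\s*=\s*(.*?)\s*$" % re.escape(directive), main_cf, re.M)
    tokens = [t.lower() for t in re.split(r"[,\s]+", m.group(1) if m else default) if t]
    included = {t for t in tokens if not t.startswith("!")} or ALL_VERSIONS
    excluded = {t[1:] for t in tokens if t.startswith("!")}
    return included - excluded

def ssl_versions_left_on(main_cf):
    """The SSL 2/3 versions a scanner such as SSL Labs would still report as enabled."""
    return sorted(allowed_protocols(main_cf) & {"sslv2", "sslv3"})

# Constructed from the thread: the poster's main.cf has no protocol directive at all;
# the suggested fix excludes SSLv2 and SSLv3 explicitly.
BEFORE = "smtpd_use_tls=yes\nsmtpd_tls_cert_file = /etc/postfix/postfix.cert.pem\n"
AFTER = BEFORE + "smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, TLSv1, TLSv1.1, TLSv1.2\n"
```

Pass the opportunistic-TLS directive name (smtpd_tls_protocols) to check the port 25 listener the same way.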