Enabling (and maybe requiring) SSL/TLS for SMTP server?

17 posts / 0 new
Last post
#1 Sat, 08/10/2013 - 15:45
ReArmedHalo

Enabling (and maybe requiring) SSL/TLS for SMTP server?

HI,

INFORMATION Virtualmin 4.01 Pro Operating system = CentOS Linux 6.4 x64 Postfix version = 2.6.6 Dovecot version = 2.0.9

I am trying to figure out and understand a lot more about how Postfix and dovecot work still and what a lot of the options in virtualmin mean and do. But I'm stuck.

I want to have some sort of security on SMTP instead of just plaintext, SSL/TLS would be nice. I have a wildcard certificate for my domain as well.

Can anyone help me out here? I'm really interested in learning more in unix and all these services and how things work.

I've attached a screen shot of Thunderbird auto configure attempt, the settings listed in the screenshot are the same ones my iPhone uses (It tells me can't connect with SSL for SMTP).

Any advice would be greatly appreciated. Thanks in advanced.

Sun, 08/11/2013 - 14:01
Locutus

You need to do three things to use SSL with Postfix. First, edit /etc/postfix/master.cf and remove the comments ("#") from the "smtps" line and following -o lines. Then, upload your certificate and key to a location of your choice, in this example /etc/postfix/mycert. Then, edit /etc/postfix/main.cf and add/uncomment these lines:

smtpd_tls_cert_file = /etc/postfix/mycert.crt
smtpd_tls_key_file = /etc/postfix/mycert.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

Requiring SMTPS is not a good idea, because remote mailservers will always try to deliver non-SSL on port 25 when they have mail for you. Except you run a mailserver only for your local users to send out mail. In that case, it'd be easiest to block access to port 25.

Mon, 08/12/2013 - 11:05 (Reply to #2)
ReArmedHalo

Hi,

Thank you! I'll try these out and see how bad I break things :) (just kidding of course, I hope)

[EDIT]

Okay, the master.cf file is confusing me, I am visually impaired so I may have missed it but I'm not sure exactly what I'm supposed to uncomment...

My master.cf file: http://pastebin.com/searCK13

Just to verify I did enable correctly: My main.cf file: http://pastebin.com/JCjsJw6i

Mon, 08/12/2013 - 10:53
Locutus

Ah, it seems SMTPS is already enabled on your system in the master.cf but is missing some parameters. I'll post what the block looks like on my system, if you have problems you can change it like so:

smtps     inet  n       -       -       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
Mon, 08/12/2013 - 11:12 (Reply to #4)
ReArmedHalo

Okay I think I get it,

line 17

smtps inet n - n - - smtpd -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes -o smtpd_client_restrictions=permit_sasl_authenticated,reject -o milter_macro_daemon_name=ORIGINATING

needs to become

smtps     inet  n       -       -       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING

Right?

Thanks again :) (when I was adding my wildcard cert I clicked copy to postfix and dovecot if that makes difference)

Mon, 08/12/2013 - 14:03
Locutus

Actually I'm not sure if those lines starting with "-o" need to be on separate lines. It's possible that you can leave it like it is for you now, if those lines contain the same things on your system, just without linebreaks. You might wanna make the other changes and see if it works. :)

I'm not sure if the "Copy to Postfix" button does the full SSL config bits for you if the required directives are not in the config files yet, or if it just copies the certificate files. You can try that out, and compare what Webmin does for you with the lines I posted.

Mon, 08/12/2013 - 14:07 (Reply to #6)
ReArmedHalo

Thanks,

I went to my iPhone and under the SMTP server I turned SSL on and it verified just fine so I do believe virtualmin got it right. :D

Thank you so much!

Mon, 08/12/2013 - 14:15
Locutus

Okidoki, great that it's working for you!

Tue, 07/19/2016 - 15:00
snake

Hello,

I've got the same problem and can't get it to work.

The beginning of the master.cf :

smtp inet n - - - - smtpd -o smtpd_sasl_auth_enable=yes
smtp      inet  n       -       -       -       1       postscreen
smtpd     pass  -       -       -       -       -       smtpd
dnsblog   unix  -       -       -       -       0       dnsblog
tlsproxy  unix  -       -       -       -       0       tlsproxy
submission inet n       -       -       -       -       smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
smtps inet n - - - - smtpd
-o syslog_name=postfix/smtps
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING

Is there something wrong?

I copied the certificate by the button "copy to postfix". The cert files are in the correct directory as set in my main.cf :

smtpd_tls_cert_file = /etc/postfix/postfix.cert.pem
smtpd_tls_key_file = /etc/postfix/postfix.key.pem
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

Has anyone an idea?

Tue, 07/19/2016 - 15:59
Diabolico
Diabolico's picture

Do you have wildcard SSL? If not then you must buy one in order to work. Please next time open a new topic as there is no point in necroing 3 year old topic.

- I often come to the conclusion that my brain has too many tabs open. -
Failing at desktop publishing & graphic design since 1994.

Wed, 07/20/2016 - 13:56 (Reply to #10)
snake

The certificate is by "Let's Encrypt". It's not a wildcard but it includes the mail subdomain.

Ok next time I will create a new topic.

Wed, 07/20/2016 - 14:13
Diabolico
Diabolico's picture

Check if this helps you with your problem

smtpd_tls_cert_file = /etc/postfix/postfix.cert.pem
smtpd_tls_key_file = /etc/postfix/postfix.key.pem
smtpd_tls_CAfile = /etc/postfix/postfix.ca.pem
smtpd_use_tls = yes
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, TLSv1, TLSv1.1, TLSv1.2
smtpd_tls_mandatory_ciphers = high

- I often come to the conclusion that my brain has too many tabs open. -
Failing at desktop publishing & graphic design since 1994.

Wed, 07/20/2016 - 14:51 (Reply to #12)
snake

Unfortunately not :(

Wed, 07/20/2016 - 15:09
Diabolico
Diabolico's picture

It could be something wrong with LE. Can you check your domain (not subdomain, e.g. mail.domain.tld) with https://www.ssllabs.com/ssltest/ and see what you get.

- I often come to the conclusion that my brain has too many tabs open. -
Failing at desktop publishing & graphic design since 1994.

Wed, 07/20/2016 - 16:16 (Reply to #14)
snake

There are several things incorrect:

Protocols
TLS 1.2 Yes
TLS 1.1 Yes
TLS 1.0 Yes
SSL 3 2   INSECURE Yes
SSL 2 No
(2) This site requires support for virtual secure hosting (SNI), but SSL 2 and SSL 3 do not support this feature.


Cipher Suites (sorted by strength as the server has no preference; deprecated and SSL 2 suites at the end)
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) 112
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012)   ECDH secp256r1 (eq. 3072 bits RSA)   FS 112
TLS_RSA_WITH_RC4_128_SHA (0x5)   INSECURE 128
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) 128
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x41) 128
TLS_RSA_WITH_SEED_CBC_SHA (0x96) 128
TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011)   ECDH secp256r1 (eq. 3072 bits RSA)   FS   INSECURE 128
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   ECDH secp256r1 (eq. 3072 bits RSA)   FS 128
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c) 128
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)   ECDH secp256r1 (eq. 3072 bits RSA)   FS 128
TLS_RSA_WITH_AES_256_CBC_SHA (0x35) 256
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x84) 256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)   ECDH secp256r1 (eq. 3072 bits RSA)   FS 256
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d) 256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)   ECDH secp256r1 (eq. 3072 bits RSA)   FS 256


Handshake Simulation
Android 2.3.7   No SNI 2 Incorrect certificate because this client doesn't support SNI
RSA 4096 (SHA256)   |  TLS 1.0  |  TLS_RSA_WITH_RC4_128_SHA
Android 4.0.4 RSA 4096 (SHA256)   TLS 1.0 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA   ECDH secp256r1  FS
Android 4.1.1 RSA 4096 (SHA256)   TLS 1.0 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA   ECDH secp256r1  FS
Android 4.2.2 RSA 4096 (SHA256)   TLS 1.0 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA   ECDH secp256r1  FS
Android 4.3 RSA 4096 (SHA256)   TLS 1.0 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA   ECDH secp256r1  FS
Android 4.4.2 RSA 4096 (SHA256)   TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA   ECDH secp256r1  FS
Android 5.0.0 RSA 4096 (SHA256)   TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA   ECDH secp256r1  FS
Android 6.0 RSA 4096 (SHA256)   TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA   ECDH secp256r1  FS
Baidu Jan 2015 RSA 4096 (SHA256)   TLS 1.0 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA   ECDH secp256r1  FS
BingPreview Jan 2015 RSA 4096 (SHA256)   TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384   ECDH secp256r1  FS
Chrome 51 / Win 7  R RSA 4096 (SHA256)   TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA   ECDH secp256r1  FS
Firefox 31.3.0 ESR / Win 7 RSA 4096 (SHA256)   TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA   ECDH secp256r1  FS
Firefox 45 / Win 7  R RSA 4096 (SHA256)   TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA   ECDH secp256r1  FS
Firefox 46 / Win 7  R RSA 4096 (SHA256)   TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA   ECDH secp256r1  FS
Googlebot Feb 2015 RSA 4096 (SHA256)   TLS 1.2 TLS_ECDHE_RSA_WITH_RC4_128_SHA   ECDH secp256r1  FS  RC4
IE 6 / XP   No FS 1   No SNI 2 Incorrect certificate because this client doesn't support SNI
RSA 4096 (SHA256)   |  SSL 3  |  TLS_RSA_WITH_RC4_128_SHA
IE 7 / Vista RSA 4096 (SHA256)   TLS 1.0 TLS_RSA_WITH_AES_128_CBC_SHA  No FS
IE 8 / XP   No FS 1   No SNI 2 Incorrect certificate because this client doesn't support SNI
RSA 4096 (SHA256)   |  TLS 1.0  |  TLS_RSA_WITH_RC4_128_SHA
IE 8-10 / Win 7  R RSA 4096 (SHA256)   TLS 1.0 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA   ECDH secp256r1  FS
IE 11 / Win 7  R RSA 4096 (SHA256)   TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384   ECDH secp256r1  FS
IE 11 / Win 8.1  R RSA 4096 (SHA256)   TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384   ECDH secp256r1  FS
IE 10 / Win Phone 8.0 RSA 4096 (SHA256)   TLS 1.0 TLS_RSA_WITH_AES_128_CBC_SHA  No FS
IE 11 / Win Phone 8.1  R RSA 4096 (SHA256)   TLS 1.2 TLS_RSA_WITH_AES_128_CBC_SHA256  No FS
IE 11 / Win Phone 8.1 Update  R RSA 4096 (SHA256)   TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384   ECDH secp256r1  FS
IE 11 / Win 10  R RSA 4096 (SHA256)   TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384   ECDH secp256r1  FS
Edge 13 / Win 10  R RSA 4096 (SHA256)   TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384   ECDH secp256r1  FS
Edge 13 / Win Phone 10  R RSA 4096 (SHA256)   TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384   ECDH secp256r1  FS
Java 6u45   No SNI 2 Incorrect certificate because this client doesn't support SNI
RSA 4096 (SHA256)   |  TLS 1.0  |  TLS_RSA_WITH_RC4_128_SHA
Java 7u25 RSA 4096 (SHA256)   TLS 1.0 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA   ECDH secp256r1  FS
Java 8u31 RSA 4096 (SHA256)   TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256   ECDH secp256r1  FS
OpenSSL 0.9.8y RSA 4096 (SHA256)   TLS 1.0 TLS_RSA_WITH_AES_256_CBC_SHA  No FS
OpenSSL 1.0.1l  R RSA 4096 (SHA256)   TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384   ECDH secp256r1  FS
OpenSSL 1.0.2e  R RSA 4096 (SHA256)   TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384   ECDH secp256r1  FS
Safari 5.1.9 / OS X 10.6.8 RSA 4096 (SHA256)   TLS 1.0 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA   ECDH secp256r1  FS
Safari 6 / iOS 6.0.1  R RSA 4096 (SHA256)   TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384   ECDH secp256r1  FS
Safari 6.0.4 / OS X 10.8.4  R RSA 4096 (SHA256)   TLS 1.0 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA   ECDH secp256r1  FS
Safari 7 / iOS 7.1  R RSA 4096 (SHA256)   TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384   ECDH secp256r1  FS
Safari 7 / OS X 10.9  R RSA 4096 (SHA256)   TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384   ECDH secp256r1  FS
Safari 8 / iOS 8.4  R RSA 4096 (SHA256)   TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384   ECDH secp256r1  FS
Safari 8 / OS X 10.10  R RSA 4096 (SHA256)   TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384   ECDH secp256r1  FS
Safari 9 / iOS 9  R RSA 4096 (SHA256)   TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384   ECDH secp256r1  FS
Safari 9 / OS X 10.11  R RSA 4096 (SHA256)   TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384   ECDH secp256r1  FS
Apple ATS 9 / iOS 9  R RSA 4096 (SHA256)   TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384   ECDH secp256r1  FS
Yahoo Slurp Jan 2015 RSA 4096 (SHA256)   TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384   ECDH secp256r1  FS
YandexBot Jan 2015 RSA 4096 (SHA256)   TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384   ECDH secp256r1  FS
(1) Clients that do not support Forward Secrecy (FS) are excluded when determining support for it.
(2) No support for virtual SSL hosting (SNI). Connects to the default site if the server uses SNI.
(3) Only first connection attempt simulated. Browsers sometimes retry with a lower protocol version.
(R) Denotes a reference browser or client, with which we expect better effective security.
(All) We use defaults, but some platforms do not use their best protocols and features (e.g., Java 6 & 7, older IE).


Protocol Details
DROWN (experimental) No, server keys and hostname not seen elsewhere with SSLv2
(1) For a better understanding of this test, please read this longer explanation
(2) Key usage data kindly provided by the Censys network search engine; original DROWN test here
(3) Censys data is only indicative of possible key and certificate reuse; possibly out-of-date and not complete
Secure Renegotiation Supported
Secure Client-Initiated Renegotiation No
Insecure Client-Initiated Renegotiation No
BEAST attack Not mitigated server-side (more info)   SSL 3: 0xa, TLS 1.0: 0xa
POODLE (SSLv3) Vulnerable   INSECURE (more info)   SSL 3: 0xa
POODLE (TLS) No (more info)
Downgrade attack prevention Yes, TLS_FALLBACK_SCSV supported (more info)
SSL/TLS compression No
RC4 Yes   INSECURE (more info)
Heartbeat (extension) Yes
Heartbleed (vulnerability) No (more info)
OpenSSL CCS vuln. (CVE-2014-0224) No (more info)
OpenSSL Padding Oracle vuln.
(CVE-2016-2107) No (more info)
Forward Secrecy With some browsers (more info)
ALPN No
NPN No
Session resumption (caching) Yes
Session resumption (tickets) Yes
OCSP stapling No
Strict Transport Security (HSTS) No
HSTS Preloading Not in: Chrome  Edge  Firefox  IE  Tor
Public Key Pinning (HPKP) No
Public Key Pinning Report-Only No
Long handshake intolerance No
TLS extension intolerance No
TLS version intolerance No
Incorrect SNI alerts No
Uses common DH primes No, DHE suites not supported
DH public server param (Ys) reuse No, DHE suites not supported
SSL 2 handshake compatibility Yes
Wed, 07/20/2016 - 22:47 (Reply to #15)
coderinthebox

Fix the errors first, then go to manage SSL while selecting the primary domain (one delegated to host virtualmin) and click copy certificate. Make sure to backup your settings and that there was a valid SSL certificate loaded. Sometimes, you need to manually update the copies that Virtualmin and Webmin get if you are using Lets Encrypt

Visit me at coderinthebox.com

Wed, 07/20/2016 - 19:19
Diabolico
Diabolico's picture

First for your security you should eliminate this problems. Anything aside old android, IE6 and 8 on XP should not be there. Did you even get to rating C or D? Check this two topics https://www.virtualmin.com/node/41221 and https://www.virtualmin.com/node/41333 they should have more than enough info to sort this problem.

For your postfix it should work if you didnt manually edit some files and in the process set something wrong. Check if you have installed CA certificate because based on your main.cf it is missing. I dont know much about LE and to be honest i would not touch that with 2 mile long stick but it seems like postfix configuration problem or SSL didnt install properly. What OS is that? If previous suggestion didnt help can you remove old SSL and request/install new one?

- I often come to the conclusion that my brain has too many tabs open. -
Failing at desktop publishing & graphic design since 1994.

Topic locked