SMTP Authentication And Encryption help
Hello, I was reading some posts here but I am still confused. I'm not strong on these issues. I have a dedicated server (Fedora 8) with a few virtual hosts. I need to secure Postfix SMTP and enable TLS encryption to prevent spam sending by eventual hijackers. The only certificate I have installed is one I created with the Webmin module to access the control panel via https. I need some basic data on how to start on this: which kind of certificate I need, and whether the free one from startssl.com would be enough. Thanks a lot in advance.
PS: from startssl.com I have ssl.key (decrypted), ssl.crt and ssl.csr
Post edited by: marciano, at: 2009/05/24 04:53
Howdy,
Well, there is a self-signed certificate installed and setup for you by default within Postfix.
To start using it, you only need to enable SMTPS and Submission in Postfix (which use ports 465 and 587).
To do that, you can uncomment the lines described here:
http://www.virtualmin.com/forums/help-home-for-newbies/re:authentication...
When you restart Postfix, you can then configure your email client to use a secure connection with your outgoing SMTP.
If you ever opt to buy a commercial SSL certificate, you can always use that in place of the existing self-signed cert.
-Eric
Hello Eric, thanks for your reply.
At the same time you were posting it I was editing my first one.
Would it be better to use those files from startssl.com than those already installed?
Thank you
(I couldn't edit the last post -> <i>Oops! You've hit a bug in the forum software. We already know about the problem. Apologies for the inconvenience.</i>)
So I have to open those ports for outbound in my apf firewall...
EG_TCP_CPORTS="21,25,80,443,43,465,587"
UDP too?
No, they're only TCP ports.
I'm not really familiar with startssl certificates. If it's free, then no, there wouldn't really be an advantage to that over what's already available in Postfix.
-Eric
Actually, it looks like they <i>are</i> accepted by browsers. I assume they are chained certificates, similar to the ones GoDaddy and others sell for ten to twenty bucks per year. I dunno. Research would be needed. But they look like actual certificates with real browser support.
--
Check out the forum guidelines!
Eric,
Yes, Postfix has been restarted. From the maillog I also got this:
<i>daemon started -- version 2.5.5, configuration /etc/postfix
May 26 17:16:55 postfix/qmgr[15645]: warning: bounce_queue_lifetime is larger than maximal_queue_lifetime - adjusting bounce_queue_lifetime</i>
tcp 0 0 0.0.0.0:465 0.0.0.0:* LISTEN
Can you verify that port 465 is visible externally?
You can try telnet'ing into that port from another system, for example.
-Eric
There's a problem here.
From local
% telnet localhost 465
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Connection closed by foreign host.
From outside it is the same, replacing localhost with domain.com
Thank you
Yup, that shouldn't disconnect.
So what shows up in the email log whenever you try connecting like that?
-Eric
warning: No server certs available. TLS won't be enabled
May 27 16:02:58 postfix/smtpd[4117]: connect from unknown[***]
May 27 19:02:58 postfix/smtpd[4117]: warning: Wrapper-mode request dropped from unknown[***] for service smtps. TLS context initialization failed. For details see earlier warnings in your logs.
May 27 19:02:58 postfix/smtpd[4117]: disconnect from unknown[***]
It sounds like your Postfix main.cf file may be awry.
You may want to look in there and make sure that the SSL/TLS goodies are setup correctly.
That's normally done for you when installing Virtualmin with the install.sh -- if you installed manually, then those may not be setup yet.
If you aren't certain what's wrong, you could always post your /etc/postfix/main.cf file.
-Eric
Eric,
This file has been modified a few times, but I don't remember if it came from the Virtualmin installation.
Thank you.
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
unknown_local_recipient_reject_code = 550
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
debug_peer_level = 2
debugger_command =
    PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
    xxgdb $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail.postfix
newaliases_path = /usr/bin/newaliases.postfix
mailq_path = /usr/bin/mailq.postfix
setgid_group = postdrop
html_directory = no
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/postfix-2.5.5/samples
readme_directory = /usr/share/doc/postfix-2.5.5/README_FILES
virtual_alias_maps = hash:/etc/postfix/virtual
home_mailbox = Maildir/
mail_spool_directory = /var/spool/mail
#mailbox_command = /usr/bin/procmail -t /etc/procmailrc
#mailbox_command = procmail-wrapper -o -a $DOMAIN -d $LOGNAME
#mailbox_command = procmail -a "$EXTENSION"
#mailbox_command = procmail -t /etc/procmailrc
ipc_idle = 10s
notify_classes = resource, software
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_local_domain = $myhostname
#
#smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
#relayhost = [mail.***.com]
######### from http://www.cyberciti.biz/tips/postfix-spam-filtering-with-blacklists-how...
queue_directory = /var/spool/postfix
mail_owner = postfix
data_directory = /var/lib/postfix
#added March 6, 2009
#inet_interfaces = localhost
#inet_protocols = all
proxywrite_service_name = proxywrite
maximal_queue_lifetime = 2d
smtpd_error_sleep_time = 1s
smtpd_soft_error_limit = 10
smtpd_hard_error_limit = 20
Oh, and before I tear into your config too much, are you running saslauthd?
If not, you need to have that up and running:
/etc/init.d/saslauthd start
You were right, it was not running.
Anyway, still errors sending mail over SSL (465)
May 27 22:50:35 postfix/smtpd[686]: warning: No server certs available. TLS won't be enabled
May 27 22:50:35 postfix/smtpd[686]: connect from unknown[***]
May 28 01:50:35 postfix/smtpd[686]: warning: Wrapper-mode request dropped from unknown[***] for service smtps. TLS context initialization failed. For details see earlier warnings in your logs.
It looks like you're missing the SSL key/cert.
I have all these set in my config:
[code:1]
# TLS parameters
smtpd_tls_cert_file = /path/to/ssl.cert
smtpd_tls_key_file = /path/to/ssl.key
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
[/code:1]
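The maillog warning above ("No server certs available. TLS won't be enabled") is what smtpd logs when main.cf names no certificate and key, and wrapper-mode (port 465) connections are then dropped. Here is an added example, not code from the thread or from Virtualmin, that parses a main.cf the way postconf reads it (including the whitespace-continued debugger_command from the posted file) and reports whether the TLS parameters Eric lists are present. Both config texts are constructed from the thread's main.cf, and /path/to/... are placeholders.

```python
"""Added example (not code from the thread or from Virtualmin): parse a Postfix
main.cf body and report whether the smtpd TLS settings needed by the
smtps/submission services are present. Without a cert/key pair smtpd logs
"No server certs available. TLS won't be enabled" and drops wrapper-mode
(port 465) connections, which is the failure seen in the thread."""

# smtpd cannot build a TLS context without these two parameters.
REQUIRED_TLS_PARAMS = ("smtpd_tls_cert_file", "smtpd_tls_key_file")


def parse_main_cf(text):
    """Return {parameter: value} for a main.cf body.

    main.cf rules: 'name = value' per line, '#' at column 0 is a comment,
    and a line that starts with whitespace continues the previous value
    (the thread's three-line debugger_command relies on this). A later
    assignment of the same name overrides an earlier one.
    """
    params = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        if raw[0] in " \t":
            if current is not None:
                params[current] = (params[current] + " " + raw.strip()).strip()
            continue
        name, sep, value = raw.partition("=")
        if not sep:
            continue  # not a parameter assignment
        current = name.strip()
        params[current] = value.strip()
    return params


def tls_readiness(params):
    """Return (ok, problems) for the smtpd TLS parameters."""
    problems = []
    for p in REQUIRED_TLS_PARAMS:
        if not params.get(p):
            problems.append(f"{p} is not set")
    if not params.get("smtpd_use_tls") and not params.get("smtpd_tls_security_level"):
        problems.append("neither smtpd_use_tls nor smtpd_tls_security_level is set")
    return (not problems, problems)


# Constructed from the main.cf posted in the thread (TLS lines absent).
THREAD_MAIN_CF = """\
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
debugger_command =
    PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
    xxgdb $daemon_directory/$process_name $process_id & sleep 5
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
#smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
data_directory = /var/lib/postfix
"""

# The same file with the TLS parameters Eric listed appended (placeholder paths).
FIXED_MAIN_CF = THREAD_MAIN_CF + """\
# TLS parameters
smtpd_tls_cert_file = /path/to/ssl.cert
smtpd_tls_key_file = /path/to/ssl.key
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
"""

if __name__ == "__main__":
    for label, text in (("posted main.cf", THREAD_MAIN_CF), ("with TLS block", FIXED_MAIN_CF)):
        ok, problems = tls_readiness(parse_main_cf(text))
        print(f"{label}: {'OK' if ok else '; '.join(problems)}")
```

Run it against the real file with `tls_readiness(parse_main_cf(open("/etc/postfix/main.cf").read()))`; the check only tells you the parameters are set, so still confirm the files exist and are readable by Postfix (that is the next cause of the same warning).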
I understand what you say.
Just another thought.
Is it possible to limit the amount of mail sent to external servers, let's say 100/hour, for every user (except the 'newsletter' user)?
Would it be possible to, at least, drastically slow down possible junk deliveries?
I check a report I receive every 12 hours with added or changed files in /home, /etc, /usr and /tmp so I can detect scripts hijackers may put in there.
I think that in the worst case one thousand spam mails would be sent during this period instead of several thousand until I discover the harmful script.
What do you think?
Thanks for your time Eric.
... and inbound
IG_TCP_CPORTS="21,22,25,53,80,110,143,443,10000,20000,30000_32000,465,587"
I also have added these lines to master.cf
submission inet n - - - - smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
smtps inet n - - - - smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
As I understand it, this is a secure way to send mail from a client. Isn't it?
Actually I want to prevent any strange script from sending bulk mail using mail() from a PHP script or something similar.
Anyway, after performing those changes in master.cf and conf.apf (restarted both), I've set my client's SMTP server (Thunderbird mail) to SSL and port 465. Then I get:
<i>The server is refusing SMTP connections</i>
Returning to 'TLS if available', sending goes well.
Thank you both Joe and Eric
So you said you restarted Postfix after making those changes to the master.cf file?
If you log in over SSH, and type "netstat -an | grep :465" -- do you get any output?
Enabling the above allows remote clients to securely connect to your server, over both an authenticated and encrypted connection, to send email.
-Eric
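To see what the master.cf entries above actually enforce, here is an added example (not code from the thread or from Virtualmin) that parses master.cf service entries with their `-o` override lines and audits the submission and smtps services for the three properties Eric describes: SASL enabled, clients limited to `permit_sasl_authenticated,reject`, and TLS mandatory (`smtpd_tls_security_level=encrypt` on 587, `smtpd_tls_wrappermode=yes` on 465). The sample master.cf texts are constructed from the poster's entries; the weak variant is invented to show what a finding looks like.

```python
"""Added example (not code from the thread or from Virtualmin): audit the
submission (587) and smtps (465) entries of a Postfix master.cf."""
import shlex


def parse_master_cf(text):
    """Return {service: {"type": ..., "args": [...]}} for each master.cf entry.

    master(5) format: a service line has 8 columns (name type private unpriv
    chroot wakeup maxproc command); lines that start with whitespace continue
    the command line, which is where the '-o name=value' overrides live.
    """
    services = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t":
            if current is not None:
                services[current]["args"].extend(shlex.split(raw))
            continue
        fields = raw.split(None, 7)
        if len(fields) < 8:
            continue
        current = fields[0]
        services[current] = {"type": fields[1], "args": shlex.split(fields[7])}
    return services


def overrides(service):
    """Collect '-o name=value' pairs from a service's argument list."""
    out = {}
    args = service["args"]
    for i, a in enumerate(args):
        if a == "-o" and i + 1 < len(args):
            key, _, value = args[i + 1].partition("=")
            out[key] = value
    return out


def audit_submission_services(services):
    """Return a list of findings for the two client-facing submission ports."""
    findings = []
    for name in ("submission", "smtps"):
        if name not in services or services[name]["type"] != "inet":
            findings.append(f"{name}: not defined as an inet service")
            continue
        o = overrides(services[name])
        if o.get("smtpd_sasl_auth_enable") != "yes":
            findings.append(f"{name}: SASL auth not enabled")
        restr = [r.strip() for r in o.get("smtpd_client_restrictions", "").split(",") if r.strip()]
        # Anything that is not an authenticated client must be rejected.
        if restr[:1] != ["permit_sasl_authenticated"] or restr[-1:] != ["reject"]:
            findings.append(f"{name}: clients are not limited to permit_sasl_authenticated,reject")
        if name == "submission" and o.get("smtpd_tls_security_level") != "encrypt":
            findings.append("submission: TLS is not mandatory (smtpd_tls_security_level=encrypt)")
        if name == "smtps" and o.get("smtpd_tls_wrappermode") != "yes":
            findings.append("smtps: smtpd_tls_wrappermode=yes missing")
    return findings


# Constructed from the master.cf entries posted in the thread.
THREAD_MASTER_CF = """\
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp      inet  n       -       n       -       -       smtpd
submission inet n       -       -       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
smtps     inet  n       -       -       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
"""

# Constructed weak variant: no smtps entry, submission without mandatory TLS,
# and permit_mynetworks placed before the SASL check.
WEAK_MASTER_CF = """\
submission inet n       -       -       -       -       smtpd
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
"""

if __name__ == "__main__":
    for label, text in (("thread", THREAD_MASTER_CF), ("weak", WEAK_MASTER_CF)):
        print(label, audit_submission_services(parse_master_cf(text)) or ["OK"])
```

The audit deliberately treats `permit_mynetworks` ahead of the SASL check as a finding: on a box where local web scripts can reach the submission port, it would let an unauthenticated script through, which is exactly the case the thread worries about.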
Ah, that went okay. Thanks!
I am looking at the headers of both received test mails, sent with and without SSL.
The noticeable thing is that the mail sent with the cert does not contain the SpamAssassin filtering headers, unlike the one sent without the cert.
<i>X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
cl-t102-130cl.privatedns.com
X-Spam-Level:
X-Spam-Status: No, score=-104.3 required=5.0 tests=ALL_TRUSTED,AWL,BAYES_00,
HTML_MESSAGE,MIME_HTML_MOSTLY,USER_IN_WHITELIST autolearn=ham version=3.2.5</i>
Do I care about this?
And back to my first post.
Is it possible to force every user to send mail using ssl?
Is it worth it to prevent massive spam sending from a strange script (PHP, CGI or other)?
Or is there another way to prevent this devil?
Thanks again.
<div class='quote'>Is it possible to force every user to send mail using ssl?</div>
Is it possible? I dunno, maybe :-)
Would this be reasonable?
Probably not :-)
Too many things rely on email being available without authentication. Cron, for example. Also, any PHP app that uses the mail() function would likely break (which is quite a bunch of them).
And plus, it doesn't prevent an attacker from hijacking an app that does authenticate, and using that to send out their spam.
I think the simpler and more scalable way of solving that is to just keep your system security updates recent, and make sure that web apps running on your server are all up to date as well :-)
-Eric
Another related question.
Squirrelmail was installed before the Virtualmin installation so it isn't listed in virtual hosts.
I also want to force users to log in with SSL.
Lots of forums I've read mention a file ssl.conf which I do not have in /etc/httpd/conf.d.
I made a try using the same crt and key files as for SMTP SSL.
I changed 80 to 443 and added the ssl module:
<VirtualHost *:443>
  <IfModule mod_ssl.c>
    SSLEngine on
    SSLCertificateFile /path/to/ssl.crt
    SSLCertificateKeyFile /path/to/ssl.key
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
  </IfModule>
....
and restarted httpd
Going to https://mail.domain.com I got error 404
Is there something missing/wrong?
Thanks again!
I'm not super-familiar with the ins and outs of rate limiting. You have some options there, but they aren't all that flexible as of yet.
Here's some ideas to get you started:
http://www.irbs.net/internet/postfix/0809/0160.html
Regarding SSL -- it's hard to say what the exact problem is, since now you have a variety of Virtualmin and non-Virtualmin created VirtualHosts.
But, you may be missing a ServerName in that config. Also, using a * in the VirtualHost config can cause trouble, you'd probably be better off explicitly setting an IP address.
More on all that here:
http://www.virtualmin.com/documentation/id,troubleshooting_common_proble...
ServerName exists but I didn't post it.
I'm not strong on these issues.
Tell me please if I am right.
In Virtualmin Apache Networking and Protocols
***.***.***.***:80
Listen on addresses and ports
All -- 80 (Listen *:80)
All -- 443 (Listen *:443)
Virtual host for squirrelmail
<VirtualHost ***.***.***.***:443>
  ServerName mail.domain.com
  ServerAdmin me@gmail.com
  ServerAlias ......lot of them......
  <IfModule mod_ssl.c>
    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM
    SSLCertificateFile /path/to/ssl.crt
    SSLCertificateKeyFile /path/to/ssl.key
    SSLCertificateChainFile /path/to/sub.class1.server.ca.pem
    SSLCACertificateFile /path/to/ca.pem
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
  </IfModule>
  DocumentRoot /usr/share/squirrelmail
  ErrorLog /home/squirrelmail/logs/error_log
  CustomLog /home/squirrelmail/logs/access_log common
</VirtualHost>
From FFox at https://mail.domain.com
<i>Data Transfer Interrupted
The connection to mail.domain.com was interrupted while the page was loading.
The browser connected successfully, but the connection was interrupted while transferring information. Please try again.</i>
I suspect something about the certificate. Must it be public?
What do you think?
Thank you.
Two things --
First, anywhere you see *:80 or *:443, I'd change it to x.y.z.q:80 and x.y.z.q:443 -- using your IP address rather than a *. That includes the "Listen" sections mentioned above.
Second, it looks like you have two SSLCertificateFile lines mentioned above. I see both:
[code:1]
SSLCertificateFile /path/to/ssl.crt
SSLCACertificateFile /path/to/ca.pem
[/code:1]
I suspect the first is the one you want, I'd comment the second out.
-Eric
Oh whoops, those aren't the same things!
They looked the same at first glance :-)
Okay, so ignore my second batch of advice.
If you restart Apache, do you see any errors in the error log regarding the SSL certificates?
Also, when attempting to connect to your site, do any errors show up?
-Eric
Yes, I had substituted all the * before the ports, except in the Listen lines (VMin put them in that way).
How can I set it (t.x.y.z) by default in Virtualmin?
I mean <virtualhost t.x.y.z:80> instead of *:80
From httpd/error_log (this is when restarting apache)
[Fri May 29 15:36:00 2009] [notice] caught SIGTERM, shutting down
[Fri May 29 15:36:01 2009] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Fri May 29 15:36:01 2009] [notice] Digest: generating secret for digest authentication ...
[Fri May 29 15:36:01 2009] [notice] Digest: done
[Fri May 29 15:36:01 2009] [notice] Apache/2.2.9 (Unix) PHP/5.2.6 configured -- resuming normal operations
And from the mail.domain.com (squirrelmail) error log these irrelevant records
[Thu May 28 16:01:19 2009] [error] [client 190.64.58.204] File does not exist: /usr/share/squirrelmail/favicon.ico
[Fri May 29 07:33:27 2009] [error] [client 216.129.119.44] File does not exist: /usr/share/squirrelmail/robots.txt
Thank you
Well, Virtualmin uses the IP address by default -- if there is a * in there, it's a remnant from before Virtualmin got there ;-)
As far as the error logs go -- yeah, that all looks fine.
If it's not working, I'd double-check all of your SSL files/settings.
-Eric
Mmmm. I don't see ssl module loaded in httpd.conf
Apache 2.2.9 seems not to have this module.
I only found
/usr/libexec/webmin/apache/mod_ssl.pl
/usr/lib/libssl.a
/usr/lib/libssl.so
/usr/lib/libssl3.so
/lib/libssl.so.0.9.8b
/lib/libssl.so.6
Thanks.
Well, I have installed mod_ssl from webmin.
The things are getting worse, well, different at least.
<i>I had to comment out Listen 443 because of
Starting httpd: (98)Address already in use: make_sock: could not bind to address [::]:443
(98)Address already in use: make_sock: could not bind to address 0.0.0.0:443
no listening sockets available, shutting down
Unable to open logs</i>
A new virtual host was created
<i>'Processes all requests not handled by other virtual servers.'</i>
over port 443, which causes overlapping:
<i>Starting httpd: [Fri May 29 18:30:51 2009] [warn] _default_ VirtualHost overlap on port 443, the first has precedence</i>
Sorry, the 'new' host was my fault
Moving the things from httpd.conf to the new ssl.conf; here is its content:
<i>
LoadModule ssl_module modules/mod_ssl.so
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
SSLPassPhraseDialog builtin
SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout 300
SSLMutex default
SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin
<VirtualHost **.**.**.**:443>
  ServerName mail.domain.com
  DocumentRoot /usr/share/squirrelmail
  ErrorLog /home/squirrelmail/logs/error_log
  CustomLog /home/squirrelmail/logs/access_log common
  LogLevel warn
  SSLEngine on
  SSLProtocol all -SSLv2
  SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
  #SSLCertificateFile /etc/pki/tls/certs/localhost.crt
  #SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
  SSLCertificateFile /path/to/ssl.crt
  SSLCertificateKeyFile /path/to/ssl.key
  SSLCertificateChainFile /path/to/sub.class1.server.ca.pem
  SSLCACertificateFile /path/to/ca.pem
  <Files ~ "\.(cgi|shtml|phtml|php3?)$">
    SSLOptions +StdEnvVars
  </Files>
  <Directory /usr/share/squirrelmail/var/www/cgi-bin>
    SSLOptions +StdEnvVars
  </Directory>
  SetEnvIf User-Agent ".*MSIE.*" \
    nokeepalive ssl-unclean-shutdown \
    downgrade-1.0 force-response-1.0
  CustomLog logs/ssl_request_log \
    "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
</i>
I am checking here http://www.digicert.com/help/index.htm
how things are going.
I first left those certs at /etc/pki and couldn't connect
Then I used those uncommented at /path/to...
<i>http://www.digicert.com/help/index.htm</i>
#openssl s_client -connect localhost:443 -state -debug
socket: Connection refused
<i>connect:errno=29</i>
It seems it is a domain issue inside the certificate
After restarting Apache, error_log of mail.domain.com displays twice.
<i>[Fri May 29 19:52:49 2009] [warn] RSA server certificate CommonName (CN) `mail.domain.com' does NOT match server name!?
[Fri May 29 19:52:49 2009] [warn] RSA server certificate CommonName (CN) `mail.domain.com' does NOT match server name!?</i>
I created new cert & key for exactly mail.domain.com
I don't get these errors anymore but I still cannot connect to ssl
Help please!
Hallelujah!!
That Listen 443 was wrongly placed in httpd.conf.
It has to be moved to ssl.conf.
Thanks a lot!!!
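The final cause, a `Listen 443` left in httpd.conf after mod_ssl's ssl.conf brought its own, shows up earlier in the thread as the "(98)Address already in use: make_sock: could not bind to address" failure. As an added example (not code from the thread, Virtualmin or Apache), the following script scans a set of Apache config files for exactly that: a port bound by more than one Listen directive, plus the related mistake of a <VirtualHost> on a port nothing listens on. The config texts are constructed after the thread's description; 203.0.113.10 is a documentation address standing in for the server IP.

```python
"""Added example (not code from the thread, Virtualmin or Apache): find Listen
directives that collide across Apache config files, and VirtualHosts whose
port has no Listen at all."""
import re

LISTEN_RE = re.compile(r"^\s*Listen\s+(\S+)", re.IGNORECASE)
VHOST_RE = re.compile(r"^\s*<VirtualHost\s+([^>]+)>", re.IGNORECASE)


def _addr_port(spec, default_port=None):
    """Normalise '443', '*:443', '1.2.3.4:443' or '[::]:443' to (address, port);
    a bare port means every address."""
    if spec.startswith("["):                       # IPv6 literal
        host, sep, port = spec.rpartition("]:")
        if not sep:
            return (spec.strip("[]"), default_port)
        return (host.lstrip("["), int(port))
    if ":" in spec:
        host, port = spec.rsplit(":", 1)
        return (host, int(port))
    if spec.isdigit():
        return ("*", int(spec))
    return (spec, default_port)


def audit_listeners(files):
    """files: {path: config text}. Returns (code, port, message) findings."""
    listens, vhosts = [], []
    for path, text in files.items():
        for line in text.splitlines():
            m = LISTEN_RE.match(line)
            if m:
                listens.append(_addr_port(m.group(1)) + (path,))
                continue
            m = VHOST_RE.match(line)
            if m:
                for spec in m.group(1).split():
                    vhosts.append(_addr_port(spec, default_port=80) + (path,))

    findings = []
    by_port = {}
    for addr, port, path in listens:
        by_port.setdefault(port, []).append((addr, path))
    for port, entries in sorted(by_port.items()):
        addrs = [a for a, _ in entries]
        # Two Listens collide when the same address repeats or one of them is
        # the wildcard, which already covers every address on that port.
        if len(entries) > 1 and ("*" in addrs or len(set(addrs)) < len(addrs)):
            where = "; ".join(f"{a}:{port} in {p}" for a, p in entries)
            findings.append(("duplicate_listen", port,
                             f"port {port} bound more than once ({where}); "
                             "httpd fails with 'Address already in use'"))
    for addr, port, path in vhosts:
        if port not in by_port:
            findings.append(("vhost_without_listen", port,
                             f"<VirtualHost {addr}:{port}> in {path} has no Listen for {port}"))
    return findings


# Constructed after the thread: Listen 443 left in httpd.conf after mod_ssl's
# ssl.conf added its own.
BROKEN = {
    "/etc/httpd/conf/httpd.conf": (
        "Listen 80\nListen 443\n"
        "<VirtualHost 203.0.113.10:80>\nServerName mail.domain.com\n</VirtualHost>\n"),
    "/etc/httpd/conf.d/ssl.conf": (
        "LoadModule ssl_module modules/mod_ssl.so\nListen 443\n"
        "<VirtualHost 203.0.113.10:443>\nServerName mail.domain.com\nSSLEngine on\n</VirtualHost>\n"),
}

# The fix from the thread: Listen 443 lives only in ssl.conf.
FIXED = {path: text.replace("Listen 443\n", "") if path.endswith("httpd.conf") else text
         for path, text in BROKEN.items()}

if __name__ == "__main__":
    for label, files in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, audit_listeners(files) or ["OK"])
```

On a real box, feed it the contents of httpd.conf plus everything under conf.d/ (the files Apache pulls in via Include), since the collision only appears when the two files are looked at together.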