In this tutorial, Carla Schroder explains how to protect your Postfix/Dovecot mail server with OpenSSL.
[Last week][11], as part of our meandering OpenSSL series, we learned how to configure Apache to use OpenSSL and to force all sessions to use HTTPS. Today, we'll protect our Postfix/Dovecot mail server with OpenSSL. The examples build on the previous tutorials; see the Resources section at the end for links to all previous tutorials in this series.
You will have to configure both Postfix and Dovecot to use OpenSSL, and we'll use the key and certificate that we created in [OpenSSL For Apache and Dovecot][12].
### Postfix Configuration
You must edit `/etc/postfix/main.cf` and `/etc/postfix/master.cf`: `main.cf` holds the global parameters, and `master.cf` defines the services Postfix runs (for example the submission service on port 587) and their per-service overrides. The `main.cf` example is the complete configuration, building on our previous tutorials. Substitute your own OpenSSL key and certificate names, and local network:
### Dovecot Configuration
In our previous tutorials we made a single configuration file for Dovecot, `/etc/dovecot/dovecot.conf`, rather than using the default giant herd of multiple configuration files. This is a complete configuration that builds on our previous tutorials. Again, use your own OpenSSL key and certificate, and your own `userdb` home file:
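The TLS-related subset of those two configurations, applied from a script with `postconf(1)` and a Dovecot fragment rather than by hand, as an added example that is not the article's own listing. It serves both the Postfix and the Dovecot sections above. The certificate and key paths are assumptions, as are the versions: Postfix 2.11 or later (for `postconf -M` and `-P`, which edit `master.cf` safely) and Dovecot 2.3 or later (for `ssl_min_protocol`); the SASL setup on the submission service is the one from the earlier tutorials.

```shell
#!/bin/sh
# Added example, not the article's own listing: apply the TLS-related
# Postfix and Dovecot settings from a script instead of editing by hand.
# Assumptions (not from the article): the paths below, Postfix >= 2.11
# (postconf -M/-P) and Dovecot >= 2.3 (ssl_min_protocol).
set -eu

CERT=/etc/ssl/certs/studio.crt          # assumed path; use your own certificate
KEY=/etc/ssl/private/studio.key         # assumed path; use your own key
DOVECOT_CONF=/etc/dovecot/dovecot.conf  # single-file layout from the earlier tutorials

# main.cf parameters, one "name = value" per line, in the form postconf -e takes.
# Port 25 stays opportunistic ("may"): RFC 3207 forbids a public MX from
# requiring STARTTLS, and other MTAs may not offer it. AUTH is only ever
# announced after STARTTLS (smtpd_tls_auth_only), so passwords never go in clear.
postfix_tls_settings() {
    cat <<EOF
smtpd_tls_cert_file = $CERT
smtpd_tls_key_file = $KEY
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_database = btree:\${data_directory}/smtpd_scache
smtp_tls_security_level = may
smtp_tls_loglevel = 1
smtp_tls_session_cache_database = btree:\${data_directory}/smtp_scache
EOF
}

# Dovecot fragment appended to dovecot.conf. "ssl = required" refuses any
# non-TLS login; disable_plaintext_auth blocks cleartext passwords as well.
# Dovecot 2.2 has no ssl_min_protocol; use "ssl_protocols = !SSLv2 !SSLv3" there.
dovecot_tls_settings() {
    cat <<EOF

# TLS settings (added by script)
ssl = required
ssl_cert = <$CERT
ssl_key = <$KEY
ssl_min_protocol = TLSv1.2
ssl_prefer_server_ciphers = yes
disable_plaintext_auth = yes
EOF
}

apply_postfix_tls() {
    postfix_tls_settings | while IFS= read -r line; do
        postconf -e "$line"
    done
    # master.cf: submission on 587 requires TLS before AUTH is even offered.
    # Chroot column is "n" so the Dovecot SASL socket path needs no remapping.
    postconf -M -e 'submission/inet=submission inet n - n - - smtpd'
    postconf -P -e 'submission/inet/syslog_name=postfix/submission' \
                  'submission/inet/smtpd_tls_security_level=encrypt' \
                  'submission/inet/smtpd_sasl_auth_enable=yes' \
                  'submission/inet/smtpd_tls_auth_only=yes'
    postfix reload
}

apply_dovecot_tls() {
    dovecot_tls_settings >> "$DOVECOT_CONF"
    doveconf -n >/dev/null   # parse check: fail here rather than reload a broken config
    doveadm reload
}

case "${1:-}" in
    apply) apply_postfix_tls; apply_dovecot_tls ;;
    *)     postfix_tls_settings; dovecot_tls_settings ;;   # dry run: print only
esac
```

Run it without arguments to see what would be written, and with `apply` as root to change the live configuration. `postconf -e` rewrites `main.cf` in place and preserves everything it does not touch, which is why the script only carries the TLS parameters and relies on the rest of the configuration from the earlier tutorials.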
Now we can test our setup by sending a message with telnet, just like we did before. But wait, you say, telnet does not support TLS/SSL, so how can this be so? By opening an encrypted session with `openssl s_client` first is how. SMTP starts in plaintext and upgrades to TLS with the STARTTLS command, so `s_client` needs `-starttls smtp` for port 25 or 587, whereas the POP3S and IMAPS ports (995 and 993) are encrypted from the first byte. The `openssl s_client` output will display your certificate, fingerprint, and a ton of other information so you'll know that your server is using the correct certificate. Commands that you type after the session is established are the lines without a numeric reply code:
```
[session start snipped]
Hello, we are testing TLS/SSL. Looking good so far.
.
250 2.0.0 Ok: queued as B9B529FE59
quit
221 2.0.0 Bye
```
You should see a new message in your mail client; if the client does not already trust the certificate (a self-signed one, for instance), it will ask you to verify it when it connects. You may also use `openssl s_client` to test your Dovecot POP3 and IMAP services. This example tests POP3 over TLS on port 995, and message #5 is the one we created in the session above:
```
$ openssl s_client -connect studio:995
CONNECTED(00000003)
[masses of output snipped]
Verify return code: 0 (ok)
---
+OK Dovecot ready
user alrac@studio
+OK
pass password
+OK Logged in.
list
+OK 5 messages:
1 499
2 504
3 514
4 513
5 565
.
retr 5
+OK 565 octets
Return-Path: <carla@domain.com>
Delivered-To: alrac@studio
Received: from localhost
by studio.alrac.net (Dovecot) with LMTP id y8G5C8aablgKIQAAYelYQA
for <alrac@studio>; Thu, 05 Jan 2017 11:13:10 -0800
Received: from studio (localhost [127.0.0.1])
by localhost (Postfix) with ESMTPS id B9B529FE59
for <alrac@studio>; Thu, 5 Jan 2017 11:12:13 -0800 (PST)
subject: TLS/SSL test
Message-Id: <20170105191240.B9B529FE59@localhost>
Date: Thu, 5 Jan 2017 11:12:13 -0800 (PST)
From: carla@domain.com
Hello, we are testing TLS/SSL. Looking good so far.
.
quit
+OK Logging out.
closed
```
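The same check, unattended and for every mail port at once, as an added example that is not part of the article. The host name and the CA file are assumptions; if your certificate is self-signed, point `CAFILE` at the certificate itself, otherwise `s_client` reports "Verify return code: 18 (self signed certificate)" instead of the "0 (ok)" shown in the session above. The SMTP, POP3 and IMAP STARTTLS ports are probed with `-starttls`, the implicit-TLS ports 993 and 995 without it.

```shell
#!/bin/sh
# Added example, not from the article: probe every TLS-protected mail port the
# way the manual openssl s_client sessions do, and verify the chain each time.
# Assumed: the host name and the CA file below; adjust both.
set -u

HOST=${HOST:-studio}                     # assumed; the article's server name
CAFILE=${CAFILE:-/etc/ssl/certs/ca.pem}  # assumed; CA cert, or the self-signed cert itself

# Pull the numeric "Verify return code" out of s_client output on stdin.
# 0 = chain verified against CAFILE, 18 = self signed certificate,
# 21 = unable to verify the first certificate (no usable CA supplied).
verify_code() {
    sed -n 's/^Verify return code: \([0-9]*\) .*/\1/p' | head -n 1
}

# Probe one port. $2 names the STARTTLS protocol (smtp, pop3, imap) for ports
# that begin in plaintext; leave it empty for implicit-TLS ports (993, 995).
# Prints the verify code, certificate subject, expiry and SHA-256 fingerprint;
# returns non-zero unless the chain verified.
tls_check() {
    port=$1; proto=${2:-}
    if [ -n "$proto" ]; then
        out=$(openssl s_client -connect "$HOST:$port" -starttls "$proto" \
                  -CAfile "$CAFILE" </dev/null 2>/dev/null) || out=''
    else
        out=$(openssl s_client -connect "$HOST:$port" \
                  -CAfile "$CAFILE" </dev/null 2>/dev/null) || out=''
    fi
    code=$(printf '%s\n' "$out" | verify_code)
    printf '%s:%s verify=%s\n' "$HOST" "$port" "${code:-none}"
    # openssl x509 reads the first PEM certificate in the s_client output
    printf '%s\n' "$out" | openssl x509 -noout -subject -enddate -fingerprint -sha256 \
        2>/dev/null || echo '  no certificate received'
    [ "${code:-1}" = 0 ]
}

# Probe the usual six ports; exit non-zero if any of them fails verification.
main() {
    rc=0
    for spec in 25/smtp 587/smtp 110/pop3 143/imap 993/ 995/; do
        tls_check "${spec%/*}" "${spec#*/}" || rc=1
    done
    return $rc
}

case "${1:-}" in run) main ;; esac
```

Invoke it as `sh tls-check.sh run` (assumed file name) after every certificate renewal; a non-zero exit means at least one port served a certificate that did not verify, was missing, or was not listening.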
### Now What?
Now you have a nice functioning mail server with proper TLS/SSL protection. I encourage you to study Postfix and Dovecot in-depth; the examples in these tutorials are as simple as I could make them, and don't include fine-tuning for security, anti-virus scanners, spam filters, or any other advanced functionality. I think it's easier to learn the advanced features when you have a basic working system to use.
Come back next week for an openSUSE package management cheat sheet.
### Resources
* [OpenSSL For Apache and Dovecot][3]
* [How to Build an Email Server on Ubuntu Linux][4]
* [Building an Email Server on Ubuntu Linux, Part 2][5]
* [Building an Email Server on Ubuntu Linux, Part 3][6]
* [Apache on Ubuntu Linux For Beginners][7]
* [Apache on Ubuntu Linux For Beginners: Part 2][8]