diff --git a/sources/tech/20170112 OpenSSL For Apache and Dovecot Part 2.md b/sources/tech/20170112 OpenSSL For Apache and Dovecot Part 2.md new file mode 100644 index 0000000000..da26065cd4 --- /dev/null +++ b/sources/tech/20170112 OpenSSL For Apache and Dovecot Part 2.md @@ -0,0 +1,241 @@ +OpenSSL For Apache and Dovecot: Part 2 +============================================================ + + ![OpenSSL](https://www.linux.com/sites/lcom/files/styles/rendered_file/public/key-openssl_0.jpg?itok=FDO3qAOt "OpenSSL") +In this tutorial, Carla Schroder explains how to protect your Postfix/Dovecot mail server with OpenSSL.[Creative Commons Zero][1]Pixabay + +[Last week][11], as part of our meandering OpenSSL series, we learned how to configure Apache to use OpenSSL and to force all sessions to use HTTPS. Today, we'll protect our Postfix/Dovecot mail server with OpenSSL. The examples build on the previous tutorials; see the Resources section at the end for links to all previous tutorials in this series. + +You will have to configure both Postfix and Dovecot to use OpenSSL, and we'll use the key and certificate that we created in [OpenSSL For Apache and Dovecot ][12]. + +### Postfix Configuration + +You must edit `/etc/postfix/main.cf` and `/etc/postfix/master.cf`. The `main.cf`example is the complete configuration, building on our previous tutorials. Substitute your own OpenSSL key and certificate names, and local network: + +``` +compatibility_level=2 +smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu/GNU) +biff = no +append_dot_mydomain = no + +myhostname = localhost +alias_maps = hash:/etc/aliases +alias_database = hash:/etc/aliases +myorigin = $myhostname +mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 192.168.0.0/24 +mailbox_size_limit = 0 +recipient_delimiter = + +inet_interfaces = all + +virtual_mailbox_domains = /etc/postfix/vhosts.txt +virtual_mailbox_base = /home/vmail +virtual_mailbox_maps = hash:/etc/postfix/vmaps.txt +virtual_minimum_uid = 1000 +virtual_uid_maps = static:5000 +virtual_gid_maps = static:5000 +virtual_transport = lmtp:unix:private/dovecot-lmtp + +smtpd_tls_cert_file=/etc/ssl/certs/test-com.pem +smtpd_tls_key_file=/etc/ssl/private/test-com.key +smtpd_use_tls=yes + +smtpd_sasl_auth_enable = yes +smtpd_sasl_type = dovecot +smtpd_sasl_path = private/auth +smtpd_sasl_authenticated_header = yes +``` + +In `master.cf` un-comment the following lines in the `submission inet` section, and edit `smtpd_recipient_restrictions` as shown: + +``` +#submission inet n - y - - smtpd + -o syslog_name=postfix/submission + -o smtpd_tls_security_level=encrypt + -o smtpd_sasl_auth_enable=yes + -o milter_macro_daemon_name=ORIGINATING + -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject + -o smtpd_tls_wrappermode=no +``` + +Reload Postfix and you're finished: + +``` +$ sudo service postfix reload +``` + +### Dovecot Configuration + +In our previous tutorials we made a single configuration file for Dovecot, `/etc/dovecot/dovecot.conf`, rather than using the default giant herd of multiple configuration files. This is a complete configuration that builds on our previous tutorials. Again, use your own OpenSSL key and certificate, and your own `userdb` home file: + +``` +protocols = imap pop3 lmtp +log_path = /var/log/dovecot.log +info_log_path = /var/log/dovecot-info.log +disable_plaintext_auth = no +mail_location = maildir:~/.Mail +pop3_uidl_format = %g +auth_mechanisms = plain + +passdb { + driver = passwd-file + args = /etc/dovecot/passwd +} + +userdb { + driver = static + args = uid=vmail gid=vmail home=/home/vmail/studio/%u +} + +service lmtp { + unix_listener /var/spool/postfix/private/dovecot-lmtp { + group = postfix + mode = 0600 + user = postfix + } +} + +protocol lmtp { + postmaster_address = postmaster@studio +} + +service lmtp { + user = vmail +} + +service auth { + unix_listener /var/spool/postfix/private/auth { + mode = 0660 + user=postfix + group=postfix + } + } + +ssl=required +ssl_cert = +250 2.1.0 Ok +rcpt to: +250 2.1.5 Ok +data +354 End data with .subject: TLS/SSL test +Hello, we are testing TLS/SSL. Looking good so far. +. +250 2.0.0 Ok: queued as B9B529FE59 +quit +221 2.0.0 Bye +``` + +You should see a new message in your mail client, and it will ask you to verify your SSL certificate when you open it. You may also use `openssl s_client`to test your Dovecot POP3 and IMAP services. This example tests encrypted POP3, and message #5 is the one we created in telnet (above): + +``` +$ openssl s_client -connect studio:995 +CONNECTED(00000003) +[masses of output snipped] + Verify return code: 0 (ok) +--- ++OK Dovecot ready +user alrac@studio ++OK +pass password ++OK Logged in. +list ++OK 5 messages: +1 499 +2 504 +3 514 +4 513 +5 565 +. +retr 5 ++OK 565 octets +Return-Path: +Delivered-To: alrac@studio +Received: from localhost + by studio.alrac.net (Dovecot) with LMTP id y8G5C8aablgKIQAAYelYQA + for ; Thu, 05 Jan 2017 11:13:10 -0800 +Received: from studio (localhost [127.0.0.1]) + by localhost (Postfix) with ESMTPS id B9B529FE59 + for ; Thu, 5 Jan 2017 11:12:13 -0800 (PST) +subject: TLS/SSL test +Message-Id: <20170105191240.B9B529FE59@localhost> +Date: Thu, 5 Jan 2017 11:12:13 -0800 (PST) +From: carla@domain.com + +Hello, we are testing TLS/SSL. Looking good so far. +. +quit ++OK Logging out. +closed +``` + +### Now What? + +Now you have a nice functioning mail server with proper TLS/SSL protection. I encourage you to study Postfix and Dovecot in-depth; the examples in these tutorials are as simple as I could make them, and don't include fine-tuning for security, anti-virus scanners, spam filters, or any other advanced functionality. I think it's easier to learn the advanced features when you have a basic working system to use. + +Come back next week for an openSUSE package management cheat sheet. + +### Resources + +* [OpenSSL For Apache and Dovecot][3] +* [How to Build an Email Server on Ubuntu Linux][4] +* [Building an Email Server on Ubuntu Linux, Part 2][5] +* [Building an Email Server on Ubuntu Linux, Part 3][6] +* [Apache on Ubuntu Linux For Beginners][7] +* [Apache on Ubuntu Linux For Beginners: Part 2][8] +* [Apache on CentOS Linux For Beginners][9] +* [Quieting Scary Web Browser SSL Alerts][10] + +-------------------------------------------------------------------------------- + +via: https://www.linux.com/learn/intro-to-linux/openssl-apache-and-dovecot-part-2 + +作者:[CARLA SCHRODER][a] +译者:[译者ID](https://github.com/译者ID) +校对:[校对者ID](https://github.com/校对者ID) + +本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出 + +[a]:https://www.linux.com/users/cschroder +[1]:https://www.linux.com/licenses/category/creative-commons-zero +[2]:https://www.linux.com/files/images/key-openssljpg-0 +[3]:https://www.linux.com/learn/sysadmin/openssl-apache-and-dovecot +[4]:https://www.linux.com/learn/how-build-email-server-ubuntu-linux +[5]:https://www.linux.com/learn/sysadmin/building-email-server-ubuntu-linux-part-2 +[6]:https://www.linux.com/learn/sysadmin/building-email-server-ubuntu-linux-part-3 +[7]:https://www.linux.com/learn/apache-ubuntu-linux-beginners +[8]:https://www.linux.com/learn/apache-ubuntu-linux-beginners-part-2 +[9]:https://www.linux.com/learn/apache-centos-linux-beginners +[10]:https://www.linux.com/learn/quieting-scary-web-browser-ssl-alerts +[11]:https://www.linux.com/learn/sysadmin/openssl-apache-and-dovecot +[12]:https://www.linux.com/learn/sysadmin/openssl-apache-and-dovecot