Sunday, 5 March 2017

Let's Encrypt SSL Recipes -- Mail Server (sendmail and dovecot)

In part 1 of this series I showed how to obtain a free SSL certificate from Let's Encrypt and use the certificate to secure a website using Apache.

The same certificate can be used to secure a mail server such as dovecot, and a mail transfer agent such as sendmail.  I will show dovecot first because it's the easiest.

The dovecot configuration files are usually in /etc/dovecot, with the master configuration file being /etc/dovecot/dovecot.conf.  On most distributions you shouldn't edit this file directly; instead, edit the files in /etc/dovecot/conf.d/. The one file you need to edit is /etc/dovecot/conf.d/10-ssl.conf on Red Hat and CentOS distributions.

The lines that you need to set in this file are as follows:

ssl_cert = </etc/letsencrypt/live/
ssl_key =  </etc/letsencrypt/live/
ssl_protocols = !SSLv2 !SSLv3
ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL:!RC4:!eNULL:!3DES:!MD5:!PSK:!SRP:!DSS

As before, replace with the actual site name of your web site, the site name that has been used to obtain the SSL certificate.  Note that you need to give the path to the fullchain.pem file obtained by certbot and not just the cert.pem file.

The site name should be the same as the server name that you configure in your mail client to access this server.  For example, if you're configuring Thunderbird you should set this as the Server Name under Server Settings in the Account Settings. Don't use another alias or CNAME; use the exact server name as registered on the certificate.

The sendmail Mail Transfer Agent (MTA), usually used for sending mail, is a bit fussier about the certificates.  It can't use the certificates from the Let's Encrypt path because sendmail insists on certain permissions on the key file -- it must not be world readable.  So in my cron script to renew the certificates I add some extra lines to copy the certificate and key elsewhere, with permissions that sendmail will be happy with:

cat /etc/letsencrypt/live/ \
    /etc/letsencrypt/live/ > \
    /etc/pki/tls/certs/sendmail.pem
chmod 0600 /etc/pki/tls/certs/sendmail.pem
cat /etc/letsencrypt/live/ > /etc/pki/tls/certs/chain.pem

The above lines will put a copy of the combined key and certificate in /etc/pki/tls/certs as well as the CA chain file.
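As an added example (not the post's own cron script), here is that copy step written as POSIX shell functions, plus the check a practitioner would want before restarting sendmail: that sendmail.pem is really not world-readable and holds both the key and the certificate chain. The live directory, destination directory and site name are assumptions.

```shell
#!/bin/sh
# Added example, not the post's own cron script: build the combined key and
# certificate file sendmail wants, created private from the start, then check
# it before sendmail is reloaded. Directory paths are assumptions.
set -eu

# install_sendmail_pem LIVE_DIR DEST_DIR
#   LIVE_DIR: certbot's live directory for the site, e.g.
#             /etc/letsencrypt/live/mail.example.com (placeholder name)
#   DEST_DIR: where sendmail reads its files, e.g. /etc/pki/tls/certs
install_sendmail_pem() {
    live="$1"; dest="$2"
    tmp="$dest/sendmail.pem.$$"
    # umask 077 in a subshell: the file is never world-readable, even briefly
    ( umask 077; cat "$live/privkey.pem" "$live/fullchain.pem" > "$tmp" )
    chmod 0600 "$tmp"
    mv -f "$tmp" "$dest/sendmail.pem"         # atomic replace of the old copy
    cp -f "$live/chain.pem" "$dest/chain.pem" # CA chain only, safe to be readable
    chmod 0644 "$dest/chain.pem"
}

# world_readable FILE: succeeds if the "other" read bit (octal 004) is set
world_readable() {
    [ -n "$(find "$1" -perm -004)" ]
}

# check_sendmail_pem DEST_DIR: 0 if sendmail.pem is private and holds both a
# private key and a certificate, 1 otherwise (run before restarting sendmail)
check_sendmail_pem() {
    f="$1/sendmail.pem"
    [ -f "$f" ] || return 1
    world_readable "$f" && return 1
    grep -q 'BEGIN .*PRIVATE KEY' "$f" || return 1
    grep -q 'BEGIN CERTIFICATE' "$f" || return 1
    return 0
}
```

Call install_sendmail_pem from the renewal cron job after certbot has run, and only restart sendmail if check_sendmail_pem succeeds.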

The next step is to configure sendmail.  I do this by editing the sendmail macro file (from the sendmail-cf package on CentOS):

cd /usr/share/sendmail-cf/cf

Add these lines to the macro file:

DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl
DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl

If you're configuring sendmail for TLS then you will probably also want SMTP Authentication.  For that you need these additional lines in your macro file:

define(`confAUTH_OPTIONS', `A')dnl

Note that "LOGIN" and "PLAIN" authentication are mostly OK here -- because, although the password is sent in plain text, it is sent inside the TLS encrypted channel.  That only holds if those mechanisms are offered on the TLS connection alone: adding the `p' flag to confAUTH_OPTIONS (`A p') makes sendmail refuse PLAIN and LOGIN unless a security layer such as TLS is active.  You will also need to start the SASL authentication daemon:

service saslauthd start
chkconfig saslauthd on

You will probably also want to set up Fail2Ban on your server, because once you have sendmail authentication turned on you will see many brute-force attempts against your passwords.

Rebuild your macro file using make and copy this to your normal location.

I will update this for postfix at some point.
