1 (edited by brad.b82 2013-03-19 00:08:33)

Topic: configuring postfix & dovecot to use only SSL/TLS

==== Required information ====
- iRedMail version: 0.8.3
- Store mail accounts in backend MySQL
- Linux/BSD distribution: Debian 7 / wheezy
====

I'm trying to make it so that my mail users are required to use SSL/TLS to both send and receive mail from their email clients and from the Roundcube web interface. I do not want them to have the option to even use unsecured connections. I've configured Apache for SSL before, so that shouldn't be an issue. Getting Postfix and Dovecot to cooperate is a different story though!

I used Comodo as the certificate authority.  They sent me three files in an email with a description which looks like so:

    Root CA Certificate - AddTrustExternalCARoot.crt
    Intermediate CA Certificate - PositiveSSLCA2.crt
    Your PositiveSSL Certificate - mx_domain_com.crt

All my certificates are currently in /etc/ssl and it looks like so:
    AddTrustExternalCARoot.crt 
    certs/ 
    mx_domain_com.crt 
    mx.domain.com.csr 
    mx.domain.com.key 
    openssl.cnf 
    PositiveSSLCA2.crt 
    private/

Can someone please either point me to current documentation on how to do this or show me what to edit in which files?


2

Re: configuring postfix & dovecot to use only SSL/TLS

It's better to show us how you configure Apache, then we can configure Postfix/Dovecot by referring to it.

*) In Postfix, SSL certificates are configured with 3 parameters (in main.cf):

smtpd_tls_key_file=
smtpd_tls_cert_file=
smtpd_tls_CAfile=

*) In Dovecot, the 3 parameters below (in dovecot.conf):

# Note: the '<' before the file path is required, not a typo.
ssl_cert = </path/to/cert_file
ssl_key = </path/to/key_file

3 (edited by brad.b82 2013-03-19 11:30:49)

Re: configuring postfix & dovecot to use only SSL/TLS

I think I may have finally gotten it. Currently in the process of testing. I'll post back whether this works or not, because it'll be good to have this configuration available for the next struggling person. This is what I have come up with so far (some things may be commented out so I can easily recover from "disasters"):

apache2 wrote:

SSLCertificateFile /etc/ssl/mx_mydomain_com.crt
SSLCertificateKeyFile /etc/ssl/mx.mydomain.com.key
#SSLCertificateChainFile /etc/ssl/PositiveSSLCA2.crt

postfix wrote:

# smtpd_tls_cert_file = /etc/ssl/PositiveSSLCA2.crt
smtpd_tls_cert_file = /etc/ssl/mx_mydomain_com.crt
smtpd_tls_key_file = /etc/ssl/mx.mydomain.com.key
smtpd_tls_CAfile = /etc/ssl/AddTrustExternalCARoot.crt
smtpd_use_tls=yes

dovecot wrote:

ssl_cert = </etc/ssl/mx_mydomain_com.crt
ssl_key = </etc/ssl/mx.mydomain.com.key
# ssl_ca = </etc/ssl/AddTrustExternalCARoot.crt
ssl_ca = </etc/ssl/PositiveSSLCA2.crt

4 (edited by brad.b82 2013-03-19 12:12:42)

Re: configuring postfix & dovecot to use only SSL/TLS

OK, I've made some changes. My config files now look like so:

apache2 wrote:

SSLEngine on
SSLCertificateFile /etc/ssl/mx_mydomain_com.crt
SSLCertificateKeyFile /etc/ssl/mx.mydomain.com.key
SSLCertificateChainFile /etc/ssl/PositiveSSLCA2.crt
SSLCACertificateFile /etc/ssl/AddTrustExternalCARoot.crt

postfix wrote:

smtpd_tls_cert_file = /etc/ssl/mx_mydomain_com.crt
smtpd_tls_key_file = /etc/ssl/mx.mydomain.com.key
smtpd_tls_CAfile = /etc/ssl/PositiveSSLCA2.crt
smtpd_use_tls=yes

dovecot wrote:

ssl = required
ssl_cert = </etc/ssl/mx_mydomain_com.crt
ssl_key = </etc/ssl/mx.mydomain.com.key
ssl_ca = </etc/ssl/PositiveSSLCA2.crt

A nifty tool I found is a way to test your settings from a remote location. Check out https://www.wormly.com/tools
According to that site, my apache2 and dovecot are working securely as expected.
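The parameters listed in post 2 and the final settings in post 4 enable TLS, but on the Postfix side they do not refuse plaintext logins: smtpd_use_tls = yes is the legacy, opportunistic setting (superseded by smtpd_tls_security_level since Postfix 2.3), so a client can still send AUTH over port 25 in the clear. The following is an added example of a TLS-only layout for this kind of setup. It is not configuration from the thread or from iRedMail; it reuses the thread's placeholder hostname and file names, and the combined chain file mx_mydomain_com_chain.crt is an assumed name, built once with "cat /etc/ssl/mx_mydomain_com.crt /etc/ssl/PositiveSSLCA2.crt > /etc/ssl/mx_mydomain_com_chain.crt" (server certificate first, intermediate second). Port 25 is deliberately left opportunistic: other mail servers deliver there, and a sending MTA without TLS support could otherwise never deliver at all. Users are sent to 587 (STARTTLS, mandatory) or 465 (TLS wrapper), where authentication is never offered before encryption.

```conf
# ---- /etc/postfix/main.cf (Postfix 2.3+ syntax; added example, not iRedMail's shipped config) ----

# Postfix sends the whole contents of smtpd_tls_cert_file to the client, so the
# intermediate belongs in this file, after the server certificate (bottom-up order).
# mx_mydomain_com_chain.crt is an assumed file name, see the lead-in.
smtpd_tls_cert_file = /etc/ssl/mx_mydomain_com_chain.crt
smtpd_tls_key_file  = /etc/ssl/mx.mydomain.com.key

# smtpd_tls_CAfile lists CAs trusted to sign CLIENT certificates. It does not make the
# server's chain verifiable, so pointing it at the intermediate (post 4) changes nothing
# for mail clients; the root is only needed here if client certificates are ever used.
smtpd_tls_CAfile = /etc/ssl/AddTrustExternalCARoot.crt

# Replaces the legacy "smtpd_use_tls = yes". "may": offer STARTTLS on port 25 but
# still accept plaintext delivery from other MTAs.
smtpd_tls_security_level = may

# Even on port 25, never advertise AUTH until the session is encrypted.
smtpd_tls_auth_only = yes

# Log a one-line handshake summary per session so chain problems are visible.
smtpd_tls_loglevel = 1

# ---- /etc/postfix/master.cf ----
# Client submission port. "encrypt" rejects everything but STARTTLS first, so neither
# credentials nor message bodies can travel in the clear on this port.
submission inet n       -       -       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_auth_only=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject

# Implicit TLS on 465 for clients that cannot do STARTTLS.
smtps     inet  n       -       -       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject

# ---- Dovecot (dovecot.conf, or conf.d/10-ssl.conf and 10-auth.conf on Dovecot 2.x) ----
# "required": authentication is refused on connections that are not TLS-protected;
# IMAP advertises STARTTLS and LOGINDISABLED until the client upgrades.
ssl = required

# Same chain file as Postfix, server certificate first; '<' reads the file contents.
ssl_cert = </etc/ssl/mx_mydomain_com_chain.crt
ssl_key = </etc/ssl/mx.mydomain.com.key

# ssl_ca is for verifying CLIENT certificates (ssl_verify_client_cert = yes).
# Setting it to the intermediate, as in posts 3 and 4, does not help clients verify
# the server; leave it unset unless client certificates are used.
#ssl_ca = </etc/ssl/PositiveSSLCA2.crt

# Explicit, although ssl = required already implies it.
disable_plaintext_auth = yes
```

To check the chain before restarting anything, run openssl verify -CAfile /etc/ssl/AddTrustExternalCARoot.crt -untrusted /etc/ssl/PositiveSSLCA2.crt /etc/ssl/mx_mydomain_com.crt on the server; it must print OK. After restarting Postfix and Dovecot, from another host connect with telnet or nc to port 587, send "EHLO test", and confirm that no 250-AUTH line is offered before STARTTLS; then openssl s_client -starttls smtp -connect mx.mydomain.com:587 -CApath /etc/ssl/certs should list the intermediate in the certificate chain and end with "Verify return code: 0 (ok)". The same s_client run with -starttls imap against port 143 should show LOGINDISABLED in the pre-TLS CAPABILITY line. One local consequence to check afterwards: Roundcube runs on the same box, and Dovecot treats loopback connections as secured, but Postfix on 587 with "encrypt" does not, so Roundcube's SMTP settings must use STARTTLS as well.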

5

Re: configuring postfix & dovecot to use only SSL/TLS

Thanks for sharing.