Rocky_Linux_8
Sponsored Link

Mail Server : SSL/TLS Setting2021/07/30

 
Configure SSL/TLS to encrypt connections.
[1]
[2] Configure Postfix and Dovecot.
[root@mail ~]#
vi /etc/postfix/main.cf
# line 709, 715 : comment out

#
smtpd_tls_cert_file = /etc/pki/tls/certs/postfix.pem
#
smtpd_tls_key_file = /etc/pki/tls/private/postfix.key
# add to the end (replace certificate to your own one)

smtpd_use_tls = yes
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_cert_file = /etc/letsencrypt/live/mail.srv.world/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/mail.srv.world/privkey.pem
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
[root@mail ~]#
vi /etc/postfix/master.cf
# line 17,18,20 : uncomment

submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
#  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes

# line 29-32 : uncomment

smtps     inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  
[root@mail ~]#
vi /etc/dovecot/conf.d/10-ssl.conf
# line 8 : change (if set SSL required, specify [required])

ssl =
yes
# line 14,15 : specify certificates

ssl_cert = <
/etc/letsencrypt/live/mail.srv.world/fullchain.pem

ssl_key = <
/etc/letsencrypt/live/mail.srv.world/privkey.pem
[root@mail ~]#
systemctl restart postfix dovecot
[3] If SELinux is enabled, restote context for certificates.
[root@mail ~]#
restorecon -v /etc/letsencrypt/live/mail.srv.world/fullchain.pem

[root@mail ~]#
restorecon -v /etc/letsencrypt/live/mail.srv.world/privkey.pem

[4] If Firewalld is running, allow SMTP-Submission/SMTPS/POP3S/IMAPS services.
SMTP-Submission uses [587/TCP] (used STARTTLS), SMTPS uses [465/TCP], POP3S uses [995/TCP], IMAPS uses [993/TCP].
[root@mail ~]#
firewall-cmd --add-service={smtp-submission,smtps,pop3s,imaps}

success
[root@mail ~]#
firewall-cmd --runtime-to-permanent

success
[5] For Client's settings, ( Mozilla Thunderbird )
Open account's property and move to [Server Settings] on the left pane, then Select [STARTTLS] or [SSL/TLS] on [Connection security] field on the right pane.
(this example shows to select [STARTTLS])
[6] Move to [Outgoing Server] on the left pane, then Click the [Edit] button on the right pane and Select [STARTTLS] or [SSL/TLS] on [Connection security] field.
Furthermore, change port to the used port. ([STARTTLS] uses [587], [SSL/TLS] uses 465, this example shows to select [STARTTLS])
[7] Verify possible to send or receive Emails normally.
Matched Content