SLES 15
SSL/TLS Setting (2019/01/24)

Configure SSL/TLS to encrypt connections.
[1]
[2] Configure Postfix and Dovecot.
mail:~ #
vi /etc/postfix/main.cf
# line 770: change
smtpd_use_tls = yes
# line 774: specify certificates
smtpd_tls_cert_file = /etc/letsencrypt/live/mail.srv.world/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/mail.srv.world/privkey.pem
# line 778: add
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
mail:~ #
vi /etc/postfix/master.cf
# line 23,24,26: uncomment
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
#  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes

# line 34-36: uncomment
smtps     inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes

# line 51: uncomment
tlsmgr    unix  -       -       n       1000?   1       tlsmgr

# generate DH param for Dovecot

mail:~ #
openssl dhparam 4096 > /etc/dovecot/dh.pem

mail:~ #
vi /etc/dovecot/conf.d/10-ssl.conf
# line 6: change
ssl = yes
# line 12,13: specify certificates
ssl_cert = </etc/letsencrypt/live/mail.srv.world/fullchain.pem
ssl_key = </etc/letsencrypt/live/mail.srv.world/privkey.pem
# line 50: uncomment
ssl_dh = </etc/dovecot/dh.pem
# line 54: uncomment
ssl_min_protocol = TLSv1
mail:~ #
vi /etc/services
# line 874: change
#urd                465/tcp      # URL Rendesvous Directory for SSM  [Toerless_Eckert]
smtps              465/tcp       # Secure SMTP
smtps              465/udp       # Secure SMTP

mail:~ #
systemctl restart postfix dovecot
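Before restarting the daemons it is worth confirming that the edits above actually landed in the files (a typo on line 770, or a still-commented `tlsmgr` entry, silently leaves the server without TLS). The following script is an added example, not part of the original page or of the Postfix/Dovecot projects. It parses the `key = value` format shared by `main.cf` and `10-ssl.conf` (including Postfix continuation lines, which begin with whitespace), parses the service entries and `-o` overrides in `master.cf`, and reports which of the settings from this page are missing. The embedded sample texts are constructed to mirror the page; on a real host you would read the three files from `/etc/postfix` and `/etc/dovecot/conf.d` instead.

```python
"""Audit the Postfix/Dovecot TLS settings shown on this page.

Added example (not the page's or the projects' own code). Assumes the file
layouts shown above; the sample texts are constructed, not read from disk.
"""
import re


def parse_kv(text):
    """Parse a 'key = value' file (Postfix main.cf, Dovecot 10-ssl.conf).

    Skips '#' comments and blank lines. A line starting with whitespace is a
    Postfix continuation of the previous value. Later keys override earlier
    ones, which is how both daemons resolve duplicates.
    """
    settings, key = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and key is not None:
            settings[key] += " " + raw.strip()
            continue
        k, sep, v = raw.partition("=")
        if not sep:
            continue
        key = k.strip()
        settings[key] = v.strip()
    return settings


def postfix_services(master_text):
    """Map master.cf service names to their '-o' overrides.

    A service line has 8+ fields (name, type, private, unpriv, chroot, wakeup,
    maxproc, command); indented '-o name=value' lines belong to the service
    above. Commented-out lines are ignored, so a commented '-o' override does
    not count as active.
    """
    services, current = {}, None
    for raw in master_text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t":
            m = re.match(r"-o\s+(\S+)", raw.strip())
            if current is not None and m:
                services[current].append(m.group(1))
            continue
        fields = raw.split()
        if len(fields) >= 8:
            current = fields[0]
            services[current] = []
    return services


def audit_postfix(main_cf, master_cf):
    """Return a list of findings; an empty list means the page's settings are present."""
    findings, cfg = [], parse_kv(main_cf)
    if cfg.get("smtpd_use_tls") != "yes":
        findings.append("smtpd_use_tls is not 'yes'")
    for k in ("smtpd_tls_cert_file", "smtpd_tls_key_file"):
        if not cfg.get(k):
            findings.append(f"{k} is not set")
    for k in ("smtp_tls_mandatory_protocols", "smtpd_tls_mandatory_protocols"):
        excluded = {p.strip() for p in cfg.get(k, "").split(",")}
        if not {"!SSLv2", "!SSLv3"} <= excluded:
            findings.append(f"{k} does not exclude SSLv2 and SSLv3")
    if not cfg.get("smtpd_tls_session_cache_database", "").startswith("btree:"):
        findings.append("smtpd_tls_session_cache_database is not a btree: table")
    svc = postfix_services(master_cf)
    if "smtpd_sasl_auth_enable=yes" not in svc.get("submission", []):
        findings.append("submission service missing smtpd_sasl_auth_enable=yes")
    if "smtpd_tls_wrappermode=yes" not in svc.get("smtps", []):
        findings.append("smtps service missing smtpd_tls_wrappermode=yes")
    if "tlsmgr" not in svc:
        findings.append("tlsmgr service is commented out")
    return findings


def audit_dovecot(ssl_conf):
    """Check 10-ssl.conf: ssl on, cert/key/dh given as '<file' references, TLS minimum."""
    findings, cfg = [], parse_kv(ssl_conf)
    if cfg.get("ssl") != "yes":
        findings.append("ssl is not 'yes'")
    for k in ("ssl_cert", "ssl_key", "ssl_dh"):
        if not cfg.get(k, "").startswith("<"):  # '<' tells Dovecot to read the file
            findings.append(f"{k} does not reference a file")
    if not cfg.get("ssl_min_protocol", "").startswith("TLSv1"):
        findings.append("ssl_min_protocol does not require TLS")
    return findings


# Constructed samples mirroring the edits on this page (not real config files).
MAIN_CF_HARDENED = """\
# line 770: change
smtpd_use_tls = yes
smtpd_tls_cert_file = /etc/letsencrypt/live/mail.srv.world/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/mail.srv.world/privkey.pem
smtp_tls_mandatory_protocols = !SSLv2,
    !SSLv3
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
"""
MAIN_CF_DEFAULT = "smtpd_use_tls = no\n"  # constructed 'before' state of line 770
MASTER_CF = """\
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
#  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
smtps     inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
"""
DOVECOT_SSL_CONF = """\
ssl = yes
ssl_cert = </etc/letsencrypt/live/mail.srv.world/fullchain.pem
ssl_key = </etc/letsencrypt/live/mail.srv.world/privkey.pem
ssl_dh = </etc/dovecot/dh.pem
ssl_min_protocol = TLSv1
"""

if __name__ == "__main__":
    for label, found in (("postfix (before)", audit_postfix(MAIN_CF_DEFAULT, MASTER_CF)),
                         ("postfix (after)", audit_postfix(MAIN_CF_HARDENED, MASTER_CF)),
                         ("dovecot", audit_dovecot(DOVECOT_SSL_CONF))):
        print(label, "OK" if not found else found)
```

Run it after editing and before `systemctl restart`; the "before" sample shows what the report looks like when line 770 still reads `smtpd_use_tls = no` and the certificate and protocol settings have not been added.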
[3] If Firewalld is running, allow the SMTP-Submission, SMTPS, POP3S and IMAPS services.
SMTP-Submission uses 587/TCP (with STARTTLS), SMTPS uses 465/TCP, POP3S uses 995/TCP and IMAPS uses 993/TCP.
mail:~ #
firewall-cmd --add-service={smtp-submission,smtps,pop3s,imaps} --permanent

success
mail:~ #
firewall-cmd --reload

success
[4] For the client settings (Mozilla Thunderbird):
Open the account's properties, move to [Server Settings] in the left pane, then select [STARTTLS] or [SSL/TLS] in the [Connection security] field in the right pane. (This example selects [STARTTLS].)
[5] Move to [Outgoing Server] in the left pane, then select [STARTTLS] or [SSL/TLS] in the [Connection security] field.
Also change the port to the one in use: [STARTTLS] uses [587], [SSL/TLS] uses 465. (This example selects [STARTTLS].)
[6] Make sure that sending and receiving emails works normally.