SSL/TLS Setting2019/01/24 |
Configure SSL/TLS to encrypt connections.
|
|
[1] | |
[2] | Configure Postfix and Dovecot. |
mail:~ #
vi /etc/postfix/main.cf # line 770: change smtpd_use_tls = yes
# line 774: specify certificates smtpd_tls_cert_file = /etc/letsencrypt/live/mail.srv.world/fullchain.pem smtpd_tls_key_file = /etc/letsencrypt/live/mail.srv.world/privkey.pem
# line 778: add
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3 smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
mail:~ #
vi /etc/postfix/master.cf # line 23,24,26: uncomment submission inet n - n - - smtpd -o syslog_name=postfix/submission # -o smtpd_tls_security_level=encrypt -o smtpd_sasl_auth_enable=yes # line 34-36: uncomment smtps inet n - n - - smtpd -o syslog_name=postfix/smtps -o smtpd_tls_wrappermode=yes # line 51: uncomment tlsmgr unix - - n 1000? 1 tlsmgr # generate DH param for Dovecot mail:~ # openssl dhparam 4096 > /etc/dovecot/dh.pem
mail:~ #
vi /etc/dovecot/conf.d/10-ssl.conf # line 6: change ssl = yes
# line 12,13: specify certificates ssl_cert = < /etc/letsencrypt/live/mail.srv.world/fullchain.pem ssl_key = < /etc/letsencrypt/live/mail.srv.world/privkey.pem
# line 50: uncomment ssl_dh = </etc/dovecot/dh.pem # line 54: uncomment ssl_min_protocol = TLSv1
mail:~ #
vi /etc/services # line 874: change
#urd 465/tcp # URL Rendesvous Directory for SSM [Toerless_Eckert]
smtps 465/tcp # Secure SMTP
smtps 465/udp # Secure SMTP
mail:~ # systemctl restart postfix dovecot
|
[3] | If Firewalld is running, allow SMTP-Submission/SMTPS/POP3S/IMAPS services. SMTP-Submission uses 587/TCP(used STARTTLS), SMTPS uses 465/TCP, POP3S uses 995/TCP, IMAPS uses 993/TCP. |
mail:~ # firewall-cmd --add-service={smtp-submission,smtps,pop3s,imaps} --permanent success mail:~ # firewall-cmd --reload success |
[4] | For Client's settings, ( Mozilla Thunderbird ) Open account's property and move to [Server Settings] on the left pane, then Select [STARTTLS] or [SSL/TLS] on [Connection security] field on the right pane. (this example shows to select [STARTTLS]) |
[5] | Move to [Outgoing Server] on the left pane, then Select [STARTTLS] or [SSL/TLS] on [Connection security] field. Furthermore, change port to the used port. ([STARTTLS] uses [587], [SSL/TLS] uses 465, this example shows to select [STARTTLS]) |
[6] | Make sure possible to send or receive Emails normally. |
Sponsored Link |
|