[5] Dovecot+SSL – Configuration
5 February 2023

Edit [/usr/local/etc/dovecot/conf.d/10-auth.conf].

root@vfbsd01:~ # cp /usr/local/etc/dovecot/conf.d/10-auth.conf /usr/local/etc/dovecot/conf.d/10-auth.conf.old
root@vfbsd01:~ # mcedit /usr/local/etc/dovecot/conf.d/10-auth.conf
# line 10: change
disable_plaintext_auth = yes
Edit [/usr/local/etc/dovecot/conf.d/10-ssl.conf].

root@vfbsd01:~ # cp /usr/local/etc/dovecot/conf.d/10-ssl.conf /usr/local/etc/dovecot/conf.d/10-ssl.conf.old
root@vfbsd01:~ # mcedit /usr/local/etc/dovecot/conf.d/10-ssl.conf
# line 6: change
ssl = yes
# lines 12-13: uncomment and change
ssl_cert = </usr/local/etc/postfix/mailbsd.zicher.lab_server-cert.crt
ssl_key = </usr/local/etc/postfix/mailbsd.zicher.lab_server-key.key
We will use self-signed certificates, but check http://www.startssl.com for free certificates. Unlike Apache virtual hosts, you do not need a separate certificate for every virtual domain. Self-signed certificates are treated as fake or are rejected outright, so when you try to send or receive e-mail you will be prompted to accept the untrusted certificate; the goal here is to show how to use them, not 100% compliance.

root@vfbsd01:~ # cd /usr/local/etc/postfix
root@vfbsd01:/usr/local/etc/postfix # openssl genrsa -out mailbsd.zicher.lab_server-key.key 1024
Generating RSA private key, 1024 bit long modulus (2 primes)
.................+++++
................+++++
e is 65537 (0x010001)
root@vfbsd01:/usr/local/etc/postfix # openssl req -new -key mailbsd.zicher.lab_server-key.key -out mailbsd.zicher.lab_server-cert.csr
# you have to answer a few questions about the certificate
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:PL                                      # enter the country
State or Province Name (full name) [Some-State]:Katowice                  # enter the city
Locality Name (eg, city) []:Rybnik                                        # enter the county
Organization Name (eg, company) [Internet Widgits Pty Ltd]:zicher.LAB     # enter the company
Organizational Unit Name (eg, section) []:                                # [Enter]
Common Name (e.g. server FQDN or YOUR name) []:mailbsd.zicher.lab         # enter the FQDN
Email Address []:adam@zicher.lab                                          # enter the e-mail address

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:                                                  # [Enter]
An optional company name []:                                              # [Enter]
Now we will sign the certificate.

root@vfbsd01:/usr/local/etc/postfix # openssl x509 -req -days 3650 -in mailbsd.zicher.lab_server-cert.csr -signkey mailbsd.zicher.lab_server-key.key -out mailbsd.zicher.lab_server-cert.crt
Signature ok
subject=C = PL, ST = Katowice, L = Rybnik, O = zicher.LAB, CN = mailbsd.zicher.lab, emailAddress = adam@zicher.lab
Getting Private key
Now let's restart Postfix and Dovecot.

root@vfbsd01:~ # service postfix restart
postfix/postfix-script: stopping the Postfix mail system
postfix/postfix-script: starting the Postfix mail system
root@vfbsd01:~ # service dovecot restart
Stopping dovecot.
Waiting for PIDS: 3625.
Starting dovecot.
It is time to test SMTP SSL/TLS on port 587.

root@vfbsd01:~ # openssl s_client -starttls smtp -connect localhost:587
CONNECTED(00000003)
Can't use SSL_get_servername
depth=0 C = PL, ST = Katowice, L = Rybnik, O = zicher.LAB, CN = mailbsd.zicher.lab, emailAddress = adam@zicher.lab
verify error:num=18:self signed certificate
verify return:1
depth=0 C = PL, ST = Katowice, L = Rybnik, O = zicher.LAB, CN = mailbsd.zicher.lab, emailAddress = adam@zicher.lab
verify return:1
---
Certificate chain
 0 s:C = PL, ST = Katowice, L = Rybnik, O = zicher.LAB, CN = mailbsd.zicher.lab, emailAddress = adam@zicher.lab
   i:C = PL, ST = Katowice, L = Rybnik, O = zicher.LAB, CN = mailbsd.zicher.lab, emailAddress = adam@zicher.lab
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICijCCAfMCFBLHaU8BrDJrQVHacO6balP3iVQHMA0GCSqGSIb3DQEBCwUAMIGD
…
HVWhu2CgkLyhxLG5tAx6dmPoJiAGWWLkI5BIo0bjH7b88cnlp9oJeOdA+Wm/ADnO
INx8mbDt81LHWuMHOfBkARHhrcW+kmd+UW8V955B
-----END CERTIFICATE-----
subject=C = PL, ST = Katowice, L = Rybnik, O = zicher.LAB, CN = mailbsd.zicher.lab, emailAddress = adam@zicher.lab
issuer=C = PL, ST = Katowice, L = Rybnik, O = zicher.LAB, CN = mailbsd.zicher.lab, emailAddress = adam@zicher.lab
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1319 bytes and written 406 bytes
Verification error: self signed certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 1024 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 18 (self signed certificate)
---
250 CHUNKING
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    Session-ID-ctx:
    Resumption PSK: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 58 02 1f 92 71 0f 1f 85-a0 eb d4 eb 7f a0 c3 f6   X...q...........
    …
    00c0 - 08 23 01 a4 dc 10 a8 7e-88 f9 71 67 e0 4e 6a f0   .#.....~..qg.Nj.

    Start Time: 1668972682
    Timeout   : 7200 (sec)
    Verify return code: 18 (self signed certificate)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
ehlo cokolwiek.com
250-mailbsd.zicher.lab
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH PLAIN
250-AUTH=PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250-SMTPUTF8
250 CHUNKING
mail from:adam@zicher.lab
250 2.1.0 Ok
quit
221 2.0.0 Bye
closed
Once the TLS handshake completes, type ehlo cokolwiek.com, press [Enter], and then send a message from adam@zicher.lab. If these steps work, everything should be OK.
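As an added post-setup check (not part of the original post), the script below audits a saved transcript of the openssl s_client test above: it extracts the negotiated protocol, cipher, server key size and verify return code, accepts the self-signed result this lab expects, and flags the 1024-bit key the walkthrough generates. The transcript file is constructed to mirror the output above, and the function names are my own.

```shell
#!/bin/sh
# Added audit helper (not from the original post): reads a saved transcript of
# `openssl s_client -starttls smtp -connect host:587` and reports what to check
# after the setup above: protocol, cipher, server key size, verification result.

# One "Label : value" field from the SSL-Session block of the transcript.
tls_field() {                    # $1 = transcript file, $2 = label
    sed -n "s/^[[:space:]]*$2[[:space:]]*: *//p" "$1" | head -n 1
}
tls_protocol() { tls_field "$1" Protocol; }
tls_cipher()   { tls_field "$1" Cipher; }

# Server key size from "Server public key is NNNN bit".
tls_key_bits() {
    sed -n 's/^Server public key is \([0-9]*\) bit.*/\1/p' "$1" | head -n 1
}
# Numeric code from "Verify return code: N (...)"; 0 = chain verified, 18 = self-signed.
tls_verify_code() {
    sed -n 's/^[[:space:]]*Verify return code: \([0-9]*\).*/\1/p' "$1" | head -n 1
}

# Print a one-line summary plus findings; exit status 1 if anything is weak.
tls_audit() {
    f=$1 rc=0
    proto=$(tls_protocol "$f") bits=$(tls_key_bits "$f") code=$(tls_verify_code "$f")
    echo "protocol=$proto cipher=$(tls_cipher "$f") key_bits=$bits verify=$code"
    [ "${bits:-0}" -ge 2048 ] || { echo "WEAK: RSA key is ${bits:-?} bits; generate 2048 or more"; rc=1; }
    case $proto in TLSv1.2|TLSv1.3) ;; *) echo "WEAK: protocol '$proto'"; rc=1 ;; esac
    case $code in
        0)  echo "OK: certificate chain verified" ;;
        18) echo "NOTE: self-signed certificate; clients will warn until they trust it" ;;
        *)  echo "FAIL: verification error $code"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample mirroring the transcript above (1024-bit self-signed key).
SAMPLE_LAB=$(mktemp)
cat >"$SAMPLE_LAB" <<'EOF'
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 1024 bit
Verify return code: 18 (self signed certificate)
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
EOF

tls_audit "$SAMPLE_LAB" || echo "audit exit status: $?"
```

Save the real output with `openssl s_client -starttls smtp -connect localhost:587 </dev/null > transcript.txt` and run `tls_audit transcript.txt` against it; a 2048-bit key and a CA-issued certificate bring the exit status to 0.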
To test SASL with Postfix and Dovecot, type:

root@vfbsd01:~ # doveadm auth test -a /var/spool/postfix/private/auth adam@zicher.lab TajneHaslo
passdb: adam@zicher.lab auth succeeded
extra fields:
  user=adam@zicher.lab
That is the end of ports 110 and 143. Use 995 for POP3, 587 for SMTP (SASL) and 993 for IMAP instead. The user name is your e-mail address and the password is the one you generated with the [doveadm pw] command.