[5] Dovecot+SSL – Configuration

5 February 2023, by Adam [zicherka] Nogły

Edit [/usr/local/etc/dovecot/conf.d/10-auth.conf]. With disable_plaintext_auth = yes Dovecot refuses password logins on a connection that is not TLS-protected; the only exception is a client connecting from the server's own IP, which Dovecot treats as secure.

root@vfbsd01:~ # cp /usr/local/etc/dovecot/conf.d/10-auth.conf /usr/local/etc/dovecot/conf.d/10-auth.conf.old
root@vfbsd01:~ # mcedit /usr/local/etc/dovecot/conf.d/10-auth.conf
# line 10: change
disable_plaintext_auth = yes

Edit [/usr/local/etc/dovecot/conf.d/10-ssl.conf]. The certificate and key are the same files Postfix uses, so both daemons present one identity to clients.

root@vfbsd01:~ # cp /usr/local/etc/dovecot/conf.d/10-ssl.conf /usr/local/etc/dovecot/conf.d/10-ssl.conf.old
root@vfbsd01:~ # mcedit /usr/local/etc/dovecot/conf.d/10-ssl.conf
# line 6: change
ssl = yes
# lines 12-13: uncomment and change
ssl_cert = </usr/local/etc/postfix/mailbsd.zicher.lab_server-cert.crt
ssl_key = </usr/local/etc/postfix/mailbsd.zicher.lab_server-key.key
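
A stricter version of the same 10-ssl.conf, added here as an example and not taken from the original post: it makes TLS mandatory for logins instead of optional and pins the minimum protocol version. ssl_min_protocol needs Dovecot 2.3 or newer, and the dh.pem path is an assumption.

```conf
# conf.d/10-ssl.conf (hardened variant; added example, not the post's own file)

# required: logins that are not protected by TLS are refused outright,
# regardless of the disable_plaintext_auth setting
ssl = required
ssl_cert = </usr/local/etc/postfix/mailbsd.zicher.lab_server-cert.crt
ssl_key = </usr/local/etc/postfix/mailbsd.zicher.lab_server-key.key

# Dovecot 2.3+: drop SSLv3 and TLS 1.0/1.1 entirely
ssl_min_protocol = TLSv1.2
ssl_prefer_server_ciphers = yes
ssl_cipher_list = ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!MD5

# DH parameters for the DHE suites above (path is an assumption);
# create the file once with: openssl dhparam -out /usr/local/etc/dovecot/dh.pem 2048
ssl_dh = </usr/local/etc/dovecot/dh.pem
```

After editing, doveconf -n | grep ssl shows the effective values and will complain about any setting your Dovecot version does not know.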

We will use self-signed certificates here. Older guides point to http://www.startssl.com for free certificates, but StartCom stopped issuing certificates in 2018; today Let's Encrypt is the free option. Unlike Apache virtual hosts, you do not need a separate certificate for each virtual mail domain: one certificate for the hostname clients connect to (mailbsd.zicher.lab) covers all of them. Mail clients do not trust a self-signed certificate, so the first time you send or receive mail you will be asked to accept the unknown certificate (some clients refuse it outright); the point here is to show how the pieces fit together, not a fully trusted setup. Two things in the transcript below should be done differently on anything but a lab box: use a key of at least 2048 bits (1024-bit RSA has been below the accepted minimum for years), and put the hostname in a subjectAltName, because current TLS libraries match the hostname against the SAN list and increasingly ignore the Common Name.

root@vfbsd01:~ # cd /usr/local/etc/postfix
root@vfbsd01:/usr/local/etc/postfix # openssl genrsa -out mailbsd.zicher.lab_server-key.key 1024
Generating RSA private key, 1024 bit long modulus (2 primes)
.................+++++
................+++++
e is 65537 (0x010001)
root@vfbsd01:/usr/local/etc/postfix # openssl req -new -key mailbsd.zicher.lab_server-key.key -out mailbsd.zicher.lab_server-cert.csr
# you will be asked a few questions about the certificate subject
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:PL # enter the country code
State or Province Name (full name) [Some-State]:Katowice # enter the state or province
Locality Name (eg, city) []:Rybnik # enter the city
Organization Name (eg, company) [Internet Widgits Pty Ltd]:zicher.LAB # enter the organisation
Organizational Unit Name (eg, section) []: # [Enter]
Common Name (e.g. server FQDN or YOUR name) []:mailbsd.zicher.lab # enter the server's FQDN, exactly as clients will connect to it
Email Address []:adam@zicher.lab # enter a contact e-mail address

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: # [Enter]
An optional company name []: # [Enter]

Now sign the request with the same key, which produces a self-signed certificate valid for 3650 days.

root@vfbsd01:/usr/local/etc/postfix # openssl x509 -req -days 3650 -in mailbsd.zicher.lab_server-cert.csr -signkey mailbsd.zicher.lab_server-key.key -out mailbsd.zicher.lab_server-cert.crt
Signature ok
subject=C = PL, ST = Katowice, L = Rybnik, O = zicher.LAB, CN = mailbsd.zicher.lab, emailAddress = adam@zicher.lab
Getting Private key
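
The same result as the three openssl commands above, scripted as an added example (not the post's own commands) with a 2048-bit key and a subjectAltName instead of a 1024-bit key and a bare CN, plus a permission check on the private key. The subject fields, the extra hostnames and the 3650-day validity are assumptions for the lab; run it as sh mkcert.sh /usr/local/etc/postfix mailbsd.zicher.lab to put the files where 10-ssl.conf expects them.

```sh
#!/bin/sh
# Added example (not part of the original post): create the server key and a
# self-signed certificate in one step, with a 2048-bit key and a Subject
# Alternative Name, and keep the key unreadable to other users.  Directory,
# hostnames, subject fields and the 10-year validity are lab assumptions.
set -eu

# Emit an OpenSSL request config for the given hostnames: the first one is
# the CN, all of them go into subjectAltName (what clients actually check).
san_config() {
    cn=$1
    shift
    sans="DNS:$cn"
    for h in "$@"; do
        sans="$sans,DNS:$h"
    done
    printf '[req]\ndistinguished_name = dn\nprompt = no\nx509_extensions = v3_req\n'
    printf '[dn]\nC = PL\nO = zicher.LAB\nCN = %s\n' "$cn"
    printf '[v3_req]\nsubjectAltName = %s\n' "$sans"
    printf 'keyUsage = digitalSignature, keyEncipherment\nextendedKeyUsage = serverAuth\n'
}

# Generate key + certificate under $1 for hostnames $2...; print the cert path.
# File names follow the post's <fqdn>_server-key.key / _server-cert.crt pattern.
make_selfsigned() {
    dir=$1
    cn=$2
    shift 2
    key="$dir/${cn}_server-key.key"
    crt="$dir/${cn}_server-cert.crt"
    cfg="$dir/${cn}_openssl.cnf"
    san_config "$cn" "$@" > "$cfg"
    # umask 077 in a subshell: the key is 0600 from the moment it exists,
    # so there is no window in which it is world-readable
    (umask 077 && openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -keyout "$key" -out "$crt" -config "$cfg" 2>/dev/null)
    chmod 600 "$key"
    chmod 644 "$crt"
    printf '%s\n' "$crt"
}

# Show what matters for a mail server certificate: key size, SANs, validity.
cert_summary() {
    openssl x509 -in "$1" -noout -text | grep -E 'Public-Key|DNS:|Not (Before|After)'
}

# A self-signed certificate must verify against itself; "broken" means the
# key and certificate do not belong together or the file is damaged.
cert_selfcheck() {
    if openssl verify -CAfile "$1" "$1" >/dev/null 2>&1; then echo ok; else echo broken; fi
}

# Usage: sh mkcert.sh /usr/local/etc/postfix mailbsd.zicher.lab [more-names...]
if [ "$#" -ge 2 ]; then
    crt=$(make_selfsigned "$@")
    cert_summary "$crt"
    echo "self-check: $(cert_selfcheck "$crt")"
fi
```

openssl verify against the certificate itself only proves the pair is consistent; for a CA-issued certificate you would pass the CA bundle to -CAfile instead. Keep the generated .cnf if you expect to renew: rerunning the script with the same arguments reproduces the same subject and SAN list.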

Now restart Postfix and Dovecot so they pick up the certificate.

root@vfbsd01:~ # service postfix restart
postfix/postfix-script: stopping the Postfix mail system
postfix/postfix-script: starting the Postfix mail system
root@vfbsd01:~ # service dovecot restart
Stopping dovecot.
Waiting for PIDS: 3625.
Starting dovecot.

Time to test SMTP STARTTLS on the submission port 587. The verify error 18 (self signed certificate) in the output below is expected: s_client has no trust anchor for our own certificate. What we want to see is the TLSv1.3 handshake and the EHLO reply after it. The line Server public key is 1024 bit reflects the key size chosen above, which is why a 2048-bit key is recommended for anything beyond a lab.

root@vfbsd01:~ # openssl s_client -starttls smtp -connect localhost:587
CONNECTED(00000003)
Can't use SSL_get_servername
depth=0 C = PL, ST = Katowice, L = Rybnik, O = zicher.LAB, CN = mailbsd.zicher.lab, emailAddress = adam@zicher.lab
verify error:num=18:self signed certificate
verify return:1
depth=0 C = PL, ST = Katowice, L = Rybnik, O = zicher.LAB, CN = mailbsd.zicher.lab, emailAddress = adam@zicher.lab
verify return:1
---
Certificate chain
0 s:C = PL, ST = Katowice, L = Rybnik, O = zicher.LAB, CN = mailbsd.zicher.lab, emailAddress = adam@zicher.lab
i:C = PL, ST = Katowice, L = Rybnik, O = zicher.LAB, CN = mailbsd.zicher.lab, emailAddress = adam@zicher.lab
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICijCCAfMCFBLHaU8BrDJrQVHacO6balP3iVQHMA0GCSqGSIb3DQEBCwUAMIGD

HVWhu2CgkLyhxLG5tAx6dmPoJiAGWWLkI5BIo0bjH7b88cnlp9oJeOdA+Wm/ADnO
INx8mbDt81LHWuMHOfBkARHhrcW+kmd+UW8V955B
-----END CERTIFICATE-----
subject=C = PL, ST = Katowice, L = Rybnik, O = zicher.LAB, CN = mailbsd.zicher.lab, emailAddress = adam@zicher.lab

issuer=C = PL, ST = Katowice, L = Rybnik, O = zicher.LAB, CN = mailbsd.zicher.lab, emailAddress = adam@zicher.lab

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1319 bytes and written 406 bytes
Verification error: self signed certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 1024 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 18 (self signed certificate)
---
250 CHUNKING
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Session-ID-ctx:
Resumption PSK: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
0000 - 58 02 1f 92 71 0f 1f 85-a0 eb d4 eb 7f a0 c3 f6 X...q...........

00c0 - 08 23 01 a4 dc 10 a8 7e-88 f9 71 67 e0 4e 6a f0 .#.....~..qg.Nj.

Start Time: 1668972682
Timeout : 7200 (sec)
Verify return code: 18 (self signed certificate)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
ehlo cokolwiek.com
250-mailbsd.zicher.lab
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH PLAIN
250-AUTH=PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250-SMTPUTF8
250 CHUNKING
mail from:adam@zicher.lab
250 2.1.0 Ok
quit
221 2.0.0 Bye
closed

Then type ehlo cokolwiek.com, press [Enter], and start a message with mail from:adam@zicher.lab. If the server answers 250 to both, it accepts commands over TLS. Note that AUTH PLAIN appears in this EHLO reply because it was sent inside the TLS session; repeat the EHLO on a plain connection to port 587 (telnet or nc, no -starttls) and make sure AUTH is not offered there, otherwise a misconfigured client could send its password in the clear. If it is offered, set smtpd_tls_auth_only = yes in Postfix's main.cf.
To test the SASL authentication that Postfix hands to Dovecot over its auth socket, run:

root@vfbsd01:~ # doveadm auth test -a /var/spool/postfix/private/auth adam@zicher.lab TajneHaslo
passdb: adam@zicher.lab auth succeeded
extra fields:
user=adam@zicher.lab
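
The STARTTLS test above turned into a repeatable script, as an added example that is not part of the original post. It also covers the case the transcript cannot show: AUTH must not be advertised on a plaintext EHLO, only after STARTTLS, and the negotiated protocol must be TLS 1.2 or 1.3. The parsing functions work on captured output (they are exercised on constructed EHLO replies); the live probes assume nc(1) and openssl(1) on the host and the lab hostname and port.

```sh
#!/bin/sh
# Added example (not part of the original post): check that the submission
# service offers SASL AUTH only inside TLS and negotiates TLS 1.2 or newer.
# Host, port and the use of nc(1) for the plaintext probe are lab assumptions.
set -eu

# Read an EHLO reply on stdin; print yes/no for "AUTH is advertised".
# Matches both "250-AUTH PLAIN" and the legacy "250-AUTH=PLAIN" form.
ehlo_offers_auth() {
    if grep -Eq '^250[- ]AUTH[ =]'; then echo yes; else echo no; fi
}

# Pull the negotiated protocol out of openssl s_client output on stdin.
tls_protocol() {
    sed -n 's/^ *Protocol *: *//p' | head -n 1
}

# Live probe 1: plaintext EHLO. A correctly configured server must not
# advertise AUTH here (Postfix: smtpd_tls_auth_only = yes).
plain_ehlo() {
    printf 'EHLO probe.zicher.lab\r\nQUIT\r\n' | nc -w 5 "$1" "$2"
}

# Live probe 2: EHLO inside STARTTLS; AUTH must be advertised now.
# s_client does its own EHLO/STARTTLS first, then relays our second EHLO.
tls_ehlo() {
    printf 'EHLO probe.zicher.lab\r\nQUIT\r\n' \
        | openssl s_client -quiet -starttls smtp -connect "$1:$2" 2>/dev/null
}

# Live probe 3: full s_client output, for the protocol version.
tls_info() {
    printf 'QUIT\r\n' | openssl s_client -starttls smtp -connect "$1:$2" 2>/dev/null
}

run_checks() {
    host=$1 port=$2
    [ "$(plain_ehlo "$host" "$port" | ehlo_offers_auth)" = no ] \
        || { echo "FAIL: AUTH offered on plaintext $host:$port (set smtpd_tls_auth_only = yes)"; return 1; }
    [ "$(tls_ehlo "$host" "$port" | ehlo_offers_auth)" = yes ] \
        || { echo "FAIL: no AUTH after STARTTLS on $host:$port"; return 1; }
    proto=$(tls_info "$host" "$port" | tls_protocol)
    case $proto in
        TLSv1.2|TLSv1.3) echo "OK: AUTH only inside TLS, negotiated $proto" ;;
        *) echo "FAIL: negotiated '$proto', expected TLS 1.2 or newer"; return 1 ;;
    esac
}

# Usage: sh check_submission.sh mailbsd.zicher.lab 587
if [ "$#" -eq 2 ]; then
    run_checks "$1" "$2"
fi
```

The same three probes apply to the Dovecot ports by swapping -starttls smtp for -starttls imap on 143 (or a plain -connect on 993/995), looking for the LOGINDISABLED capability on the plaintext side instead of a missing AUTH.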

That is it for ports 110 and 143: use 995 for POP3, 587 for SMTP submission (STARTTLS plus SASL) and 993 for IMAP. The username is your e-mail address and the password is the one you set earlier with [doveadm pw]. One caveat: with ssl = yes and disable_plaintext_auth = yes Dovecot still listens on 110 and 143; it only refuses to authenticate there until the client issues STARTTLS. If you want those ports closed, set their inet_listeners to port = 0 in 10-master.conf and confirm with sockstat -4l | grep dovecot.
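
The listener change that actually closes 110 and 143, as an added example rather than the post's own file; the service and listener names are the ones in Dovecot's stock conf.d/10-master.conf.

```conf
# conf.d/10-master.conf: keep only the implicit-TLS listeners (added example)
service imap-login {
  inet_listener imap {
    port = 0
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}

service pop3-login {
  inet_listener pop3 {
    port = 0
  }
  inet_listener pop3s {
    port = 995
    ssl = yes
  }
}
```

After service dovecot restart, sockstat -4l | grep dovecot should list only 993 and 995; any client still configured for 143 or 110 will then fail to connect instead of silently negotiating STARTTLS.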