January 12, 2017

OpenSSL For Apache and Dovecot: Part 2


In this tutorial, Carla Schroder explains how to protect your Postfix/Dovecot mail server with OpenSSL.

Last week, as part of our meandering OpenSSL series, we learned how to configure Apache to use OpenSSL and to force all sessions to use HTTPS. Today, we'll protect our Postfix/Dovecot mail server with OpenSSL. The examples build on the previous tutorials; see the Resources section at the end for links to all previous tutorials in this series.

You will have to configure both Postfix and Dovecot to use OpenSSL, and we'll use the key and certificate that we created in OpenSSL For Apache and Dovecot.

Postfix Configuration

You must edit /etc/postfix/main.cf and /etc/postfix/master.cf. The main.cf example is the complete configuration, building on our previous tutorials. Substitute your own OpenSSL key and certificate names, and local network:

smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu/GNU)
biff = no
append_dot_mydomain = no

myhostname = localhost
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = $myhostname
mynetworks = [::ffff:]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all

virtual_mailbox_domains = /etc/postfix/vhosts.txt
virtual_mailbox_base = /home/vmail
virtual_mailbox_maps = hash:/etc/postfix/vmaps.txt
virtual_minimum_uid = 1000
virtual_uid_maps = static:5000
virtual_gid_maps = static:5000
virtual_transport = lmtp:unix:private/dovecot-lmtp


smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_authenticated_header = yes
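The listing above contains no TLS directives, although it is where your key and certificate names go. The following fragment is added here and is not part of the original listing: it contains the standard Postfix directives that point the SMTP server at the key and certificate from the previous tutorial (the same paths the Dovecot configuration below uses; substitute your own) and that make Postfix offer STARTTLS on port 25, which the openssl s_client test later in this article relies on.

```ini
# TLS settings for the Postfix SMTP server (added fragment; use your own
# key and certificate paths, here the ones created in the previous tutorial)
smtpd_tls_cert_file = /etc/ssl/certs/test-com.pem
smtpd_tls_key_file = /etc/ssl/private/test-com.key
# "may" offers STARTTLS on port 25 without requiring it; the submission
# service in master.cf overrides this with "encrypt" for port 587
smtpd_tls_security_level = may
```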

In master.cf un-comment the following lines in the submission inet section (shown here already un-commented, as they should read when you are done), and edit smtpd_recipient_restrictions as shown:

submission inet n  -  y  -  - smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o milter_macro_daemon_name=ORIGINATING
  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
  -o smtpd_tls_wrappermode=no

Reload Postfix and you're finished:

$ sudo service postfix reload

Dovecot Configuration

In our previous tutorials we made a single configuration file for Dovecot, /etc/dovecot/dovecot.conf, rather than using the default giant herd of multiple configuration files. This is a complete configuration that builds on our previous tutorials. Again, use your own OpenSSL key and certificate, and your own userdb home directory:

protocols = imap pop3 lmtp
log_path = /var/log/dovecot.log
info_log_path = /var/log/dovecot-info.log
# "no" also permits logins on unencrypted connections; Dovecot's default
# is "yes", which rejects plaintext authentication unless TLS is in use
disable_plaintext_auth = no
mail_location = maildir:~/.Mail
pop3_uidl_format = %g
auth_mechanisms = plain

passdb {
  driver = passwd-file
  args = /etc/dovecot/passwd
}

userdb {
  driver = static
  args = uid=vmail gid=vmail home=/home/vmail/studio/%u
}

# Local delivery from Postfix over LMTP (the two service lmtp blocks
# are merged into one here)
service lmtp {
  user = vmail
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0600
    user = postfix
  }
}

protocol lmtp {
  postmaster_address = postmaster@studio
}

# SASL authentication socket used by Postfix (smtpd_sasl_path = private/auth)
service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
  }
}

# The key and certificate from the previous tutorial; the leading "<"
# tells Dovecot to read the contents of the file
ssl_cert = </etc/ssl/certs/test-com.pem
ssl_key = </etc/ssl/private/test-com.key

Restart Dovecot:

$ sudo service dovecot restart

Testing With Telnet

Now we can test our setup by sending a message with telnet, just like we did before. But wait, you say, telnet does not support TLS/SSL, so how can this be so? By opening an encrypted session with openssl s_client first is how. The openssl s_client output will display your certificate, fingerprint, and a ton of other information so you'll know that your server is using the correct certificate. After the session is established, the lines that begin with a three-digit code are the server's responses, and the remaining lines are the commands that you type:

$ openssl s_client -starttls smtp -connect studio:25
[masses of output snipped]
    Verify return code: 0 (ok)
EHLO studio
250-SIZE 10240000
mail from: <carla@domain.com>
250 2.1.0 Ok
rcpt to: <alrac@studio>
250 2.1.5 Ok
data
354 End data with <CR><LF>.<CR><LF>
subject: TLS/SSL test

Hello, we are testing TLS/SSL. Looking good so far.
.
250 2.0.0 Ok: queued as B9B529FE59
quit
221 2.0.0 Bye

You should see a new message in your mail client, and it will ask you to verify your SSL certificate when you open it. You may also use openssl s_client to test your Dovecot POP3 and IMAP services. This example tests encrypted POP3, and message #5 is the one we created in telnet (above):

$ openssl s_client -connect studio:995
[masses of output snipped]
    Verify return code: 0 (ok)
+OK Dovecot ready
user alrac@studio
+OK
pass password
+OK Logged in.
list
+OK 5 messages:
1 499
2 504
3 514
4 513
5 565
.
retr 5
+OK 565 octets
Return-Path: <carla@domain.com>
Delivered-To: alrac@studio
Received: from localhost
        by studio.alrac.net (Dovecot) with LMTP id y8G5C8aablgKIQAAYelYQA
        for <alrac@studio>; Thu, 05 Jan 2017 11:13:10 -0800
Received: from studio (localhost [])
        by localhost (Postfix) with ESMTPS id B9B529FE59
        for <alrac@studio>; Thu,  5 Jan 2017 11:12:13 -0800 (PST)
subject: TLS/SSL test
Message-Id: <20170105191240.B9B529FE59@localhost>
Date: Thu,  5 Jan 2017 11:12:13 -0800 (PST)
From: carla@domain.com

Hello, we are testing TLS/SSL. Looking good so far.
.
quit
+OK Logging out.
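The two openssl s_client sessions above let you eyeball the certificate the server presents. The script below, an added example that is not from the original article, turns that check into something you can repeat after every certificate change: it computes the SHA-256 fingerprint of the PEM file you installed and compares it with the fingerprint of the certificate the server actually serves, for STARTTLS ports (25, 587, 110, 143) and implicit-TLS ports (995, 993) alike. It needs only the openssl command-line tool; the host name studio, the ports, and the /etc/ssl paths are taken from the tutorial and are placeholders for your own, and the self-signed certificate it generates for its self-test is constructed on the fly and used for nothing else.

```shell
#!/bin/sh
# Added example (not part of the original article): verify that a mail
# server presents the certificate you installed. Requires openssl.

# SHA-256 fingerprint of a PEM certificate on disk, as AA:BB:...:ZZ
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^[^=]*=//'
}

# Fingerprint of the certificate a server presents.
#   $1 host:port (for example studio:25 or studio:995)
#   $2 STARTTLS protocol name for s_client (smtp, pop3 or imap), or ""
#      for ports that speak TLS immediately, such as 995 and 993
server_fingerprint() {
    target="$1"; proto="$2"
    if [ -n "$proto" ]; then
        set -- -connect "$target" -starttls "$proto"
    else
        set -- -connect "$target"
    fi
    # s_client prints the leaf certificate in PEM form; x509 re-reads it
    openssl s_client "$@" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 2>/dev/null \
        | sed 's/^[^=]*=//'
}

# Compare file against server. Returns 0 on a match, 1 on a mismatch or
# when no certificate could be fetched at all.
check_server_cert() {
    pem="$1"; target="$2"; proto="$3"
    expected=$(cert_fingerprint "$pem")
    actual=$(server_fingerprint "$target" "$proto")
    if [ -n "$actual" ] && [ "$actual" = "$expected" ]; then
        echo "$target: certificate matches $pem ($actual)"
        return 0
    fi
    echo "$target: MISMATCH (file $expected, server ${actual:-no certificate})"
    return 1
}

# Constructed throwaway self-signed certificate so the helpers can be
# exercised without a running mail server. Prints the directory it used.
make_test_cert() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=studio" \
        -keyout "$dir/test-com.key" -out "$dir/test-com.pem" 2>/dev/null
    echo "$dir"
}

# Usage against the tutorial's server (uncomment once it is running):
# check_server_cert /etc/ssl/certs/test-com.pem studio:25 smtp
# check_server_cert /etc/ssl/certs/test-com.pem studio:995 ""
```

A matching fingerprint proves the server is handing out your certificate, which is a separate question from whether a client trusts it: with a self-signed certificate, openssl s_client will report a verify return code other than 0 unless you pass -CAfile pointing at the certificate itself, so treat the fingerprint comparison as the authoritative check.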

Now What?

Now you have a nice functioning mail server with proper TLS/SSL protection. I encourage you to study Postfix and Dovecot in-depth; the examples in these tutorials are as simple as I could make them, and don't include fine-tuning for security, anti-virus scanners, spam filters, or any other advanced functionality. I think it's easier to learn the advanced features when you have a basic working system to use.

Come back next week for an openSUSE package management cheat sheet.
