Posts Tagged postfix
Posted by mike Filed Under Cyrus-Imap with Comments Off
The default admin user is cyrus; however, an additional admin may be needed, or for some reason the default does not work a new admin can be created. Create an admin user name on the system with a password first. cyrus is the default and will be created when cyrus IMAP is installed. However, a good password must be created, see the example.
# passwd cyrus
Changing password for user cyrus.
New UNIX password:
BAD PASSWORD: it is based on a dictionary word
Retype new UNIX password:
passwd: all authentication tokens updated successfully.
It may be a good idea to create a second admin account as is seen here:
useradd cyrusad
passwd cyrusad
Now create an admin with saslauthd:
Verify sasauthd is started with this command:
service saslauthd status
If the status is off it will need to be started with the command below.
Start saslauthd
Centos
# service saslauthd start
Starting saslauthd: [ OK ]
Suse or Ubuntu
/etc/init.d/saslauthd start
saslpasswd2 -c cyrus
Error Message – generic falure
If you get this message do not panic, just do the password again.
# saslpasswd2 -c cyrus
Password:
Again (for verification):
saslpasswd: generic failure
Second time it works!
# saslpasswd2 -c cyrus
Password:
Again (for verification):
Edit the file /etc/impad.conf and view the line that lists admins, add the second admin that was just created and add the third admin if needed.
admins: cyrus
Note: You should not use regular users who have mailboxes as admins. This adds to the security risk.
Create cyrus Folders
su to the user cyrus
su cyrus
Create the necessary file and directories for Cyrus to run by executing this script.
/usr/lib/cyrus-imapd/mkimap
Here is what it looks like from the console.
bash-3.00$ /usr/lib/cyrus-imapd/mkimap
reading configure file…
i will configure directory /var/lib/imap.
i saw partition /var/spool/imap.
done
configuring /var/lib/imap…
creating /var/spool/imap…
done
Return to the root user by using the exit command:
exit
You will probably need to reboot to get everything running.
Posted by mike Filed Under Cyrus-Imap with Comments Off
Create Users
Create the users on the system. Create users with the false option so they cannot log into the server. This is an added security feature.
A. Create the User
useradd sue -s /bin/false
passwd sue
A common mistake is to forget to provide passwords for these users.
B. Use saslpasswd2 to create a cyrus account for the user.
echo linux23 | saslpasswd2 -p -c sue -p -u realm
Note that linux23 is the password that you are providing for this user sue.
The realm is the domain that you are using for the hostname. If you have no domain just use realm.
Here are several options for the saslpasswd2 program:
-p pipe mode
-c create
-d delete
-u domain
-f file
C. List the users to verify they were created.
Use this command to list the users created with saslpasswd2.
List Users Example
Here is an example of the sasldblistusers2 command. Notice that there are two methods of authentication; PLAIN, and CRAM-MD5.
# /usr/sbin/sasldblistusers2
user: cyrus realm: example.org mech: CRAM-MD5
user: tom realm: realm mech: CRAM-MD5
user: cyrus realm: example.org mech: PLAIN
user: tom realm: realm mech: PLAIN
user: tom realm: realm mech: DIGEST-MD5
user: cyrus realm: example.org mech: DIGEST-MD5
You may also want to send an email to the account.
echo test |/usr/sbin/sendmail -f root username
Posted by mike Filed Under Squirrelmail with Comments Off
In order to have TLS work with SquirrelMail you need to start the configuration script at /usr/share/squirrelmail/config/conf.pl When the script opens choose “Server Settings” and then edit the IMAP port settings and change them from port 143 to port 993.
SquirrelMail Configuration : Read: config.php (1.4.0)
———————————————————
Server Settings
General
——-
1. Domain : localhost
2. Invert Time : false
3. Sendmail or SMTP : SMTP
IMAP Settings
————–
4. IMAP Server : localhost
5. IMAP Port : 993
6. Authentication type : login
7. Secure IMAP (TLS) : false
8. Server software : uw
9. Delimiter : /
B. Update SMTP Settings : localhost:25
H. Hide IMAP Server Settings
R Return to Main Menu
C Turn color off
S Save data
Q Quit
Restart Dovecot and httpd and you should be able to login to SquirrellMail using the https on the browser and the encrypted communication on port 993 for Dovecot. To the user the only decision they need to make is to accept the self-signed certificate and point their browser to https.
Posted by mike Filed Under Dovecot with 1 Comment
Testing the SSL Connections
# openssl s_client -connect localhost:993
CONNECTED(00000003)
depth=0 /OU=IMAP server/CN=imap.example.com/emailAddress=postmaster@example.com
verify error:num=18:self signed certificate
verify return:1
depth=0 /OU=IMAP server/CN=imap.example.com/emailAddress=postmaster@example.com
verify return:1
—
Certificate chain
0 s:/OU=IMAP server/CN=imap.example.com/emailAddress=postmaster@example.com
i:/OU=IMAP server/CN=imap.example.com/emailAddress=postmaster@example.com
—
Server certificate
—–BEGIN CERTIFICATE—–
MIICQzCCAaygAwIBAgIJAPTV7oRo6JRMMA0GCSqGSIb3DQEBBQUAMFgxFDASBgNV
BAsTC0lNQVAgc2VydmVyMRkwFwYDVQQDExBpbWFwLmV4YW1wbGUuY29tMSUwIwYJ
KoZIhvcNAQkBFhZwb3N0bWFzdGVyQGV4YW1wbGUuY29tMB4XDTA3MDcwMjAxMzYy
N1oXDTA4MDcwMTAxMzYyN1owWDEUMBIGA1UECxMLSU1BUCBzZXJ2ZXIxGTAXBgNV
BAMTEGltYXAuZXhhbXBsZS5jb20xJTAjBgkqhkiG9w0BCQEWFnBvc3RtYXN0ZXJA
ZXhhbXBsZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJLttD7lNlyk
4IqT+39jJ8AUFDzFiGSjUzJN+dHwMtSOXIfdI/2wJ9zRA/ams6R5vYoM8xaRvQA1
sS+nqjKwDzv0gXJbadCNlCoanR8wdoYHD0CCTJUuthE4m5dJxWHDLPaISKBjercd
sYV2+kH03Jvi/ss0yytX1V+kPNmotm3ZAgMBAAGjFTATMBEGCWCGSAGG+EIBAQQE
AwIGQDANBgkqhkiG9w0BAQUFAAOBgQAzT9mEBKkpJskrT1siKqbEdTpksD9dOZPs
x67CoEY5zDn4u2dcaDnzP50c5THzkLU+ubB+a+F70pqhiufFG8gVB6xswEfe7MBi
TYX03DHK0dx4aL22r1P/5Ayu9VdI19Cayj/ZRZ5HzAJUcU+MHep/tDrlNTXkNwyB
FHaZ3rTsMQ==
—–END CERTIFICATE—–
subject=/OU=IMAP server/CN=imap.example.com/emailAddress=postmaster@example.com
issuer=/OU=IMAP server/CN=imap.example.com/emailAddress=postmaster@example.com
—
No client certificate CA names sent
—
SSL handshake has read 1147 bytes and written 340 bytes
—
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: 6828F13357DE7E3F7D488E28ED371724E57E8E645ECD6913ED00F0BAAD32C336
Session-ID-ctx:
Master-Key: 38DE76160DB9306EC347DB9047D9CA67E2CF507A1B0893E34991C0622EA633F873B5FCB6AE6A054A9702266FA7F13FD0
Key-Arg : None
Krb5 Principal: None
Start Time: 1190798551
Timeout : 300 (sec)
Verify return code: 18 (self signed certificate)
—
OK Dovecot ready.
Posted by mike Filed Under Dovecot with Comments Off
Creating a Keys
First edit the file /etc/pki/dovecot-openssl.cnf. In this file create all of the settings for your site. Now move into the /usr/share/doc/dovecot-1.0/examples folder and you will see an executable called mkcert.sh. Run that executable to create the necessary keys.
./mkcert.sh
Copy the keys to the correct location, deleting the default keys.
cp dovecot.pem /etc/pki/dovecot/certs
cp dovecot.pem /etc/pki/dovecot/private
chmod 600 /etc/pki/dovecot/certs
chmod 600 /etc/pki/dovecot/private
Restart Dovecot and Postfix.
Creating a Private Key – Second Method
Move into the /etc/pki/tls/certs directory and run the command below. You will be asked to provide information about the location and name of your company as well as contacts. This private key can be used to create a self-signed certificate. The certificate functions much like a public key.
# make dovecot.pem
umask 77 ; \
PEM1=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
PEM2=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
/usr/bin/openssl req -newkey rsa:1024 -keyout $PEM1 -nodes -x509 -days 365 -out $PEM2 -set_serial 0 ; \
cat $PEM1 > dovecot.pem ; \
echo “” >> dovecot.pem ; \
cat $PEM2 >> dovecot.pem ; \
rm -f $PEM1 $PEM2
Generating a 1024 bit RSA private key
……..++++++
…………………………++++++
writing new private key to ‘/tmp/openssl.pM9442′
—–
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
—–
Country Name (2 letter code) [GB]:US
State or Province Name (full name) [Berkshire]:Montana
Locality Name (eg, city) [Newbury]:Trout Creek
Organization Name (eg, company) [My Company Ltd]:My Company
Organizational Unit Name (eg, section) []:Sales
Common Name (eg, your name or your server’s hostname) []:mail
Email Address []:mike@somewhere.com
Posted by mike Filed Under Dovecot with 1 Comment
Check for TLS Support in Postfix
By running this command you can verify that TLS is supported by your version of Postfix. Each of these parameters should exist.
# postconf -d | grep tls
lmtp_enforce_tls = no
lmtp_sasl_tls_security_options = $lmtp_sasl_security_options
lmtp_sasl_tls_verified_security_options = $lmtp_sasl_tls_security_options
lmtp_starttls_timeout = 300s
lmtp_tls_CAfile =
lmtp_tls_CApath =
lmtp_tls_cert_file =
lmtp_tls_dcert_file =
lmtp_tls_dkey_file = $lmtp_tls_dcert_file
lmtp_tls_enforce_peername = yes
lmtp_tls_exclude_ciphers =
lmtp_tls_key_file = $lmtp_tls_cert_file
lmtp_tls_loglevel = 0
lmtp_tls_mandatory_ciphers = medium
lmtp_tls_mandatory_exclude_ciphers =
lmtp_tls_mandatory_protocols = SSLv3, TLSv1
lmtp_tls_note_starttls_offer = no
lmtp_tls_per_site =
lmtp_tls_policy_maps =
lmtp_tls_scert_verifydepth = 5
lmtp_tls_secure_cert_match = nexthop
lmtp_tls_security_level =
lmtp_tls_session_cache_database =
lmtp_tls_session_cache_timeout = 3600s
lmtp_tls_verify_cert_match = hostname
lmtp_use_tls = no
milter_helo_macros = {tls_version} {cipher} {cipher_bits} {cert_subject} {cert_issuer}
smtp_enforce_tls = no
smtp_sasl_tls_security_options = $smtp_sasl_security_options
smtp_sasl_tls_verified_security_options = $smtp_sasl_tls_security_options
smtp_starttls_timeout = 300s
smtp_tls_CAfile =
smtp_tls_CApath =
smtp_tls_cert_file =
smtp_tls_dcert_file =
smtp_tls_dkey_file = $smtp_tls_dcert_file
smtp_tls_enforce_peername = yes
smtp_tls_exclude_ciphers =
smtp_tls_key_file = $smtp_tls_cert_file
smtp_tls_loglevel = 0
smtp_tls_mandatory_ciphers = medium
smtp_tls_mandatory_exclude_ciphers =
smtp_tls_mandatory_protocols = SSLv3, TLSv1
smtp_tls_note_starttls_offer = no
smtp_tls_per_site =
smtp_tls_policy_maps =
smtp_tls_scert_verifydepth = 5
smtp_tls_secure_cert_match = nexthop, dot-nexthop
smtp_tls_security_level =
smtp_tls_session_cache_database =
smtp_tls_session_cache_timeout = 3600s
smtp_tls_verify_cert_match = hostname
smtp_use_tls = no
smtpd_client_new_tls_session_rate_limit = 0
smtpd_enforce_tls = no
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
smtpd_starttls_timeout = 300s
smtpd_tls_CAfile =
smtpd_tls_CApath =
smtpd_tls_always_issue_session_ids = yes
smtpd_tls_ask_ccert = no
smtpd_tls_auth_only = no
smtpd_tls_ccert_verifydepth = 5
smtpd_tls_cert_file =
smtpd_tls_dcert_file =
smtpd_tls_dh1024_param_file =
smtpd_tls_dh512_param_file =
smtpd_tls_dkey_file = $smtpd_tls_dcert_file
smtpd_tls_exclude_ciphers =
smtpd_tls_key_file = $smtpd_tls_cert_file
smtpd_tls_loglevel = 0
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_mandatory_exclude_ciphers =
smtpd_tls_mandatory_protocols = SSLv3, TLSv1
smtpd_tls_received_header = no
smtpd_tls_req_ccert = no
smtpd_tls_security_level =
smtpd_tls_session_cache_database =
smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_wrappermode = no
smtpd_use_tls = no
tls_daemon_random_bytes = 32
tls_export_cipherlist = ALL:+RC4:@STRENGTH
tls_high_cipherlist = !EXPORT:!LOW:!MEDIUM:ALL:+RC4:@STRENGTH
tls_low_cipherlist = !EXPORT:ALL:+RC4:@STRENGTH
tls_medium_cipherlist = !EXPORT:!LOW:ALL:+RC4:@STRENGTH
tls_null_cipherlist = !aNULL:eNULL+kRSA
tls_random_bytes = 32
tls_random_exchange_name = ${config_directory}/prng_exch
tls_random_prng_update_period = 3600s
tls_random_reseed_period = 3600s
tls_random_source = dev:/dev/urandom
Once you have verified this information edit the main.cf file and add these lines:
smtpd_tls_cert_file=/etc/pki/dovecot/certs/dovecot.pem
smtpd_tls_key_file=/etc/pki/dovecot/private/dovecot.pem
smtpd_use_tls=yes
Note that the keys have been developed with the default location for Dovecot and the name of dovecot.pem. The important point is that the location be exactly the same for Postfix and Dovecot. That is all you need to do for Postfix. Reload Postfix.
By using the netstat command you will be able to verify the listening ports that dovecot is using.
Posted by mike Filed Under Dovecot with 1 Comment
TLS or Transport Layer Security is a protocol that is encrypted and is a close relative of SSL. Actually TLS has developed from SSL and has backward compatibility. SSL, Secure Sockets Layer, is a protocol or language that is used to encrypt communication between clients and servers. This type of communication is necessary when transporting sensitive information like credit card processing. The OpenSSL project, http://openssl.org is an organization working to develop a cryptography library based on SSL v2/v3 and TLS v1.
What the Process of TLS or SSL Provides
1. TLS and SSL Provides – Authentication – the SSL server authentication allows a user to verify the server identity. The use of public-key cryptology allows a client to verify that the server has a valid certificate and public ID and that it has been issued a certificate of authority (CA). The client can hold a list of trusted CAs.
2. TLS and SSL Provides Verification of the User - the user is verified in the process in the same way as the server and using the same methods as the server verification.
3. TLS and SSL Provides Encryption – the entire communication between the client and the server is encrypted.
Installation of TLS or SSL Communication
At times it is important to encrypt the communication between the server and the client in order to protect the data that is being transferred. SSL, Secure Socket Layer ins enabled on Apache using the mod_ssl module. Once SSL has been enabled on Apache secure communication will occur over port 443 using the https:// in the browser. Note this is encrypted communication based on the 443 port where TLS is encrypted communication based on port 993. The focus at this point is creating encryption for Dovecot so the TLS application will be described not the implementation of SSL for port 443.
Posted by mike Filed Under Dovecot with Comments Off
One thing that you can do is run this command to verify it is listening on the correct port numbers:
netstat -aunt
This should show that Dovecot is listening on ports 143 and 110 for IMAP and POP3.
Check if Dovecot is Listening
Another test is to connect to Dovecot using telnet on port 143. Here is an example with the output you want.
telnet localhost 143
Trying 127.0.0.1…
Connected to localhost.
Escape character is ‘^]’.
* OK dovecot ready.
Check if Dovecot Accepting Passwords
telnet localhost 143
Trying 127.0.0.1…
Connected to localhost.
Escape character is ‘^]’.
* OK dovecot ready.
1 login mike
1 login mike password
1 OK Logged in.
Check if Dovecot is Accepting Remote Logins
telnet 21.14.26.132 143
Trying 21.14.26.132…
Connected to 21-14-26-132.static.example.net (21.14.26.132).
Escape character is ‘^]’.
* OK dovecot ready.
1 login mike password
1 OK Logged in.
Check if Dovecot is Finding the Mailbox
1 select inbox
* FLAGS (\Answered \Flagged \Deleted \Seen \Draft)
* OK [PERMANENTFLAGS (\Answered \Flagged \Deleted \Seen \Draft \*)] Flags permitted.
* 0 EXISTS
* 0 RECENT
* OK [UIDVALIDITY 1163363765] UIDs valid
* OK [UIDNEXT 1] Predicted next UID
1 OK [READ-WRITE] Select completed.
« Older Entries
Newer Entries »
