Posts Tagged SSL

Postfix and TLS

Posted by Filed Under Dovecot with 1 Comment

Check for TLS Support in Postfix
By running this command you can verify that TLS is supported by your version of Postfix.  Each of these parameters should exist.

# postconf -d | grep tls
lmtp_enforce_tls = no
lmtp_sasl_tls_security_options = $lmtp_sasl_security_options
lmtp_sasl_tls_verified_security_options = $lmtp_sasl_tls_security_options
lmtp_starttls_timeout = 300s
lmtp_tls_CAfile =
lmtp_tls_CApath =
lmtp_tls_cert_file =
lmtp_tls_dcert_file =
lmtp_tls_dkey_file = $lmtp_tls_dcert_file
lmtp_tls_enforce_peername = yes
lmtp_tls_exclude_ciphers =
lmtp_tls_key_file = $lmtp_tls_cert_file
lmtp_tls_loglevel = 0
lmtp_tls_mandatory_ciphers = medium
lmtp_tls_mandatory_exclude_ciphers =
lmtp_tls_mandatory_protocols = SSLv3, TLSv1
lmtp_tls_note_starttls_offer = no
lmtp_tls_per_site =
lmtp_tls_policy_maps =
lmtp_tls_scert_verifydepth = 5
lmtp_tls_secure_cert_match = nexthop
lmtp_tls_security_level =
lmtp_tls_session_cache_database =
lmtp_tls_session_cache_timeout = 3600s
lmtp_tls_verify_cert_match = hostname
lmtp_use_tls = no
milter_helo_macros = {tls_version} {cipher} {cipher_bits} {cert_subject} {cert_issuer}
smtp_enforce_tls = no
smtp_sasl_tls_security_options = $smtp_sasl_security_options
smtp_sasl_tls_verified_security_options = $smtp_sasl_tls_security_options
smtp_starttls_timeout = 300s
smtp_tls_CAfile =
smtp_tls_CApath =
smtp_tls_cert_file =
smtp_tls_dcert_file =
smtp_tls_dkey_file = $smtp_tls_dcert_file
smtp_tls_enforce_peername = yes
smtp_tls_exclude_ciphers =
smtp_tls_key_file = $smtp_tls_cert_file
smtp_tls_loglevel = 0
smtp_tls_mandatory_ciphers = medium
smtp_tls_mandatory_exclude_ciphers =
smtp_tls_mandatory_protocols = SSLv3, TLSv1
smtp_tls_note_starttls_offer = no
smtp_tls_per_site =
smtp_tls_policy_maps =
smtp_tls_scert_verifydepth = 5
smtp_tls_secure_cert_match = nexthop, dot-nexthop
smtp_tls_security_level =
smtp_tls_session_cache_database =
smtp_tls_session_cache_timeout = 3600s
smtp_tls_verify_cert_match = hostname
smtp_use_tls = no
smtpd_client_new_tls_session_rate_limit = 0
smtpd_enforce_tls = no
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
smtpd_starttls_timeout = 300s
smtpd_tls_CAfile =
smtpd_tls_CApath =
smtpd_tls_always_issue_session_ids = yes
smtpd_tls_ask_ccert = no
smtpd_tls_auth_only = no
smtpd_tls_ccert_verifydepth = 5
smtpd_tls_cert_file =
smtpd_tls_dcert_file =
smtpd_tls_dh1024_param_file =
smtpd_tls_dh512_param_file =
smtpd_tls_dkey_file = $smtpd_tls_dcert_file
smtpd_tls_exclude_ciphers =
smtpd_tls_key_file = $smtpd_tls_cert_file
smtpd_tls_loglevel = 0
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_mandatory_exclude_ciphers =
smtpd_tls_mandatory_protocols = SSLv3, TLSv1
smtpd_tls_received_header = no
smtpd_tls_req_ccert = no
smtpd_tls_security_level =
smtpd_tls_session_cache_database =
smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_wrappermode = no
smtpd_use_tls = no
tls_daemon_random_bytes = 32
tls_export_cipherlist = ALL:+RC4:@STRENGTH
tls_high_cipherlist = !EXPORT:!LOW:!MEDIUM:ALL:+RC4:@STRENGTH
tls_low_cipherlist = !EXPORT:ALL:+RC4:@STRENGTH
tls_medium_cipherlist = !EXPORT:!LOW:ALL:+RC4:@STRENGTH
tls_null_cipherlist = !aNULL:eNULL+kRSA
tls_random_bytes = 32
tls_random_exchange_name = ${config_directory}/prng_exch
tls_random_prng_update_period = 3600s
tls_random_reseed_period = 3600s
tls_random_source = dev:/dev/urandom

Once you have verified this information edit the main.cf file and add these lines:
smtpd_tls_cert_file=/etc/pki/dovecot/certs/dovecot.pem
smtpd_tls_key_file=/etc/pki/dovecot/private/dovecot.pem
smtpd_use_tls=yes

Note that the keys have been developed with the default location for Dovecot and the name  of dovecot.pem.  The important point is that the location be exactly the same for Postfix and Dovecot.  That is all you need to do for Postfix.  Reload Postfix.

By using the netstat command you will be able to verify the listening ports that dovecot is using.

Introduction to TLS and SSL

Posted by Filed Under Dovecot with 1 Comment

TLS or Transport Layer Security is a protocol that is encrypted and is a close relative of SSL.  Actually TLS has developed from SSL and has backward compatibility.  SSL, Secure Sockets Layer, is a protocol or language that is used to encrypt communication between clients and servers. This type of communication is necessary when transporting sensitive information like credit card processing.   The OpenSSL project, http://openssl.org  is an organization working to develop a cryptography library based on SSL v2/v3 and TLS v1.

What the Process of TLS or SSL Provides
1. TLS and SSL Provides – Authentication – the SSL server authentication allows a user to verify the server identity. The use of public-key cryptology allows a client to verify that the server has a valid certificate and public ID and that it has been issued a certificate of authority (CA). The client can hold a list of trusted CAs.
2. TLS  and SSL Provides Verification of the User - the user is verified in the process in the same way as the server and using the same methods as the server verification.
3. TLS and SSL Provides Encryption – the entire communication between the client and the server is encrypted.

Installation of TLS or SSL Communication
At times it is important to encrypt the communication between the server and the client in order to protect the data that is being transferred. SSL, Secure Socket Layer ins enabled on Apache using the mod_ssl module. Once SSL has been enabled on Apache secure communication will occur over port 443 using the https:// in the browser.   Note this is encrypted communication based on the 443 port where TLS is encrypted communication based on port 993.  The focus at this point is creating encryption for Dovecot so the TLS application will be described not the implementation of SSL for port 443.