Posts Tagged TLS

Configure Microsoft Outlook Express

Posted by Filed Under Mail Client with Comments Off

Configure Microsoft Outlook Express with TLS and SMTP_AUTH.  This is a common issue that administrators overlook for users who insist on using Outlook Express.  The setup for secure login and sending email is not intuitive.

For more information on how to configure Postfix you can consider Postfix Self-Directed Course or the Postfix Live Course.

First you need to create the account, so choose Tools-Accounts-Add.  The Display name is simply how it will look in the list.

Enter the full email address here.

Select IMAP for your mail server.  IMAP gives you a number of options, in that you can access your mail in several different ways, web based or on your desktop.  Your mail server must have a FQDN (Fully Qualified Domain Name), in other words the hostname and the domain, three parts separated by periods.  If you do not know the mail server name, find out before you continue.  The outgoing mail server must also be listed; it is typically the same.

Provide an account name; again, this will typically be the full email address, so this could be test@example.com.  Enter your password if you want Outlook Express to log in automatically.

This will complete the first stage.

Once it is created, right click the account and choose properties.  Now fill in the email address if not done so already.

Go to the Server tab and be sure the incoming and outgoing mail servers are set.  Also verify the email address, and that you have the password set if you want login to be automatic.

At the bottom of the page you see the “Outgoing Mail Server” section; check this box and select Settings.  Your email account can be used to authenticate when you send email.  This is SMTP_AUTH: it allows only people with email accounts on the server to send email.  In other words, it is what stops spammers from using your mail server as a relay while still allowing you to send email.

Now go to the Advanced tab.  Make sure your mail is going out on port 25 and that you have selected the SSL option, as shown.  Also be sure to select 993 for incoming and SSL.  This provides encrypted communication between the user and your mail server.

That completes the Microsoft Outlook Express configuration.  Now you can allow those Microsoft users to start enjoying the security and stability of Postfix.

Postfix and TLS

Posted by Filed Under Dovecot with 1 Comment

Check for TLS Support in Postfix
By running this command you can verify that TLS is supported by your version of Postfix.  Each of these parameters should exist.

# postconf -d | grep tls
lmtp_enforce_tls = no
lmtp_sasl_tls_security_options = $lmtp_sasl_security_options
lmtp_sasl_tls_verified_security_options = $lmtp_sasl_tls_security_options
lmtp_starttls_timeout = 300s
lmtp_tls_CAfile =
lmtp_tls_CApath =
lmtp_tls_cert_file =
lmtp_tls_dcert_file =
lmtp_tls_dkey_file = $lmtp_tls_dcert_file
lmtp_tls_enforce_peername = yes
lmtp_tls_exclude_ciphers =
lmtp_tls_key_file = $lmtp_tls_cert_file
lmtp_tls_loglevel = 0
lmtp_tls_mandatory_ciphers = medium
lmtp_tls_mandatory_exclude_ciphers =
lmtp_tls_mandatory_protocols = SSLv3, TLSv1
lmtp_tls_note_starttls_offer = no
lmtp_tls_per_site =
lmtp_tls_policy_maps =
lmtp_tls_scert_verifydepth = 5
lmtp_tls_secure_cert_match = nexthop
lmtp_tls_security_level =
lmtp_tls_session_cache_database =
lmtp_tls_session_cache_timeout = 3600s
lmtp_tls_verify_cert_match = hostname
lmtp_use_tls = no
milter_helo_macros = {tls_version} {cipher} {cipher_bits} {cert_subject} {cert_issuer}
smtp_enforce_tls = no
smtp_sasl_tls_security_options = $smtp_sasl_security_options
smtp_sasl_tls_verified_security_options = $smtp_sasl_tls_security_options
smtp_starttls_timeout = 300s
smtp_tls_CAfile =
smtp_tls_CApath =
smtp_tls_cert_file =
smtp_tls_dcert_file =
smtp_tls_dkey_file = $smtp_tls_dcert_file
smtp_tls_enforce_peername = yes
smtp_tls_exclude_ciphers =
smtp_tls_key_file = $smtp_tls_cert_file
smtp_tls_loglevel = 0
smtp_tls_mandatory_ciphers = medium
smtp_tls_mandatory_exclude_ciphers =
smtp_tls_mandatory_protocols = SSLv3, TLSv1
smtp_tls_note_starttls_offer = no
smtp_tls_per_site =
smtp_tls_policy_maps =
smtp_tls_scert_verifydepth = 5
smtp_tls_secure_cert_match = nexthop, dot-nexthop
smtp_tls_security_level =
smtp_tls_session_cache_database =
smtp_tls_session_cache_timeout = 3600s
smtp_tls_verify_cert_match = hostname
smtp_use_tls = no
smtpd_client_new_tls_session_rate_limit = 0
smtpd_enforce_tls = no
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
smtpd_starttls_timeout = 300s
smtpd_tls_CAfile =
smtpd_tls_CApath =
smtpd_tls_always_issue_session_ids = yes
smtpd_tls_ask_ccert = no
smtpd_tls_auth_only = no
smtpd_tls_ccert_verifydepth = 5
smtpd_tls_cert_file =
smtpd_tls_dcert_file =
smtpd_tls_dh1024_param_file =
smtpd_tls_dh512_param_file =
smtpd_tls_dkey_file = $smtpd_tls_dcert_file
smtpd_tls_exclude_ciphers =
smtpd_tls_key_file = $smtpd_tls_cert_file
smtpd_tls_loglevel = 0
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_mandatory_exclude_ciphers =
smtpd_tls_mandatory_protocols = SSLv3, TLSv1
smtpd_tls_received_header = no
smtpd_tls_req_ccert = no
smtpd_tls_security_level =
smtpd_tls_session_cache_database =
smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_wrappermode = no
smtpd_use_tls = no
tls_daemon_random_bytes = 32
tls_export_cipherlist = ALL:+RC4:@STRENGTH
tls_high_cipherlist = !EXPORT:!LOW:!MEDIUM:ALL:+RC4:@STRENGTH
tls_low_cipherlist = !EXPORT:ALL:+RC4:@STRENGTH
tls_medium_cipherlist = !EXPORT:!LOW:ALL:+RC4:@STRENGTH
tls_null_cipherlist = !aNULL:eNULL+kRSA
tls_random_bytes = 32
tls_random_exchange_name = ${config_directory}/prng_exch
tls_random_prng_update_period = 3600s
tls_random_reseed_period = 3600s
tls_random_source = dev:/dev/urandom

Once you have verified this information edit the main.cf file and add these lines:
smtpd_tls_cert_file=/etc/pki/dovecot/certs/dovecot.pem
smtpd_tls_key_file=/etc/pki/dovecot/private/dovecot.pem
smtpd_use_tls=yes

Note that the certificate and key paths use Dovecot's default location and file name, dovecot.pem.  The important point is that Postfix and Dovecot point at exactly the same files.  That is all you need to do for Postfix.  Reload Postfix.

By using the netstat command you will be able to verify the listening ports that Dovecot is using.
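As an added example (not from the post or from Postfix itself), the script below audits the kind of `postconf` listing shown above: it parses the `name = value` lines, resolves `$parameter` references the way `postconf -x` does, and reports settings that weaken the smtpd TLS setup the post enables, including `smtpd_tls_auth_only`, which is what keeps the SMTP_AUTH password used by Outlook Express from being offered over a cleartext connection. The sample input is constructed from a few of the defaults above plus the three main.cf lines the post adds.

```python
import re
from typing import Dict, List

# Constructed sample in the `name = value` format that `postconf` prints:
# a few defaults from the listing above plus the main.cf lines the post adds.
SAMPLE_POSTCONF = """\
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
smtpd_tls_auth_only = no
smtpd_tls_mandatory_protocols = SSLv3, TLSv1
smtpd_tls_security_level =
smtpd_tls_cert_file=/etc/pki/dovecot/certs/dovecot.pem
smtpd_tls_key_file=/etc/pki/dovecot/private/dovecot.pem
smtpd_use_tls=yes
"""

# Matches $name and ${name}; the ${name?...} conditional forms are not handled.
VAR_RE = re.compile(r"\$\{?([A-Za-z_][A-Za-z0-9_]*)\}?")

def parse_postconf(text: str) -> Dict[str, str]:
    """Parse `name = value` lines into a dict; a later line overrides an earlier one."""
    params: Dict[str, str] = {}
    for line in text.splitlines():
        name, sep, value = line.partition("=")
        if sep:
            params[name.strip()] = value.strip()
    return params

def expand(params: Dict[str, str], name: str, depth: int = 0) -> str:
    """Resolve $other_parameter references, like `postconf -x`, with a loop guard."""
    if depth > 10:
        raise ValueError("parameter reference loop at " + name)
    return VAR_RE.sub(lambda m: expand(params, m.group(1), depth + 1), params.get(name, ""))

def audit_tls(params: Dict[str, str]) -> List[str]:
    """Return findings for settings that weaken the smtpd TLS setup the post enables."""
    findings: List[str] = []
    # smtpd_use_tls is the legacy switch; smtpd_tls_security_level supersedes it.
    if not expand(params, "smtpd_tls_security_level") and expand(params, "smtpd_use_tls") != "yes":
        findings.append("TLS is not enabled for smtpd (set smtpd_tls_security_level = may)")
    if not expand(params, "smtpd_tls_cert_file") or not expand(params, "smtpd_tls_key_file"):
        findings.append("smtpd_tls_cert_file or smtpd_tls_key_file is empty")
    # With opportunistic TLS, AUTH is announced on cleartext sessions unless this is yes.
    if expand(params, "smtpd_tls_auth_only") != "yes":
        findings.append("smtpd_tls_auth_only = no: SMTP AUTH is also offered over cleartext")
    # The only protocol parameter in the listing above; SSLv2/SSLv3 are obsolete.
    protocols = {p.strip() for p in expand(params, "smtpd_tls_mandatory_protocols").split(",")}
    if protocols & {"SSLv2", "SSLv3"}:
        findings.append("smtpd_tls_mandatory_protocols still allows obsolete SSLv2/SSLv3")
    return findings
```

Run it against real output with `postconf -n` (your settings) or `postconf -d` (the built-in defaults) piped into `parse_postconf`.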

Introduction to TLS and SSL

Posted by Filed Under Dovecot with 1 Comment

TLS, Transport Layer Security, is an encryption protocol and a close relative of SSL.  In fact TLS developed from SSL and is backward compatible with it.  SSL, Secure Sockets Layer, is a protocol used to encrypt communication between clients and servers.  This kind of protection is necessary when transporting sensitive information, such as credit card processing.  The OpenSSL project, http://openssl.org, is an organization developing a cryptography library that implements SSL v2/v3 and TLS v1.

What the Process of TLS or SSL Provides
1. TLS and SSL Provide Authentication – SSL server authentication allows a user to verify the server's identity.  The use of public-key cryptography allows a client to verify that the server has a valid certificate and public key and that the certificate was issued by a certificate authority (CA).  The client can hold a list of trusted CAs.
2. TLS and SSL Provide Verification of the User – the user is verified in the process in the same way as the server, using the same methods as the server verification.
3. TLS and SSL Provide Encryption – the entire communication between the client and the server is encrypted.

Installation of TLS or SSL Communication
At times it is important to encrypt the communication between the server and the client in order to protect the data that is being transferred.  SSL, Secure Sockets Layer, is enabled on Apache using the mod_ssl module.  Once SSL has been enabled on Apache, secure communication will occur over port 443 using https:// in the browser.  Note that here SSL refers to the encrypted communication on port 443, whereas the TLS discussed in this series is the encrypted communication on port 993.  The focus at this point is creating encryption for Dovecot, so the TLS application will be described, not the implementation of SSL for port 443.

Clients with TLS

Posted by Filed Under Mail Client with Comments Off

If you want to use TLS, encrypted communication between the server and client, you will be very frustrated with Linux options.  Evolution will not recognize port 993 or 995, which are used with TLS.  Thunderbird is supposed to work, but I could never get it to connect correctly.  An excellent option is Zimbra Desktop.  You can download Zimbra Desktop from HERE.

If you choose to install on Linux, you will need to run the install command once for each user.

sh zdesktop_0_90_build_1278_linux_i686.sh

This will execute the script and begin the installation.

Be sure to set up a Desktop icon so it is easy to start.

One nice feature is that you can add a number of web clients and combine them all into the desktop.  In other words, you can manage all of your email accounts in one place.

If you want to set up TLS, select IMAP and port 993 to connect securely to your mail server.


Copyright CyberMontana Inc. and Postfixmail.com
All rights reserved. Cannot be reproduced without written permission. Box 1262 Trout Creek, MT 59874