Transport Layer Security (TLS)


 * RFC 5246

Building the PEM file
Before you build the file you need to modify /etc/pki/tls/openssl.cnf. In the [ req_distinguished_name ] section, update the *_default values (shown below with this example site's values) so that the CA and the certificate requests pick up the right defaults instead of the OpenSSL sample ones.
 * Read the Postfix Manual on creating keys
 * Or with Apache on creating a CA and keys on Fedora

    countryName                    = Country Name (2 letter code)
    countryName_default            = US
    countryName_min                = 2
    countryName_max                = 2
    stateOrProvinceName            = State or Province Name (full name)
    stateOrProvinceName_default    = Minnesota
    localityName                   = Locality Name (eg, city)
    localityName_default           = Saint Paul
    0.organizationName             = Organization Name (eg, company)
    0.organizationName_default     = The Milly Server
    organizationalUnitName         = Organizational Unit Name (eg, section)
    organizationalUnitName_default = milly.example.com
    commonName                     = Common Name (eg, your name or your server's hostname)
    commonName_max                 = 64
    commonName_default             = milly.example.com
    emailAddress                   = Email Address
    emailAddress_max               = 64
    emailAddress_default           = postmaster@example.com

To build the CA run:

    cd /etc/pki/tls/misc
    ./CA -newca

Then create the server's private key and certificate request, sign the request with the CA, and install the files with the permissions Postfix expects. -nodes leaves the key unencrypted; that is required, because Postfix cannot prompt for a passphrase (see the unsupported formats under "TLS with Postfix" below). Note that -days on the request is ignored: the certificate's lifetime is set by openssl ca (default_days in openssl.cnf, or -days on that command).

    cd /etc/postfix
    openssl req -new -nodes -keyout postfix-key.pem -out postfix-req.pem -days 365

    cd /etc/pki/tls/misc
    openssl ca -out postfix-cert.pem -infiles /etc/postfix/postfix-req.pem

    cp /etc/pki/CA/cacert.pem /etc/postfix/postfix-cacert.pem
    cp /etc/pki/tls/misc/postfix-cert.pem /etc/postfix/postfix-cert.pem
    chmod 644 /etc/postfix/postfix-cert.pem /etc/postfix/postfix-cacert.pem
    chmod 400 /etc/postfix/postfix-key.pem
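The procedure above as an added shell example; this is not code from the original page or from the Postfix project. It builds a throwaway CA, server key and signed certificate in a directory of your choosing, using openssl req -x509 and openssl x509 -req with a small inline openssl.cnf in place of the CA script and the system config (so it never touches /etc/pki), and then runs the checks worth doing before handing the files to Postfix: the certificate carries the public half of the private key, the certificate verifies against the CA you are about to publish as postfix-cacert.pem, and the key is not readable by group or others. The subject values, host name and paths are assumptions taken from the example site above.

```shell
#!/bin/sh
# Added example (not from the page). Builds a test CA + server key/cert the way the
# steps above do, with an inline openssl.cnf instead of /etc/pki/tls/openssl.cnf, then
# checks the result before it goes near Postfix. Names and paths are assumptions.
set -e

SUBJ_BASE="/C=US/ST=Minnesota/L=Saint Paul/O=The Milly Server"

# Minimal stand-in for the openssl.cnf edits above: the DN defaults plus the
# extensions a CA certificate needs to be accepted as an issuer.
write_cnf() {
  cat > "$1" <<'EOF'
[ req ]
distinguished_name = req_distinguished_name
prompt = no
x509_extensions = v3_ca

[ req_distinguished_name ]
C  = US
ST = Minnesota
L  = Saint Paul
O  = The Milly Server
OU = milly.example.com
CN = milly.example.com

[ v3_ca ]
basicConstraints = critical, CA:true
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# $1 = working directory, $2 = server host name (goes in the CN and the SAN)
build_test_pki() {
  dir="$1"; host="$2"
  mkdir -p "$dir"
  write_cnf "$dir/openssl.cnf"
  # 1. Self-signed CA: stands in for "./CA -newca"
  openssl req -x509 -config "$dir/openssl.cnf" -newkey rsa:2048 -nodes -days 3650 \
    -subj "$SUBJ_BASE/CN=Test CA" \
    -keyout "$dir/cakey.pem" -out "$dir/cacert.pem" 2>/dev/null
  # 2. Server key + request. -nodes leaves the key unencrypted: Postfix cannot
  #    prompt for a passphrase, so a password-protected key is unusable here.
  openssl req -new -config "$dir/openssl.cnf" -newkey rsa:2048 -nodes \
    -subj "$SUBJ_BASE/CN=$host" \
    -keyout "$dir/postfix-key.pem" -out "$dir/postfix-req.pem" 2>/dev/null
  # 3. Sign the request with the CA: stands in for "openssl ca". The server
  #    extensions add a SAN, which is what modern clients match the host name against.
  printf '[ v3_server ]\nbasicConstraints = CA:false\nkeyUsage = critical, digitalSignature, keyEncipherment\nextendedKeyUsage = serverAuth\nsubjectAltName = DNS:%s\n' "$host" > "$dir/server.ext"
  openssl x509 -req -days 365 -in "$dir/postfix-req.pem" \
    -CA "$dir/cacert.pem" -CAkey "$dir/cakey.pem" -CAcreateserial \
    -extfile "$dir/server.ext" -extensions v3_server \
    -out "$dir/postfix-cert.pem" 2>/dev/null
  # 4. Same permissions as the cp/chmod step above
  chmod 644 "$dir/postfix-cert.pem" "$dir/cacert.pem"
  chmod 400 "$dir/postfix-key.pem"
}

# Does the certificate ($1) carry the public half of this private key ($2)?
# Both commands print the SubjectPublicKeyInfo in PEM form, so compare the text.
key_matches_cert() {
  [ "$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null)" = "$(openssl pkey -pubout -in "$2" 2>/dev/null)" ]
}

# Does the server certificate ($1) verify against the CA certificate ($2)?
cert_chains_to_ca() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Is the file ($1) unreadable by group and others (mode 0600 or 0400)?
key_is_private() {
  case "$(ls -l "$1" | cut -c5-10)" in
    ------) return 0 ;;
    *) return 1 ;;
  esac
}

# Usage: sh build-and-check.sh demo /tmp/pki milly.example.com
if [ "${1:-}" = demo ]; then
  build_test_pki "$2" "$3"
  key_matches_cert "$2/postfix-cert.pem" "$2/postfix-key.pem" && echo "key matches cert"
  cert_chains_to_ca "$2/postfix-cert.pem" "$2/cacert.pem" && echo "cert verifies against CA"
  key_is_private "$2/postfix-key.pem" && echo "key permissions ok"
fi
```

The three checks are the ones that catch the usual mistakes when a key and certificate are copied around by hand: a certificate that was issued for a different key (mismatch), a CA file that is not the one that actually signed the server certificate (verify fails), and a key left at mode 0644 by cp. On a real system run them against /etc/postfix/postfix-cert.pem, postfix-key.pem and postfix-cacert.pem after the install step.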

TLS with Postfix

 * Also make sure you read the Postfix TLS README file.

Postfix (like Apache) needs both a public key certificate and the corresponding private key. These can be stored in quite a variety of product dependent ways. The following are supported by Postfix:
 * 1) Root owned mode 0600 (typically RSA) private key in PEM format
 * 2) Separate, root owned mode 0644 certificate file in PEM format, with any intermediate CA certs listed after the server cert, depth first (server cert, then its issuer, then that issuer's issuer).
 * 3) Root owned mode 0600 (typically RSA) private key in PEM format also containing the server cert and any intermediate CA certs as above.

The following are NOT supported:
 * Password protected private key
 * Private key or server cert in DER format
 * Server cert trust chain in PKCS#7 file (PEM or DER)
 * Private key and cert trust chain in PKCS#12 file (DER or PEM)
 * Intermediate CA certs stored separately, one PEM file per CA.

If Apache uses option "1" or "2" from above, you can share the keys directly, otherwise you can convert the Apache keys from their native format to "1" or "2".

The conversion utilities are:

    openssl rsa       private key DER -> PEM
    openssl x509      certificate DER -> PEM
    openssl pkcs7     trust chain PKCS7 -> PEM trust chain
    openssl pkcs12    key and trust chain -> PEM key and certs

In Windows land, all files are DER (binary ASN.1, not PEM) format and:

    single cert     == .cer file
    PKCS#7 chain    == .spc file
    PKCS#12         == .pfx file
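The last conversion above, a PKCS#12 (.pfx) bundle into the two PEM files Postfix accepts (option 1 and option 2), as an added shell example that is not part of the original page or of Postfix. It extracts the private key unencrypted, then writes the server certificate followed by the bundled CA certificates in that order, and applies the modes from the supported list. The file names, the password and the output directory are assumptions.

```shell
#!/bin/sh
# Added example (not from the page): turn a PKCS#12 bundle into the separate
# key and certificate-chain PEM files Postfix expects. Paths are assumptions.
set -e

# openssl pkcs12 prints "Bag Attributes" text around each PEM block; keep only the
# blocks themselves so the output files contain nothing but PEM.
pem_only() { sed -n '/^-----BEGIN /,/^-----END /p'; }

# $1 = input .pfx/.p12, $2 = its password, $3 = output directory.
# Produces $3/postfix-key.pem (0600, unencrypted) and $3/postfix-cert.pem (0644)
# with the server certificate first and the CA certificates after it.
pkcs12_to_postfix() {
  pfx="$1"; pw="$2"; out="$3"
  mkdir -p "$out"
  # The key must never be world-readable, even briefly: write it under umask 077.
  ( umask 077
    openssl pkcs12 -in "$pfx" -passin "pass:$pw" -nocerts -nodes 2>/dev/null \
      | pem_only > "$out/postfix-key.pem" )
  # -clcerts = the certificate that goes with the key; -cacerts = everything else.
  { openssl pkcs12 -in "$pfx" -passin "pass:$pw" -clcerts -nokeys 2>/dev/null | pem_only
    openssl pkcs12 -in "$pfx" -passin "pass:$pw" -cacerts -nokeys 2>/dev/null | pem_only
  } > "$out/postfix-cert.pem"
  chmod 600 "$out/postfix-key.pem"
  chmod 644 "$out/postfix-cert.pem"
}

# How many certificates a PEM file holds (server cert + chain).
cert_count() { grep -c '^-----BEGIN CERTIFICATE-----' "$1"; }

# CN of the first certificate in a PEM file, i.e. the one Postfix will present.
first_cn() {
  openssl x509 -noout -subject -in "$1" | sed 's/.*CN *= *//; s|[,/].*||'
}

# Usage: sh pfx-to-postfix.sh demo bundle.pfx 'bundle password' /etc/postfix
if [ "${1:-}" = demo ]; then
  pkcs12_to_postfix "$2" "$3" "$4"
  echo "server cert CN: $(first_cn "$4/postfix-cert.pem")"
  echo "certificates in chain file: $(cert_count "$4/postfix-cert.pem")"
fi
```

Bundles exported by older Windows versions are often protected with RC2/40-bit, which OpenSSL 3 refuses by default; add -legacy to the three openssl pkcs12 calls for those (and consider re-exporting the bundle). Check the CN (or, better, the subjectAltName) of the first certificate after conversion: if it is the issuer rather than the server, the bundle was built with the certificates in an order -clcerts could not sort out and the file needs reordering by hand.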

Setting up TLS with Postfix
Now add the following to /etc/postfix/main.cf to enable TLS, for inbound email (the smtpd_* settings) and for outbound email (the smtp_* settings):

    # 1) TLS support for inbound email (smtpd)
    smtpd_tls_cert_file = /etc/postfix/smtpd-cert.pem
    smtpd_tls_key_file = $smtpd_tls_cert_file
    smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
    smtpd_tls_session_cache_timeout = 86400s
    smtpd_tls_loglevel = 1
    smtpd_tls_security_level = may

    # 2) TLS support for outbound email (smtp client)
    smtp_tls_CAfile = /etc/pki/tls/cert.pem
    smtp_tls_note_starttls_offer = yes
    smtp_tls_loglevel = 1
    smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
    smtp_tls_session_cache_timeout = 86400s
    smtp_tls_security_level = may

Setting smtpd_tls_key_file to $smtpd_tls_cert_file only works when the private key is in the same file as the certificate (option 3 above). With the separate files built in "Building the PEM file", point the directives at them instead: smtpd_tls_cert_file = /etc/postfix/postfix-cert.pem and smtpd_tls_key_file = /etc/postfix/postfix-key.pem. A security level of may is opportunistic: the server offers STARTTLS and the client uses it when the remote side offers it, but neither refuses plaintext and the client does not verify the server certificate, so this protects against passive observation only. Run postfix reload after editing main.cf.

Using a Directory of CA's
Add the smtp_tls_CApath and smtpd_tls_CApath directives to your /etc/postfix/main.cf:

    smtp_tls_CApath = ${config_directory}/SSL/certs
    smtpd_tls_CApath = ${config_directory}/SSL/certs

OpenSSL looks certificates up in a CApath directory by subject-hash symlink (<hash>.0), not by file name, so you will need to run the following whenever you add CA's to this directory (on systems without the c_rehash script, openssl rehash does the same):

    /usr/bin/c_rehash /etc/postfix/SSL/certs/

TLS Fingerprint
To display the certificate fingerprint run:

    openssl x509 -sha256 -fingerprint -in /etc/postfix/postfix-cert.pem -noout

-md5 in place of -sha256 is also accepted and is what older listings show, but MD5 is collision-broken, so use SHA-256 whenever the fingerprint is used to identify or pin a certificate.

TLS with Dovecot
The terms SSL and TLS are often used in confusing ways:

 * SSL (Secure Sockets Layer) is the original protocol. SSLv3 is still allowed by Dovecot, but it is rarely used and is broken, so it should be disabled. Some clients use "SSL" to mean that they are going to connect to the imaps port (993), although they are still going to use the TLSv1 protocol.
 * TLS (Transport Layer Security) replaced the SSL protocol. The TLSv1 protocol is used practically always nowadays. Some clients use "TLS" to mean that they are going to use the STARTTLS command after connecting to the standard imap port (143). Nothing would prevent using the SSLv3 protocol after the STARTTLS command.

The term SSL is much more widely understood than TLS, so the Dovecot configuration and Dovecot's wiki documentation only talk about SSL when in fact they mean both SSL and TLS.
 * Dovecot uses OpenSSL, so whatever information you find about it applies also to Dovecot.

Troubleshooting TLS
To connect to a server using TLS run something like this:

    openssl s_client -connect samantha.mattrude.com:587 -starttls smtp

The output shows the certificate chain the server sent, the negotiated protocol and cipher, and a "Verify return code" line; 0 (ok) means the chain verified against the CAs in the default store. Pass -CAfile /etc/postfix/postfix-cacert.pem to verify against the private CA built above instead. For a Dovecot imaps listener use -connect host:993 without -starttls.
 * http://www.g-loaded.eu/2005/11/10/be-your-own-ca/
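The check described above as an added shell example, not code from the original page: a wrapper that runs openssl s_client against a STARTTLS listener and reduces its output to the negotiated protocol, the cipher and the verify result, returning success only when the chain verified. The parsing works on s_client's printed session summary, so it can be exercised on saved output; the host name, port and CA file are assumptions.

```shell
#!/bin/sh
# Added example (not from the page): wrap openssl s_client and summarise the lines
# that matter in its output. Host name, port and CA path are assumptions.
set -e

# Read s_client output on stdin; print "protocol=... cipher=... verify=..." and
# return 0 only when the server's chain verified (Verify return code 0).
assess_s_client() {
  out=$(cat)
  proto=$(printf '%s\n' "$out" | sed -n 's/^ *Protocol *: *//p' | head -n 1)
  cipher=$(printf '%s\n' "$out" | sed -n 's/^ *Cipher *: *//p' | head -n 1)
  verify=$(printf '%s\n' "$out" | sed -n 's/^ *Verify return code: *//p' | tail -n 1)
  printf 'protocol=%s cipher=%s verify=%s\n' \
    "${proto:-none}" "${cipher:-none}" "${verify:-no handshake}"
  case "$verify" in
    "0 "*) return 0 ;;   # chain verified
    *)     return 1 ;;   # no handshake, or chain not trusted: codes 18/19/21 usually
  esac                   # mean the issuing CA is not in the CA file you passed
}

# Probe a STARTTLS listener. $1 = host, $2 = port (587 submission, 25 smtp),
# $3 = CA file to verify against (default: the system bundle main.cf also uses).
# </dev/null makes s_client exit right after the handshake instead of waiting
# for input. This needs network access, so exercise it by hand.
starttls_probe() {
  openssl s_client -connect "$1:${2:-587}" -starttls smtp -servername "$1" \
    -CAfile "${3:-/etc/pki/tls/cert.pem}" </dev/null 2>&1 | assess_s_client
}

# Usage: sh probe.sh demo samantha.mattrude.com 587 /etc/postfix/postfix-cacert.pem
if [ "${1:-}" = demo ]; then
  starttls_probe "$2" "${3:-587}" "${4:-/etc/pki/tls/cert.pem}"
fi
```

A verify code of 21 (unable to verify the first certificate) or 19 (self signed certificate in certificate chain) against a server set up as above is expected when the probe uses the system bundle, since the certificate comes from the private CA; it should turn into 0 (ok) once -CAfile points at postfix-cacert.pem. If it does not, the server is presenting a different certificate than the one you installed.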