Transport Layer Security (TLS)

• RFC 5246

Building the PEM file

• Read the Postfix Manual on creating keys
• Or with Apache on creating a CA and keys on Fedora

Before you build the file you need to modify /etc/pki/tls/openssl.cnf. In this file you need to update the following BOLD text.

countryName                     = Country Name (2 letter code)
countryName_default             = US
countryName_min                 = 2
countryName_max                 = 2

stateOrProvinceName             = State or Province Name (full name)
stateOrProvinceName_default     = Minnesota

localityName                    = Locality Name (eg, city)
localityName_default            = Saint Paul

0.organizationName              = Organization Name (eg, company)
0.organizationName_default      = The Milly Server

organizationalUnitName          = Organizational Unit Name (eg, section)
organizationalUnitName_default  = milly.example.com

commonName                      = Common Name (eg, your name or your server\'s hostname)
commonName_max                  = 64
commonName_default              = milly.example.com

emailAddress                    = Email Address
emailAddress_max                = 64
emailAddress_default            = [email protected]

To build the CA run

cd /etc/pki/tls/misc
./CA -newca

cd /etc/postfix
openssl req -new -nodes -keyout postfix-key.pem -out postfix-req.pem -days 365

cd /etc/pki/tls/misc
openssl ca -out postfix-cert.pem -infiles /etc/postfix/postfix-req.pem

cp /etc/pki/CA/cacert.pem /etc/postfix/postfix-cacert.pem
cp /etc/pki/tls/misc/postfix-cert.pem /etc/postfix/postfix-cert.pem
chmod 644 /etc/postfix/postfix-cert.pem /etc/postfix/postfix-cacert.pem
chmod 400 /etc/postfix/postfix-key.pem

TLS with Postfix

• Also make sure you read the Postfix TLS README file.

Postfix (like Apache) needs both a public key certificate and the corresponding private key. These can be stored in quite a variety of product dependent ways. The following are supported by Postfix.

1. Root owned mode 0600 (typically RSA) private key in PEM format
   1. Separate, root owned mode 0644 certificate file in PEM format, with any intermediate CA certs listed after the server cert, depth first.
2. Root owned mode 0600 (typically RSA) private key in PEM format also containing the server cert and any intermediate CA certs as above.

The following are NOT supported:

• Password protected private key
• Private key or server cert in DER format
• Server cert trust chain in PKCS#7 file (PEM or DER)
• Private key and cert trust chain in PKCS#12 file (DER or PEM)
• Intermediate CA certs stored stored separately, one PEM file per CA.

If Apache uses option "1" or "2" from above, you can share the keys directly, otherwise you can convert the Apache keys from their native format to "1" or "2".

The conversion utilities are:

openssl rsa:	private key DER -> PEM
openssl x509:	certificate DER -> PEM
openssl pkcs7:	trust chain PKCS7 to PEM trust chain
openssl pkcs12:	key and trust chain -> PEM key and certs

In Windows land, all files are DER (binary ASN.1 not PEM) format and:

single cert 	== .cer file
PKCS#7 chain	== .spc file
PKCS#12 	== .pfx file

Setting up TLS with Postfix

Now in /etc/postfix/main.cf add the following to enable TLS.

• /etc/postfix/main.cf

# TLS Support for inbound email
smtpd_tls_cert_file = /etc/postfix/smtpd-cert.pem
smtpd_tls_key_file = $smtpd_tls_cert_file
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_tls_session_cache_timeout = 86400s
smtpd_tls_loglevel = 1
smtpd_tls_security_level = may
# TLS Support for outbound email
smtp_tls_CAfile = /etc/pki/tls/cert.pem
smtp_tls_note_starttls_offer = yes
smtp_tls_loglevel = 1
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_tls_session_cache_timeout = 86400s
smtp_tls_security_level = may

Using a Directory of CA's

Add smtp_tls_CApath & smtpd_tls_CApath directives to your main.cf

• /etc/postfix/main.cf

smtp_tls_CApath = ${config_directory}/SSL/certs
smtpd_tls_CApath = ${config_directory}/SSL/certs

you will need to run the following whenever you add CA's to this directory.

/usr/bin/c_rehash /etc/postfix/SSL/certs/

TLS Fingerprint

To display the fingerprint run:

openssl x509 -md5 -fingerprint -in /etc/postfix/postfix-cert.pem -noout

TLS with Dovecot

SSL and TLS terms are often used in confusing ways:

• SSL (Secure Sockets Layer) is the original protocol implementation. SSLv3 is still allowed by Dovecot, but it's rarely used. Some clients use SSL to mean that they're going to connect to the imaps port (993), although they're still going to use TLSv1 protocol.
• TLS (Transport Layer Security) replaced the SSL protocol. TLSv1 protocol is used practically always nowadays. Some clients use TLS to mean that they're going to use STARTTLS command after connecting to the standard imap port (143). Nothing would prevent using SSLv3 protocol after STARTTLS command.

SSL term is much more widely understood than TLS, so Dovecot configuration and Dovecot's wiki documentation only talks about SSL when in fact they means both SSL/TLS.

• Dovecot uses OpenSSL, so whatever information you find about it applies also to Dovecot.

Troubleshooting TLS

To connect to a server using TLS run something like this:

openssl s_client -connect samantha.mattrude.com:587 -starttls smtp

• http://www.g-loaded.eu/2005/11/10/be-your-own-ca/