Transport Layer Security (TLS)
Building the PEM file
Before you build the file you need to modify /etc/pki/tls/openssl.cnf. In this file, update the *_default values listed below so that they match your own site (the values shown are the example site's).
countryName = Country Name (2 letter code)
countryName_default = US
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Minnesota
localityName = Locality Name (eg, city)
localityName_default = Saint Paul
0.organizationName = Organization Name (eg, company)
0.organizationName_default = The Milly Server
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = milly.example.com
commonName = Common Name (eg, your name or your server's hostname)
commonName_max = 64
commonName_default = milly.example.com
emailAddress = Email Address
emailAddress_max = 64
emailAddress_default = [email protected]
To build the CA, generate a certificate request and key for Postfix, sign the request with the new CA, and install the resulting files, run:

cd /etc/pki/tls/misc
./CA -newca

cd /etc/postfix
openssl req -new -nodes -keyout postfix-key.pem -out postfix-req.pem -days 365

cd /etc/pki/tls/misc
openssl ca -out postfix-cert.pem -infiles /etc/postfix/postfix-req.pem

cp /etc/pki/CA/cacert.pem /etc/postfix/postfix-cacert.pem
cp /etc/pki/tls/misc/postfix-cert.pem /etc/postfix/postfix-cert.pem
chmod 644 /etc/postfix/postfix-cert.pem /etc/postfix/postfix-cacert.pem
chmod 400 /etc/postfix/postfix-key.pem
TLS with Postfix
- Also make sure you read the Postfix TLS README file.
Postfix (like Apache) needs both a public key certificate and the corresponding private key. These can be stored in quite a variety of product-dependent ways. The following are supported by Postfix.
1. Root owned mode 0600 (typically RSA) private key in PEM format
2. Separate, root owned mode 0644 certificate file in PEM format, with any intermediate CA certs listed after the server cert, depth first.
3. Root owned mode 0600 (typically RSA) private key in PEM format also containing the server cert and any intermediate CA certs as above.
The following are NOT supported:
- Password protected private key
- Private key or server cert in DER format
- Server cert trust chain in PKCS#7 file (PEM or DER)
- Private key and cert trust chain in PKCS#12 file (DER or PEM)
- Intermediate CA certs stored separately, one PEM file per CA.
If Apache uses form 1 or 2 from the supported list above, you can share the files directly; otherwise you can convert the Apache keys and certificates from their native format to form 1 or 2.
The conversion utilities are:
- openssl rsa: private key DER -> PEM
- openssl x509: certificate DER -> PEM
- openssl pkcs7: PKCS#7 trust chain -> PEM trust chain
- openssl pkcs12: PKCS#12 key and trust chain -> PEM key and certs
In Windows land, all files are DER (binary ASN.1 not PEM) format and:
- single cert == .cer file
- PKCS#7 chain == .spc file
- PKCS#12 == .pfx file
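The supported and unsupported forms above can be checked mechanically before reloading Postfix. The following is an added example written for this page (not Postfix's own code or the page author's): it inspects a key or certificate file for owner, mode, PEM vs DER, a password-protected key, and PKCS#7/PKCS#12 containers. The sample files in demo() are constructed placeholders, not real keys, and the owner check is relaxed to the current user there because the test cannot create root-owned files.

```python
import os
import re
import tempfile

# PEM block labels Postfix will not read directly (containers, see the list above)
UNSUPPORTED = {"PKCS7", "PKCS12"}
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 #]+)-----.*?-----END \1-----", re.S)

def pem_labels(data):
    """Labels of the PEM blocks in data; an empty list means not PEM (e.g. DER)."""
    return PEM_BLOCK.findall(data.decode("ascii", "replace"))

def check_file(path, kind, expect_uid=0):
    """Return a list of problems with a Postfix private key ('key') or cert ('cert') file."""
    problems, st = [], os.stat(path)
    mode = st.st_mode & 0o777
    if st.st_uid != expect_uid:
        problems.append("not owned by the expected user (root)")
    if kind == "key" and mode & 0o077:
        problems.append("private key must be mode 0600 or 0400, is %o" % mode)
    if kind == "cert" and mode & 0o022:
        problems.append("certificate must not be group/world writable, is %o" % mode)
    with open(path, "rb") as f:
        data = f.read()
    labels = pem_labels(data)
    if not labels:
        return problems + ["not PEM (DER is not supported)"]
    if b"Proc-Type: 4,ENCRYPTED" in data or "ENCRYPTED PRIVATE KEY" in labels:
        problems.append("password-protected private key is not supported")
    for label in sorted(UNSUPPORTED & set(labels)):
        problems.append("%s container is not supported" % label)
    if kind == "key" and not any(l.endswith("PRIVATE KEY") for l in labels):
        problems.append("no private key block found")
    if kind == "cert" and labels[0] != "CERTIFICATE":
        problems.append("first block must be the server certificate (chain follows it)")
    return problems

def demo():
    """Constructed sample files (placeholder bodies, not real keys) exercising the checks."""
    d, uid = tempfile.mkdtemp(), os.getuid()
    key, cert = os.path.join(d, "key.pem"), os.path.join(d, "cert.pem")
    with open(key, "wb") as f:  # encrypted key, world readable: two problems
        f.write(b"-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                b"AAAA\n-----END RSA PRIVATE KEY-----\n")
    os.chmod(key, 0o644)
    with open(cert, "wb") as f:  # plain server cert, mode 0644: acceptable
        f.write(b"-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n")
    os.chmod(cert, 0o644)
    return check_file(key, "key", uid), check_file(cert, "cert", uid)
```

Chain ordering (server cert first, then intermediates depth first) is only checked for the first block; the issuer/subject links between blocks still need openssl verify.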
Setting up TLS with Postfix
Now in /etc/postfix/main.cf add the following to enable TLS. The example keeps key and certificate in one file (smtpd_tls_key_file = $smtpd_tls_cert_file, form 3 above); if you built separate postfix-key.pem and postfix-cert.pem files as in the previous section, point smtpd_tls_cert_file and smtpd_tls_key_file at those two files instead.
- /etc/postfix/main.cf
# TLS Support for inbound email
smtpd_tls_cert_file = /etc/postfix/smtpd-cert.pem
smtpd_tls_key_file = $smtpd_tls_cert_file
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_tls_session_cache_timeout = 86400s
smtpd_tls_loglevel = 1
smtpd_tls_security_level = may

# TLS Support for outbound email
smtp_tls_CAfile = /etc/pki/tls/cert.pem
smtp_tls_note_starttls_offer = yes
smtp_tls_loglevel = 1
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_tls_session_cache_timeout = 86400s
smtp_tls_security_level = may
Using a Directory of CAs
Add the smtp_tls_CApath and smtpd_tls_CApath directives to your main.cf:
- /etc/postfix/main.cf
smtp_tls_CApath = ${config_directory}/SSL/certs
smtpd_tls_CApath = ${config_directory}/SSL/certs
You will need to run the following whenever you add CAs to this directory, so that the hash-named symlinks OpenSSL looks up are created:
/usr/bin/c_rehash /etc/postfix/SSL/certs/
TLS Fingerprint
To display the fingerprint run the following (replace -md5 with -sha256 for a SHA-256 fingerprint, which is what peers should compare today since MD5 is no longer collision resistant):
openssl x509 -md5 -fingerprint -in /etc/postfix/postfix-cert.pem -noout
TLS with Dovecot
SSL and TLS terms are often used in confusing ways:
- SSL (Secure Sockets Layer) is the original protocol implementation. SSLv3 is still allowed by Dovecot, but it's rarely used. Some clients use SSL to mean that they're going to connect to the imaps port (993), although they're still going to use TLSv1 protocol.
- TLS (Transport Layer Security) replaced the SSL protocol. TLSv1 protocol is used practically always nowadays. Some clients use TLS to mean that they're going to use STARTTLS command after connecting to the standard imap port (143). Nothing would prevent using SSLv3 protocol after STARTTLS command.
The term SSL is much more widely understood than TLS, so the Dovecot configuration and Dovecot's wiki documentation only talk about SSL when in fact they mean both SSL and TLS.
Troubleshooting TLS
To connect to a server using TLS run something like this:
openssl s_client -connect samantha.mattrude.com:587 -starttls smtp
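The same STARTTLS check, as an added example written for this page rather than taken from it: a Python probe that issues EHLO, upgrades with STARTTLS, and reports the negotiated protocol, cipher and certificate fingerprints (the same digests the openssl x509 -fingerprint command above prints). The default target is the host from the command above; it first verifies the server certificate against the system trust store and, if that fails, records the error and re-probes without verification so the details are still visible.

```python
import hashlib
import smtplib
import ssl
import sys

def fingerprint(der, algo="sha256"):
    """Colon-separated digest of a DER certificate, in the format openssl -fingerprint prints."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def probe_starttls(host, port=587, verify=True, timeout=10):
    """EHLO, upgrade with STARTTLS and report what the server negotiated."""
    ctx = ssl.create_default_context()
    if not verify:  # inspection only, like s_client: show the chain even if it does not validate
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            return {"starttls": False}  # not advertised: check smtpd_tls_security_level
        smtp.starttls(context=ctx)
        sock = smtp.sock  # now an SSLSocket
        der = sock.getpeercert(binary_form=True)
        return {"starttls": True, "version": sock.version(), "cipher": sock.cipher()[0],
                "sha256": fingerprint(der), "md5": fingerprint(der, "md5")}

def diagnose(host, port=587):
    """Verify the certificate first; on failure keep the error and re-probe unverified."""
    try:
        return dict(probe_starttls(host, port), verified=True)
    except ssl.SSLError as err:
        return dict(probe_starttls(host, port, verify=False), verified=False, error=str(err))

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "samantha.mattrude.com"
    for key, value in sorted(diagnose(target).items()):
        print("%-9s %s" % (key, value))
```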