CentOS 7 – Securing the mail server using SSL/TLS

How to Activate Windows Server 2019

SSL/TLS encryption for Postfix gives our mail server the capacity to not only authenticate remote SMTP servers but also to encrypt the e-mails that we send between our server and the receiver’s server.

To configure SSL to encrypt connections, we first need to create our own personalized and specific SSL certificates.

We need to go the TLS certificates directory to create our new certificate there:


$ cd /etc/pki/tls/certs/

Then we create our first key file:


$ sudo openssl genrsa -des3 -out mailserver.key 2048

Then the tool will ask for a passphrase. We should give something strong and retype it when the tool asks us to do so.

After that we need to start using the OpenSSL tool; so if it is not installed we need to install it first:


$ sudo yum install openssl

Then we use OpenSSL to write the RSA key:


$ sudo openssl rsa -in server.key -out server.key

Then write in the passphrase that has already defined and carry on to have the key generated.

Now we move on to certificate creation. In the same folder, we run the following command:


$ sudo make mailserver.csr

Then we fill in the information as each filed asked: Country Name, State or Province Name, Locality Name, Organization Name, Organizational Unit Name, Common Name, and Email Address and for the final two entries (A challenge password, and an optional company name) we can skip them.

Then we create a private key using OpenSSL:


$ sudo openssl x509 -in mailserver.csr -out server.crt -req -signkey mailserver.key -days 3650 –sha256

Then we move to the configuring Postfix and Dovecot to use the SSL/TLS encryption.

First, we are going to start by setting up Postfix to use SSL/TLS by making some modifications at its main configuration file, /etc/postfix/main.cf. We can always use a text editor to edit the file and change the parameters, or we can just use the command postconf -e to set them up in a faster way.

We will add some lines to the Postfix configuration file to protect it from some recent attacks against OpenSSL:


$ sudo nano "/etc/postfix/main.cf
smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDC3-SHA, KRB5-DE5, CBC3-SHA
smtpd_tls_dh1024_param_file = /etc/ssl/private/dhparams.pem

smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2, !SSLv3
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_protocols = !SSLv2, !SSLv3

We create the cert file:


$ cd /etc/ssl/private/
$ sudo openssl dhparam -out dhparams.pem 2048
$ sudo chmod 600 dhparams.pem

Then we need to make sure that the TLS is enabled to be used with SMTP:


$ sudo postconf -e 'smtpd_use_tls = yes'

Then we need to redefine the certificate and key files position:


$ sudo postconf -e 'smtpd_tls_cert_file = /etc/pki/tls/certs/mailserver.crt'
$ sudo postconf -e 'smtpd_tls_key_file = /etc/pki/tls/certs/mailserver.key'

Then we set the location of the TLS session database cache:


$ sudo postconf -e 'smtpd_tls_session_cache_database = btree:/etc/postfix/smtpd_scache'

That is all for the main configuration file. We will now configure /etc/postfix/master.cf:


$ sudo nano /etc/postfix/master.cf

We need to uncomment some options of Submission and SMTPS between lines 16 to 35 of the original file, to look like the following uncommented:

submission     inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING

smtps       inet   n       -       n       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING

We have finished with the Postfix configuration to use SSL. We can now configure SSL for Dovecot. We only need to make a few changes at the /etc/dovecot/conf.d/10-ssl.conf file:


$ sudo nano /etc/dovecot/conf.d/10-ssl.conf

First, we need to make sure that the SSL option is activated:

# Line8: change it to yes 
ssl = yes

Then we change the SSL certificate and key location:

# Line 14, 15: change the files location to the new one
ssl_cert = </etc/pki/tls/certs/mailserver.crt
ssl_key = </etc/pki/tls/certs/mailserver.key

And, finally, we need to restart the services to submit the change:


$ sudo systemctl restart postfix.service
$ sudo systemctl restart dovecot.service

Comments are closed.