PFS / Letsencrypt for Postfix/Dovecot/PureFTPd/mariadb

Discussion in 'Tips/Tricks/Mods' started by ztk.me, Oct 5, 2017.

  1. ztk.me

    ztk.me ISPConfig Developer ISPConfig Developer

    If you have your hosts FQDN in ISPConfig and made a valid Letsencrpyt-Cert for it, you can use it for mail, too.
    as described in https://www.howtoforge.com/communit...l-port-8080-with-lets-encrypt-free-ssl.75554/

    use the guid mentioned above for your fqdn certs, don't use the paths I have chosen here , I'll update if I have time...however, it works together

    update your config files for dovecot,postfix and pureftp using this script:

    /usr/local/bin/fixserviceconfigs.sh
    Code:
    #!/bin/sh
    hostname=`hostname -f`
    postconf -e "smtp_tls_CAfile = /etc/letsencrypt/live/$hostname/chain.pem"
    postconf -e "smtpd_tls_CAfile = /etc/letsencrypt/live/$hostname/chain.pem"
    postconf -e "smtpd_tls_cert_file = /etc/letsencrypt/live/$hostname/fullchain.pem"
    postconf -e "smtpd_tls_key_file = /etc/letsencrypt/live/$hostname/privkey.pem"
    postconf -e "smtp_tls_cert_file = /etc/letsencrypt/live/$hostname/fullchain.pem"
    postconf -e "smtp_tls_key_file = /etc/letsencrypt/live/$hostname/privkey.pem"
    postconf -e "tls_preempt_cipherlist      = yes"
    postconf -e "smtpd_tls_mandatory_ciphers = high"
    postconf -e "smtpd_use_tls = yes"
    postconf -e "smtpd_tls_security_level = may"
    postconf -e "smtpd_tls_protocols = !SSLv2,!SSLv3"
    postconf -e "smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3"
    postconf -e "tlsproxy_tls_protocols = \$smtpd_tls_protocols"
    postconf -e "tlsproxy_tls_mandatory_protocols = \$smtpd_tls_mandatory_protocols"
    postconf -e "smtp_tls_protocols = !SSLv2,!SSLv3"
    postconf -e "smtp_tls_mandatory_protocols = !SSLv2, !SSLv3"
    postconf -e "lmtp_tls_protocols = !SSLv2,!SSLv3"
    postconf -e "lmtp_tls_mandatory_protocols = !SSLv2, !SSLv3"
    postconf -e "smtpd_tls_ciphers = medium"
    postconf -e "smtp_tls_ciphers = medium"
    postconf -e "smtpd_tls_eecdh_grade = strong"
    postconf -e "smtpd_tls_exclude_ciphers = RC4 aNULL eNULL LOW 3DES MD5 EXP PSK SRP DSS ADH CAMELLIA SEED DES MEDIUM EXPORT aDSS kECDHe kECDHr kDHd kDHr IDEA RC2 aNULL"
    postconf -e "smtp_tls_exclude_ciphers = RC4 aNULL eNULL LOW 3DES MD5 EXP PSK SRP DSS ADH CAMELLIA SEED DES MEDIUM EXPORT aDSS kECDHe kECDHr kDHd kDHr IDEA RC2 aNULL"
    
    postconf -e "smtpd_tls_session_cache_database = btree:\${data_directory}/smtpd_scache"
    postconf -e "smtp_tls_session_cache_database = btree:\${data_directory}/smtp_scache"
    postconf -e "smtpd_tls_dh1024_param_file = \${config_directory}/dh2048.pem"
    postconf -e "smtpd_tls_dh512_param_file = \${config_directory}/dh512.pem"
    
    postconf -e "policyd-spf_time_limit = 3600"
    postconf -e "opendmarc_milter = unix:var/run/opendmarc/opendmarc.sock"
    postconf -e "smtputf8_enable = no"
    postconf -e "bounce_notice_recipient = [email protected]$hostname"
    
    postfix_master_conf=`cat /etc/postfix/master.cf`
    if [[ $postfix_master_conf != *"policyd-spf"* ]]; then
        postconf -M policyd-spf/spawn="policyd-spf  unix  -       n       n       -       0       spawn user=nobody argv=/usr/bin/policyd-spf"
    fi
    
    postconf -e "policyd-spf_time_limit = 3600"
    smtpd_recipient_restrictions=`postconf -p smtpd_recipient_restrictions`
    if [[ $smtpd_recipient_restrictions != *"check_policy_service unix:private/policyd-spf,"* ]]; then
        sed -i 's/reject_unauth_destination,/reject_unauth_destination,check_policy_service unix:private\/policyd-spf,/' /etc/postfix/main.cf
    fi
    postconf -P "smtp/inet/smtpd_milters=\${opendmarc_milter}"
    postconf -e "opendmarc_milter=unix:var/run/opendmarc/opendmarc.sock"
    
    echo 'HIGH:!CAMELLIA' > /etc/pure-ftpd/conf/TLSCipherSuite
    
    dovecot_conf=`cat /etc/dovecot/dovecot.conf`
    if [[ $dovecot_conf != *"!include conf.d/10-ssl.conf"* ]]; then
        echo "!include conf.d/10-ssl.conf" >> /etc/dovecot/dovecot.conf
    fi
    
    /usr/sbin/service postfix reload
    /usr/sbin/service dovecot restart
    /usr/sbin/service pure-ftpd-mysql restart
    
    Modify /etc/dovecot/conf.d/10-ssl.conf
    Code:
    ssl = yes
    ssl_cert = </etc/letsencrypt/live/<FQDN>fullchain.pem
    ssl_key = </etc/letsencrypt/live/<FQDN>/privkey.pem
    ssl_dh_parameters_length = 2048
    ssl_protocols = !SSLv3
    ssl_cipher_list = ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:!RC4+RSA:+HIGH:+MEDIUM:!SSLv3
    ssl_prefer_server_ciphers = yes
    
    it can be used using incron on dovecot.conf ect. so these settings won't get overwritten for a long time

    If you run postfix in chroot, well you need to copy some files of course.


    Add a cronjob /etc/cron.daily/fixcerts ( change <FQDN> again )
    Code:
    #!/bin/sh
    cat /etc/letsencrypt/live/<FQDN>/privkey.pem /etc/letsencrypt/live/<FQDN>/cert.pem > /etc/ssl/private/pure-ftpd.pem
    #cat /etc/letsencrypt/live/<FQDN>/privkey.pem /etc/letsencrypt/live/<FQDN>/cert.pem > /etc/monit/monit.pem
    #chmod 600 /etc/monit/monit.pem
    
    chmod 600 /etc/ssl/private/pure-ftpd.pem
    
    cd /etc/postfix
    umask 022
    openssl dhparam -out dh512.tmp 512 && mv dh512.tmp dh512.pem
    openssl dhparam -out dh1024.tmp 1024 && mv dh1024.tmp dh1024.pem
    openssl dhparam -out dh2048.tmp 2048 && mv dh2048.tmp dh2048.pem
    chmod 644 dh512.pem dh1024.pem dh2048.pem
    openssl dhparam -out /etc/ssl/private/pure-ftpd-dhparams.pem 2048
    rm /var/lib/dovecot/ssl-parameters.dat
    /usr/sbin/service postfix reload
    /usr/sbin/service dovecot restart
    /usr/sbin/service pure-ftpd-mysql restart
    
    You don't need the monit part, did I mention I'm lazy as f ;)...
    make it executable and run it at least one
    Code:
    chmod +x /etc/cron.daily/fixcerts
    /etc/cron.daily/fixcerts
    

    so what about mysql?
    This works for mariadb 10.3 using debian 9
    assuming the ispcerts have been symlinked according to your script.

    Code:
    cp /usr/local/ispconfig/interface/ssl/ispserver.pem /etc/mysql/mysql.pem
    openssl rsa -in /usr/local/ispconfig/interface/ssl/ispserver.key -out /etc/mysql/mysql.crt
    chown mysql:mysql /etc/mysql/mysql.crt
    chown mysql:mysql /etc/mysql/mysql.pem
    chmod 400 /etc/mysql/mysql.crt
    chmod 400 /etc/mysql/mysql.pem
    
    and no, you can't simply symlink those, it won't read.

    change your /etc/mysql/mariadb.conf.d/50-server.cnf
    service mysql restart
     
    Last edited: Jul 20, 2018
  2. Rabenkind

    Rabenkind Member

    Hi,
    as you can see i have a related dovecot/postfix issue. The problem with your setup is it will break after an ISPConfig update as the dovecot.conf and the postfix/main.cf get replaced/overwritten.

    I also would recommend leaving the paths to the certificates unchanged and create a symlink at the path of the certificates that points to the letsencrypt directory.
     
    ztk.me likes this.
  3. Jesse Norell

    Jesse Norell Well-Known Member

    You can make changes persistent by copying ISPConfig conf files to conf-custom files and making the changes there.
     
    ztk.me likes this.
  4. Rabenkind

    Rabenkind Member

    that is exactly what isn't working in my case. But nevermind, maybe busines-support can handle it.
     
  5. Jesse Norell

    Jesse Norell Well-Known Member

    I've made conf-custom files for both postfix and dovecot and they worked; make sure you have the correct filename as sometimes there are several similar ones and it's not always clear exactly which you need without testing it.

    Yes, likely so
     
  6. Racing-Ralph

    Racing-Ralph New Member

    Hello,

    I go a letsencrypt Certificate for mydomain.de.
    When I made the changes I get an Error when I test the mailserver.

    Cert Hostname DOES NOT VERIFY (mail. mydomain.de != mydomain. de | DNS:mydomain. de | DNS:www. mydomain .de)

    Do I have to make additional changes in DNS configuartion with the hoster oder any changes on my configs ?

    regards,
    Ralph
     
  7. ztk.me

    ztk.me ISPConfig Developer ISPConfig Developer

    if the cert doesn't match it's not the same ;)

    your server has a hostname, maybe a seperate mailname. The mailname is set in postfix' main.cf and should be the same name as
    the IPs reverse DNS is resolving to.
    And for that name you'll need a SSL cert which can then be used. If you use the mailname to connect to your mailserver, there shouldn't be a cert issue.
     
  8. Racing-Ralph

    Racing-Ralph New Member

    OK,

    in main.cf there are two sections

    myhostsname sxxxxx.providernameverver.de

    mydestination = sxxxxx.providernameverver.de, localhost, localhost.localdomain

    My domain ist mydomain.de

    where should I change.
     
  9. ztk.me

    ztk.me ISPConfig Developer ISPConfig Developer

    I assume numbers where the x are. Unfortunally having numbers as part of subdomains often triggers dial-up anti-spam filters.
    Basically you shouldn't need to change anything there, just create a LE cert ( create a website, tick SSL/LE ) and use it for your services.

    You can change it to something like mail.yourdomain.de , you need to have a valid A/AAAA record for mail.yourdomain.de ; RDNS of the IP should point to mail.yourdomain.de and then change the sxxx entry to mail.yourdomain.de & make sure your mailserver greets you with that name.
     
  10. Racing-Ralph

    Racing-Ralph New Member

    The numbers are given from the provider in order to use it before any domain ist registered (i think)

    I created the LE cert with ispconfig and pointed it to postfix, there are some tutorials here, so I thougt I can use ist for mail and the Server itself. They even write ist so. LE also provides wildcard certificates, maybe I should use this, but how.
    I changed in the main.cnf (postfix) to mail.mydomain.de nothing changes, same error.

    I think the reverse lookup gives the mydomain.de and not mail.mydomain.de

    I have in the dns configuration only a A record, there never has been AAAA record.

    So your idea is to create with ispconfig a site with mail.mydomain.de and create the LE/SSL. Then point postfix certificate to the live cert in LE ?

    regards, Ralph
     
  11. ztk.me

    ztk.me ISPConfig Developer ISPConfig Developer

    yes, but this one is actually a good idea to consider:
    if you don't take part of the glorious ip-future, you don't have to use AAAA :)
    if you can't change the reverse DNS entry of your IP, don't change the greeting of your MTA - it has to match. Ask your provider, some have no function for that using their web interface but do change it on request ( if you want to change the default that is )

    edit: oh and this one:
    didn't know this feature existed ... need to check it - would be happy as f :) ... yeah debian users loves the pain
     
    Last edited: May 25, 2018
  12. Racing-Ralph

    Racing-Ralph New Member

    Bingo, it works !!!!

    Thanks, hope that the renew also works.

    Have a nice weekend,
    Ralph
     
    ztk.me likes this.
  13. Racing-Ralph

    Racing-Ralph New Member

    Hy,

    I got now a new Problem after all seems to work fine.

    After I checked my Domain with mxtoolbox I get an error.

    I enterd the test with mydomain.de

    smtp mail.mydomain.de Reverse DNS Resolution - No PTR Record found

    I dont know where to set the PTR record, is it made in the DNS konfiguation at the provider ?

    Ralph
     
  14. ztk.me

    ztk.me ISPConfig Developer ISPConfig Developer

    if you don't have an option to set your PTR/rDNS record you might need to contact your provider and ask to set it.
    you can check your current entry using
    Code:
    $dig +noall +answer -x 8.8.4.4
    
    which gives you google-public-dns-b.google.com. as rDNS:
     
    ahrasis likes this.
  15. Racing-Ralph

    Racing-Ralph New Member

    This commad does not work on may debian system

    The command gives a blank line back, seems the ptr is not set.

    maybe i have to ask the provider
     
    Last edited: May 28, 2018
  16. Racing-Ralph

    Racing-Ralph New Member

    I try to specify the Problem, I dont know if its right here in this Thread.

    I have a LE certificate for my domain mydomain.de
    An other LE for mail.mydomain.de
    I use a vserver and the internall servername is : v9339166.providernameverver.de

    I have more than one domain on it

    In the postfix main.cf is : myhostsname v9339166.providernameverver.de


    Now I got an error when sending mails :

    host mx00.kundenserver.de[212.227.15.xxx] refused to talk to me: 554-kundenserver.de (mxeue011) Nemesis ESMTP Service not available 554-No SMTP service 554 invalid DNS PTR resource record, IP=185.158.212.xxx
    May 28 13:25:00 v9339166 postfix/smtp[32275]: 7806A9E4A2: to=<[email protected]>, relay=mx01.kundenserver.de[217.72.192.xxx]:25, delay=0.09, delays=0.01/0.01/0.07/0, dsn=4.0.0, status=deferred (host mx01.kundenserver.de[217.72.192.xxx] refused to talk to me: 554-kundenserver.de (mxeue111) Nemesis ESMTP Service not available 554-No SMTP service 554 invalid DNS PTR resource record, IP=185.158.212.xxx)

    The MX record is :

    mydomain.de 3600 IN MX 10 mail.mydomain.de

    TX record
    mydoman.de 3600 IN TX 0 v=spf1 mx a a:mx.providername.de ~all
     
  17. ztk.me

    ztk.me ISPConfig Developer ISPConfig Developer

    it is all correct - and you're right, you may not have a PTR record at all, go speak with your provider.
    and read the logs... it screams
     
  18. Racing-Ralph

    Racing-Ralph New Member

    I contacted my provider and he showed me to configure the PTR.

    Right now all workes fine.:)

    Thanks, Ralph
     
    ztk.me likes this.
  19. ztk.me

    ztk.me ISPConfig Developer ISPConfig Developer

    I have not found anything I could abuse to make ispconfig be aware on few config options for postfix, maybe need a custom-conf plugin like for php/apache...

    However I changed the cron slightly:
    Code:
    #!/bin/sh
    hostname="<fqdn>"
    postconf -e "smtp_tls_CAfile = /etc/letsencrypt/live/$hostname/chain.pem"
    postconf -e "smtpd_tls_CAfile = /etc/letsencrypt/live/$hostname/chain.pem"
    postconf -e "smtpd_tls_cert_file = /etc/letsencrypt/live/$hostname/fullchain.pem"
    postconf -e "smtpd_tls_key_file = /etc/letsencrypt/live/$hostname/privkey.pem"
    postconf -e "smtp_tls_cert_file = /etc/letsencrypt/live/$hostname/fullchain.pem"
    postconf -e "smtp_tls_key_file = /etc/letsencrypt/live/$hostname/privkey.pem"
    postconf -e "tls_preempt_cipherlist      = yes"
    postconf -e "smtpd_tls_mandatory_ciphers = high"
    postconf -e "smtpd_use_tls = yes"
    postconf -e "smtpd_tls_security_level = may"
    postconf -e "smtpd_tls_protocols = !SSLv2,!SSLv3"
    postconf -e "smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3"
    postconf -e "tlsproxy_tls_protocols = \$smtpd_tls_protocols"
    postconf -e "tlsproxy_tls_mandatory_protocols = \$smtpd_tls_mandatory_protocols"
    postconf -e "smtp_tls_protocols = !SSLv2,!SSLv3"
    postconf -e "smtp_tls_mandatory_protocols = !SSLv2, !SSLv3"
    postconf -e "lmtp_tls_protocols = !SSLv2,!SSLv3"
    postconf -e "lmtp_tls_mandatory_protocols = !SSLv2, !SSLv3"
    postconf -e "smtpd_tls_ciphers = medium"
    postconf -e "smtp_tls_ciphers = medium"
    postconf -e "smtpd_tls_eecdh_grade = strong"
    postconf -e "smtpd_tls_exclude_ciphers = RC4 aNULL eNULL LOW 3DES MD5 EXP PSK SRP DSS ADH CAMELLIA SEED DES MEDIUM EXPORT aDSS kECDHe kECDHr kDHd kDHr IDEA RC2 aNULL"
    postconf -e "smtp_tls_exclude_ciphers = RC4 aNULL eNULL LOW 3DES MD5 EXP PSK SRP DSS ADH CAMELLIA SEED DES MEDIUM EXPORT aDSS kECDHe kECDHr kDHd kDHr IDEA RC2 aNULL"
    
    postconf -e "smtpd_tls_session_cache_database = btree:\${data_directory}/smtpd_scache"
    postconf -e "smtp_tls_session_cache_database = btree:\${data_directory}/smtp_scache"
    postconf -e "smtpd_tls_dh1024_param_file = \${config_directory}/dh2048.pem"
    postconf -e "smtpd_tls_dh512_param_file = \${config_directory}/dh512.pem"
    
    echo 'HIGH:!CAMELLIA' > /etc/pure-ftpd/conf/TLSCipherSuite
    cat /etc/letsencrypt/live/$hostname/privkey.pem /etc/letsencrypt/live/$hostname/cert.pem > /etc/ssl/private/pure-ftpd.pem
    cat /etc/letsencrypt/live/$hostname/privkey.pem /etc/letsencrypt/live/$hostname/cert.pem > /etc/monit/monit.pem
    chmod 600 /etc/monit/monit.pem
    
    chmod 600 /etc/ssl/private/pure-ftpd.pem
    
    cd /etc/postfix
    umask 022
    openssl dhparam -out dh512.tmp 512 && mv dh512.tmp dh512.pem
    openssl dhparam -out dh1024.tmp 1024 && mv dh1024.tmp dh1024.pem
    openssl dhparam -out dh2048.tmp 2048 && mv dh2048.tmp dh2048.pem
    chmod 644 dh512.pem dh1024.pem dh2048.pem
    openssl dhparam -out /etc/ssl/private/pure-ftpd-dhparams.pem 2048
    
    /usr/sbin/service postfix reload
    /usr/sbin/service dovecot reload
    /usr/sbin/service pure-ftpd-mysql restart
    

    sure I would not really need that as admin, but if you setup a server for someone and he does some updates ... it's easier to tell him just to run the cron or simply wait ^^
     
  20. ztk.me

    ztk.me ISPConfig Developer ISPConfig Developer

    editbump: added mysql
     
    Jesse Norell likes this.

Share This Page