PFS / Letsencrypt for Postfix/Dovecot/PureFTPd

Discussion in 'Tips/Tricks/Mods' started by ztk.me, Oct 5, 2017.

  1. ztk.me

    ztk.me ISPConfig Developer

    If you have your host's FQDN in ISPConfig and made a valid Letsencrypt cert for it, you can use it for mail, too.

    Make changes to /etc/postfix/main.cf (replace <FQDN> with your SSL / mailname domain name)
    Code:
    # TLS parameters
    # CA chain, certificate and key for the server side (smtpd) and the client side (smtp)
    smtp_tls_CAfile = /etc/letsencrypt/live/<FQDN>/chain.pem
    smtpd_tls_CAfile = /etc/letsencrypt/live/<FQDN>/chain.pem
    smtpd_tls_cert_file = /etc/letsencrypt/live/<FQDN>/fullchain.pem
    smtpd_tls_key_file = /etc/letsencrypt/live/<FQDN>/privkey.pem
    smtp_tls_cert_file = /etc/letsencrypt/live/<FQDN>/fullchain.pem
    smtp_tls_key_file = /etc/letsencrypt/live/<FQDN>/privkey.pem
    tls_preempt_cipherlist      = yes
    smtpd_tls_mandatory_ciphers = high
    smtpd_use_tls = yes
    smtpd_tls_security_level = may
    # no SSLv2/SSLv3 anywhere: smtpd, tlsproxy, smtp client and lmtp client
    smtpd_tls_protocols = !SSLv2,!SSLv3
    smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
    tlsproxy_tls_protocols = $smtpd_tls_protocols
    tlsproxy_tls_mandatory_protocols = $smtpd_tls_mandatory_protocols
    smtp_tls_protocols = !SSLv2,!SSLv3
    smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
    lmtp_tls_protocols = !SSLv2,!SSLv3
    lmtp_tls_mandatory_protocols = !SSLv2, !SSLv3
    smtpd_tls_ciphers = medium
    smtp_tls_ciphers = medium
    smtpd_tls_eecdh_grade = strong
    smtpd_tls_exclude_ciphers = RC4 aNULL eNULL LOW 3DES MD5 EXP PSK SRP DSS ADH CAMELLIA SEED DES MEDIUM EXPORT aDSS kECDHe kECDHr kDHd kDHr IDEA RC2 aNULL
    smtp_tls_exclude_ciphers = RC4 aNULL eNULL LOW 3DES MD5 EXP PSK SRP DSS ADH CAMELLIA SEED DES MEDIUM EXPORT aDSS kECDHe kECDHr kDHd kDHr IDEA RC2 aNULL

    smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
    smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
    # the "dh1024" parameter is the group used for non-export DH ciphers; point it at the 2048-bit file generated by the cronjob below
    smtpd_tls_dh1024_param_file = ${config_directory}/dh2048.pem
    smtpd_tls_dh512_param_file = ${config_directory}/dh512.pem
    
    Make this change to /etc/dovecot/dovecot.conf
    Code:
    !include conf.d/10-ssl.conf
    
    Modify /etc/dovecot/conf.d/10-ssl.conf
    Code:
    ssl = yes
    # the leading "<" tells dovecot to read the value from the file
    ssl_cert = </etc/letsencrypt/live/<FQDN>/fullchain.pem
    ssl_key = </etc/letsencrypt/live/<FQDN>/privkey.pem
    ssl_dh_parameters_length = 2048
    ssl_protocols = !SSLv3
    ssl_cipher_list = ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:!RC4+RSA:+HIGH:+MEDIUM:!SSLv3
    ssl_prefer_server_ciphers = yes
    
    If you run postfix in a chroot, well, you need to copy some files of course, unless symlinks are working for you.

    If you want, you can adjust the TLSCipherSuite for pure-ftpd
    Code:
    echo 'HIGH:!CAMELLIA' > /etc/pure-ftpd/conf/TLSCipherSuite
    
    Add a cronjob /etc/cron.daily/fixcerts (change <FQDN> again)
    Code:
    #!/bin/sh
    # pure-ftpd expects key and certificate in one file
    cat /etc/letsencrypt/live/<FQDN>/privkey.pem /etc/letsencrypt/live/<FQDN>/cert.pem > /etc/ssl/private/pure-ftpd.pem
    #cat /etc/letsencrypt/live/<FQDN>/privkey.pem /etc/letsencrypt/live/<FQDN>/cert.pem > /etc/monit/monit.pem
    #chmod 600 /etc/monit/monit.pem

    chmod 600 /etc/ssl/private/pure-ftpd.pem

    # regenerate the DH parameters referenced in main.cf; written to a .tmp first so postfix never reads a half-written file
    cd /etc/postfix
    umask 022
    openssl dhparam -out dh512.tmp 512 && mv dh512.tmp dh512.pem
    openssl dhparam -out dh1024.tmp 1024 && mv dh1024.tmp dh1024.pem
    openssl dhparam -out dh2048.tmp 2048 && mv dh2048.tmp dh2048.pem
    chmod 644 dh512.pem dh1024.pem dh2048.pem
    openssl dhparam -out /etc/ssl/private/pure-ftpd-dhparams.pem 2048

    # reload/restart so the daemons pick up the renewed certificate
    /usr/sbin/service postfix reload
    /usr/sbin/service dovecot reload
    /usr/sbin/service pure-ftpd-mysql restart
    
    You don't need the monit part; did I mention I'm lazy as f ;)...
    Make it executable and run it at least once
    Code:
    chmod +x /etc/cron.daily/fixcerts
    /etc/cron.daily/fixcerts
    

    Should work perfectly; if not, I may have missed something - feel free to improve it as it certainly can't be perfect.
    Some of the stuff is mentioned in the forums but as far as I can see hasn't been put together yet; if it's a duplicate, I'm not sad if someone deletes redundant content :) cheers
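An added check script (not part of the post above and not an ISPConfig tool) for after fixcerts has run: it confirms that Postfix, Dovecot and pure-ftpd really present the Let's Encrypt certificate by comparing the SHA-256 fingerprint of the served leaf cert with /etc/letsencrypt/live/<FQDN>/cert.pem, which catches a stale chroot copy, a wrong path or a daemon that was not reloaded. It assumes openssl on the host, the default ports, and mail.example.com as a placeholder for your FQDN.

```shell
#!/bin/sh
# Added example, not from the post: verify each service presents the LE cert.
# Assumes openssl is installed; FQDN below is a placeholder for your mailname.
FQDN="${FQDN:-mail.example.com}"
LIVE="/etc/letsencrypt/live/$FQDN"

# SHA-256 fingerprint of a PEM certificate file.
file_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | sed 's/^.*=//'
}

# SHA-256 fingerprint of the leaf cert a service presents.
# $1 host, $2 port, $3 STARTTLS protocol for openssl (smtp, imap, ftp)
# or empty for implicit TLS (e.g. imaps on 993).
served_fingerprint() {
    host="$1"; port="$2"; starttls="$3"
    opt=""
    [ -n "$starttls" ] && opt="-starttls $starttls"
    # $opt is unquoted on purpose so it splits into two arguments
    openssl s_client -connect "$host:$port" -servername "$host" $opt \
        </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 2>/dev/null | sed 's/^.*=//'
}

# Returns 0 when the service on port $2 serves exactly $LIVE/cert.pem.
# A mismatch usually means a stale chroot copy, a wrong path in the
# config, or a daemon that was not reloaded after renewal.
check_service() {
    label="$1"; port="$2"; starttls="$3"
    want=$(file_fingerprint "$LIVE/cert.pem")
    got=$(served_fingerprint "$FQDN" "$port" "$starttls")
    if [ -n "$got" ] && [ "$got" = "$want" ]; then
        echo "OK   $label on :$port serves $want"
        return 0
    fi
    echo "FAIL $label on :$port serves '${got:-nothing}', expected $want"
    return 1
}

# Check the services configured in the post; non-zero on any mismatch.
main() {
    rc=0
    check_service postfix-smtp       25  smtp || rc=1
    check_service postfix-submission 587 smtp || rc=1
    check_service dovecot-imaps      993 ""   || rc=1
    check_service pure-ftpd          21  ftp  || rc=1
    return $rc
}

if [ "${1:-}" = "--run" ]; then main; fi
```

Run it as `FQDN=your.mailname sh check-tls.sh --run` after the cronjob; a FAIL line names the service that still serves the old or default certificate.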
     
  2. Rabenkind

    Rabenkind Member

    Hi,
    As you can see I have a related dovecot/postfix issue. The problem with your setup is it will break after an ISPConfig update, as the dovecot.conf and the postfix/main.cf get replaced/overwritten.

    I also would recommend leaving the paths to the certificates unchanged and creating a symlink at the path of the certificates that points to the letsencrypt directory.
     
    ztk.me likes this.
  3. Jesse Norell

    Jesse Norell Well-Known Member

    You can make changes persistent by copying ISPConfig conf files to conf-custom files and making the changes there.
     
    ztk.me likes this.
  4. Rabenkind

    Rabenkind Member

    That is exactly what isn't working in my case. But never mind, maybe business support can handle it.
     
  5. Jesse Norell

    Jesse Norell Well-Known Member

    I've made conf-custom files for both postfix and dovecot and they worked; make sure you have the correct filename as sometimes there are several similar ones and it's not always clear exactly which you need without testing it.

    Yes, likely so
     
  6. Racing-Ralph

    Racing-Ralph New Member

    Hello,

    I got a letsencrypt certificate for mydomain.de.
    When I made the changes I get an error when I test the mailserver.

    Cert Hostname DOES NOT VERIFY (mail.mydomain.de != mydomain.de | DNS:mydomain.de | DNS:www.mydomain.de)

    Do I have to make additional changes in the DNS configuration with the hoster or any changes on my configs?

    regards,
    Ralph
     
  7. ztk.me

    ztk.me ISPConfig Developer

    If the cert doesn't match, it's not the same ;)

    Your server has a hostname, maybe a separate mailname. The mailname is set in postfix's main.cf and should be the same name as
    the IP's reverse DNS resolves to.
    And for that name you'll need an SSL cert which can then be used. If you use the mailname to connect to your mailserver, there shouldn't be a cert issue.
     
  8. Racing-Ralph

    Racing-Ralph New Member

    OK,

    In main.cf there are two sections

    myhostname sxxxxx.providernameverver.de

    mydestination = sxxxxx.providernameverver.de, localhost, localhost.localdomain

    My domain is mydomain.de

    Where should I change it?
     
  9. ztk.me

    ztk.me ISPConfig Developer

    I assume numbers where the x's are. Unfortunately, having numbers as part of subdomains often triggers dial-up anti-spam filters.
    Basically you shouldn't need to change anything there; just create a LE cert (create a website, tick SSL/LE) and use it for your services.

    You can change it to something like mail.yourdomain.de; you need to have a valid A/AAAA record for mail.yourdomain.de, RDNS of the IP should point to mail.yourdomain.de, and then change the sxxx entry to mail.yourdomain.de & make sure your mailserver greets you with that name.
     
  10. Racing-Ralph

    Racing-Ralph New Member

    The numbers are given by the provider in order to use it before any domain is registered (I think).

    I created the LE cert with ispconfig and pointed it to postfix; there are some tutorials here, so I thought I can use it for mail and the server itself. They even write it so. LE also provides wildcard certificates, maybe I should use this, but how?
    I changed the main.cf (postfix) to mail.mydomain.de; nothing changes, same error.

    I think the reverse lookup gives mydomain.de and not mail.mydomain.de.

    I have in the DNS configuration only an A record; there never has been an AAAA record.

    So your idea is to create with ispconfig a site with mail.mydomain.de and create the LE/SSL. Then point the postfix certificate to the live cert in LE?

    regards, Ralph
     
  11. ztk.me

    ztk.me ISPConfig Developer

    Yes, but this one is actually a good idea to consider:
    if you don't take part in the glorious IP future, you don't have to use AAAA :)
    If you can't change the reverse DNS entry of your IP, don't change the greeting of your MTA - it has to match. Ask your provider; some have no function for that in their web interface but do change it on request (if you want to change the default, that is).

    edit: oh and this one:
    didn't know this feature existed ... need to check it - would be happy as f :) ... yeah, debian users love the pain
     
    Last edited: May 25, 2018
  12. Racing-Ralph

    Racing-Ralph New Member

    Bingo, it works!!!!

    Thanks, hope that the renew also works.

    Have a nice weekend,
    Ralph
     
    ztk.me likes this.
  13. Racing-Ralph

    Racing-Ralph New Member

    Hi,

    I now got a new problem, after all seemed to work fine.

    After I checked my domain with mxtoolbox I get an error.

    I entered the test with mydomain.de

    smtp mail.mydomain.de Reverse DNS Resolution - No PTR Record found

    I don't know where to set the PTR record; is it made in the DNS configuration at the provider?

    Ralph
     
  14. ztk.me

    ztk.me ISPConfig Developer

    If you don't have an option to set your PTR/rDNS record, you might need to contact your provider and ask them to set it.
    You can check your current entry using
    Code:
    dig +noall +answer -x 8.8.4.4

    which gives you google-public-dns-b.google.com. as rDNS.
     
    ahrasis likes this.
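An added forward-confirmed reverse DNS (FCrDNS) check, not part of any post in this thread: it takes the name the MTA greets with, looks up its addresses, the PTR of each address (the dig -x lookup shown above) and whether that PTR name resolves back, and applies the rule from the thread that PTR and greeting name must be the same. It assumes dig (dnsutils) is installed and uses mail.example.com as a placeholder for your myhostname / mailname.

```shell
#!/bin/sh
# Added example, not from the thread: forward-confirmed reverse DNS (FCrDNS)
# check for the name the MTA greets with, to catch the "invalid DNS PTR"
# rejection before mail is sent. Assumes dig (dnsutils) is installed;
# mail.example.com is a placeholder for your myhostname / mailname.
MAILNAME="${MAILNAME:-mail.example.com}"

# dig prints names with a trailing dot; strip it and lowercase for comparison.
norm() { sed 's/\.$//' | tr 'A-Z' 'a-z'; }

# One address: it needs a PTR, the PTR name must resolve back to the
# address, and (the rule given in the thread) it must equal the MTA name.
check_addr() {
    name="$1"; addr="$2"
    ptr=$(dig +short -x "$addr" | norm | head -n 1)
    if [ -z "$ptr" ]; then
        echo "FAIL $addr: no PTR record (ask the provider to set rDNS)"; return 1
    fi
    if ! { dig +short "$ptr" A; dig +short "$ptr" AAAA; } | grep -qxF "$addr"; then
        echo "FAIL $addr: PTR $ptr does not resolve back to $addr"; return 1
    fi
    if [ "$ptr" != "$name" ]; then
        echo "FAIL $addr: PTR is $ptr but the MTA greets as $name"; return 1
    fi
    echo "OK   $addr <-> $ptr"
}

# All addresses of the MTA name must pass; returns 0 only if every one does.
check_fcrdns() {
    name=$(printf '%s' "$1" | norm)
    # grep drops CNAME targets, which dig +short prints before the addresses
    addrs=$({ dig +short "$name" A; dig +short "$name" AAAA; } | grep -v '\.$' || true)
    if [ -z "$addrs" ]; then
        echo "FAIL $name has no A/AAAA record"; return 1
    fi
    rc=0
    for a in $addrs; do
        check_addr "$name" "$a" || rc=1
    done
    return $rc
}

if [ "${1:-}" = "--run" ]; then check_fcrdns "$MAILNAME"; fi
```

Run it as `MAILNAME=your.mailname sh check-rdns.sh --run`; each FAIL line says whether the PTR is missing, does not forward-confirm, or simply differs from the greeting name.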
  15. Racing-Ralph

    Racing-Ralph New Member

    This command does not work on my debian system.

    The command gives a blank line back; seems the PTR is not set.

    Maybe I have to ask the provider.
     
    Last edited: May 28, 2018
  16. Racing-Ralph

    Racing-Ralph New Member

    I try to specify the problem; I don't know if it's right here in this thread.

    I have a LE certificate for my domain mydomain.de
    Another LE for mail.mydomain.de
    I use a vserver and the internal servername is: v9339166.providernameverver.de

    I have more than one domain on it

    In the postfix main.cf is: myhostname v9339166.providernameverver.de


    Now I get an error when sending mails:

    host mx00.kundenserver.de[212.227.15.xxx] refused to talk to me: 554-kundenserver.de (mxeue011) Nemesis ESMTP Service not available 554-No SMTP service 554 invalid DNS PTR resource record, IP=185.158.212.xxx
    May 28 13:25:00 v9339166 postfix/smtp[32275]: 7806A9E4A2: to=<[email protected]>, relay=mx01.kundenserver.de[217.72.192.xxx]:25, delay=0.09, delays=0.01/0.01/0.07/0, dsn=4.0.0, status=deferred (host mx01.kundenserver.de[217.72.192.xxx] refused to talk to me: 554-kundenserver.de (mxeue111) Nemesis ESMTP Service not available 554-No SMTP service 554 invalid DNS PTR resource record, IP=185.158.212.xxx)

    The MX record is:

    mydomain.de 3600 IN MX 10 mail.mydomain.de

    TXT record
    mydomain.de 3600 IN TXT 0 v=spf1 mx a a:mx.providername.de ~all
     
  17. ztk.me

    ztk.me ISPConfig Developer

    It is all correct - and you're right, you may not have a PTR record at all; go speak with your provider.
    And read the logs... it screams.
     
  18. Racing-Ralph

    Racing-Ralph New Member

    I contacted my provider and he showed me how to configure the PTR.

    Right now all works fine. :)

    Thanks, Ralph
     
    ztk.me likes this.
