PFS / Letsencrypt for Postfix/Dovecot/PureFTPd

Discussion in 'Tips/Tricks/Mods' started by ztk.me, Oct 5, 2017.

  1. ztk.me (ISPConfig Developer)

    If you have your host's FQDN in ISPConfig and made a valid Letsencrypt cert for it, you can use it for mail, too.

    Make these changes to /etc/postfix/main.cf (replace <FQDN> with your SSL / mailname domain name)
    Code:
    # TLS parameters
    # Letsencrypt files: fullchain.pem = server cert + intermediate, chain.pem =
    # intermediate only. The CAfile settings are trust anchors for verifying peer
    # certificates, not what gets sent to clients; the chain sent to clients
    # comes from fullchain.pem.
    smtp_tls_CAfile = /etc/letsencrypt/live/<FQDN>/chain.pem
    smtpd_tls_CAfile = /etc/letsencrypt/live/<FQDN>/chain.pem
    smtpd_tls_cert_file = /etc/letsencrypt/live/<FQDN>/fullchain.pem
    smtpd_tls_key_file = /etc/letsencrypt/live/<FQDN>/privkey.pem
    smtp_tls_cert_file = /etc/letsencrypt/live/<FQDN>/fullchain.pem
    smtp_tls_key_file = /etc/letsencrypt/live/<FQDN>/privkey.pem
    # Let the server, not the client, pick the cipher so the preferences below apply
    tls_preempt_cipherlist      = yes
    smtpd_tls_mandatory_ciphers = high
    # smtpd_use_tls is the pre-2.3 knob; smtpd_tls_security_level supersedes it.
    # "may" = opportunistic STARTTLS: offer TLS, still accept plaintext from MTAs that can't.
    smtpd_use_tls = yes
    smtpd_tls_security_level = may
    # Disable SSLv2/SSLv3 for opportunistic and mandatory TLS, inbound and outbound
    smtpd_tls_protocols = !SSLv2,!SSLv3
    smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
    tlsproxy_tls_protocols = $smtpd_tls_protocols
    tlsproxy_tls_mandatory_protocols = $smtpd_tls_mandatory_protocols
    smtp_tls_protocols = !SSLv2,!SSLv3
    smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
    lmtp_tls_protocols = !SSLv2,!SSLv3
    lmtp_tls_mandatory_protocols = !SSLv2, !SSLv3
    # Grade "medium" plus the exclusions below (which drop MEDIUM too) leaves HIGH-grade suites only
    smtpd_tls_ciphers = medium
    smtp_tls_ciphers = medium
    # "strong" selects the P-256 curve for ECDHE key exchange
    smtpd_tls_eecdh_grade = strong
    smtpd_tls_exclude_ciphers = RC4 aNULL eNULL LOW 3DES MD5 EXP PSK SRP DSS ADH CAMELLIA SEED DES MEDIUM EXPORT aDSS kECDHe kECDHr kDHd kDHr IDEA RC2
    smtp_tls_exclude_ciphers = RC4 aNULL eNULL LOW 3DES MD5 EXP PSK SRP DSS ADH CAMELLIA SEED DES MEDIUM EXPORT aDSS kECDHe kECDHr kDHd kDHr IDEA RC2
    
    smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
    smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
    # Despite its name, smtpd_tls_dh1024_param_file holds the DH group for all
    # non-export ciphers, so pointing it at 2048-bit parameters is intended.
    # The 512-bit file is only used by export ciphers, which are excluded above.
    smtpd_tls_dh1024_param_file = ${config_directory}/dh2048.pem
    smtpd_tls_dh512_param_file = ${config_directory}/dh512.pem
    
    Make this change to /etc/dovecot/dovecot.conf
    Code:
    !include conf.d/10-ssl.conf
    
    Modify /etc/dovecot/conf.d/10-ssl.conf
    Code:
    ssl = yes
    # The leading '<' tells Dovecot to read the value from the file.
    # fullchain.pem = server cert + Letsencrypt intermediate.
    ssl_cert = </etc/letsencrypt/live/<FQDN>/fullchain.pem
    ssl_key = </etc/letsencrypt/live/<FQDN>/privkey.pem
    # Dovecot 2.2 syntax; 2.3 replaces this with ssl_dh = </path/to/dh.pem
    ssl_dh_parameters_length = 2048
    # Dovecot 2.2 syntax; 2.3 replaces this with ssl_min_protocol
    ssl_protocols = !SSLv3
    ssl_cipher_list = ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:!RC4+RSA:+HIGH:+MEDIUM:!SSLv3
    ssl_prefer_server_ciphers = yes
    
    If you run Postfix in a chroot, well, you need to copy some files of course, unless symlinks are working for you.

    If you want, you can adjust the TLSCipherSuite for Pure-FTPd
    Code:
    echo 'HIGH:!CAMELLIA' > /etc/pure-ftpd/conf/TLSCipherSuite
    
    Add a cron job /etc/cron.daily/fixcerts (change <FQDN> again)
    Code:
    #!/bin/sh
    # Pure-FTPd wants key and certificate in one file. Use fullchain.pem so the
    # Letsencrypt intermediate is sent as well; with cert.pem alone, clients that
    # do not fetch the intermediate themselves cannot build the chain.
    cat /etc/letsencrypt/live/<FQDN>/privkey.pem /etc/letsencrypt/live/<FQDN>/fullchain.pem > /etc/ssl/private/pure-ftpd.pem
    #cat /etc/letsencrypt/live/<FQDN>/privkey.pem /etc/letsencrypt/live/<FQDN>/cert.pem > /etc/monit/monit.pem
    #chmod 600 /etc/monit/monit.pem
    
    chmod 600 /etc/ssl/private/pure-ftpd.pem
    
    # DH parameters for Postfix. The groups are public, so world-readable (umask 022)
    # is fine; writing to .tmp and renaming means Postfix never sees a half-written file.
    # Note: this regenerates the groups on every run, which costs CPU time, and
    # dh1024.pem is generated but not referenced by the main.cf above.
    cd /etc/postfix
    umask 022
    openssl dhparam -out dh512.tmp 512 && mv dh512.tmp dh512.pem
    openssl dhparam -out dh1024.tmp 1024 && mv dh1024.tmp dh1024.pem
    openssl dhparam -out dh2048.tmp 2048 && mv dh2048.tmp dh2048.pem
    chmod 644 dh512.pem dh1024.pem dh2048.pem
    openssl dhparam -out /etc/ssl/private/pure-ftpd-dhparams.pem 2048
    
    # Postfix and Dovecot read the live/ files directly, but only at (re)load time,
    # so they must be reloaded after every renewal.
    /usr/sbin/service postfix reload
    /usr/sbin/service dovecot reload
    /usr/sbin/service pure-ftpd-mysql restart
    
    You don't need the monit part; did I mention I'm lazy as f ;)...
    Make it executable and run it at least once
    Code:
    chmod +x /etc/cron.daily/fixcerts
    /etc/cron.daily/fixcerts
    

    It should work perfectly; if not, I may have missed something. Feel free to improve it, as it certainly can't be perfect.
    Some of the stuff is mentioned in the forums but as far as I can see hasn't been put together yet. If it's a duplicate, I'm not sad if someone deletes the redundant content :) cheers
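The fixcerts script in the post copies the key and certificate unconditionally, restarts the services every day whether or not anything changed, and regenerates DH parameters on each run. The following is an added example (not ztk.me's code and not part of ISPConfig) of a renewal hook that covers the same three services but first checks that privkey.pem actually belongs to fullchain.pem, only rewrites the Pure-FTPd key+chain file and reloads when the leaf certificate changed, and generates the Pure-FTPd DH group once. The paths are the ones from the post; the variable names LIVE_DIR, OUT_PEM, DH_PEM and SERVICE, the `run` argument and the function names are assumptions introduced here so the script can be driven and tested from the environment.

```shell
#!/bin/sh
# Added example, not from the original post: a safer variant of fixcerts.
# LIVE_DIR/OUT_PEM/DH_PEM/SERVICE are assumed names, overridable from the
# environment; <FQDN> is the placeholder used throughout the post.
set -eu

LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live/<FQDN>}"
OUT_PEM="${OUT_PEM:-/etc/ssl/private/pure-ftpd.pem}"
DH_PEM="${DH_PEM:-/etc/ssl/private/pure-ftpd-dhparams.pem}"
SERVICE="${SERVICE:-/usr/sbin/service}"

# SHA-256 fingerprint of the first certificate in a PEM file. The sed filter
# drops the private key block, so this also works on the combined key+chain file.
cert_fingerprint() {
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$1" \
        | openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# True when the private key belongs to the certificate: compare the public key
# (SubjectPublicKeyInfo) derived from each, which works for RSA and ECDSA alike.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# True when the installed combined file already carries this leaf certificate.
already_installed() {
    [ -s "$1" ] && [ "$(cert_fingerprint "$1" 2>/dev/null)" = "$(cert_fingerprint "$2")" ]
}

# Write key + full chain with 0600 permissions from the first byte (umask 077 in
# a subshell) and rename atomically, so Pure-FTPd never reads a partial file.
install_combined() {
    tmp="$OUT_PEM.tmp"
    ( umask 077; cat "$LIVE_DIR/privkey.pem" "$LIVE_DIR/fullchain.pem" > "$tmp" )
    mv "$tmp" "$OUT_PEM"
}

# Generate the Pure-FTPd DH group once; the group is public and need not change.
ensure_dhparams() {
    [ -s "$DH_PEM" ] && return 0
    ( umask 022; openssl dhparam -out "$DH_PEM.tmp" 2048 ) && mv "$DH_PEM.tmp" "$DH_PEM"
}

# Postfix and Dovecot read the live/ files directly, but only at (re)load time.
reload_services() {
    "$SERVICE" postfix reload
    "$SERVICE" dovecot reload
    "$SERVICE" pure-ftpd-mysql restart
}

# Prints "unchanged" or "installed"; returns 1 and touches nothing on a mismatch.
deploy_certs() {
    if ! key_matches_cert "$LIVE_DIR/privkey.pem" "$LIVE_DIR/fullchain.pem"; then
        echo "refusing to install: privkey.pem does not match fullchain.pem" >&2
        return 1
    fi
    ensure_dhparams
    if already_installed "$OUT_PEM" "$LIVE_DIR/fullchain.pem"; then
        echo unchanged
        return 0
    fi
    install_combined
    reload_services
    echo installed
}

# Invoke as "fixcerts run" from cron.daily or as a certbot deploy hook.
if [ "${1:-}" = run ]; then
    deploy_certs
fi
```

Because the script is idempotent and only reloads on a real change, it is safe to run from /etc/cron.daily as in the post, or to drop into /etc/letsencrypt/renewal-hooks/deploy/ so certbot runs it right after a successful renewal instead of once a day.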
     
