# OpenSSL Certificates for Dovecot and Postfix



## wisdown (Sep 8, 2015)

Hey guys,

Someone have an tutorial teaching how to get SSL DHE-RSA-AES256-SHA working for Dovecot and Postfix?

I did the Certificate key using:

`openssl ecparam -genkey -name secp384r -out  usr/local/etc/ssl/private/mail.mydomain.com.key`

Then the Certificate Sign Request:

`openssl req -new -key /usr/local/etc/ssl/private/mail.mydomain.com.key -out /usr/local/etc/local/etc/ssl/private/mail.mydomain.com.csr`

And then Signed:

`"openssl x509 -req -days 365 -in /usr/local/etc/ssl/private/mail.mydomain.com.csr -signkey /usr/local/etc/ssl/private/mail.mydomain.com.key -out /usr/local/etc/ssl/certs/mail.mydomain.com.crt"`

Testing with:

`openssl s_client -connect IP.IP.IP.IP:995 -starttls smtp`

The connection start and nothing happen, no log saying about errors, sending:

`EHLO mydomain.com`

or

`EHLO mail.mydomain.com`

Make nothing, and cant stop using

`Ctrl C`

or

`Ctrl X`

Only option is restart the server.
My goal is have both Dovecot and Postfix with the best encrypted self-signed certificate under the RFC 6460 rules, and hardening guides about use the strongest and compatible encryption.

Thanks in advice


----------



## kpa (Sep 8, 2015)

Wrong protocol, port 995 is POP3 using SSL/TLS. Try this instead:

`openssl s_client -connect IP.IP.IP.IP:995 -starttls pop3`


----------



## wisdown (Sep 8, 2015)

Sorry, seems I did an wrong typo, on my situation I have disabled unencrypted ports and services like:

SMTP 25
POP3 110

Trying use SSL I am getting the connection start and close with:


```
errno=0
```

Looking on google seems is about how I make the certificates, something like not be supported by client or server.

Other forums sayed about start testing TLS on port 587, if this works the STARTTLS and SSL should be fine.
This one make server freeze.

If I understood right, the certficates need be made for specific scenarios, like SSL/TLS, or WEB/SSL, if this is right, I am lost how to build them for SSL/TLS.

Note: Already have removed my hardening from postfix and dovecot enabling all ciphers and did not worked. Now I have set back the good ciphers like:

/usr/local/etc/postfix/main.cf


```
smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDB3-SHA, KRB5-DES, CBC3-SHA
```

And /usr/local/etc/dovecot/dovecot.conf


```
ssl_cipher_list=ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
ssl_prefer_server_ciphers = yes
```

From this guide:

Guide to Deploying Diffie-Hellman for TLS


----------



## obsigna (Sep 8, 2015)

wisdown said:


> Someone have an tutorial teaching how to get SSL DHE-RSA-AES256-SHA working for Dovecot and Postfix?



In the Howtos sub-forum you will find an article series on how to setup a Home Mail Server with TLS and non-Plain authentication. Perhaps you will find most of what you need in Chapter 4 - Configurations of said series.

My TLS related configuration of Postfix in /usr/local/etc/postfix/main.cf is:

```
# INCOMING MAIL
...
tls_preempt_cipherlist              = yes

smtpd_tls_security_level            = may
smtpd_tls_received_header           = yes
smtpd_tls_mandatory_ciphers         = high
smtpd_tls_mandatory_exclude_ciphers = aNULL, MD5
smtpd_tls_mandatory_protocols       = !SSLv2, !SSLv3
smtpd_tls_eecdh_grade               = strong
smtpd_tls_dh1024_param_file         = /usr/local/etc/certs/dh_2048.pem
smtpd_tls_dh512_param_file          = /usr/local/etc/certs/dh_512.pem
smtpd_tls_cert_file                 = /usr/local/etc/certs/mailservice.chn
smtpd_tls_key_file                  = /usr/local/etc/certs/mailservice.key

# OUTGOING MAIL
relayhost                           = [smtp.MYRELAYHOST.com]:submission
smtp_sasl_auth_enable               = yes
smtp_sasl_mechanism_filter          = digest-md5
smtp_sasl_password_maps             = hash:/usr/local/etc/postfix/relay-sasl-password

smtp_tls_security_level             = encrypt
smtp_tls_mandatory_ciphers          = high
smtp_tls_mandatory_exclude_ciphers  = aNULL, MD5
smtp_tls_mandatory_protocols        = !SSLv2, !SSLv3
...
```

For some days I enforced TLS for incoming mails, but I had to set it to may because some peers (important for me) were not able to send encrypted mail. However, I enforce encryption on outgoing mail because I know that the relay accepts TLS. In the case of a server with direct delivery, your milage may vary with TLS enforcement.

If you are too picky with the MTA cipher suites, then depending of the enforcement policy, you either can't receive/send e-mails from/to some peers or the MTA falls back to unencrypted communication.

Regarding Dovecot, the situation is less subtle, because you quite possible can control the TLS settings of the MUAs. In /usr/local/etc/dovecot/dovecot.conf simply change the setting ssl_cipher_list = to your needs.


----------



## wisdown (Sep 9, 2015)

Thanks for the reply guys!!!

I was using this guide as base with some modifications (security, MySQL, etc..) after reading about hardening:

Postgresql+postfix+nginx+php+roundcube+dovecot+spamassassin+clamav+spamd

Usually I build one server per main service, for example:

*Mailserver*
Dovecot
Spamassassin
Clamav
Spamd

*Webserver*
Apache
roundcube
clamav
proftpd
phpMyAdmin

etc...

My adaptations was fine, all problem started after I read about certificate (I have no knowledge how OpenSSL and private certificate works, learning all possible now) and have decided to use secp384r1 (because the RFC) for build the certificate.

Using FreeBSD already have running dedicated servers:

Firewall (pfSense)
DNS Authoritative (jailed)
DNS Secondary (jailed)
DNS Forwarder (jailed)
NTP Server (does not work in jail environment)

After read a bit more, seems I need build an CA root server and start from webserver instead focus on mailserver now...
I have found this guide about how to setup CA root server, after finish the basics from new webserver (updates, make world, etc...), I will follow this guide:

How To Setup a CA

And off course, instead use the defaults on guide like 1024 length encryption or default RSA, I will use the previous commands for make the certificate like desired.

If someone know an better guide or another way to deal with it, please share.

obsigna

I am curious, why you use two times the dh file?


```
smtpd_tls_dh1024_param_file
smtpd_tls_dh512_param_file
```


PS.: This is my private home lab (one machine running VMware ESXi free version) , but, I am hosting some friends blogs, and then, can not focus in set everything for an single domain.

PS2.: Was think about your setup obsigna, and sounds amazing split dovecot and postfix how you did making the things more flexible.


----------



## obsigna (Sep 9, 2015)

wisdown said:


> ...
> obsigna I am curious, why you use two times the dh file?
> 
> ```
> ...



The smtpd_tls_dh512_param_file is in my setup because it wasn't touched since 2013, in the meantime it became obsolete, see: Forward Secrecy in the Postfix SMTP Server


----------

