Fedora 27
Sponsored Link

SSL Setting
2017/12/23
 
Configure SSL to encrypt connections.
[1]
Create certificates first, Refer to here.
[2] Configure Postfix and Dovecot for SSL.
[root@mail ~]#
vi /etc/postfix/main.cf
# add to the end

smtpd_use_tls = yes
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
smtpd_tls_cert_file = /etc/pki/tls/certs/server.crt
smtpd_tls_key_file = /etc/pki/tls/certs/server.key
smtpd_tls_session_cache_database = btree:/etc/postfix/smtpd_scache
[root@mail ~]#
vi /etc/postfix/master.cf
# line 17,18,20: uncomment

submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
#  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
# line 29-31: uncomment

smtps     inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
[root@mail ~]#
vi /etc/dovecot/conf.d/10-ssl.conf
# line 8: change

ssl =
yes
# line 14,15: specify certificates

ssl_cert = <
/etc/pki/tls/certs/server.crt

ssl_key = <
/etc/pki/tls/certs/server.key
# line 26: specify CA file

ssl_ca = <
/etc/pki/tls/certs/ca-bundle.crt
# line 51: uncomment

ssl_protocols = !SSLv3
[root@mail ~]#
systemctl restart postfix dovecot
[3] If Firewalld is running, allow SMTP-Submission/SMTPS/POP3S/IMAPS services. SMTP-Submission uses 587/TCP(used STARTTLS), SMTPS uses 465/TCP, POP3S uses 995/TCP, IMAPS uses 993/TCP.
[root@mail ~]#
firewall-cmd --add-service={smtp-submission,smtps,pop3s,imaps} --permanent

success
[root@mail ~]#
firewall-cmd --reload

success
[4] For Client's settings, ( Mozilla Thunderbird )
Open account's property and move to [Server Settings] on the left pane, then Select [STARTTLS] or [SSL/TLS] on [Connection security] field on the right pane. (this example shows to select [STARTTLS])
[5] Move to [Outgoing Server] on the left pane, then Select [STARTTLS] or [SSL/TLS] on [Connection security] field. Furthermore, change port to the used port. ([STARTTLS] uses [587], [SSL/TLS] uses 465, this example shows to select [STARTTLS])
[6] If your own self-signed certificates, the warning like follows are displayed, but it's no ploblem to proceed. Then it's possible to send or receive emails through STARTTLS or SSL/TLS connection.
 
Tweet