User Guide - Securing Email with SSL/TLS
- 09/11/2006 4:54 PM
Applicable Plans: All Standard,Advanced, Premier and Dedicated VPS plans
Overview
Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols that provide security for communications over networks such as the Internet. TLS and SSL encrypt the segments of network connections at the Transport Layer end-to-end. (From http://en.wikipedia.org/wiki/Transport_Layer_Security)

The mail server on your eApps VPS uses POP before SMTP authentication by default. This means that a user has to first check (POP) their e-mail before being allowed to send e-mail (SMTP). This method is very secure, and is used by the vast majority of eApps customers.

However, some customers are either required to use SSL/TLS, or simply prefer that method for security purposes. This User Guide is designed to help those customers set up SSL/TLS encryption to secure the connections to the e-mail server running on their eApps VPS.
While we will make every effort to assist you with the configuration of your e-mail client to use SSL/TLS, you are ultimately responsible for resolving any issues with the configuration and installation of your e-mail client software.
Our support is limited to the mail server itself. If our testing shows that the mail server is accepting e-mail and sending e-mail using SSL/TLS, then that is essentially the end of our responsibility. Again, we will assist you as best we can with your e-mail client configuration issues, but may have to refer you to the software vendor for more assistance if necessary.
For general e-mail questions or information, please see the E-mail User Guide.
SSL/TLS Configuration
Links to other information
SSL/TLS Configuration
Installing SSL/TLS
The files and libraries for SSL/TLS are already available on your VPS. There is no software to install.

All of the configuration on the VPS for SSL/TLS has to be done from the command line of the VPS, as the root user. Please see the SSH User Guide for more information.
CentOS 5
Follow these steps to set up Secure SMTP, IMAPS and POPS on your CentOS 5 VPS.

To see what operating system (OS) you have, click on the Subscriptions icon from the My Account tab of your Control Panel. Then click on the name of the subscription you want to see. The OS for that subscription will be displayed near the top of the page. If you are not on a CentOS 5 plan, but would like information on updating your plan, please contact eApps Support for more information.
Secure SMTP
To set up secure SMTP on a CentOS 5 VPS, do the following:

    [root@example ~]# cd /etc/pki/tls/certs
    [root@example certs]# ll
    total 448
    -rw-r--r-- 1 root root 441017 Jan  8  2009 ca-bundle.crt
    -rwxr-xr-x 1 root root    610 Jan  8  2009 make-dummy-cert
    -rw-r--r-- 1 root root   2251 Oct 13 08:57 Makefile
    -rw-r----- 1 root ldap   2352 Jan 18 14:43 slapd.pem
    [root@example certs]#
If there is an existing sendmail.pem file already in place, you can back that file up and create a new one.
This example shows a sendmail.pem file being created for an organization and user in Atlanta, GA, USA. Please make sure to substitute your own information when making the sendmail.pem file.
Run the make sendmail.pem command. When asked for the Common Name, enter the Fully Qualified Domain Name where your mail server is located, such as example.com or domain.virtual.vps-host.net. This will usually be the value of the Outgoing or SMTP server in your e-mail client.
To leave a question blank, simply enter a dot ( . ) as the answer.
    [root@example certs]# make sendmail.pem
    umask 77 ; \
    PEM1=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
    PEM2=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
    /usr/bin/openssl req -utf8 -newkey rsa:1024 -keyout $PEM1 -nodes -x509 -days 365 -out $PEM2 -set_serial 0 ; \
    cat $PEM1 >  sendmail.pem ; \
    echo ""    >> sendmail.pem ; \
    cat $PEM2 >> sendmail.pem ; \
    rm -f $PEM1 $PEM2
    Generating a 1024 bit RSA private key
    ...........++++++
    .........................++++++
    writing new private key to '/tmp/openssl.X16187'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [GB]:US
    State or Province Name (full name) [Berkshire]:Georgia
    Locality Name (eg, city) [Newbury]:Atlanta
    Organization Name (eg, company) [My Company Ltd]:eApps Web Hosting
    Organizational Unit Name (eg, section) []:.
    Common Name (eg, your name or your server's hostname) []:example.com
    Email Address []:user@example.com
    [root@example certs]#
Change to the /etc/mail directory. Backup the sendmail.mc and sendmail.cf files before continuing.
    [root@example certs]# cd /etc/mail
    [root@example mail]# cp sendmail.mc{,.bck}
    [root@example mail]# cp sendmail.cf{,.bck}
    [root@example mail]#
    [root@example mail]# vim sendmail.mc
Edit sendmail.mc with the vim editor (or any other text editor you have on your VPS), and make these changes.
Change these lines (the first four lines are together, the fifth line is further down the file):
    dnl define(`confCACERT_PATH', `/etc/pki/tls/certs')dnl
    dnl define(`confCACERT', `/etc/pki/tls/certs/ca-bundle.crt')dnl
    dnl define(`confSERVER_CERT', `/etc/pki/tls/certs/sendmail.pem')dnl
    dnl define(`confSERVER_KEY', `/etc/pki/tls/certs/sendmail.pem')dnl
    ...
    dnl DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl
to match this:
    define(`confCACERT_PATH', `/etc/pki/tls/certs')dnl
    define(`confCACERT', `/etc/pki/tls/certs/ca-bundle.crt')dnl
    define(`confSERVER_CERT', `/etc/pki/tls/certs/sendmail.pem')dnl
    define(`confSERVER_KEY', `/etc/pki/tls/certs/sendmail.pem')dnl
    ...
    DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl

and save and exit the file. The change is that the dnl at the beginning of each line has been removed. dnl is an m4 macro that makes m4 discard the rest of the line (think of it as "do not load"), so removing it allows sendmail to use those options.
Change directories again to /etc/mail, and make all, and then restart sendmail.
    [root@example mail]# cd /etc/mail
    [root@example mail]# make all
    [root@example mail]# service sendmail restart
    Shutting down sendmail:                                    [  OK  ]
    Shutting down sm-client:                                   [  OK  ]
    Starting sendmail:                                         [  OK  ]
    Starting sm-client:                                        [  OK  ]
    [root@example mail]#
If you receive an error similar to the following, you will need to contact eApps Support. This issue can only be corrected by a Technical Support representative.
    [root@example mail]# service sendmail restart
    sendmail: unrecognized service
    [root@example mail]#
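The sendmail.mc edit above is the step most easily got wrong by hand (uncommenting a neighbouring line, or only four of the five). The script below is an added example, not part of the eApps guide: it strips the leading dnl from exactly the five lines the guide names and then verifies the result. It assumes GNU sed -i (present on CentOS) and is written for the CentOS 5 file shown above; it does not depend on the certificate directory, so it applies unchanged to the CentOS 4 / Fedora layout with /usr/share/ssl/certs. The sample sendmail.mc fragment it works on is constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the eApps guide: enable the five TLS lines in
# sendmail.mc by removing the leading "dnl " from exactly those lines, then
# verify the result. Assumes GNU sed -i.

# Write a constructed sendmail.mc fragment to "$1": the lines the guide shows
# before editing, plus two neighbouring lines that must stay as they are.
make_sample_mc() {
    cat > "$1" <<'EOF'
divert(-1)dnl
dnl define(`confAUTH_OPTIONS', `A p')dnl
dnl define(`confCACERT_PATH', `/etc/pki/tls/certs')dnl
dnl define(`confCACERT', `/etc/pki/tls/certs/ca-bundle.crt')dnl
dnl define(`confSERVER_CERT', `/etc/pki/tls/certs/sendmail.pem')dnl
dnl define(`confSERVER_KEY', `/etc/pki/tls/certs/sendmail.pem')dnl
DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
dnl DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl
EOF
}

# Return 0 when all five options are active (no leading dnl) in "$1".
tls_lines_enabled() {
    mc="$1"
    for macro in confCACERT_PATH confCACERT confSERVER_CERT confSERVER_KEY; do
        grep -q "^define(\`${macro}'," "$mc" || return 1
    done
    grep -q '^DAEMON_OPTIONS(`Port=smtps,' "$mc"
}

# Back up "$1" (as the guide does with cp sendmail.mc{,.bck}) and remove the
# leading "dnl " from the four certificate defines and the smtps
# DAEMON_OPTIONS line only; every other line is left untouched.
enable_sendmail_tls() {
    mc="$1"
    cp "$mc" "$mc.bck" || return 1
    for macro in confCACERT_PATH confCACERT confSERVER_CERT confSERVER_KEY; do
        # The closing quote after the macro name keeps confCACERT from
        # also matching confCACERT_PATH.
        sed -i "s/^dnl \\(define(\`${macro}',\\)/\\1/" "$mc" || return 1
    done
    sed -i 's/^dnl \(DAEMON_OPTIONS(`Port=smtps,\)/\1/' "$mc"
}

# Demo on a constructed copy in a temp file. For the real file, run
#   enable_sendmail_tls /etc/mail/sendmail.mc
# and then, as the guide shows, `make all` in /etc/mail and restart sendmail.
demo=$(mktemp)
make_sample_mc "$demo"
enable_sendmail_tls "$demo"
if tls_lines_enabled "$demo"; then
    echo "TLS options are now active:"
    grep -n -e confSERVER_CERT -e Port=smtps "$demo"
fi
rm -f "$demo" "$demo.bck"
```

After running enable_sendmail_tls on the real file, `diff sendmail.mc.bck sendmail.mc` should show exactly five changed lines; anything more means the file does not look like the stock one and deserves a look before `make all`.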
Configuring IMAPS
To set up IMAPS on a CentOS 5 VPS, do the following:

    [root@example ~]# cd /etc/pki/tls/certs/
    [root@example certs]# ll
    total 452
    -rw-r--r-- 1 root root 441017 Jan  8  2009 ca-bundle.crt
    -rwxr-xr-x 1 root root    610 Jan  8  2009 make-dummy-cert
    -rw-r--r-- 1 root root   2251 Oct 13 08:57 Makefile
    -rw------- 1 root root   2271 Jan 28 11:26 sendmail.pem
    -rw-r----- 1 root ldap   2352 Jan 18 14:43 slapd.pem
If there is an existing imapd.pem file already in place, you can back that file up and create a new one. Then run make imapd.pem.
    [root@example certs]# make imapd.pem

Answer the prompts the same way you answered them for the sendmail.pem file. The answers don't have to be identical, but make certain to use the same Fully Qualified Domain Name as you used in sendmail.pem.
Change directories to the /etc/xinetd.d directory, and verify that an imap and imaps file exists.
    [root@example certs]# cd /etc/xinetd.d
    [root@example xinetd.d]# ll imap*
    -rw-r--r-- 1 root root 367 Oct 13 08:56 imap
    -rw-r--r-- 1 root root 362 Oct 13 08:56 imaps
    [root@example xinetd.d]#
If the imaps file does not exist, you can create one with the following command:
    [root@example xinetd.d]# sed s/'service imap'/'service imaps'/ imap > imaps

Check each file to make sure that it is set to disable = no.
The line will look like this:
    [root@example xinetd.d]# cat imap
    # default: off
    # description: The IMAP service allows remote users to access their mail using \
    #              an IMAP client such as Mutt, Pine, fetchmail, or Netscape \
    #              Communicator.
    service imap
    {
            disable = no
    ...

That line should be the same in both the imap and imaps file. If either file has disable = yes, change that to no and save and exit the file.
Once the files have been created and edited (if necessary), restart the xinetd service.
    [root@example xinetd.d]# service xinetd restart
    Stopping xinetd:                                           [  OK  ]
    Starting xinetd:                                           [  OK  ]
    [root@example xinetd.d]#
Configuring POPS
To configure POPS on a CentOS 5 VPS, do the following:

    [root@example ~]# cd /etc/pki/tls/certs
    [root@example certs]# make /etc/stunnel/stunnel_popa3d.pem

Answer the prompts the same way you answered them for the sendmail.pem file. The answers don't have to be identical, but make certain to use the same Fully Qualified Domain Name as you used in sendmail.pem.

Change directories to the /etc/xinetd.d directory, and verify that the popa3ds file is set to disable = no. By default this file is set to disable = yes, so you will need to change that.
    [root@example certs]# cd /etc/xinetd.d
    [root@example xinetd.d]# cat popa3ds
    # default: off
    # description: The POP3S service allows remote users to access their mail \
    #              using an POP3 client with SSL support such as fetchmail.
    service pop3s
    {
            disable = yes
    ...
You can either edit the file with a text editor such as vim, or use this command:
    [root@example xinetd.d]# sed -i s/yes/no/ popa3ds
Once the file has been changed (if needed), restart xinetd.
    [root@example xinetd.d]# service xinetd restart
    Stopping xinetd:                                           [  OK  ]
    Starting xinetd:                                           [  OK  ]
    [root@example xinetd.d]#
Verifying the setup
To verify that the correct ports are now listening, use the netstat -nap command.

    [root@example xinetd.d]# netstat -nap | grep sendmail
    tcp        0      0 0.0.0.0:465       0.0.0.0:*       LISTEN      15904/sendmail: acc
    tcp        0      0 0.0.0.0:25        0.0.0.0:*       LISTEN      15904/sendmail: acc
Port 465 is the secure SMTP port. Port 25 is the standard sendmail port. Port 25 has to stay open, because other mail servers will send mail to your VPS on port 25.
    [root@example xinetd.d]# netstat -nap | grep xinetd
    tcp        0      0 0.0.0.0:995       0.0.0.0:*       LISTEN      7582/xinetd
    tcp        0      0 0.0.0.0:993       0.0.0.0:*       LISTEN      7582/xinetd
Port 995 is for POPS, and port 993 is for IMAPS.
You can now set your e-mail clients to use SSL for POP/IMAP and SMTP. Please read the documentation for your specific e-mail client for more information on how to make those changes. See the Links to other information section for links to product specific support pages.
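The netstat check above, the disable = no edits in the IMAPS and POPS sections, and the 365-day lifetime of the certificates made by make sendmail.pem are all things worth checking again later, not only once at setup time. The script below is an added example, not from the eApps guide: it parses netstat -nap output in the format the guide shows and reports which of the four expected mail ports are not listening, reads and edits the disable line of an xinetd service file more narrowly than the guide's sed -i s/yes/no/, and uses openssl x509 -checkend to warn before a certificate expires. It assumes GNU sed -i and, for the certificate check only, an openssl binary and the CentOS 5 certificate paths from the guide (use /usr/share/ssl/certs on CentOS 4 / Fedora). The netstat excerpt and the xinetd file it runs on are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the eApps guide: re-check the mail TLS setup.
# Assumes GNU sed -i and, for cert_valid_for_days, an openssl binary.

# Constructed netstat -nap excerpt modelled on the guide's output, with POPS
# (995) deliberately missing and one non-listening connection mixed in.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:465             0.0.0.0:*               LISTEN      15904/sendmail: acc
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      15904/sendmail: acc
tcp        0      0 0.0.0.0:993             0.0.0.0:*               LISTEN      7582/xinetd
tcp        0      0 10.0.0.5:993            198.51.100.7:51234      ESTABLISHED 7582/xinetd'

# Print the TCP ports in LISTEN state, one per line, from netstat output on
# stdin. The port is the last colon-separated field of the local address, so
# IPv6 entries such as :::993 are handled as well.
listening_ports() {
    awk '$1 ~ /^tcp/ && $6 == "LISTEN" { n = split($4, a, ":"); print a[n] }'
}

port_name() {
    case "$1" in
        25)  echo "SMTP, must stay open for incoming mail" ;;
        465) echo "secure SMTP" ;;
        993) echo "IMAPS" ;;
        995) echo "POPS" ;;
        *)   echo "unknown" ;;
    esac
}

# Read netstat output on stdin; print "missing <port> (<name>)" for each mail
# port the guide expects that is not listening. Return 0 if all are present.
check_mail_ports() {
    ports=$(listening_ports)
    rc=0
    for p in 25 465 993 995; do
        if ! printf '%s\n' "$ports" | grep -qx "$p"; then
            echo "missing $p ($(port_name "$p"))"
            rc=1
        fi
    done
    return $rc
}

# Return 0 if the xinetd service file "$1" has "disable = no".
xinetd_enabled() {
    grep -Eq '^[[:space:]]*disable[[:space:]]*=[[:space:]]*no[[:space:]]*$' "$1"
}

# Flip only the disable line of "$1" to no; the guide's `sed -i s/yes/no/`
# would also rewrite the first "yes" on any other line of the file.
xinetd_enable() {
    sed -i 's/^\([[:space:]]*disable[[:space:]]*=[[:space:]]*\)yes/\1no/' "$1"
}

# Return 0 if the certificate in "$1" is still valid "$2" days from now.
cert_valid_for_days() {
    openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1"
}

# Demo against the constructed sample. On the VPS, pipe real output instead:
#   netstat -nap | check_mail_ports
printf '%s\n' "$SAMPLE_NETSTAT" | check_mail_ports || echo "some mail ports are not listening"

# Certificate check, skipped when the files or openssl are not present.
for pem in /etc/pki/tls/certs/sendmail.pem /etc/pki/tls/certs/imapd.pem /etc/stunnel/stunnel_popa3d.pem; do
    [ -r "$pem" ] && command -v openssl >/dev/null 2>&1 || continue
    cert_valid_for_days "$pem" 30 || echo "$pem expires within 30 days"
done
```

Run as root so netstat can show the owning program name; the port parsing itself does not need it. A missing 465 after the sendmail steps usually points at the DAEMON_OPTIONS line still carrying its dnl; missing 993 or 995 with xinetd running points at disable = yes in the matching /etc/xinetd.d file.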
CentOS 4 and Fedora
Follow these steps to set up Secure SMTP, IMAPS and POPS on your CentOS 4 or Fedora VPS.

To see what operating system (OS) you have, click on the Subscriptions icon from the My Account tab of your Control Panel. Then click on the name of the subscription you want to see. The OS for that subscription will be displayed near the top of the page. If you are not on a CentOS 5 plan, but would like information on updating your plan, please contact eApps Support for more information.

All of the configuration on the VPS for SSL/TLS has to be done from the command line of the VPS, as the root user. Please see the SSH User Guide for more information.
Secure SMTP
To set up secure SMTP on your CentOS 4 or Fedora VPS, do the following:

    [root@example ~]# cd /usr/share/ssl/certs
If there is an existing sendmail.pem file already in place, you can back that file up and create a new one.
This example shows a sendmail.pem file being created for an organization and user in Atlanta, GA, USA. Please make sure to substitute your own information when making the sendmail.pem file.
Run the make sendmail.pem command. When asked for the Common Name, enter the Fully Qualified Domain Name where your mail server is located, such as example.com or domain.virtual.vps-host.net. This will usually be the value of the Outgoing or SMTP server in your e-mail client.
To leave a question blank, simply enter a dot ( . ) as the answer.
    [root@example certs]# make sendmail.pem
    umask 77 ; \
    PEM1=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
    PEM2=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
    /usr/bin/openssl req -newkey rsa:1024 -keyout $PEM1 -nodes -x509 -days 365 -out $PEM2 ; \
    cat $PEM1 >  sendmail.pem ; \
    echo ""    >> sendmail.pem ; \
    cat $PEM2 >> sendmail.pem ; \
    rm -f $PEM1 $PEM2
    Generating a 1024 bit RSA private key
    ...++++++
    ........................................++++++
    writing new private key to '/tmp/openssl.qU1787'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [GB]:US
    State or Province Name (full name) [Berkshire]:Georgia
    Locality Name (eg, city) [Newbury]:Atlanta
    Organization Name (eg, company) [My Company Ltd]:eApps Web Hosting
    Organizational Unit Name (eg, section) []:.
    Common Name (eg, your name or your server's hostname) []:example.com
    Email Address []:user@example.com
    [root@example certs]#
Change to the /etc/mail directory. Backup the sendmail.mc and sendmail.cf files before continuing.
    [root@example certs]# cd /etc/mail
    [root@example mail]# cp sendmail.mc{,.bck}
    [root@example mail]# cp sendmail.cf{,.bck}
    [root@example mail]#
    [root@example mail]# vim sendmail.mc
Edit sendmail.mc with the vim editor (or any other text editor you have on your VPS), and make these changes.
Change these lines (the first four lines are together, the fifth line is further down the file):
    dnl define(`confCACERT_PATH', `/usr/share/ssl/certs')
    dnl define(`confCACERT', `/usr/share/ssl/certs/ca-bundle.crt')
    dnl define(`confSERVER_CERT', `/usr/share/ssl/certs/sendmail.pem')
    dnl define(`confSERVER_KEY', `/usr/share/ssl/certs/sendmail.pem')
    ...
    dnl DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl
to match this:
    define(`confCACERT_PATH', `/usr/share/ssl/certs')
    define(`confCACERT', `/usr/share/ssl/certs/ca-bundle.crt')
    define(`confSERVER_CERT', `/usr/share/ssl/certs/sendmail.pem')
    define(`confSERVER_KEY', `/usr/share/ssl/certs/sendmail.pem')
    ...
    DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl

and save and exit the file. The change is that the dnl at the beginning of each line has been removed. dnl is an m4 macro that makes m4 discard the rest of the line (think of it as "do not load"), so removing it allows sendmail to use those options.
Change directories again to /etc/mail, and make all, and then restart sendmail.
    [root@example mail]# cd /etc/mail
    [root@example mail]# make all
    [root@example mail]# service sendmail restart
    Shutting down sendmail:                                    [  OK  ]
    Shutting down sm-client:                                   [  OK  ]
    Starting sendmail:                                         [  OK  ]
    Starting sm-client:                                        [  OK  ]
    [root@example mail]#
If you receive an error similar to the following, you will need to contact eApps Support. This issue can only be corrected by a Technical Support representative.
    [root@example mail]# service sendmail restart
    sendmail: unrecognized service
    [root@example mail]#
Configuring IMAPS
To set up IMAPS on a CentOS 4 or Fedora VPS, do the following:

    [root@example ~]# cd /usr/share/ssl/certs
If there is an existing imapd.pem file already in place, you can back that file up and create a new one. Then run make imapd.pem.
    [root@example certs]# make imapd.pem

Answer the prompts the same way you answered them for the sendmail.pem file. The answers don't have to be identical, but make certain to use the same Fully Qualified Domain Name as you used in sendmail.pem.
Once the imapd.pem file is created, change directories to the /etc/xinetd.d directory, and verify that an imap and imaps file exists.
    [root@example certs]# cd /etc/xinetd.d
    [root@example xinetd.d]# ll imap*
    -rw-r--r-- 1 root root 367 Oct 13 08:56 imap
    -rw-r--r-- 1 root root 362 Oct 13 08:56 imaps
    [root@example xinetd.d]#
If the imaps file does not exist, you can create one with the following command:
    [root@example xinetd.d]# sed s/'service imap'/'service imaps'/ imap > imaps

Check each file to make sure that it is set to disable = no.
The line will look like this:
    [root@example xinetd.d]# cat imap
    # default: off
    # description: The IMAP service allows remote users to access their mail using \
    #              an IMAP client such as Mutt, Pine, fetchmail, or Netscape \
    #              Communicator.
    service imap
    {
            disable = no
    ...

That line should be the same in both the imap and imaps file. If either file has disable = yes, change that to no and save and exit the file.
Once the files have been created and edited (if necessary), restart the xinetd service.
    [root@example xinetd.d]# service xinetd restart
    Stopping xinetd:                                           [  OK  ]
    Starting xinetd:                                           [  OK  ]
    [root@example xinetd.d]#
Configuring POPS
To configure POPS on a CentOS 4 or Fedora VPS, do the following:

    [root@example ~]# cd /usr/share/ssl/certs
    [root@example certs]# make /etc/stunnel/stunnel_popa3d.pem

Run the make /etc/stunnel/stunnel_popa3d.pem command. Answer the prompts the same way you answered them for the sendmail.pem file. The answers don't have to be identical, but make certain to use the same Fully Qualified Domain Name as you used in sendmail.pem.

Change directories to the /etc/xinetd.d directory, and verify that the popa3ds file is set to disable = no. By default this file is set to disable = yes, so you will need to change that.
    [root@example certs]# cd /etc/xinetd.d
    [root@example xinetd.d]# cat popa3ds
    # default: off
    # description: The POP3S service allows remote users to access their mail \
    #              using an POP3 client with SSL support such as fetchmail.
    service pop3s
    {
            disable = yes
    ...
You can either edit the file with a text editor such as vim, or use this command:
    [root@example xinetd.d]# sed -i s/yes/no/ popa3ds
Once the file has been changed (if needed), restart xinetd.
    [root@example xinetd.d]# service xinetd restart
    Stopping xinetd:                                           [  OK  ]
    Starting xinetd:                                           [  OK  ]
    [root@example xinetd.d]#
Verifying the setup
To verify that the correct ports are now listening, use the netstat -nap command.

    [root@example xinetd.d]# netstat -nap | grep sendmail
    tcp        0      0 0.0.0.0:465       0.0.0.0:*       LISTEN      15904/sendmail: acc
    tcp        0      0 0.0.0.0:25        0.0.0.0:*       LISTEN      15904/sendmail: acc
Port 465 is the secure SMTP port. Port 25 is the standard sendmail port. Port 25 has to stay open, because other mail servers will send mail to your VPS on port 25.
    [root@example xinetd.d]# netstat -nap | grep xinetd
    tcp        0      0 0.0.0.0:995       0.0.0.0:*       LISTEN      7582/xinetd
    tcp        0      0 0.0.0.0:993       0.0.0.0:*       LISTEN      7582/xinetd
Port 995 is for POPS, and port 993 is for IMAPS.
You can now set your e-mail clients to use SSL for POP/IMAP and SMTP. Please read the documentation for your specific e-mail client for more information on how to make those changes. See the Links to other information section for links to product specific support pages.
Links to other information
Mozilla Thunderbird Support - http://www.mozilla.org/support/thunderbird/
Microsoft Outlook Express Support - http://www.microsoft.com/windows/ie/ie6/using/oe/default.mspx
Microsoft Outlook Support (has help pages for Outlook 2003 and 2007) - http://office.microsoft.com/en-us/outlook/default.aspx
Microsoft Windows Mail Support (replacement for Outlook Express on Vista and Windows 7) - http://windows.microsoft.com/en-US/windows-vista/Working-with-Windows-Mail
Apple Mail Support - http://www.apple.com/support/mail/
Microsoft Entourage Support - http://www.microsoft.com/mac/help.mspx?app=2