Securing E-mail with SSL/TLS
- 15/02/2012 11:46 AM
Applicable Plans - All Cloud Hosting Plans
Overview
If you want to use Secure SMTP (SMTPS), Secure IMAP (IMAPS), or Secure POP (POPS) to send and receive e-mail from your Virtual Server, you will need to set up SSL/TLS on your Virtual Server. SSL and TLS are cryptographic protocols that encrypt the connection between a client and a server over a network such as the Internet (TLS is the current protocol; SSL is its deprecated predecessor, and the name survives in many mail client settings). In this case they encrypt the connection between the e-mail client on your local computer (Microsoft Outlook, Apple Mail, Thunderbird, etc.) and the mail server on your Virtual Server as you send and receive e-mail through the VS. This protects only that hop: mail relayed onward to other mail servers is covered by whatever those servers negotiate on port 25.
Please note - setting up SSL/TLS on your Virtual Server will require everyone who uses the VS for sending and receiving e-mail to make changes to their e-mail clients.
These changes can include the ports used to send and receive e-mail, and also the names of the mail servers. Everyone will also have to accept the self-signed SSL certificate that was generated to encrypt the e-mail. Because a self-signed certificate is not issued by a certificate authority, the client cannot validate it on its own: when a client prompts you to accept it, compare the fingerprint it shows with the fingerprint of the certificate on the server before storing it permanently, otherwise you could be accepting a certificate presented by someone intercepting the connection. If these changes are not made, you may not be able to send and receive e-mail. See the relevant documentation for your e-mail client for more assistance if you need help making these changes.
Mail Server and Control Panel Information - Read Before You Start!
Which mail server is available and which files you need to edit will depend on which versions of CentOS and ISPmanager are installed. Please make sure you are working with the correct set of instructions.
- CentOS 6 and ISPmanager 4 - your Virtual Server uses Sendmail and Dovecot. Please see Setting up SSL/TLS with Sendmail
- CentOS 6 and ISPmanager 5 - your Virtual Server uses Exim and Dovecot. Please see Setting up SSL/TLS with Exim
- CentOS 7 and ISPmanager 5 - your Virtual Server uses Exim and Dovecot. Please see Setting up SSL/TLS with Exim
The instructions on how to set up Dovecot are the same for either combination of CentOS and ISPmanager: Setting up Secure IMAP (IMAPS) and Secure POP (POPS)
How to determine which version of ISPmanager you are on can be found here - ISPmanager Versions. If you need to determine which version of CentOS your Virtual Server is using, log in to the Customer Portal and go to My Cloud > Virtual Servers. Hover your cursor over the Info icon to the left of the Service name, and that will show the Template, which lists the version of CentOS.
- Setting up SSL/TLS with Sendmail
  - Setting up Secure SMTP (SMTPS) with Sendmail and ISPmanager 4
- Setting up SSL/TLS with Exim
  - Setting up Secure SMTP (SMTPS) with Exim and ISPmanager 5
- Setting up Secure IMAP (IMAPS) and Secure POP (POPS)
  - Setting up IMAPS and POPS with dovecot
Prerequisites
The base installation of the CentOS Linux distribution contains all the applications and files needed to set up SSL/TLS on your Virtual Server. No additional software is needed. This User Guide is specific to CentOS and ISPmanager templates.
If you are using a Ubuntu template, you may find more information here: Ubuntu - SSL/TLS. The Ubuntu template uses Postfix, so the information in this user guide will not apply. If you are using a Debian template, you may find more information here: Debian - SSL/TLS. The Debian template offered by eApps uses Exim4, but the information in this user guide will not apply because Debian uses a different package manager and system configuration.
All of the configuration for SSL/TLS has to be done from the command line of the Virtual Server, as the root user. You will need to be able to log in to the VS using SSH, and be able to navigate the Linux file system, edit files using a text editor (vim is available by default), and run commands.
If you need to have SSL/TLS configured, but are unable to do the required work yourself, please contact eApps Support for assistance. This configuration can usually be done for a small fee.
Setting up SSL/TLS with Sendmail
If your Virtual Server OS template has CentOS 6 with ISPmanager 4, you have the Sendmail mail server installed.
Setting up Secure SMTP (SMTPS) with Sendmail and ISPmanager 4
To set up Secure SMTP, you will need to create a sendmail.pem file. This file holds a self-signed certificate together with its private key; Sendmail presents the certificate to your e-mail client, and the client uses it to encrypt your SMTP communications to and from the Virtual Server.
You will also need to open port 465 on your Virtual Server. This will be the port that you set in your e-mail client for the outgoing mail server, which is sometimes called the SMTP Server or Outgoing Mail Server or something similar.
Make sure to leave the standard SMTP port (port 25) open, since this is the port that other mail servers will connect to in order to transfer e-mail to your VS. Once the certificate is configured, Sendmail also advertises STARTTLS on port 25, so server-to-server transfers can be encrypted opportunistically and clients that prefer STARTTLS over SMTPS can use port 25 with STARTTLS instead of port 465.
Creating a sendmail.pem file
The sendmail.pem file is used to secure the SMTP connection from your Virtual Server to your e-mail client. To create this file, you will need to enter information about your geographic location, and you will need to use the name of your e-mail server as it is specified in your mail client.
Change directories to /etc/pki/tls/certs and use the make sendmail.pem command to create the file. If there is an existing sendmail.pem file, make will report it as up to date and not replace it, so first set it aside with the mv sendmail.pem sendmail.pem.orig command (mv renames the file rather than copying it; the original stays available as sendmail.pem.orig).
[root@eapps-example ~]# cd /etc/pki/tls/certs
[root@eapps-example certs]# make sendmail.pem
This example for creating a sendmail.pem file uses eApps Hosting as the example. We are located in the city of Norcross, state of Georgia, country of the United States. Please make sure to substitute your own information. Also make sure to use the two letter country code for your country, which can be found here: Two letter country codes
When asked for the Common Name, use the exact same value as shown in your e-mail client for the SMTP or outgoing server. The Email Address is usually the E-mail Domain owner, as set in ISPmanager.
To leave a question blank, enter a dot ( . ) as the answer. In this example, Organizational Unit Name is left blank.
umask 77 ; PEM1=`/bin/mktemp /tmp/openssl.XXXXXX` ; PEM2=`/bin/mktemp /tmp/openssl.XXXXXX` ; /usr/bin/openssl req -utf8 -newkey rsa:2048 -keyout $PEM1 -nodes -x509 -days 365 -out $PEM2 -set_serial 0 ; cat $PEM1 > sendmail.pem ; echo "" >> sendmail.pem ; cat $PEM2 >> sendmail.pem ; rm -f $PEM1 $PEM2
Generating a 2048 bit RSA private key
............+++
................+++
writing new private key to '/tmp/openssl.kcIRiF'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:Georgia
Locality Name (eg, city) [Default City]:Norcross
Organization Name (eg, company) [Default Company Ltd]:eApps Hosting
Organizational Unit Name (eg, section) []:.
Common Name (eg, your name or your server's hostname) []:eapps-example.com
Email Address []:admin@eapps-example.com
[root@eapps-example certs]#
Once you have entered all the information, the sendmail.pem file is generated. It contains both the private key and the certificate: the -nodes option leaves the key unencrypted so that Sendmail can start unattended, and the umask 77 at the start of the command makes the file readable by root only, which is how it should stay. The certificate is valid for 365 days (-days 365), so plan to repeat this step before it expires, after which clients will refuse the connection or prompt for the certificate again.
After you have generated the sendmail.pem file, move on to the sendmail configuration.
sendmail configuration
To continue setting up Secure SMTP, you will need to make changes to the Sendmail configuration file, and then rebuild and restart the sendmail service.
Change directories to /etc/mail. Then make backup copies of the two main sendmail configuration files, sendmail.mc and sendmail.cf. When making these backup copies, use the .bck suffix, not .bak, because there is already a .bak copy of sendmail.cf which you do not want to overwrite.
Once you have made the backup copies, open sendmail.mc in a text editor (vim is used in this example). Only edit the sendmail.mc file; do not edit sendmail.cf directly, because it is regenerated from sendmail.mc and any direct changes would be lost.
[root@eapps-example ~]# cd /etc/mail
[root@eapps-example mail]# cp sendmail.mc{,.bck}
[root@eapps-example mail]# cp sendmail.cf{,.bck}
Change these five lines. The first four are together, starting at or around line 60, and the last is around line 134. Be aware that there are five lines in sendmail.mc that start with DAEMON_OPTIONS, so make sure you are changing the correct one, the one containing Port=smtps:
dnl define(`confCACERT_PATH', `/etc/pki/tls/certs')dnl
dnl define(`confCACERT', `/etc/pki/tls/certs/ca-bundle.crt')dnl
dnl define(`confSERVER_CERT', `/etc/pki/tls/certs/sendmail.pem')dnl
dnl define(`confSERVER_KEY', `/etc/pki/tls/certs/sendmail.pem')dnl
...
dnl DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl
Remove the dnl from the beginning of each line, but do not remove the dnl at the end of the line. In m4, dnl discards everything up to the end of the line, so a leading dnl comments the whole directive out while the trailing one only swallows the newline. The lines should now look like this:
define(`confCACERT_PATH', `/etc/pki/tls/certs')dnl
define(`confCACERT', `/etc/pki/tls/certs/ca-bundle.crt')dnl
define(`confSERVER_CERT', `/etc/pki/tls/certs/sendmail.pem')dnl
define(`confSERVER_KEY', `/etc/pki/tls/certs/sendmail.pem')dnl
DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl
Make sure that the first letter in each line is also on the left margin. Do not leave any indentation in the lines.
Once you have made your changes, save and exit the file.
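Before rebuilding, it is worth checking the edit mechanically: a directive that still carries its leading dnl, or that was left indented, compiles without complaint and simply does nothing, and you only find out when port 465 never appears. The script below is an added example, not part of the eApps guide or of sendmail. It reads a sendmail.mc and reports which of the five TLS directives from this section are missing, still commented out, or indented, and warns if confDH_PARAMETERS (see the note further down) is defined more than once, since m4 keeps only the last definition. The two sample excerpts at the bottom are constructed for illustration.

```python
"""Pre-flight check for the sendmail.mc TLS edits.

Added example, not part of the eApps guide or of sendmail. Run it against
/etc/mail/sendmail.mc before `make all`. The sample excerpts at the bottom
are constructed for illustration.
"""
import sys

# The five directives exactly as they must read once the leading "dnl " is gone.
REQUIRED = (
    "define(`confCACERT_PATH', `/etc/pki/tls/certs')dnl",
    "define(`confCACERT', `/etc/pki/tls/certs/ca-bundle.crt')dnl",
    "define(`confSERVER_CERT', `/etc/pki/tls/certs/sendmail.pem')dnl",
    "define(`confSERVER_KEY', `/etc/pki/tls/certs/sendmail.pem')dnl",
    "DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl",
)


def check_sendmail_mc(text):
    """Return a list of problem strings; an empty list means every required
    directive is present, starts at the left margin, and is not dnl'd out."""
    problems = []
    lines = text.splitlines()
    for want in REQUIRED:
        hits = [(n, l) for n, l in enumerate(lines, 1) if want in l]
        if not hits:
            problems.append("missing: %s" % want)
            continue
        # One active copy is enough, even if a dnl'd copy was left behind.
        if any(l.rstrip() == want for _, l in hits):
            continue
        for n, line in hits:
            if line.lstrip().startswith("dnl"):
                problems.append("line %d: still commented out with dnl: %s" % (n, want))
            elif line != line.lstrip():
                problems.append("line %d: indented; must start at the left margin" % n)
            else:
                problems.append("line %d: unexpected text around directive" % n)
    # m4 replaces an earlier define() with a later one, so a duplicate
    # confDH_PARAMETERS is a sign of confusion about which value is live.
    dh = [n for n, l in enumerate(lines, 1)
          if l.startswith("define(`confDH_PARAMETERS'")]
    if len(dh) > 1:
        problems.append("confDH_PARAMETERS defined %d times (lines %s); m4 keeps only the last"
                        % (len(dh), ", ".join(str(n) for n in dh)))
    return problems


# Constructed excerpts of sendmail.mc, before and after the edits above.
SAMPLE_BEFORE = """\
dnl define(`confCACERT_PATH', `/etc/pki/tls/certs')dnl
dnl define(`confCACERT', `/etc/pki/tls/certs/ca-bundle.crt')dnl
dnl define(`confSERVER_CERT', `/etc/pki/tls/certs/sendmail.pem')dnl
dnl define(`confSERVER_KEY', `/etc/pki/tls/certs/sendmail.pem')dnl
DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
dnl DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl
"""

SAMPLE_AFTER = """\
define(`confCACERT_PATH', `/etc/pki/tls/certs')dnl
define(`confCACERT', `/etc/pki/tls/certs/ca-bundle.crt')dnl
define(`confSERVER_CERT', `/etc/pki/tls/certs/sendmail.pem')dnl
define(`confSERVER_KEY', `/etc/pki/tls/certs/sendmail.pem')dnl
DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl
"""

if __name__ == "__main__":
    # Usage: python check_mc.py /etc/mail/sendmail.mc  (no argument: built-in sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_BEFORE
    for line in check_sendmail_mc(text) or ["OK: all five TLS directives are active"]:
        print(line)
```

An empty result only says the directives are syntactically active; it does not prove that sendmail.pem exists or is readable, so still run the netstat check after restarting.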
To rebuild sendmail.cf from the edited sendmail.mc, run the make all command. Once make all completes without errors, restart the sendmail service with service sendmail restart.
[root@eapps-example mail]# make all
[root@eapps-example mail]# service sendmail restart
Shutting down sm-client:                                   [  OK  ]
Shutting down sendmail:                                    [  OK  ]
Starting sendmail:                                         [  OK  ]
Starting sm-client:                                        [  OK  ]
[root@eapps-example mail]#
If you get any errors trying to restart sendmail, contact eApps Support.
Once sendmail is restarted, verify that the configuration change worked by using the netstat -nap | grep sendmail command.
[root@eapps-example mail]# netstat -nap | grep sendmail
tcp        0      0 0.0.0.0:465      0.0.0.0:*      LISTEN      18001/sendmail: acc
tcp        0      0 0.0.0.0:25       0.0.0.0:*      LISTEN      18001/sendmail: acc
unix  2      [ ]         DGRAM                    22332  18001/sendmail: acc
[root@eapps-example mail]#
This shows sendmail listening on port 465 and port 25. The last line is the sendmail service itself. If you see lines similar to this, then everything is working as expected. If you don't see port 465, go back and review your work. If you still need assistance, please contact eApps Support.
At this point your Virtual Server is ready to accept SMTPS connections on port 465. Be sure to make any configuration changes to your e-mail client that are needed for it to connect to the correct port to send e-mail, and also let any e-mail users you have on your VS know that they will need to do the same.
You will be asked to accept the certificate (the one in the sendmail.pem file) in order to send e-mail. Before storing it permanently, compare the fingerprint your client shows with the fingerprint of sendmail.pem on the server; a mismatch means the client is not talking to your server's certificate. Your e-mail client will have a way for you to store the certificate permanently so that you should only have to do this once, until the certificate expires and is regenerated.
!Note
If you are not able to send e-mail over secure SMTP and you see the error below in your mail log, you have a newer OpenSSL that rejects the old, short default Diffie-Hellman parameters and requires at least 1024 bits:
server1 sendmail[9851]: STARTTLS=server, error: accept failed=-1, SSL_error=1, errno=0, retry=-1, relay=[IP]
To fix this, follow the steps below:
1) Generate a new Diffie-Hellman parameter file of 2048 bits (in this example it was written to /etc/ssl/certs). This is a parameter file, not a key, and generating it can take several minutes. On OpenSSL releases that no longer ship gendh, openssl dhparam -out dh_2048.pem 2048 produces the same file.
openssl gendh -out dh_2048.pem -2 2048
2) Add the line below to sendmail.mc and recompile it. Sendmail's m4 macros keep only the last definition of an option, so a bare define(`confDH_PARAMETERS', `1024')dnl line placed before it (as some guides show) is overridden by the file path and is not needed.
define(`confDH_PARAMETERS', `/etc/ssl/certs/dh_2048.pem')dnl
m4 sendmail.mc > sendmail.cf
(make all, as used above, does the same.)
3) Restart sendmail with service sendmail restart.
Setting up SSL/TLS with Exim
If your Virtual Server OS template has CentOS 6 or CentOS 7 with ISPmanager 5, you have the Exim mail server installed.
Setting up Secure SMTP (SMTPS) with Exim and ISPmanager 5
When Exim is installed as part of ISPmanager 5, it creates a self-signed SSL certificate and automatically opens port 465. All you will need to do is configure your e-mail client to use port 465/SMTPS (Secure SMTP), and accept the self-signed SSL certificate. Please see the documentation for your e-mail client if you need assistance with this.
Creating your own self-signed SSL certificate
If you want to use your own self-signed SSL certificate with Exim and ISPmanager 5, you can create one and substitute that for the default certificate. To do this, you will need to make a backup copy of the existing self-signed SSL certificate and key, and then create new ones.
Change directories to /etc/exim/ssl, and make copies of the existing exim.crt and exim.key files.
[root@eapps-example ~]# cd /etc/exim/ssl
[root@eapps-example ~]# cp exim.crt{,.bck}
[root@eapps-example ~]# cp exim.key{,.bck}
To create the new self-signed SSL certificate, run this command: openssl req -new -newkey rsa:2048 -days 1095 -nodes -x509 -keyout exim.key -out exim.crt
This will create new exim.crt and exim.key files with your organizational information.
This example uses eApps Hosting: we are located in the city of Norcross, state of Georgia, country of the United States. Please make sure to substitute your own information. Also make sure to use the two letter country code for your country, which can be found here: Two letter country codes
When asked for the Common Name, use the exact same value as shown in your e-mail client for the SMTP or outgoing server. The Email Address is usually the E-mail Domain owner, as set in ISPmanager.
To leave a question blank, enter a dot ( . ) as the answer. In this example, Organizational Unit Name is left blank.
[root@eapps-example ssl]# openssl req -new -newkey rsa:2048 -days 1095 -nodes -x509 -keyout exim.key -out exim.crt
Generating a 2048 bit RSA private key
..........+++
.........................................................+++
writing new private key to 'exim.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:Georgia
Locality Name (eg, city) [Default City]:Norcross
Organization Name (eg, company) [Default Company Ltd]:eApps Hosting
Organizational Unit Name (eg, section) []:.
Common Name (eg, your name or your server's hostname) []:eapps-example.com
Email Address []:admin@eapps-example.com
[root@exim-test ssl]#
Once you have created the new exim.crt and exim.key files, give the new key the same owner and permissions as the exim.key.bck you backed up (compare the two with ls -l), so that it is readable by Exim but not by other users on the system. Then restart the exim service.
- For CentOS 6, use the service exim restart command:
[root@eapps-example ~]# service exim restart
- For CentOS 7, use the systemctl restart exim command:
[root@eapps-example ~]# systemctl restart exim
Remember that everyone will have to accept the self-signed SSL certificate in order to use secure SMTP with their e-mail client.
Setting up Secure IMAP (IMAPS) and Secure POP (POPS)
Your Virtual Server uses Dovecot - http://www.dovecot.org/ as the POP/IMAP server. Dovecot is fast and very secure.
The port for IMAPS, port 993, is already listening on your Virtual Server. No port or services configuration is needed. The port for POPS, port 995, is also listening on your VS. If you have blocked either port with iptables, you will need to unblock them.
Dovecot uses a single certificate and key for both IMAPS and POPS, so the certificate you generate below serves both services; there is nothing separate to do for POPS.
Setting up IMAPS and POPS with dovecot
To set up IMAPS and POPS, you will need to generate a dovecot.pem certificate and private key file. This is the information your e-mail client will request when connecting to the mail server. All of this must be done from the command line of the Virtual Server, as the root user. If you need to set up secure IMAP or POP, but cannot work from the command line, contact eApps Support.
To generate the dovecot.pem file, you will need to first edit the dovecot-openssl.cnf file, and then generate both the certificate and private key from that file. Change directories to /etc/pki/dovecot, and make a backup of the existing dovecot-openssl.cnf file. Then open the file for editing (this example uses the vim editor, nano is also available).
[root@eapps-example ~]# cd /etc/pki/dovecot/
[root@eapps-example dovecot]# ll
total 12
drwxr-xr-x 2 root root 4096 Nov 16 01:36 certs
-rw-r--r-- 1 root root  496 Mar 26  2010 dovecot-openssl.cnf
drwxr-xr-x 2 root root 4096 Nov 16 01:36 private
[root@eapps-example dovecot]# cp dovecot-openssl.cnf{,.bck}
[root@eapps-example dovecot]# vim dovecot-openssl.cnf
This example for editing the dovecot-openssl.cnf file uses eApps Hosting as the example, and the domain of eapps-example.com. We are located in the city of Norcross, state of Georgia, country of the United States. Please make sure to substitute your own information.
By default, the file looks like this:
[ req ]
default_bits = 1024
encrypt_key = yes
distinguished_name = req_dn
x509_extensions = cert_type
prompt = no

[ req_dn ]
# country (2 letter code)
#C=FI

# State or Province Name (full name)
#ST=

# Locality Name (eg. city)
#L=Helsinki

# Organization (eg. company)
#O=Dovecot

# Organizational Unit Name (eg. section)
OU=IMAP server

# Common Name (*.example.com is also possible)
CN=imap.example.com

# E-mail contact
emailAddress=postmaster@example.com

[ cert_type ]
nsCertType = server
Using eApps as the example, the file would look like this:
[ req ]
default_bits = 1024
encrypt_key = yes
distinguished_name = req_dn
x509_extensions = cert_type
prompt = no

[ req_dn ]
# country (2 letter code)
C=US

# State or Province Name (full name)
ST=Georgia

# Locality Name (eg. city)
L=Norcross

# Organization (eg. company)
O=eApps

# Organizational Unit Name (eg. section)
OU=IMAP server

# Common Name (*.example.com is also possible)
CN=eapps-example.com

# E-mail contact
emailAddress=admin@eapps-example.com

[ cert_type ]
nsCertType = server
You will need to change the country, State or Province Name, Locality Name, Organization, Common Name and E-mail contact. The value for Organizational Unit Name can be left as is. Also consider raising default_bits from 1024 to 2048: 1024-bit RSA keys are below current recommendations, and newer mail clients and TLS libraries reject them. If you do, the mkcert.sh output shown further down will report a 2048 bit key instead of 1024.
You will need to uncomment the lines that you are changing so that they are read when the certificate file is created.
Note that the file expects a two character country code. You can find your country code here - http://www.theodora.com/country_digraphs.html
For the Common Name, use the name of your mail server. The name in this file must match what you have for your Incoming Mail Server in your e-mail client. All users who are going to use IMAPS or POPS must have this same value in their e-mail clients.
The E-mail contact is the e-mail address for the admin user of the VS. This is who would get any status e-mails generated by dovecot if it were set up for that type of logging and notification. Generally this is the E-mail Domain owner in ISPmanager.
After you have made your changes, save and exit the file.
After editing the dovecot-openssl.cnf file, you will need to generate the certificate that will be used to encrypt the connection between your e-mail client and the mail server when you download your e-mail. To do this, you will need to move two existing files, both called dovecot.pem, and then generate a new one.
If you skip this step, then your new certificate file will not be generated. The error you will get will be similar to /etc/pki/dovecot/certs/dovecot.pem already exists, won't overwrite. If you get this error, go back and make sure that you have moved the existing dovecot.pem files.
The first dovecot.pem file is located in the /etc/pki/dovecot/certs directory, and the second is located in the /etc/pki/dovecot/private directory. You will need to change to each directory, and move the existing dovecot.pem files using the mv dovecot.pem dovecot.pem.bck command. Once you have moved the files, change back to the /etc/pki/dovecot directory.
[root@eapps-example dovecot]# cd /etc/pki/dovecot/certs/
[root@eapps-example certs]# ll
total 4
-rw------- 1 root root 847 Nov 16 01:36 dovecot.pem
[root@eapps-example certs]# mv dovecot.pem dovecot.pem.bck
[root@eapps-example certs]# ll
total 4
-rw------- 1 root root 847 Nov 16 01:36 dovecot.pem.bck
[root@eapps-example certs]# cd /etc/pki/dovecot/private/
[root@eapps-example private]# ll
total 4
-rw------- 1 root root 916 Nov 16 01:36 dovecot.pem
[root@eapps-example private]# mv dovecot.pem dovecot.pem.bck
[root@eapps-example private]# ll
total 4
-rw------- 1 root root 916 Nov 16 01:36 dovecot.pem.bck
[root@eapps-example private]# cd /etc/pki/dovecot/
[root@eapps-example dovecot]#
Once you are back in the /etc/pki/dovecot directory, run the command that generates the new dovecot.pem files: /usr/libexec/dovecot/mkcert.sh. Run it from this directory, as shown, so that it picks up the dovecot-openssl.cnf you just edited.
[root@eapps-example dovecot]# /usr/libexec/dovecot/mkcert.sh
Generating a 1024 bit RSA private key
.++++++
...............................................++++++
writing new private key to '/etc/pki/dovecot/private/dovecot.pem'
-----
subject= /C=US/ST=Georgia/L=Norcross/O=eApps/OU=IMAP server/CN=eapps-example.com/emailAddress=admin@eapps-example.com
SHA1 Fingerprint=31:5F:7D:60:03:4C:0E:BF:63:34:18:3A:30:F7:B5:BC:77:CD:8E:32
[root@eapps-example dovecot]#
If you look in the /etc/pki/dovecot/certs and /etc/pki/dovecot/private directories now, you will see a new dovecot.pem file in each: the certificate in certs and the private key in private. Both were created from the information you added to the dovecot-openssl.cnf file. The private key file should have the same root-only permissions (-rw-------) as the file it replaced. Make a note of the SHA1 Fingerprint line printed by mkcert.sh; it is the value users should compare against when their clients ask them to accept the certificate.
Once you have created the new Dovecot files, you will need to restart the dovecot service.
- For CentOS 6, use the service dovecot restart command:
[root@eapps-example ~]# service dovecot restart
- For CentOS 7, use the systemctl restart dovecot command:
[root@eapps-example ~]# systemctl restart dovecot
At this point your Virtual Server is ready to accept IMAPS connections on port 993 and POPS connections on port 995. Be sure to make any configuration changes to your e-mail client that are needed for it to connect to the correct port to receive e-mail, and also let any e-mail users you have on your VS know that they will need to do the same.
You will be asked to accept the certificate (the one in the dovecot.pem file) in order to receive e-mail. Before storing it permanently, compare the fingerprint your client shows with the SHA1 Fingerprint line that mkcert.sh printed above; they must match exactly. Your e-mail client will have a way for you to store the certificate permanently so that you should only have to do this once, until the certificate expires and is regenerated.
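Both the Sendmail section (the netstat check on port 465) and this Dovecot section end with "accept the certificate". The netstat check only proves that something is listening; it does not show which certificate is being served, and a client dialog cannot tell you whether the self-signed certificate it sees is yours. The script below is an added example, not part of the eApps guide and not code from sendmail, Exim or Dovecot. It opens a TLS session on each implicit-TLS mail port the guide configures (465 SMTPS, 993 IMAPS, 995 POPS), reads the certificate the server actually presents, and compares its fingerprint with the one read off the server console. The fingerprint format is the colon-separated one mkcert.sh prints; for sendmail.pem or exim.crt the same value comes from openssl x509 -noout -fingerprint -sha1 -in <file> on the server. The host name and the expected fingerprints in main() are assumptions for illustration (the 993/995 value is the one mkcert.sh printed above).

```python
"""Pin a mail server's self-signed certificate by fingerprint.

Added example, not part of the eApps guide or of any of the mail servers it
describes. The host name and expected fingerprints in main() are assumed.
"""
import hashlib
import imaplib
import poplib
import smtplib
import ssl


def colon_fingerprint(der_cert, algo="sha1"):
    """Digest of a DER certificate in the colon-separated upper-case form that
    openssl and Dovecot's mkcert.sh print, e.g. 31:5F:7D:..."""
    digest = hashlib.new(algo, der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprints_match(seen, expected):
    """Compare two fingerprints ignoring case, colons, whitespace and an
    optional "SHA1 Fingerprint=" prefix, so a value pasted straight from the
    server console compares cleanly with the computed one."""
    def normalise(fp):
        fp = fp.split("=", 1)[-1]
        return fp.replace(":", "").strip().lower()
    return normalise(seen) == normalise(expected)


def peer_certificate(host, port, timeout=10):
    """Open a TLS session on a mail port and return the server certificate in
    DER form. Chain validation is disabled on purpose: a self-signed
    certificate can never pass it, and the fingerprint comparison made by the
    caller is the trust decision instead of the CA bundle."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    if port == 465:
        client = smtplib.SMTP_SSL(host, port, timeout=timeout, context=ctx)
        close = client.quit
    elif port == 993:
        client = imaplib.IMAP4_SSL(host, port, ssl_context=ctx)
        close = client.logout
    elif port == 995:
        client = poplib.POP3_SSL(host, port, timeout=timeout, context=ctx)
        close = client.quit
    else:
        raise ValueError("not an implicit-TLS mail port: %d" % port)
    try:
        # binary_form=True returns the DER bytes even with CERT_NONE.
        return client.sock.getpeercert(binary_form=True)
    finally:
        try:
            close()
        except Exception:
            pass


def verify_mail_port(host, port, expected_fingerprint):
    """Return (ok, seen_fingerprint). ok is False when the certificate the
    server sent is not the one you generated: either the service is still
    using the old file, or something between you and the server is presenting
    its own certificate."""
    seen = colon_fingerprint(peer_certificate(host, port))
    return fingerprints_match(seen, expected_fingerprint), seen


if __name__ == "__main__":
    # Assumed values: the guide's example host and, for Dovecot's ports, the
    # SHA1 fingerprint mkcert.sh printed. Add 465 with the fingerprint of
    # sendmail.pem or exim.crt taken from the server with openssl x509.
    HOST = "eapps-example.com"
    EXPECTED = {
        993: "31:5F:7D:60:03:4C:0E:BF:63:34:18:3A:30:F7:B5:BC:77:CD:8E:32",
        995: "31:5F:7D:60:03:4C:0E:BF:63:34:18:3A:30:F7:B5:BC:77:CD:8E:32",
    }
    for port, fp in sorted(EXPECTED.items()):
        ok, seen = verify_mail_port(HOST, port, fp)
        print("%s:%d %s %s" % (HOST, port, "OK      " if ok else "MISMATCH", seen))
```

Run it from a machine outside the VS, so the path being tested is the one your users' clients take. A MISMATCH immediately after regenerating a certificate usually means the service was not restarted and is still serving the old file; a MISMATCH that appears later, with no change on the server, is the case the fingerprint check exists for.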