Linux Mail Server Setup and Howto Guide » SSL/TLS

Postfix and Dovecot SSL/TLS

consultant — Sun, 25 Apr 2010 17:01:32 +0000

This article describes how to configure Postfix and Dovecot to use SSL/TLS to encrypt communication. Before you begin, generate an SSL certificate.

Postfix

1. Edit the file /etc/postfix/main.cf and add the lines below.

smtp_tls_security_level = may
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/pki/tls/certs/mail.acme.local.cert
smtpd_tls_key_file = /etc/pki/tls/private/mail.acme.local.key
tls_random_source = dev:/dev/urandom

Make sure smtpd_tls_cert_file and smtpd_tls_key_file refers to your own certificate and key file respectively.

2. Restart the Postfix or MailScanner service if you have installed it. Learn how to start and stop services here.

3. Test Postfix using Telnet and check if 250-STARTTLS is present after the ehlo host command.

Dovecot

1. Edit the file /etc/dovecot.conf and add the lines below.

ssl_cert_file = /etc/pki/tls/certs/mail.acme.local.cert
ssl_key_file = /etc/pki/tls/private/mail.acme.local.key

Make sure ssl_cert_file and ssl_key_file refers to your own certificate and key file respectively.

2. Restart the dovecot service. Learn how to start and stop services here.

Generate SSL Certificate

consultant — Sun, 25 Apr 2010 16:58:28 +0000

To use SSL or TLS to encrypt SMTP, POP3, IMAP or HTTP connections requires an SSL certificate. This article describes how to generate your own self signed SSL certificate. A self signed certificate will not cost you any money, but the certificate will not be automatically accepted as trusted by the email client or web browser.

1. Install the SSL certificate and key management utilities using the command below.

yum install crypto-utils

2. Start the key generation utility using the command below.

genkey --days 365 mail.acme.local

Replace 365 with the number of days you want the certificate to be valid and mail.acme.local with your own domain name.

3. Click Next in the Keypair generation screen.

4. Click Next in the Choose key size screen.

5. It will now generate the random bits for the private key.

6. In the Generate CSR screen, select No.

7. Fill in the details for your certificate and click Next.

8. In the Protecting your private key screen, click Next.

389 Directory and Active Directory SSL Synchronization

consultant — Sun, 01 Nov 2009 07:13:24 +0000

An SSL connection to Active Directory is required in order to update a user’s password using LDAP. This article describes how to configure and test 389 Directory Server to synchronize with an Active Directory Server via an SSL LDAP connection.

Configuring SSL Connection

1. Make sure SSL is enabled in Active Directory. Learn how to enable LDAP SSL in Active Directory.

2. Export a base-64 encoded SSL certificate from your Active Directory Server.

3. Make sure SSL is enabled in 389 Directory Server. Learn how to enable LDAP SSL in 389 Directory Server.

4. Install the exported SSL certificate into 389 Directory Server.

Testing SSL Connection

1. Type the command below to test if you can do a plain LDAP connection to your Active Directory server. You’ll be asked for the password of the user account you specified in the -D option.

/usr/lib/mozldap/ldapsearch -b "dc=acme,dc=local" 
-h server.acme.local -R 
-D "cn=fds,cn=users,dc=acme,dc=local" 
-w - "objectclass=*"

Replace the value after -b with your search base, the value after -h with your server hostname and the value after -D with the distinguished name of a user account having read/write access to your Active Directory server.

2. Type the command below to test if you can do an SSL enabled LDAP connection to your Active Directory server.

/usr/lib/mozldap/ldapsearch -b "dc=acme,dc=local" 
-h server.acme.local -R 
-D "cn=fds,cn=users,dc=acme,dc=local" 
-w - -Z -P /etc/dirsrv/slapd-mail "objectclass=*"

Replace the value after -P with the settings path of your 389 Directory server.

If the two test above succeeds, you can use SSL connection to synchronize with Active Directory.

Troubleshooting

If the output from the test above contains

Invalid credentials
Check the distinguished name of the user account after the -D option and the bind password for it. To check the distinguished name, type the command below.
```
/usr/lib/mozldap/ldapsearch -b "dc=acme,dc=local" -h server 
-R -D "ACME\fds" -w - "samaccountname=fds" DN
```
Replace the value ACME with your own domain and fds with your own user name. It will output the distinguished name of the user name you specified.
Invalid function argument
The host name you specified after -h is invalid or non-existent .
TCP connection reset by peer
Check the host name you specified after -h is correct, the port is open, and SSL is configured properly.
security library: bad database
Make sure SSL is enabled in 389 Directory Server. And check the path you specified after -P.
Encountered end of file
After configuring SSL in Active Directory, you probably did not reboot your Active Directory server. Reboot your AD server to complete the changes and try the test again.
Peer’s Certificate issuer is not recognized
Check if you have installed the certificate from Active Directory.
Peer’s Certificate has expired
Make sure the system clock is synchronized in the Linux server and the Active Directory server. And the check the certificate, it may indeed be expired.
Peer’s certificate issuer has been marked as not trusted by the user
Check the trust setting you specified in the certificate of the 389 Directory server. Making connections to other servers should be checked.

Install SSL Certificate in 389 Directory Server

consultant — Sun, 18 Jan 2009 02:05:34 +0000

This article describes how to install an SSL certificate in 389 Directory Server to be able to use encypted SSL connection during synchronization. If you will be synchronizing with an Active Directory server, make sure SSL is enabled. You’ll also need a base-64 encoded SSL certificate from your Active Directory server.

1. Launch the 389 Management Console.

2. Click the + sign corresponding to your server. Next, click the + sign corresponding to Server Group and click Directory Server. Finally, click the Open button in the Directory Server page.

3. Click the Manage Certificates button.

4. Click the CA Certs tab.

5. Click the Install button.

6. Select the in this local file option and specify the location where the SSL certificate can be found. Click Next when you are done.

7. Verify the certificate information and click Next.

8. Verify the certificate type and click Next.

9. Click the Done button.

10. Finally, click Close.

Securing SquirrelMail using SSL

consultant — Mon, 18 Aug 2008 23:59:05 +0000

Secure Sockets Layer (SSL) enables the HTTP protocol to be secured. This page will show you how to configure SSL in Apache and SquirrelMail.

Configuring Apache for SSL

1. Generate a certificate using the genkey tool.

2. Edit the file /etc/httpd/conf.d/ssl.conf and edit the lines below.

DocumentRoot /usr/share/squirrelmail
ServerName mail.acme.local:443
SSLCertificateFile /etc/pki/tls/certs/mail.acme.local.cert
SSLCertificateKeyFile /etc/pki/tls/private/mail.acme.local.key

Replace mail.acme.local with your server name.

If you are using Red Hat Enterprise Linux 6 or CentOS 6, the generated certificate file will have a .crt extension instead of .cert.

If you are not using Red Hat Enterprise Linux or CentOS, make sure the lines below are present.

LoadModule ssl_module modules/mod_ssl.so
Listen 443

3. Restart the httpd service. Learn how to restart services here.

4. Try accessing SquirrelMail using https instead of http.

You can force browsers to always use the SSL version. See Relocating SquirrelMail into the domain root.

Submitting Certificate Request to Microsoft Certificate Services

consultant — Mon, 18 Aug 2008 23:51:06 +0000

If you are using Active Directory, you can use the Microsoft Certificate Services to generate an SSL certificate suitable for use in an office environment. This page will show you how to request a certificate from the Microsoft Certificate Services for use in a web server.

To issue a certificate for a web server, make sure you have all of the items below.

Domain administrator account
Internet Explorer
Windows server installed with Microsoft Certificate Services. Learn how to install Microsoft Certificate Services in Windows 2003 Server.

1. Launch Internet Explorer and connect to your Certificate Services server. The URL is http://server/certsrv, replace server with the name of your server. Next, click Request a certificate.

2. In the Request a Certificate page, click submit an advanced certificate request.

3. In the Advanced Certificate Request page, click Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file or submit a renewal request by using a base-64-encoded PKCS#7 file.

4. In the Submit a Certificate Request or Renewal Request page, paste the content of the request file into the Base-64-encoded certificate request box. Select Web Server in the Certificate Template and click Submit.

5. In the Certificate Issued page, select Base 64 encoded and click Download certificate.

Export SSL Certificate in Windows Server 2003

consultant — Mon, 19 May 2008 15:25:32 +0000

To communicate with the Active Directory server over the Secure Sockets Layer (SSL), you need an SSL enabled server and an SSL certificate for the client. SSL communication is required to programmatically change the Active Directory password.

This article will show you how to export an SSL certificate from an SSL enabled Windows Server 2003 to use the LDAP API over SSL. If you have not yet configured SSL, see Enable LDAP SSL with Active Directory.

1. Click Start, select Administrative Tools and click Certification Authority. This will launch the Certification Authority application.

2. Select a certification authority, press right click and click Properties.

3. In the Properties window, click the View Certificate button.

4. In the Certificate window, click the Details tab and click the Copy to File button.

5. Click Next in the Certificate Export Wizard window.

6. Select Base-64 encoded X.509 and click Next.

7. Specify the path and file name of the certificate and click Next.

8. Finally, click Finish to export the certificate.

Enable LDAP SSL with Active Directory in Windows 2003

consultant — Mon, 19 May 2008 15:22:36 +0000

Enabling SSL in Active Directory allows clients to communicate securely with AD servers. This is also required to allow a user’s Active Directory password to be changed programmatically using LDAP.

This article will show you how to install the Certificate Services in Windows 2003 to enable LDAP SSL in Active Directory.

Before beginning, make sure the Internet Information Server (IIS) is installed in your server.

Installing the Certificate Services

1. Click Start, select Control Panel and click Add or Remove Programs.

2. In the Add or Remove Programs window, click Add/Remove Windows Components, check the Certificate Services and click Next.

3. Click Next in the CA Type page.

4. Fill up the Common name for this CA and click Next.

5. Click Next in the Certificate Database Settings page.

6. The Certificate Services will now be installed.

7. Click Finish and restart your server.

Configuring Automatic Certificate Request for Domain Controllers

1. Click Start, select Administrative Tools and click Domain Controller Security Policy.

2. In the Default Domain Controller Security Settings window, click the Public Key Policies folder.

3. Right click Automatic Certificate Request Settings, select New and click Automatic Certificate Request.

4. Click Next in the Automatic Certificate Request Setup Wizard.

5. Select Domain Controller in the Certificate Template page and click Next.

6. Click Finish and reboot your server.

Check for Issued Certificate