|
|
| (4 intermediate revisions by the same user not shown) |
| Line 1: |
Line 1: |
| − | * dovecot with imaps
| + | [http://wiki.littlesvr.ca/wiki/OPS345_Lab_7 This page has moved.] |
| − | * webmail
| |
| − | | |
| − | * can't use the same keys generated in www lab, they're for the wrong FQDN
| |
| − | <source>
| |
| − | andrew@p51:~/prog/seneca/ops345/new$ sudo su -
| |
| − | root@p51:~# certonly --manual --preferred-challenges dns
| |
| − | certonly: command not found
| |
| − | root@p51:~# certbot certonly --manual --preferred-challenges dns
| |
| − | Saving debug log to /var/log/letsencrypt/letsencrypt.log
| |
| − | Plugins selected: Authenticator manual, Installer None
| |
| − | Please enter in your domain name(s) (comma and/or space separated) (Enter 'c'
| |
| − | to cancel): email.asmith15.ops345.ca
| |
| − | Obtaining a new certificate
| |
| − | Performing the following challenges:
| |
| − | dns-01 challenge for email.asmith15.ops345.ca
| |
| − | | |
| − | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
| |
| − | NOTE: The IP of this machine will be publicly logged as having requested this
| |
| − | certificate. If you're running certbot in manual mode on a machine that is not
| |
| − | your server, please ensure you're okay with that.
| |
| − | | |
| − | Are you OK with your IP being logged?
| |
| − | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
| |
| − | (Y)es/(N)o: y
| |
| − | | |
| − | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
| |
| − | Please deploy a DNS TXT record under the name
| |
| − | _acme-challenge.email.asmith15.ops345.ca with the following value:
| |
| − | | |
| − | PdK1vlZnYMdBO7untofSCkfXH2ejk3EE019R7A90x7Q
| |
| − | | |
| − | Before continuing, verify the record is deployed.
| |
| − | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
| |
| − | Press Enter to Continue
| |
| − | Waiting for verification...
| |
| − | Cleaning up challenges
| |
| − | | |
| − | IMPORTANT NOTES:
| |
| − | - Congratulations! Your certificate and chain have been saved at:
| |
| − | /etc/letsencrypt/live/email.asmith15.ops345.ca/fullchain.pem
| |
| − | Your key file has been saved at:
| |
| − | /etc/letsencrypt/live/email.asmith15.ops345.ca/privkey.pem
| |
| − | Your cert will expire on 2022-02-28. To obtain a new or tweaked
| |
| − | version of this certificate in the future, simply run certbot
| |
| − | again. To non-interactively renew *all* of your certificates, run
| |
| − | "certbot renew"
| |
| − | - If you like Certbot, please consider supporting our work by:
| |
| − | | |
| − | Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
| |
| − | Donating to EFF: https://eff.org/donate-le
| |
| − | | |
| − | root@p51:~# cp /etc/letsencrypt/live/email.asmith15.ops345.ca/cert.pem ~andrew/prog/seneca/ops345/new/keys/email.asmith15.ops345.ca.cert.pem
| |
| − | root@p51:~# cp /etc/letsencrypt/live/email.asmith15.ops345.ca/privkey.pem ~andrew/prog/seneca/ops345/new/keys/email.asmith15.ops345.ca.key.pem
| |
| − | root@p51:~# chown andrew ~andrew/prog/seneca/ops345/new/keys/email.asmith15.ops345.ca.*
| |
| − | </source>
| |
| − | * Put keys on the email server:
| |
| − | <source>
| |
| − | scp -P 2212 -i keys/ssh/ops345-all-aws-machines.pem keys/email.asmith15.ops345.ca.* andrew@34.202.103.43:~
| |
| − | [root@email andrew]# cp email.asmith15.ops345.ca.cert.pem /etc/pki/tls/certs/
| |
| − | [root@email andrew]# cp email.asmith15.ops345.ca.key.pem /etc/pki/tls/private/
| |
| − | </source>
| |
| − | * configure postfix to enable encrypted connections from client software. add this to the bottom of main.cf:
| |
| − | <source># Settings to enable secure SMTP using my self-signed certificate:
| |
| − | smtpd_tls_auth_only = no
| |
| − | smtpd_use_tls = yes
| |
| − | smtp_use_tls = yes
| |
| − | smtpd_tls_key_file = /etc/pki/tls/private/email.asmith15.ops345.ca.key.pem
| |
| − | smtpd_tls_cert_file = /etc/pki/tls/certs/email.asmith15.ops345.ca.cert.pem
| |
| − | tls_random_source = dev:/dev/urandom
| |
| − | smtpd_tls_loglevel = 1
| |
| − | </source>
| |
| − | * test with telnet/EHLO: should say 250-STARTTLS
| |
| − | * complete test will be done with thunderbird later
| |
| − | * dovecot installed in previous lab, it needs very little configuration for our simple setup
| |
| − | * /etc/dovecot/dovecot.conf:
| |
| − | * Modify the protocols option so that Dovecot will work with IMAP connections, no POP3 or LMTP.
| |
| − | * 10-ssl.conf:
| |
| − | <source>ssl_cert = </etc/pki/tls/certs/email.asmith15.ops345.ca.cert.pem
| |
| − | ssl_key = </etc/pki/tls/private/email.asmith15.ops345.ca.key.pem</source>
| |
| − | * ss should show port 993, no 995 or 110
| |
| − | * there's no iptables running on email, so just open port 993 in ops345sgemail
| |
| − | * configure thunderbird:
| |
| − | ** IMAP: email.asmith15.ops345.ca, SSL 993, normal password, username without @domain
| |
| − | ** SMTP: email.asmith15.ops345.ca, STARTTLS 25, normal password, username without @domain
| |
| − | * tail -f /var/log/maillog and send a message from thunderbird
| |
| − | * The message is not sent, because postfix is not configured to authenticate users. encryption alone is not enough.
| |
| − | * https://www.xmodulo.com/enable-user-authentication-postfix-smtp-server-sasl.html
| |
| − | ** except the SSL/TLS parameters part.
| |
| − | * Send email again. Note the messages about connection timed out. We can't do anything about that in AWS Academy:
| |
| − | ** https://aws.amazon.com/premiumsupport/knowledge-center/ec2-port-25-throttle/
| |
| − | * There's more to do anyway to set up a real sending server, as a minimum DKIM/SPF but reverse DNS for the domain also helps.
| |
