|
|
(One intermediate revision by the same user not shown) |
Line 1: |
Line 1: |
− | * webmail
| + | [http://wiki.littlesvr.ca/wiki/OPS345_Lab_7 This page has moved.] |
− | | |
− | * set up thunderbird for myseneca
| |
− | * can't use the same keys generated in www lab, they're for the wrong FQDN
| |
− | <source>
| |
− | andrew@p51:~/prog/seneca/ops345/new$ sudo su -
| |
− | root@p51:~# certonly --manual --preferred-challenges dns
| |
− | certonly: command not found
| |
− | root@p51:~# certbot certonly --manual --preferred-challenges dns
| |
− | Saving debug log to /var/log/letsencrypt/letsencrypt.log
| |
− | Plugins selected: Authenticator manual, Installer None
| |
− | Please enter in your domain name(s) (comma and/or space separated) (Enter 'c'
| |
− | to cancel): email.asmith15.ops345.ca
| |
− | Obtaining a new certificate
| |
− | Performing the following challenges:
| |
− | dns-01 challenge for email.asmith15.ops345.ca
| |
− | | |
− | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
| |
− | NOTE: The IP of this machine will be publicly logged as having requested this
| |
− | certificate. If you're running certbot in manual mode on a machine that is not
| |
− | your server, please ensure you're okay with that.
| |
− | | |
− | Are you OK with your IP being logged?
| |
− | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
| |
− | (Y)es/(N)o: y
| |
− | | |
− | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
| |
− | Please deploy a DNS TXT record under the name
| |
− | _acme-challenge.email.asmith15.ops345.ca with the following value:
| |
− | | |
− | PdK1vlZnYMdBO7untofSCkfXH2ejk3EE019R7A90x7Q
| |
− | | |
− | Before continuing, verify the record is deployed.
| |
− | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
| |
− | Press Enter to Continue
| |
− | Waiting for verification...
| |
− | Cleaning up challenges
| |
− | | |
− | IMPORTANT NOTES:
| |
− | - Congratulations! Your certificate and chain have been saved at:
| |
− | /etc/letsencrypt/live/email.asmith15.ops345.ca/fullchain.pem
| |
− | Your key file has been saved at:
| |
− | /etc/letsencrypt/live/email.asmith15.ops345.ca/privkey.pem
| |
− | Your cert will expire on 2022-02-28. To obtain a new or tweaked
| |
− | version of this certificate in the future, simply run certbot
| |
− | again. To non-interactively renew *all* of your certificates, run
| |
− | "certbot renew"
| |
− | - If you like Certbot, please consider supporting our work by:
| |
− | | |
− | Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
| |
− | Donating to EFF: https://eff.org/donate-le
| |
− | | |
− | root@p51:~# cp /etc/letsencrypt/live/email.asmith15.ops345.ca/cert.pem ~andrew/prog/seneca/ops345/new/keys/email.asmith15.ops345.ca.cert.pem
| |
− | root@p51:~# cp /etc/letsencrypt/live/email.asmith15.ops345.ca/privkey.pem ~andrew/prog/seneca/ops345/new/keys/email.asmith15.ops345.ca.key.pem
| |
− | root@p51:~# chown andrew ~andrew/prog/seneca/ops345/new/keys/email.asmith15.ops345.ca.*
| |
− | </source>
| |
− | * Put keys on the email server:
| |
− | <source>
| |
− | scp -P 2212 -i keys/ssh/ops345-all-aws-machines.pem keys/email.asmith15.ops345.ca.* andrew@34.202.103.43:~
| |
− | [root@email andrew]# cp email.asmith15.ops345.ca.cert.pem /etc/pki/tls/certs/
| |
− | [root@email andrew]# cp email.asmith15.ops345.ca.key.pem /etc/pki/tls/private/
| |
− | </source>
| |
− | * configure postfix to enable encrypted connections from client software. add this to the bottom of main.cf:
| |
− | <source># Settings to enable secure SMTP using my self-signed certificate:
| |
− | smtpd_tls_auth_only = no
| |
− | smtpd_use_tls = yes
| |
− | smtp_use_tls = yes
| |
− | smtpd_tls_key_file = /etc/pki/tls/private/email.asmith15.ops345.ca.key.pem
| |
− | smtpd_tls_cert_file = /etc/pki/tls/certs/email.asmith15.ops345.ca.cert.pem
| |
− | tls_random_source = dev:/dev/urandom
| |
− | smtpd_tls_loglevel = 1
| |
− | </source>
| |
− | * test with telnet/EHLO: should say 250-STARTTLS
| |
− | * complete test will be done with thunderbird later
| |
− | * dovecot installed in previous lab, it needs very little configuration for our simple setup
| |
− | * /etc/dovecot/dovecot.conf:
| |
− | * Modify the protocols option so that Dovecot will work with IMAP connections, no POP3 or LMTP.
| |
− | * 10-ssl.conf:
| |
− | <source>ssl_cert = </etc/pki/tls/certs/email.asmith15.ops345.ca.cert.pem
| |
− | ssl_key = </etc/pki/tls/private/email.asmith15.ops345.ca.key.pem</source>
| |
− | * ss should show port 993, no 995 or 110
| |
− | * there's no iptables running on email, so just open port 993 in ops345sgemail
| |
− | * configure thunderbird:
| |
− | ** IMAP: email.asmith15.ops345.ca, SSL 993, normal password, username without @domain
| |
− | ** SMTP: email.asmith15.ops345.ca, STARTTLS 25, normal password, username without @domain
| |
− | * tail -f /var/log/maillog and send a message from thunderbird
| |
− | * The message is not sent, because postfix is not configured to authenticate users. encryption alone is not enough.
| |
− | * https://www.xmodulo.com/enable-user-authentication-postfix-smtp-server-sasl.html
| |
− | ** except the SSL/TLS parameters part.
| |
− | * Send email again. Note the messages about connection timed out. We can't do anything about that in AWS Academy:
| |
− | ** https://aws.amazon.com/premiumsupport/knowledge-center/ec2-port-25-throttle/
| |
− | * There's more to do anyway to set up a real sending server, as a minimum DKIM/SPF but reverse DNS for the domain also helps.
| |
− | * https://aws.amazon.com/premiumsupport/knowledge-center/route-53-reverse-dns/
| |
− | * http://littlesvr.ca/grumble/2014/01/26/setting-up-sendmail-on-a-dynamic-ip-part2-spf/
| |
− | * Eventually the email you tried to send will bounce because that's a temporary error
| |