OPS335 Lab 4d

462 bytes added, 10:52, 14 April 2016
Removing a duplicate parameter.
According to Wikipedia (https://en.wikipedia.org/wiki/Transport_Layer_Security), '''Transport Layer Security''' (TLS) and its predecessor, '''Secure Sockets Layer''' (SSL), both of which are frequently referred to as 'SSL', are cryptographic protocols designed to provide communications security over a computer network.
Normally (in production), you would need to pay a "certificate authority" to issue a '''certificate''' for you. That is essentially '''a "signed" public key''' that will tell strangers on the internet that your server is really yours (i.e. the certificate authority says so). There is an obvious problem with the previous statement, but that is mainly how public key encryption works on the Internet today.
We will be generating our own public keys, mainly in order to avoid paying for a certificate. We will not have enough time to get into the details of what all the following commands do in this section. They are from [https://www.e-rave.nl/create-a-self-signed-ssl-key-for-postfix this blog post]. If you don't understand what the blog post refers to but would like to learn more, the book Crypto by Steven Levy provides a more in-depth discussion of encryption and security.
#Let's start with the "sending" SMTP server we have on VM2. Run the following, replacing <u>andrewsmith.org</u> with '''<u>your</u> domain name''':
<source lang="bash">mkdir -p /root/postfix-keys /etc/ssl/{private,certs}
cd /root/postfix-keys
# server private key (passphrase-protected by -des3) and its certificate signing request
openssl genrsa -des3 -out vm2.andrewsmith.org.key 2048
chmod 600 vm2.andrewsmith.org.key
openssl req -new -key vm2.andrewsmith.org.key -out vm2.andrewsmith.org.csr
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650
# sign the request with your own CA; this is what produces vm2.andrewsmith.org.crt
openssl x509 -req -days 3650 -in vm2.andrewsmith.org.csr -CA cacert.pem -CAkey cakey.pem -set_serial 01 -out vm2.andrewsmith.org.crt
chmod 600 vm2.andrewsmith.org.key cakey.pem
cp vm2.andrewsmith.org.key cakey.pem /etc/ssl/private/
cp vm2.andrewsmith.org.crt cacert.pem /etc/ssl/certs/</source>
::'''NOTE:''' Those commands create a certificate, a certificate signing request, and a certificate authority, and then sign your certificate with that certificate authority.<br>This would be the same as in the real world, except that there you would contact a real CA; here you're making up your own.
<ol><li value="2">Now, configure Postfix to use the generated certificate, by adding the following to your '''main.cf''' file:</li></ol>
<source lang="bash">smtpd_use_tls = yes
smtp_use_tls = yes
smtpd_tls_auth_only = no
smtpd_tls_key_file = /etc/ssl/private/vm2.andrewsmith.org.key
smtpd_tls_cert_file = /etc/ssl/certs/vm2.andrewsmith.org.crt
smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem
tls_random_source = dev:/dev/urandom</source>
# Let's start by generating a new certificate for Dovecot on your vm3 machine by issuing the following commands:
<source lang="bash">mkdir -p /etc/ssl/{private,certs}
openssl genrsa -des3 -out vm3.andrewsmith.org.key 2048
chmod 600 vm3.andrewsmith.org.key
openssl req -new -key vm3.andrewsmith.org.key -out vm3.andrewsmith.org.csr
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650
# sign the request with the CA; this is what produces vm3.andrewsmith.org.crt
openssl x509 -req -days 3650 -in vm3.andrewsmith.org.csr -CA cacert.pem -CAkey cakey.pem -set_serial 01 -out vm3.andrewsmith.org.crt
chmod 600 vm3.andrewsmith.org.key cakey.pem
cp vm3.andrewsmith.org.key cakey.pem /etc/ssl/private/
cp vm3.andrewsmith.org.crt cacert.pem /etc/ssl/certs/</source>
::'''NOTE:''' This process is identical to what you've done for the vm2 certificate. In fact, if your IMAP and SMTP servers are on the same machine, you can share the certificate between them. In our case, they are not on the same machine.
<ol><li value="2">Next, we need to configure Dovecot to use this for encrypted connections and not allow any kind of plain text connections. Edit the '''dovecot.conf''', '''10-auth.conf''', <u>and</u> '''10-ssl.conf''' files and change the following settings:</li></ol>
<source lang="bash">ssl = required
</source>
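The script below is an added example, not part of the lab or the blog post it cites: it wraps the key, CA, CSR and signing sequence used above for vm2 and vm3 into one function (with a placeholder host name and directory instead of the lab's real paths) and then runs the checks you should do before pointing Postfix or Dovecot at the files: that the certificate verifies against the CA, that it matches the private key, and that its CN is the host name clients connect to. It assumes <code>openssl</code> is on the PATH and writes the keys without a passphrase, because a mail daemon cannot answer the des3 prompt at startup.

```shell
#!/bin/sh
# Added example, not from the lab: build the CA + server certificate chain
# the lab describes and run the sanity checks it leaves out.
# Assumptions: openssl is on PATH; host name and directory are placeholders.
set -e

# Create, in directory $2 for host $1: CA key/cert, server key, CSR, and a
# server certificate signed by the CA. Keys are written without a passphrase
# (-nodes, no -des3) because Postfix cannot type one at startup; the 0600
# permissions protect them instead.
make_mail_cert_chain() {
    host="$1"; dir="$2"
    mkdir -p "$dir"
    (
        cd "$dir"
        # Private CA, valid ten years, with a non-interactive subject.
        openssl req -new -x509 -nodes -extensions v3_ca -days 3650 \
            -subj "/CN=Lab Mail CA" -keyout cakey.pem -out cacert.pem 2>/dev/null
        # Server private key and certificate signing request.
        openssl genrsa -out "$host.key" 2048 2>/dev/null
        chmod 600 "$host.key" cakey.pem
        openssl req -new -key "$host.key" -subj "/CN=$host" -out "$host.csr" 2>/dev/null
        # Sign the CSR with the private CA: this step produces $host.crt.
        openssl x509 -req -days 3650 -in "$host.csr" -CA cacert.pem -CAkey cakey.pem \
            -set_serial 01 -out "$host.crt" 2>/dev/null
    )
}

# Check 1: the server certificate chains to the CA file (smtpd_tls_CAfile).
verify_chain() {
    openssl verify -CAfile "$2/cacert.pem" "$2/$1.crt" >/dev/null 2>&1
}

# Check 2: certificate and private key share the same RSA modulus; a
# mismatched pair is rejected by the daemon at startup.
key_matches_cert() {
    c=$(openssl x509 -noout -modulus -in "$2/$1.crt")
    k=$(openssl rsa -noout -modulus -in "$2/$1.key" 2>/dev/null)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Check 3: the subject CN is the host name mail clients will be told to use.
cert_cn_is() {
    openssl x509 -noout -subject -in "$2/$1.crt" | grep -q "CN *= *$1\$"
}
```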
'''Record steps, commands, and your observations in INVESTIGATION 1 in your OPS335 lab log-book'''
==INVESTIGATION 2: OTHER EMAIL CONSIDERATIONS (NOT COVERED IN THIS LAB)==
==EXPLORATION QUESTIONS==
#Briefly define the term '''TLS'''.
#Briefly define the term '''SSL'''.
#List the steps to set up encryption for Postfix with TLS.
#List the steps to set up encryption for Dovecot with SSL.
#List the steps to set up encryption for the Thunderbird application.
#Provide a brief description of the following terms as they relate to mail servers:
#*'''Open Relay'''
#*'''SPF'''
#*'''DKIM'''