932
edits
Changes
m
protocols = imaps (instead of imap)</source>
Updating commands and clarifying instructions in investigation 1.
:* '''Email (the way the vast majority of people use it) travels from SMTP server to SMTP server uncencrypted'''.
:: That means that nothing sent over email is <u>truly</u> secure. But attempting to continually intercepting intercept SMTP server to SMTP server traffic is difficult and expensive, not worth doing for the little bit of money most of us have in our bank account.
:* '''Email travelling over a LAN (especially Wifi, but any local network) is always encrypted'''.
:: If e-mail traffic on a LAN was not encrypted, it would be easy and inexpensive to intercept (in order to obtain your username and password). These days, unencrypted connections from your client to your SMTP/IMAP/POP3 server very rarely exist.
You see in our diagram that one of the SMTP connections is supposed to be encrypted (this is the one that would be "LAN" traffic) and the IMAP connection as well (this one is either LAN-like traffic or is connecting to localhost, which is a different scenario altogether).
#Currently your Thunderbird is set up to use '''vm2.yoursenecaid.org''' for an SMTP server, with <u>no</u> security. Change that to use '''STARTTLS''' instead (you can change it under '''account settings --> Outgoing Server''').
# We haven't set up any user authentication, just an encrypted channel;therefore, leave the '''authentication method''' at the value: '''none'''.
#When you try to send an email Thunderbird will warn you about the self-signed certificate. You obviously know it's your certificate so you can tell Thunderbird to trust it:
=== Encryption Dovecot with Secure Socket layer (SSL) ===
Now we will ensure that our '''Dovecot''' connection is secure, and enforce that policy. With SMTP, you will need to allow plain text connections since that is the only method to pass email from server-to-server. With IMAP, there is no server-to-server interaction, but rather only client-to-server interaction. The reason to have an unencrypted IMAP connection would be if your '''IMAP server''' and '''IMAP client''' were the <u>same</u> machine (this would be the situation when using webmail).
'''Perform the following steps:'''
cp vm3.andrewsmith.org.crt cacert.pem /etc/ssl/certs</source>
::'''NOTE:''' This process is identical to what you've done for the vm2 certificate. In fact if your IMAP and SMTP servers are on the same machine (i.e. you can share the certificate between them). In our case, they are not on the same machine.
<ol><li value="2">Next, we need to configure Dovecot to use this for encrypted connections and not allow any kind of plain text connections. Edit the '''dovecot.cont''', '''10-auth.conf''', <u>and</u> '''10-ssl.conf''' files and change the following settings(note: these parameters already exist in those files, just find them and set them to the correct value):</li></ol>
<source lang="bash">ssl = required
ssl_key = <path_to_your_key_file
disable_plaintext_auth = yes
<ol><li value="3">Now, we will disable normal imap connections, leaving only imaps (secured imap) allowed. Edit the '''10-master.conf''' file and set the port number in '''inet_listener imap''' to '''0'''.</li><li>Your key/certificate doesn't have a '''.pem''' extension but they are PEM-encoded files. You can confirm that using the '''file''' command. If you're interested, learning more about configuring Dovecot for SSL, refer to the following documentation: [http://wiki2.dovecot.org/SSL/DovecotConfiguration Dovecot SSL configuration].</li></ol>
=== Verifying that Mail Messages are Encrypted===
#Use the '''ss''' command to confirm you're only listening on the '''imaps''' port, and not the plain imap port.
#Next, reconfigure your account settings in Thunderbird to use the '''SSL/TLS''' connection security with your IMAP server, leaving the password as '''Normal Password'''.
::'''NOTE:''' You When you send your test email, you will get a another warning because you're using a self-signed certificate, in that case, make on '''vm3'''. Make certain to authorize the exception.
'''Record steps, commands, and your observations on this investigation in your OPS335 lab log-book'''