Set-up SSL encrypted connection in Postfix, Dovecot and Apache

This article is part 3 of our mailserver series: part 1 covered the mailserver set-up with virtual users and domains using Postfix and Dovecot on a CentOS 6 VPS, and part 2 explained how to install and set up the Roundcube webmail interface.

The following post will show you how to set up an SSL encrypted connection to our mailserver installation.

At the end of this article you will end up using IMAP/POP3 over SSL (IMAPs/POP3s), SMTP over SSL (SMTPs) and Roundcube webmail over SSL (HTTPS).

UPDATE THE SYSTEM

As always, make sure your CentOS 6 Linux VPS is fully up to date by executing:

## screen -U -S ssl-screen
## yum update

SET-UP SSL CERTIFICATE, KEY AND CSR

The next thing we are going to do is set up the SSL certificate file and key. Do this by executing the following:

## yum install openssl
## mkdir -p ~/ssl/mydomain.com
## cd ~/ssl/mydomain.com
## openssl genrsa -des3 -out mydomain.com.key 2048
## openssl req -new -key mydomain.com.key -out mydomain.com.csr
## openssl x509 -req -days 365 -in mydomain.com.csr -signkey mydomain.com.key -out mydomain.com.crt
## cp mydomain.com.key{,.orig}
## openssl rsa -in mydomain.com.key.orig -out mydomain.com.key
## chmod 400 mydomain.com.key

## cp mydomain.com.crt /etc/pki/tls/certs
## cp mydomain.com.{key,csr} /etc/pki/tls/private/
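The same key, CSR and self-signed certificate steps as a non-interactive script, together with the two checks worth running before the files are copied under /etc/pki/tls: that the certificate really belongs to the key, and how long it is still valid. This is an added example, not code from the original post; DIR, DOMAIN and DAYS are caller-supplied parameters and nothing here touches /etc.

```shell
#!/bin/sh
# Added example (not from the original post). Generates the key, CSR and
# self-signed certificate without interactive prompts, then offers two checks.
set -eu

# make_selfsigned DIR DOMAIN DAYS
# Creates DIR/DOMAIN.key (2048-bit RSA, no passphrase, mode 0400),
# DIR/DOMAIN.csr and DIR/DOMAIN.crt (self-signed, valid for DAYS days).
# The key is generated without -des3, so the post's later passphrase-strip
# step (cp key{,.orig}; openssl rsa ...) is not needed here.
make_selfsigned() {
    dir=$1; domain=$2; days=$3
    mkdir -p "$dir"
    # umask 077 in a subshell: the key file is never group/world readable,
    # not even for the moment between creation and the chmod below.
    ( umask 077; openssl genrsa -out "$dir/$domain.key" 2048 ) 2>/dev/null
    openssl req -new -key "$dir/$domain.key" -subj "/CN=$domain" \
        -out "$dir/$domain.csr" 2>/dev/null
    openssl x509 -req -days "$days" -in "$dir/$domain.csr" \
        -signkey "$dir/$domain.key" -out "$dir/$domain.crt" 2>/dev/null
    chmod 400 "$dir/$domain.key"
}

# keypair_matches KEY CRT
# Returns 0 when the certificate's public key was derived from KEY. Catches
# the "SSLCertificateKeyFile / ssl_key points at the wrong key" mistake
# before Apache, Dovecot or Postfix refuse to start.
keypair_matches() {
    [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = \
      "$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)" ]
}

# cert_valid_for CRT SECONDS
# Returns 0 when the certificate does not expire within SECONDS. Handy as a
# cron check, since the 365-day self-signed certificate above will lapse
# silently otherwise.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}
```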

SET-UP WEBMAIL OVER SSL

In order to have your Roundcube webmail system accessible over an SSL encrypted connection you will need to set up Apache's mod_ssl module (its interface to OpenSSL) by running the following commands:

## yum install mod_ssl
## vim +/SSLCertificateFile /etc/httpd/conf.d/ssl.conf

Set the paths to the SSL certificate and private key:

SSLCertificateFile /etc/pki/tls/certs/mydomain.com.crt
SSLCertificateKeyFile /etc/pki/tls/private/mydomain.com.key

Force an SSL encrypted connection when accessing mydomain.com/webmail:

## vim /etc/httpd/conf.d/90-roundcube.conf

Add the following:

RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^/?webmail/(.*) https://%{SERVER_NAME}/webmail/$1 [R,L]

Finally, restart Apache for the changes to take effect and try to access http://mydomain.com/webmail, which should now redirect you to HTTPS:

## service httpd restart

SET-UP IMAP/POP3 OVER SSL

In order to enable IMAPs and POP3s, you need to edit Dovecot's main configuration file (/etc/dovecot/dovecot.conf) and add or edit the following:

protocols = imap pop3

ssl = yes
ssl_cert = </etc/pki/tls/certs/mydomain.com.crt
ssl_key = </etc/pki/tls/private/mydomain.com.key

Restart Dovecot for the changes to take effect and verify it is listening on its SSL ports using:

## service dovecot restart
## ss -tpl | grep -E 'imaps|pop3s'
LISTEN  0  0  *:imaps *:* users:(("dovecot",1955,22))
LISTEN  0  0  *:pop3s *:* users:(("dovecot",1955,18))

To test IMAPs or POP3s, simply set your email client to use the SSL port (993 for IMAPs, 995 for POP3s) and try to receive an email.


SET-UP SMTP over SSL

To enable SSL support in Postfix so you can send emails using SMTP over SSL, you need to edit two Postfix configuration files. Start by editing /etc/postfix/main.cf and adding the following:

## vim /etc/postfix/main.cf
smtpd_use_tls = yes
smtpd_tls_key_file  = /etc/pki/tls/private/mydomain.com.key
smtpd_tls_cert_file = /etc/pki/tls/certs/mydomain.com.crt

smtpd_tls_loglevel = 3
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

Then edit /etc/postfix/master.cf and make sure the following lines are not commented out:

## vim +/smtps /etc/postfix/master.cf
smtps     inet  n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes

Restart Postfix for the change to take effect and verify it is listening on its SSL port using:

## service postfix restart

## ss -tnpl | grep 465
LISTEN 0 0  *:465 *:* users:(("master",2119,19))

Test SMTPs by setting up your email client to use outgoing port 465.
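Once Dovecot, Postfix and Apache have been restarted, a handshake probe against each SSL port is a quicker check than reading the hex dumps that smtpd_tls_loglevel = 3 writes to the mail log (that level is meant for troubleshooting, not day-to-day operation). The script below is an added example, not from the original post; it assumes HOST is your mailserver's hostname and that openssl s_client is available where you run it.

```shell
#!/bin/sh
# Added example (not from the original post): probe the SSL wrapper ports
# configured in this article (993 imaps, 995 pop3s, 465 smtps, 443 https)
# and report which certificate each one presents. HOST is supplied by you.

# tls_probe HOST PORT
# Completes a TLS handshake with openssl s_client and prints the subject and
# expiry of the certificate the server sent. Returns non-zero when no
# handshake happens (nothing listening, plaintext-only service, bad key).
# Certificate trust is deliberately not evaluated: the post uses a
# self-signed certificate, so -verify_return_error would always fail here.
tls_probe() {
    host=$1; port=$2
    pem=$(openssl s_client -connect "$host:$port" </dev/null 2>/dev/null) \
        || return 1
    printf '%s\n' "$pem" | openssl x509 -noout -subject -enddate 2>/dev/null
}

# check_mail_tls HOST
# Runs tls_probe against every port this article enables and prints one
# OK/FAIL line per service. Returns the number of failed ports, so a zero
# exit status means the whole set-up handshakes correctly.
check_mail_tls() {
    host=$1; failed=0
    for svc in imaps:993 pop3s:995 smtps:465 https:443; do
        port=${svc#*:}
        if info=$(tls_probe "$host" "$port"); then
            printf 'OK   %-9s %s\n' "$svc" "$(printf '%s' "$info" | tr '\n' ' ')"
        else
            printf 'FAIL %-9s no TLS handshake on port %s\n' "$svc" "$port"
            failed=$((failed + 1))
        fi
    done
    return "$failed"
}
```

Run it as `check_mail_tls mydomain.com` from another host as well as from the server itself, since a firewall that blocks 465/993/995 looks identical to a service that is not listening.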


Implementing SSL encrypted connections to the mailserver set-up with virtual users and domains using Postfix and Dovecot, and to the Roundcube webmail interface, on a CentOS VPS gives you SSL encrypted connections for both outbound and inbound email.

However, other parts such as an anti-spam service, digital signatures using OpenDKIM and filter rules are still missing for a full-featured mail server. In the next few related articles we will be adding these features to the set-up, so stay tuned.

Update: Part 4 – How to install and integrate SpamAssassin with Postfix on a CentOS 6 VPS

Update: Part 5 – How to install and integrate OpenDKIM with Postfix on a CentOS 6 VPS

Update: Part 6 – How to set-up server-side email filtering with Dovecot Sieve and Roundcube on a CentOS 6 VPS


Of course, if you are one of our Linux VPS Hosting customers, you don’t have to do any of this, simply ask our admins, sit back and relax. Our admins will set this up for you immediately.


10 thoughts on “Set-up SSL encrypted connection in Postfix, Dovecot and Apache”

  1. Hi.. thank you for this tutorial..
    It works fine, but how can we send email from any IP address for any authenticated user (without having to add it to mynetwork=)??

    Also, please: how can we enforce TLS between SMTP servers when sending/receiving email??

    Thank you.

    • If you followed our guide at https://www.rosehosting.com/blog/mailserver-with-virtual-users-and-domains-using-postfix-and-dovecot-on-a-centos-6-vps/ you should be able to accomplish this by using SASL.

      To enable TLS in Postfix add:

      smtpd_use_tls = yes
      smtpd_tls_key_file = /etc/pki/tls/private/mydomain.com.key
      smtpd_tls_cert_file = /etc/pki/tls/certs/mydomain.com.crt

      smtpd_tls_loglevel = 3
      smtpd_tls_received_header = yes
      smtpd_tls_session_cache_timeout = 3600s
      tls_random_source = dev:/dev/urandom

      in your /etc/postfix/main.cf

      Also, you will need to add:

      smtps inet n - n - - smtpd
        -o smtpd_tls_wrappermode=yes
        -o smtpd_sasl_auth_enable=yes

      in your /etc/postfix/master.cf and restart Postfix.

  2. Thank you, yes I have already added these settings to my config but it does not work: I can send to the local domain only.. but I am not using "smtps inet" but "submission inet".

  3. Hi,

    I am having problems with SMTP with SSL. I'm trying to connect my email from my own domain to my Outlook personal email, but I could not do it without errors.

    Outlook: There’s a problem connecting to the SMTP mail server.

    Here’s the log:
    Dec 20 11:08:39 vpn01 postfix/smtpd[3156]: lost connection after CONNECT from unknown[65.55.41.7]
    Dec 20 11:08:39 vpn01 postfix/smtpd[3156]: disconnect from unknown[65.55.41.7]
    Dec 20 11:08:39 vpn01 postfix/smtpd[3156]: connect from unknown[65.55.41.7]
    Dec 20 11:08:39 vpn01 postfix/smtpd[3156]: setting up TLS connection from unknown[65.55.41.7]
    Dec 20 11:08:39 vpn01 postfix/smtpd[3156]: unknown[65.55.41.7]: TLS cipher list "ALL:!EXPORT:!LOW:+RC4:@STRENGTH"
    Dec 20 11:08:39 vpn01 postfix/smtpd[3156]: SSL_accept:before/accept initialization
    Dec 20 11:08:39 vpn01 postfix/smtpd[3156]: read from 7F629C886490 [7F629C8C2840] (11 bytes => -1 (0xFFFFFFFFFFFFFFFF))
    Dec 20 11:08:41 vpn01 postfix/smtpd[3156]: SSL_accept error from unknown[65.55.41.7]: -1
    Dec 20 11:08:41 vpn01 postfix/smtpd[3156]: lost connection after CONNECT from unknown[65.55.41.7]
    Dec 20 11:08:41 vpn01 postfix/smtpd[3156]: disconnect from unknown[65.55.41.7]

    Here’s my netstat:
    [root@vpn01 ~]# netstat -tlunp
    Active Internet connections (only servers)
    Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
    tcp 0 0 0.0.0.0:465 0.0.0.0:* LISTEN 3147/master
    tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1020/sshd
    tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 3147/master
    tcp 0 0 0.0.0.0:993 0.0.0.0:* LISTEN 3045/dovecot
    tcp 0 0 0.0.0.0:995 0.0.0.0:* LISTEN 3045/dovecot
    tcp 0 0 0.0.0.0:587 0.0.0.0:* LISTEN 3147/master
    tcp 0 0 0.0.0.0:110 0.0.0.0:* LISTEN 3045/dovecot
    tcp 0 0 0.0.0.0:143 0.0.0.0:* LISTEN 3045/dovecot
    tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 952/rpcbind
    tcp 0 0 :::22 :::* LISTEN 1020/sshd
    tcp 0 0 :::993 :::* LISTEN 3045/dovecot
    tcp 0 0 :::995 :::* LISTEN 3045/dovecot
    tcp 0 0 :::110 :::* LISTEN 3045/dovecot
    tcp 0 0 :::143 :::* LISTEN 3045/dovecot
    tcp 0 0 :::111 :::* LISTEN 952/rpcbind
    tcp 0 0 :::80 :::* LISTEN 1131/httpd
    udp 0 0 0.0.0.0:703 0.0.0.0:* 952/rpcbind
    udp 0 0 0.0.0.0:111 0.0.0.0:* 952/rpcbind
    udp 0 0 0.0.0.0:1194 0.0.0.0:* 978/openvpn
    udp 0 0 :::703 :::* 952/rpcbind
    udp 0 0 :::111 :::* 952/rpcbind
    [root@vpn01 ~]#

    Connecting without SSL works fine though.

    I’m not really sure what’s wrong with this. :(

    Thanks,
    JP
