Tran Nghi's Site - Make notes and share experience

Force IMAPS and SMTPS and AMAVIS TLS

Configure Postfix and Dovecot to use TLS/SSL and force encrypted sessions

Protocol     Usage           Plain text or STARTTLS   Encrypted session only (TLS wrapper)
POP3         Incoming mail   110                      995
IMAP         Incoming mail   143                      993
SMTP         Outgoing mail   25                       465
Submission   Outgoing mail   587                      -


Disable IMAP protocol and force IMAPS

Older versions of Dovecot (1.x) had a protocols list in /etc/dovecot/dovecot.conf.

If you find an entry called protocols, uncomment it, remove imap from it and add imaps. I would recommend that you don't use pop3 or pop3s anymore!
In newer versions (2.x) there is just an include, specified by the entry

!include_try /usr/share/dovecot/protocols.d/*.protocol

(If you want to disable pop3 and pop3s, delete /usr/share/dovecot/protocols.d/pop3d.protocol; on Debian/Ubuntu that file belongs to the dovecot-pop3d package, so removing the package is the change that survives upgrades.)

We could ignore the warnings and add our own protocols list the way older Dovecot versions did. That results in something like this in the log:

Jul 17 22:01:22 dustplanet dovecot: config: Warning: Obsolete setting in /etc/dovecot/dovecot.conf:104: 'imaps' protocol can no longer be specified (use protocols=imap). to disable non-ssl imap, use service imap-login { inet_listener imap { port=0 } }

That warning is the hint we need: in Dovecot 2.x "imaps" is no longer a protocol name, the imap service handles both, and non-SSL IMAP is switched off by setting the plaintext listener's port to 0. Below is how I got it to work.

## Either set the two policies with postconf, or edit /etc/postfix/main.cf by hand
postconf -e smtpd_tls_security_level=encrypt
postconf -e smtp_tls_security_level=encrypt

Edit /etc/postfix/main.cf (Postfix only treats "#" as a comment at the start of a line, so keep comments on their own lines):
## TLS settings
## smtpd_use_tls is the pre-2.3 switch; smtpd_tls_security_level below supersedes it and is what actually decides the policy
smtpd_use_tls = yes
## moot with a mandatory policy: AUTH is only reachable after STARTTLS anyway
smtpd_tls_auth_only = no
smtpd_tls_key_file = /etc/ssl/private/mail.infotechviet.com.key
smtpd_tls_cert_file = /etc/ssl/certs/mail.infotechviet.com.cert
## Something else right here...

## Then, make sure that you have this. Server side: a client that sends MAIL FROM
## before STARTTLS gets "530 5.7.0 Must issue a STARTTLS command first"
smtpd_tls_security_level =  encrypt

## And this. Client side: Postfix defers mail to any host that does not offer STARTTLS
smtp_tls_security_level = encrypt

## And a client-side TLS session cache (the file name is arbitrary; it lives under $data_directory)
smtp_tls_session_cache_database = btree:$data_directory/smtpd_tls_session_cache

Know what "encrypt" costs before you ship it. The Postfix TLS_README points out that RFC 2487 (now RFC 3207) says a publicly referenced SMTP server MUST NOT require STARTTLS, so smtpd_tls_security_level = encrypt on port 25 turns away every sending MTA that cannot do TLS, and smtp_tls_security_level = encrypt makes your server defer, and eventually bounce, mail to every domain whose MX does not offer STARTTLS. The Postfix documentation recommends "may" on port 25 with "encrypt" applied only to the submission and smtps services through -o overrides in master.cf, and "may" (or "dane") for outbound mail. This page forces encryption everywhere on purpose; just be aware that it is stricter than what the Postfix authors advise for a public MX.


Edit /etc/postfix/master.cf and make sure these lines are uncommented. The columns are service name, type, private, unprivileged, chroot, wakeup, max processes and command, so the "y" on the first line is the chroot column. The -o lines switch this listener to TLS wrapper mode (port 465) and enable SASL. Postfix's own sample master.cf additionally restricts this service to authenticated clients (permit_sasl_authenticated,reject) so that the wrapper port serves mail clients only; that is worth adding on a server that also receives mail.
smtps     inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes

Reload Postfix:
postfix reload
postfix: Postfix is running with backwards-compatible default settings
postfix: See http://www.postfix.org/COMPATIBILITY_README.html for details
postfix: To disable backwards compatibility use "postconf compatibility_level=2" and "postfix reload"
postfix/postfix-script: refreshing the Postfix mail system


Edit /etc/dovecot/dovecot.conf (on a Dovecot 2.x conf.d layout these settings live in /etc/dovecot/conf.d/10-ssl.conf instead):
## SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>
## "required": clients that do not switch to TLS (STARTTLS on 143/110, or the wrapped ports) cannot log in
ssl = required
## PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
## dropping root privileges, so keep the key file unreadable by anyone but
## root. Included doc/mkcert.sh can be used to easily generate self-signed
## certificate, just make sure to update the domains in dovecot-openssl.cnf
ssl_cert = </etc/ssl/certs/mail.infotechviet.com.cert
ssl_key = </etc/ssl/private/mail.infotechviet.com.key


Edit /etc/dovecot/conf.d/10-master.conf.
## Set the port of the plaintext inet_listener to 0; that removes the listener altogether.
## The imaps/pop3s listeners keep their defaults (993/995 with ssl = yes) even though those lines stay commented out.
service imap-login {
  inet_listener imap {
    ## was port = 143, adjusted by Nghia Le
    port = 0
  }
  inet_listener imaps {
    #port = 993
    #ssl = yes
  }
}
## And this
service pop3-login {
  inet_listener pop3 {
    ## was port = 110, adjusted by Nghia Le
    port = 0
  }
  inet_listener pop3s {
    #port = 995
    #ssl = yes
  }
}

Edit /etc/dovecot/conf.d/10-auth.conf. With this, plaintext mechanisms (PLAIN, LOGIN) are only accepted once the connection is TLS-protected, which with ssl = required above is belt and braces:
## adjusted by Nghia Le
disable_plaintext_auth = yes
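Once Postfix and Dovecot are reloaded, check from outside that the plaintext doors are really shut. The probe below is an added example for this post (not part of the original, nor of the Postfix or Dovecot projects); mail.example.com is a placeholder for your host. It never sends a message: on port 25 it walks through the greeting, EHLO and MAIL FROM without STARTTLS, on 143 and 110 it only tries to connect, and on 465, 993 and 995 it completes a TLS handshake and reads the banner.

```python
"""Probe a mail host and confirm that only encrypted sessions get anywhere.

Added example for this post, not part of the original: the host name is a
placeholder and the probe is read-only. Postfix with
smtpd_tls_security_level=encrypt must answer MAIL FROM sent before STARTTLS
with 530; Dovecot's "port = 0" must leave 143/110 refusing connections.
"""
import socket
import ssl

TIMEOUT = 5.0


def parse_smtp_reply(raw):
    """Split a raw SMTP reply (possibly multi-line, '250-' continuations)
    into (status code, [text after the code on each line])."""
    lines = [line for line in raw.splitlines() if len(line) >= 3]
    code = int(lines[-1][:3])
    return code, [line[4:].strip() for line in lines]


def smtp_offers_starttls(ehlo_lines):
    """True when an EHLO reply advertised STARTTLS. The first line carries
    the server name; the remaining lines are extension keywords."""
    return any(line.split()[0].upper() == "STARTTLS"
               for line in ehlo_lines[1:] if line.strip())


def judge_smtp(starttls_offered, mail_from_code):
    """Turn what the plaintext SMTP probe saw into a verdict."""
    if not starttls_offered:
        return "FAIL: STARTTLS not offered"
    if mail_from_code == 530:
        return "OK: plaintext mail refused until STARTTLS"
    if 200 <= mail_from_code < 300:
        return "FAIL: mail accepted over plaintext (policy is may/none)"
    return "WARN: unexpected reply %d to MAIL FROM" % mail_from_code


def _recv_reply(sock):
    """Read until the final reply line, i.e. 'NNN ' with a space after the code."""
    buf = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
        last = buf.rstrip(b"\r\n").split(b"\r\n")[-1]
        if len(last) >= 4 and last[3:4] == b" ":
            break
    return buf.decode("utf-8", "replace")


def probe_plaintext_smtp(host, port=25):
    """Banner -> EHLO -> MAIL FROM with no STARTTLS, then judge the replies."""
    with socket.create_connection((host, port), TIMEOUT) as s:
        s.settimeout(TIMEOUT)
        _recv_reply(s)                                    # 220 banner
        s.sendall(b"EHLO probe.example.invalid\r\n")      # placeholder name
        _, ehlo = parse_smtp_reply(_recv_reply(s))
        s.sendall(b"MAIL FROM:<>\r\n")
        code, _ = parse_smtp_reply(_recv_reply(s))
        s.sendall(b"QUIT\r\n")
    return judge_smtp(smtp_offers_starttls(ehlo), code)


def probe_closed(host, port):
    """'refused' is what Dovecot's port = 0 should give; 'open' is a finding."""
    try:
        with socket.create_connection((host, port), TIMEOUT):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except (socket.timeout, OSError):
        return "filtered/unreachable"


def probe_tls_banner(host, port):
    """Handshake on a wrapper-mode port and return the first banner line.
    The default context verifies the certificate, so a self-signed or
    mismatched cert surfaces here as a handshake error."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), TIMEOUT) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.settimeout(TIMEOUT)
            return tls.recv(1024).decode("utf-8", "replace").splitlines()[0]


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "mail.example.com"  # placeholder
    checks = [("smtp/25", lambda: probe_plaintext_smtp(host, 25)),
              ("imap/143", lambda: probe_closed(host, 143)),
              ("pop3/110", lambda: probe_closed(host, 110)),
              ("smtps/465", lambda: probe_tls_banner(host, 465)),
              ("imaps/993", lambda: probe_tls_banner(host, 993)),
              ("pop3s/995", lambda: probe_tls_banner(host, 995))]
    for name, check in checks:
        try:
            print("%-10s %s" % (name, check()))
        except (OSError, ssl.SSLError, IndexError) as exc:
            print("%-10s ERROR: %s" % (name, exc))
```

Run it as python3 probe.py mail.example.com. On a correctly forced server port 25 advertises STARTTLS and answers MAIL FROM with 530 5.7.0 Must issue a STARTTLS command first, 143 and 110 come back refused, and the wrapped ports print a 220, * OK or +OK banner. Because the TLS context verifies the certificate, a self-signed or mismatched certificate is reported as a handshake error instead of being silently accepted, which is the behaviour a real mail client will show your users too.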

Ref: https://dustplanet.de/howto-force-imaps-and-smtps-nice-roundcube-features/

Amavis and TLS
You might use amavisd-new as a spam and virus filter. If so, after forcing TLS in Postfix you may find messages like these in mail.log, and the mail is not sent:

Jul 18 01:05:11 infotechviet amavis[18922]: (18922-01) discarding unprocessed reply: 221 2.0.0 Bye
Jul 18 01:05:11 infotechviet amavis[18922]: (18922-01) (!)mail_via_smtp: error during QUIT: errno=
Jul 18 01:05:11 infotechviet amavis[18922]: (18922-01) (!)FWD from <[email protected]> -> <[email protected]>,BODY=7BIT 451 4.5.0 From MTA(smtp:[127.0.0.1]:10025) during fwd-rundown-1 (Negative SMTP response to RSET: 530 5.7.0 Must issue a STARTTLS command first at (eval 134) line 1037.): id=18922-01
Jul 18 01:05:12 infotechviet amavis[18922]: (18922-01) Blocked MTA-BLOCKED {RejectedOpenRelay}, [xx.xxx.xx.xxx]:51262 <[email protected]> -> <[email protected]>, Queue-ID: A9334788D9, Message-ID: <[email protected]>, mail_id: kMVr0ucODUYs, Hits: 0.108, size: 691, 2165 ms
Jul 18 01:03:17 dustplanet postfix/smtp[18739]: 3AA33788B0: to=<[email protected]>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.29, delays=0.27/0.01/0.01/0, dsn=4.7.4, status=deferred (TLS is required, but was not offered by host 127.0.0.1[127.0.0.1])

If so, you need to switch TLS off for the two amavis hops so that mail can flow again. The content filter runs over loopback: Postfix hands each message to amavis on 127.0.0.1:10024 (the deferred 4.7.4 "TLS is required, but was not offered" above is the smtp client refusing that hop), and amavis re-injects the filtered mail on 127.0.0.1:10025 (the 530 "Must issue a STARTTLS command first" is that listener refusing amavis). amavisd-new does not speak STARTTLS on either side, and the traffic never leaves the host, so disabling TLS there costs nothing. Override the policy for just those two services rather than relaxing it globally.

In /etc/postfix/master.cf, add the following -o line to the amavis transport (the unix-type service that runs smtp; its name is whatever your amavis setup uses, smtp-amavis is a common one)

-o smtp_tls_security_level=none

and to the 127.0.0.1:10025 smtpd service add

-o smtpd_tls_security_level=none

then run postfix reload and watch mail.log until the deferred messages go out.
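As an added example (not part of the original post, nor of Postfix or amavisd-new), a small scanner that pulls these two symptoms out of mail.log and says which master.cf override each one points at, while flagging the case where the deferral is an external MX without STARTTLS, i.e. the policy doing exactly what you asked and not something to fix with "none". The log lines embedded in it are constructed after the ones quoted above, with placeholder hosts and addresses.

```python
"""Pick the mandatory-TLS failures out of mail.log and say which master.cf
knob each one points at.

Added example for this post, not part of the original. SAMPLE_LOG is
constructed after the lines quoted above, with placeholder hosts and
addresses; pass a real log path as the first argument to scan that instead.
"""
import re
import sys
from ipaddress import ip_address

SAMPLE_LOG = """\
Jul 18 01:03:17 mail postfix/smtp[18739]: 3AA33788B0: to=<user@example.org>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.29, delays=0.27/0.01/0.01/0, dsn=4.7.4, status=deferred (TLS is required, but was not offered by host 127.0.0.1[127.0.0.1])
Jul 18 01:05:11 mail amavis[18922]: (18922-01) (!)FWD from <user@example.org> -> <dest@example.net>,BODY=7BIT 451 4.5.0 From MTA(smtp:[127.0.0.1]:10025) during fwd-rundown-1 (Negative SMTP response to RSET: 530 5.7.0 Must issue a STARTTLS command first at (eval 134) line 1037.): id=18922-01
Jul 18 01:07:02 mail postfix/smtp[18801]: 4BB44799C1: to=<someone@legacy.example>, relay=mx.legacy.example[203.0.113.10]:25, delay=1.1, delays=0.1/0/1/0, dsn=4.7.4, status=deferred (TLS is required, but was not offered by host mx.legacy.example[203.0.113.10])
Jul 18 01:08:30 mail postfix/smtp[18803]: 5CC55800D2: to=<ok@example.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.2, delays=0.1/0/0/0.1, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 1234ABCD)
"""

# Postfix smtp client giving up on a relay that did not advertise STARTTLS
DEFERRED_RE = re.compile(
    r"postfix/smtp\[\d+\]: (?P<qid>[0-9A-Za-z]+): .*?"
    r"relay=(?P<relay>[^\[,\s]+)\[(?P<ip>[^\]]+)\]:(?P<port>\d+).*?"
    r"status=deferred \((?P<reason>TLS is required, but was not offered[^)]*)\)")
# amavis being refused by the re-injection smtpd because it never sent STARTTLS
AMAVIS_RE = re.compile(
    r"amavis\[\d+\]: \((?P<qid>[\d-]+)\) .*?"
    r"From MTA\(smtp:\[(?P<ip>[^\]]+)\]:(?P<port>\d+)\).*?"
    r"(?P<reason>530 5\.7\.0 Must issue a STARTTLS command first)")


def advise(ip, port):
    """Loopback hops belong to the content filter and get a per-service
    override; anything else is the policy doing its job."""
    if ip_address(ip).is_loopback:
        if port == 10025:
            return ("re-injection smtpd: add '-o smtpd_tls_security_level=none' "
                    "to the 127.0.0.1:10025 service in master.cf")
        return ("content-filter hop: add '-o smtp_tls_security_level=none' "
                "to the amavis transport in master.cf")
    return ("external relay without STARTTLS: the deferral is the intended "
            "effect of smtp_tls_security_level=encrypt; do not relax it globally")


def scan(log_text):
    """Return one finding per matching line, in log order."""
    findings = []
    for line in log_text.splitlines():
        for kind, rx in (("postfix-client-deferred", DEFERRED_RE),
                         ("amavis-forward-refused", AMAVIS_RE)):
            m = rx.search(line)
            if m is None:
                continue
            port = int(m.group("port"))
            findings.append({"kind": kind, "id": m.group("qid"),
                             "relay": m.group("ip"), "port": port,
                             "reason": m.group("reason"),
                             "advice": advise(m.group("ip"), port)})
    return findings


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for f in scan(text):
        print("%s %s -> %s:%d\n    %s\n    %s" % (
            f["kind"], f["id"], f["relay"], f["port"], f["reason"], f["advice"]))
```

The split on loopback versus everything else is the point: the two amavis hops are the only places where "none" is the right answer, while a deferral to a real MX that lacks STARTTLS is the trade-off you accepted with smtp_tls_security_level = encrypt and is better handled per destination (smtp_tls_policy_maps) than by switching the policy off.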

Other reference: https://www.namecheap.com/support/knowledgebase/article.aspx/9795/69/installing-and-configuring-ssl-on-postfixdovecot-mail-server
