Tran Nghi's Site  - Make notes and share experience

Force IMAPS and SMTPS and AMAVIS TLS


config postfix/dovecot using tls/ssl – force encrypt

Protocol     Usage           Plain text/encrypted session   Encrypted session only
POP3         Incoming mail   110                            995
IMAP         Incoming mail   143                            993
SMTP         Outgoing mail   25                             465
Submission   Outgoing mail   587


Disable IMAP protocol and force IMAPS

Older versions of Dovecot had a protocols array in the file /etc/dovecot/dovecot.conf.

If you find an entry called protocols, make sure it is uncommented, remove imap from it and add imaps. I would recommend that you don't use pop3 or pop3s anymore!
However, newer versions just have an include specified by the entry

!include_try /usr/share/dovecot/protocols.d/*.protocol

(If you want to disable pop3 and pop3s, delete /usr/share/dovecot/protocols.d/pop3d.protocol ;))

Okay, we could just ignore the warnings and add our own protocols array the way older Dovecot versions did. That results in a warning like this:

Jul 17 22:01:22 dustplanet dovecot: config: Warning: Obsolete setting in /etc/dovecot/dovecot.conf:104: ‘imaps’ protocol can no longer be specified (use protocols=imap). to disable non-ssl imap, use service imap-login { inet_listener imap { port=0 } }

Now we get a hint! Below is how I got it to work.

## Use the commands below, or edit /etc/postfix/main.cf directly
postconf -e smtpd_tls_security_level=encrypt
postconf -e smtp_tls_security_level=encrypt

[email protected]:~# vi /etc/postfix/main.cf
## TLS settings
smtpd_use_tls = yes
smtpd_tls_auth_only = no
smtpd_tls_key_file = /etc/ssl/private/mail.infotechviet.com.key
smtpd_tls_cert_file = /etc/ssl/certs/mail.infotechviet.com.cert
## Something else right here...

## Then, make sure that you have this
smtpd_tls_security_level = encrypt

## And this
smtp_tls_security_level = encrypt

## And something like this
smtp_tls_session_cache_database = btree:$data_directory/smtpd_tls_session_cache


[email protected]:~# vi /etc/postfix/master.cf
## Make sure these lines are uncommented; the "y" on the first line is the chroot column
smtps     inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes

[email protected]:~# postfix reload
postfix: Postfix is running with backwards-compatible default settings
postfix: See http://www.postfix.org/COMPATIBILITY_README.html for details
postfix: To disable backwards compatibility use "postconf compatibility_level=2" and "postfix reload"
postfix/postfix-script: refreshing the Postfix mail system
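Once main.cf and master.cf are edited, it is worth checking the files rather than trusting the edit session. The script below is an added example, not code from the original post: it resolves the effective value of a main.cf parameter the way Postfix does (comments ignored, last assignment wins) and confirms that an uncommented smtps service with smtpd_tls_wrappermode=yes exists in master.cf. The two sample configs it writes to a temp directory are constructed for the demo; on a real host you would call postfix_tls_check /etc/postfix/main.cf /etc/postfix/master.cf. Note that the post sets smtp_tls_security_level=encrypt on the outbound client side as well, so the audit expects encrypt there too; that same client setting is what breaks the amavis hop later in the post.

```shell
#!/bin/sh
# Added example (not from the original post): audit /etc/postfix/main.cf and
# master.cf for the force-TLS settings shown above. Two constructed sample
# configs are written to a temp dir so the script runs offline.

# Effective value of a main.cf parameter: comments are skipped and the last
# assignment wins, which is how Postfix itself resolves duplicates.
main_cf_get() {   # $1 = main.cf path, $2 = parameter name
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        $0 ~ ("^[ \t]*" key "[ \t]*=") {
            val = $0
            sub(/^[^=]*=[ \t]*/, "", val)   # drop "key =" and leading blanks
            sub(/[ \t]+$/, "", val)         # drop trailing blanks
            last = val
        }
        END { print last }' "$1"
}

# Does master.cf have an uncommented smtps service running smtpd in TLS
# wrapper mode? Service entries start in column 0 and their "-o" option
# lines are indented, so the next column-0 line ends the entry.
master_cf_has_smtps() {   # $1 = master.cf path
    awk '
        /^[ \t]*#/ { next }
        /^smtps[ \t]/ && $NF == "smtpd" { in_smtps = 1; next }
        /^[^ \t]/ { in_smtps = 0 }
        in_smtps && /-o[ \t]+smtpd_tls_wrappermode=yes/ { found = 1 }
        END { exit found ? 0 : 1 }' "$1"
}

# Report on both files; exit status 0 only if every check passes.
postfix_tls_check() {   # $1 = main.cf path, $2 = master.cf path
    rc=0
    for p in smtpd_tls_security_level smtp_tls_security_level; do
        v=$(main_cf_get "$1" "$p")
        if [ "$v" = "encrypt" ]; then
            echo "ok    $p = $v"
        else
            echo "FAIL  $p = '${v:-<unset>}' (expected encrypt)"
            rc=1
        fi
    done
    if master_cf_has_smtps "$2"; then
        echo "ok    smtps service with smtpd_tls_wrappermode=yes"
    else
        echo "FAIL  no uncommented smtps service with smtpd_tls_wrappermode=yes"
        rc=1
    fi
    return $rc
}

# --- constructed sample inputs (stand-ins for the real files) ---
TMPD=$(mktemp -d)
trap 'rm -rf "$TMPD"' EXIT
cat > "$TMPD/main.cf" <<'EOF'
# hardened: the earlier "may" is overridden by the later "encrypt"
smtpd_use_tls = yes
smtpd_tls_security_level = may
smtpd_tls_security_level =  encrypt
smtp_tls_security_level=encrypt
EOF
cat > "$TMPD/main_weak.cf" <<'EOF'
# weak: STARTTLS is offered but optional, cleartext sessions still accepted
smtpd_use_tls = yes
smtpd_tls_security_level = may
EOF
cat > "$TMPD/master.cf" <<'EOF'
smtp      inet  n       -       y       -       -       smtpd
#smtps     inet  n       -       y       -       -       smtpd
#  -o smtpd_tls_wrappermode=yes
smtps     inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
EOF

echo "== hardened sample =="
postfix_tls_check "$TMPD/main.cf" "$TMPD/master.cf"
echo "== weak sample =="
postfix_tls_check "$TMPD/main_weak.cf" "$TMPD/master.cf" || true
```

The weak sample fails twice: the inbound level is only may, and the outbound level is unset, which Postfix treats as may as well (cleartext allowed). Running it against the hardened sample prints three ok lines and exits 0, so the function can sit in a deploy check.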


[email protected]:~# vi /etc/dovecot/dovecot.conf
## SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>
ssl = required
## PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
## dropping root privileges, so keep the key file unreadable by anyone but
## root. Included doc/mkcert.sh can be used to easily generate self-signed
## certificate, just make sure to update the domains in dovecot-openssl.cnf
ssl_cert = </etc/ssl/certs/mail.infotechviet.com.cert
ssl_key = </etc/ssl/private/mail.infotechviet.com.key


[email protected]:~# vi /etc/dovecot/conf.d/10-master.conf
## Change the port of the inet_listener imap to 0
service imap-login {
  inet_listener imap {
    port = 0 # port = 143, was adjusted by Nghia Le
  }
  inet_listener imaps {
    #port = 993
    #ssl = yes
  }
}
## And this
service pop3-login {
  inet_listener pop3 {
    port = 0 #port = 110, was adjusted by Nghia Le
  }
  inet_listener pop3s {
    #port = 995
    #ssl = yes
  }
}

[email protected]:~# vi /etc/dovecot/conf.d/10-auth.conf
disable_plaintext_auth = yes # adjusted by Nghia Le
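The Dovecot side can be verified the same way. The script below is an added example, not from the original post: it reads conf.d/10-master.conf and reports the port of each plaintext inet_listener (a commented-out "#port = 993" under imaps is correctly ignored, and a listener block that sets no port is treated as enabled because Dovecot's built-in default, 143 for imap and 110 for pop3, then applies), and it checks disable_plaintext_auth in 10-auth.conf and ssl = required in dovecot.conf. The sample files are constructed copies of the settings shown above; on a real host the three arguments would be the files under /etc/dovecot.

```shell
#!/bin/sh
# Added example (not from the original post): verify that Dovecot only
# accepts TLS-wrapped IMAP/POP3 and refuses plaintext logins. Constructed
# copies of the post's settings are written to a temp dir so it runs offline.

# Port configured for one inet_listener block in 10-master.conf. Trailing
# "#" comments are stripped first, so "port = 0 # port = 143" reads as 0 and
# "#port = 993" is ignored. Prints nothing when the block sets no port.
dovecot_listener_port() {   # $1 = 10-master.conf path, $2 = listener name
    awk -v name="$2" '
        { line = $0; sub(/#.*/, "", line) }
        line ~ ("^[ \t]*inet_listener[ \t]+" name "[ \t]*[{]") { in_l = 1; next }
        in_l && line ~ /^[ \t]*port[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, "", line); sub(/[ \t]+$/, "", line)
            port = line
        }
        in_l && line ~ /[}]/ { in_l = 0 }
        END { print port }' "$1"
}

# Is "key = value" present, uncommented, in a Dovecot config file?
dovecot_setting_is() {   # $1 = file, $2 = key, $3 = expected value
    grep -Eq "^[[:space:]]*$2[[:space:]]*=[[:space:]]*$3([[:space:]#]|\$)" "$1"
}

# Report on all three files; exit status 0 only if every check passes.
dovecot_tls_check() {   # $1 = 10-master.conf, $2 = 10-auth.conf, $3 = dovecot.conf
    rc=0
    for l in imap pop3; do
        p=$(dovecot_listener_port "$1" "$l")
        if [ "$p" = "0" ]; then
            echo "ok    plaintext listener $l disabled (port = 0)"
        else
            # no port line means Dovecot's default (143/110) is still in effect
            echo "FAIL  plaintext listener $l still reachable (port = ${p:-default})"
            rc=1
        fi
    done
    if dovecot_setting_is "$2" disable_plaintext_auth yes; then
        echo "ok    disable_plaintext_auth = yes"
    else
        echo "FAIL  disable_plaintext_auth is not yes"; rc=1
    fi
    if dovecot_setting_is "$3" ssl required; then
        echo "ok    ssl = required"
    else
        echo "FAIL  ssl is not required"; rc=1
    fi
    return $rc
}

# --- constructed sample inputs (copies of the post's settings) ---
TMPD=$(mktemp -d)
trap 'rm -rf "$TMPD"' EXIT
cat > "$TMPD/10-master.conf" <<'EOF'
service imap-login {
  inet_listener imap {
    port = 0 # port = 143, was adjusted
  }
  inet_listener imaps {
    #port = 993
    #ssl = yes
  }
}
service pop3-login {
  inet_listener pop3 {
    port = 0 #port = 110, was adjusted
  }
  inet_listener pop3s {
    #port = 995
    #ssl = yes
  }
}
EOF
cat > "$TMPD/10-master-weak.conf" <<'EOF'
service imap-login {
  inet_listener imap {
    port = 143
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
EOF
printf 'disable_plaintext_auth = yes # adjusted\nauth_mechanisms = plain login\n' > "$TMPD/10-auth.conf"
printf 'ssl = required\n' > "$TMPD/dovecot.conf"

echo "== hardened sample =="
dovecot_tls_check "$TMPD/10-master.conf" "$TMPD/10-auth.conf" "$TMPD/dovecot.conf"
echo "== weak sample =="
dovecot_tls_check "$TMPD/10-master-weak.conf" "$TMPD/10-auth.conf" "$TMPD/dovecot.conf" || true
```

In the weak sample imap is still on 143 and pop3 has no block at all, so both are reported as reachable; the hardened sample passes every check and exits 0.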

Ref: https://dustplanet.de/howto-force-imaps-and-smtps-nice-roundcube-features/

Amavis and TLS
You might use amavisd-new as a spam and virus filter.
Then messages like these can show up in your mail.log, and the mails are not sent.

Jul 18 01:05:11 infotechviet amavis[18922]: (18922-01) discarding unprocessed reply: 221 2.0.0 Bye
Jul 18 01:05:11 infotechviet amavis[18922]: (18922-01) (!)mail_via_smtp: error during QUIT: errno=
Jul 18 01:05:11 infotechviet amavis[18922]: (18922-01) (!)FWD from <[email protected]> -> <[email protected]>,BODY=7BIT 451 4.5.0 From MTA(smtp:[127.0.0.1]:10025) during fwd-rundown-1 (Negative SMTP response to RSET: 530 5.7.0 Must issue a STARTTLS command first at (eval 134) line 1037.): id=18922-01
Jul 18 01:05:12 infotechviet amavis[18922]: (18922-01) Blocked MTA-BLOCKED {RejectedOpenRelay}, [xx.xxx.xx.xxx]:51262 <[email protected]> -> <[email protected]>, Queue-ID: A9334788D9, Message-ID: <[email protected]>, mail_id: kMVr0ucODUYs, Hits: 0.108, size: 691, 2165 ms
Jul 18 01:03:17 dustplanet postfix/smtp[18739]: 3AA33788B0: to=<[email protected]>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.29, delays=0.27/0.01/0.01/0, dsn=4.7.4, status=deferred (TLS is required, but was not offered by host 127.0.0.1[127.0.0.1])

If so, you need to disable TLS for the amavis hops so that mails can be sent again.

In /etc/postfix/master.cf add the following line to the amavis service entry

-o smtp_tls_security_level=none

and to the 127.0.0.1:10025 entry the following

-o smtpd_tls_security_level=none
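The two log signatures above come from the two directions of the amavis loop: the deferred line is Postfix's smtp client insisting on TLS towards port 10024, and the 451/530 line is amavis being refused by the re-injection listener on 10025. The script below is an added example, not from the original post: it scans a mail.log, counts each signature, pulls the relay or MTA address out of the line and names the master.cf option that clears it. The sample log is constructed (adapted from the lines above, with addresses replaced) so the script runs offline; on a real host you would pass /var/log/mail.log.

```shell
#!/bin/sh
# Added example (not from the original post): scan mail.log for the two
# signatures seen when both hops of the amavis loop insist on TLS, and say
# which master.cf entry each one points at. Sample log lines are constructed.

# Prints one diagnosis line per affected hop; exit status 1 if any was found.
mail_log_tls_diagnose() {   # $1 = mail.log path
    awk '
        # Hop 1: Postfix smtp client -> amavis on 10024. Postfix demands TLS
        # (smtp_tls_security_level=encrypt) and amavis never offers it.
        /status=deferred \(TLS is required, but was not offered by host/ {
            relay = $0; sub(/.*relay=/, "", relay); sub(/,.*/, "", relay)
            out[relay]++; n_out++
        }
        # Hop 2: amavis -> Postfix re-injection listener on 10025. The listener
        # demands STARTTLS (smtpd_tls_security_level=encrypt); amavis speaks
        # plain SMTP, gets a 530 and defers the message with 451.
        /530 5\.7\.0 Must issue a STARTTLS command first/ {
            mta = $0; sub(/.*From MTA\(/, "", mta); sub(/\).*/, "", mta)
            inj[mta]++; n_in++
        }
        END {
            for (r in out)
                printf "%d x postfix->amavis: TLS required by relay %s; add -o smtp_tls_security_level=none to the amavis entry\n", out[r], r
            for (m in inj)
                printf "%d x amavis->postfix: STARTTLS demanded by %s; add -o smtpd_tls_security_level=none to the 127.0.0.1:10025 entry\n", inj[m], m
            exit (n_out + n_in) > 0 ? 1 : 0
        }' "$1"
}

# --- constructed sample logs (adapted from the post, addresses replaced) ---
TMPD=$(mktemp -d)
trap 'rm -rf "$TMPD"' EXIT
cat > "$TMPD/mail.log" <<'EOF'
Jul 18 01:03:17 mail postfix/smtp[18739]: 3AA33788B0: to=<user@example.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.29, delays=0.27/0.01/0.01/0, dsn=4.7.4, status=deferred (TLS is required, but was not offered by host 127.0.0.1[127.0.0.1])
Jul 18 01:05:11 mail amavis[18922]: (18922-01) (!)FWD from <sender@example.org> -> <user@example.com>,BODY=7BIT 451 4.5.0 From MTA(smtp:[127.0.0.1]:10025) during fwd-rundown-1 (Negative SMTP response to RSET: 530 5.7.0 Must issue a STARTTLS command first at (eval 134) line 1037.): id=18922-01
Jul 18 01:05:12 mail amavis[18922]: (18922-01) Passed CLEAN {RelayedInbound}, <sender@example.org> -> <user@example.com>, Hits: 0.1, size: 691
Jul 18 01:09:40 mail postfix/smtp[18801]: 4BB44788C1: to=<user@example.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.31, dsn=4.7.4, status=deferred (TLS is required, but was not offered by host 127.0.0.1[127.0.0.1])
EOF
cat > "$TMPD/clean.log" <<'EOF'
Jul 18 02:00:01 mail postfix/smtp[19010]: 5CC55788D2: to=<user@example.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.12, dsn=2.0.0, status=sent (250 2.7.0 Ok, discarded, id=19010-01 - CLEAN)
EOF

mail_log_tls_diagnose "$TMPD/mail.log" || true
mail_log_tls_diagnose "$TMPD/clean.log" && echo "clean log: no TLS mismatch found"
```

Both hops run over loopback on the same host, which is why switching them to none costs nothing: the encrypt requirement still applies to the public smtps and submission listeners and to outbound delivery, only the amavis round trip on 127.0.0.1 is exempted.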

Other reference: https://www.namecheap.com/support/knowledgebase/article.aspx/9795/69/installing-and-configuring-ssl-on-postfixdovecot-mail-server
