
You can use Let's Encrypt certificates to secure communication with your e-mail server.

After you generate a certificate for your mail server:

certbot-auto certonly --apache --non-interactive --agree-tos \
--email me@mydomian -d mail.jaqb.gda.pl

the files have to be copied to a new location because Postfix/Cyrus IMAP cannot read them: the /etc/letsencrypt/live directory can be read only by root.

The solution is simple. I've copied them into the /etc/postfix directory and changed the group to mail:

cp /etc/letsencrypt/live/mail.jaqb.gda.pl/cert.pem \
                                      /etc/postfix/cert.pem
cp /etc/letsencrypt/live/mail.jaqb.gda.pl/privkey.pem \
                                      /etc/postfix/privkey.pem
cp /etc/letsencrypt/live/mail.jaqb.gda.pl/fullchain.pem \
                                      /etc/postfix/fullchain.pem

chgrp mail /etc/postfix/cert.pem /etc/postfix/privkey.pem \
/etc/postfix/fullchain.pem 

I've added these commands to the /etc/cron.monthly/letsencrypt-auto.bash file (from my last post).

Of course you have to set the appropriate options, at least in /etc/postfix/main.cf:
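The copy step above as a reusable function, added here as an example and not part of the original post. A plain cp leaves the mode of the copied private key to whatever the source mode and the umask produce, so this version sets modes explicitly, replaces each file atomically, and prints the names of files that changed so services can be restarted only when needed. The function name deploy_mail_certs and the 0640 key mode are choices made for this example.

```shell
#!/bin/sh
# Added example: deploy_mail_certs SRC_DIR DST_DIR GROUP (hypothetical helper).
# Copies cert.pem, privkey.pem and fullchain.pem with explicit permissions
# and prints the name of every file whose content was updated.
deploy_mail_certs() {
    src=$1 dst=$2 grp=$3
    # Refuse to touch anything unless all three source files are readable.
    for f in cert.pem privkey.pem fullchain.pem; do
        [ -r "$src/$f" ] || { echo "missing $src/$f" >&2; return 1; }
    done
    for f in cert.pem privkey.pem fullchain.pem; do
        case $f in
            privkey.pem) mode=640 ;;  # key: owner and group only (assumption)
            *)           mode=644 ;;  # certificates are public data
        esac
        if cmp -s "$src/$f" "$dst/$f"; then
            # Content unchanged: still re-assert group and mode.
            chgrp "$grp" "$dst/$f" && chmod "$mode" "$dst/$f" || return 1
            continue
        fi
        tmp="$dst/.$f.new"
        # umask 077: the temporary copy is never group- or world-readable.
        ( umask 077 && cp "$src/$f" "$tmp" ) || return 1
        chgrp "$grp" "$tmp" && chmod "$mode" "$tmp" || { rm -f "$tmp"; return 1; }
        mv -f "$tmp" "$dst/$f" || return 1  # atomic replace in the same directory
        echo "$f"
    done
}

# Usage with the paths from the post (run as root, e.g. from the cron script):
#   changed=$(deploy_mail_certs /etc/letsencrypt/live/mail.jaqb.gda.pl /etc/postfix mail)
#   [ -n "$changed" ] && /etc/init.d/postfix restart && /etc/init.d/cyrus-imapd restart
```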

smtpd_tls_cert_file = /etc/postfix/cert.pem
smtpd_tls_key_file = /etc/postfix/privkey.pem
smtpd_tls_CAfile = /etc/postfix/fullchain.pem

and in /etc/imapd.conf:

tls_cert_file: /etc/postfix/cert.pem
tls_key_file: /etc/postfix/privkey.pem
tls_ca_file: /etc/postfix/fullchain.pem

After a restart:

/etc/init.d/postfix restart
/etc/init.d/cyrus-imapd restart

everything should work. Good luck!

First, installation. It's simple:

yum install postgrey

Turn on automatic start:

chkconfig postgrey on

Check:

chkconfig --list postgrey
postgrey        0:off   1:off   2:on    3:on    4:on    5:on    6:off

Add

, check_policy_service unix:/var/spool/postfix/postgrey/socket

to the main.cf file as the last element of the smtpd_recipient_restrictions option.

Now it looks like this:

smtpd_recipient_restrictions = permit_mynetworks,
 permit_sasl_authenticated,
 reject_unauth_destination,
 reject_unknown_recipient_domain,
 check_policy_service unix:/var/spool/postfix/postgrey/socket

Restart postfix. Done.

You can check in maillog if it works:

grep postgrey /var/log/maillog

If you want to be able to download all attachments at once, you have to explicitly enable the zipdownload plugin in the config.inc.php file:

$config['plugins'] = array( ...  , 'zipdownload' ... );

so simple...
