If you have your host's FQDN in ISPConfig and made a valid Letsencrypt cert for it, you can use it for mail, too, as described in https://www.howtoforge.com/communit...l-port-8080-with-lets-encrypt-free-ssl.75554/

Use the guide mentioned above for your FQDN certs; don't use the paths I have chosen here, I'll update if I have time... however, it works together.

Update your config files for dovecot, postfix and pure-ftpd using this script: /usr/local/bin/fixserviceconfigs.sh

Code:
```sh
#!/bin/bash
# bash, not /bin/sh: the [[ ... != *pattern* ]] tests below are bash-only and fail under dash
hostname=$(hostname -f)

# point Postfix at the Letsencrypt files for the host's FQDN (inbound smtpd and outbound smtp)
postconf -e "smtp_tls_CAfile = /etc/letsencrypt/live/$hostname/chain.pem"
postconf -e "smtpd_tls_CAfile = /etc/letsencrypt/live/$hostname/chain.pem"
postconf -e "smtpd_tls_cert_file = /etc/letsencrypt/live/$hostname/fullchain.pem"
postconf -e "smtpd_tls_key_file = /etc/letsencrypt/live/$hostname/privkey.pem"
postconf -e "smtp_tls_cert_file = /etc/letsencrypt/live/$hostname/fullchain.pem"
postconf -e "smtp_tls_key_file = /etc/letsencrypt/live/$hostname/privkey.pem"

# protocol and cipher policy
postconf -e "tls_preempt_cipherlist = yes"
postconf -e "smtpd_tls_mandatory_ciphers = high"
postconf -e "smtpd_use_tls = yes"
postconf -e "smtpd_tls_security_level = may"
postconf -e "smtpd_tls_protocols = !SSLv2,!SSLv3"
postconf -e "smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3"
postconf -e "tlsproxy_tls_protocols = \$smtpd_tls_protocols"
postconf -e "tlsproxy_tls_mandatory_protocols = \$smtpd_tls_mandatory_protocols"
postconf -e "smtp_tls_protocols = !SSLv2,!SSLv3"
postconf -e "smtp_tls_mandatory_protocols = !SSLv2, !SSLv3"
postconf -e "lmtp_tls_protocols = !SSLv2,!SSLv3"
postconf -e "lmtp_tls_mandatory_protocols = !SSLv2, !SSLv3"
postconf -e "smtpd_tls_ciphers = medium"
postconf -e "smtp_tls_ciphers = medium"
postconf -e "smtpd_tls_eecdh_grade = strong"
postconf -e "smtpd_tls_exclude_ciphers = RC4 aNULL eNULL LOW 3DES MD5 EXP PSK SRP DSS ADH CAMELLIA SEED DES MEDIUM EXPORT aDSS kECDHe kECDHr kDHd kDHr IDEA RC2 aNULL"
postconf -e "smtp_tls_exclude_ciphers = RC4 aNULL eNULL LOW 3DES MD5 EXP PSK SRP DSS ADH CAMELLIA SEED DES MEDIUM EXPORT aDSS kECDHe kECDHr kDHd kDHr IDEA RC2 aNULL"
postconf -e "smtpd_tls_session_cache_database = btree:\${data_directory}/smtpd_scache"
postconf -e "smtp_tls_session_cache_database = btree:\${data_directory}/smtp_scache"
# DH parameters are generated by the fixcerts cron job below
postconf -e "smtpd_tls_dh1024_param_file = \${config_directory}/dh2048.pem"
postconf -e "smtpd_tls_dh512_param_file = \${config_directory}/dh512.pem"

postconf -e "policyd-spf_time_limit = 3600"
postconf -e "opendmarc_milter = unix:var/run/opendmarc/opendmarc.sock"
postconf -e "smtputf8_enable = no"
postconf -e "bounce_notice_recipient = postmaster@$hostname"

# add the policyd-spf service to master.cf only once
postfix_master_conf=$(cat /etc/postfix/master.cf)
if [[ $postfix_master_conf != *"policyd-spf"* ]]; then
    postconf -M policyd-spf/spawn="policyd-spf unix - n n - 0 spawn user=nobody argv=/usr/bin/policyd-spf"
fi

# hook policyd-spf into the recipient restrictions only once
smtpd_recipient_restrictions=$(postconf -p smtpd_recipient_restrictions)
if [[ $smtpd_recipient_restrictions != *"check_policy_service unix:private/policyd-spf,"* ]]; then
    sed -i 's/reject_unauth_destination,/reject_unauth_destination,check_policy_service unix:private\/policyd-spf,/' /etc/postfix/main.cf
fi
postconf -P "smtp/inet/smtpd_milters=\${opendmarc_milter}"

echo 'HIGH:!CAMELLIA' > /etc/pure-ftpd/conf/TLSCipherSuite

# make sure dovecot reads the SSL config edited below
dovecot_conf=$(cat /etc/dovecot/dovecot.conf)
if [[ $dovecot_conf != *"!include conf.d/10-ssl.conf"* ]]; then
    echo "!include conf.d/10-ssl.conf" >> /etc/dovecot/dovecot.conf
fi

/usr/sbin/service postfix reload
/usr/sbin/service dovecot restart
/usr/sbin/service pure-ftpd-mysql restart
```

Modify /etc/dovecot/conf.d/10-ssl.conf

Code:
```
ssl = yes
ssl_cert = </etc/letsencrypt/live/<FQDN>/fullchain.pem
ssl_key = </etc/letsencrypt/live/<FQDN>/privkey.pem
ssl_dh_parameters_length = 2048
ssl_protocols = !SSLv3
ssl_cipher_list = ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:!RC4+RSA:+HIGH:+MEDIUM:!SSLv3
ssl_prefer_server_ciphers = yes
```

It can be used with incron on dovecot.conf etc. so these settings won't get overwritten for a long time. If you run postfix in chroot, well, you need to copy some files of course.

Add a cronjob /etc/cron.daily/fixcerts (change <FQDN> again):

Code:
```sh
#!/bin/sh
# pure-ftpd wants key and cert in one file
cat /etc/letsencrypt/live/<FQDN>/privkey.pem /etc/letsencrypt/live/<FQDN>/cert.pem > /etc/ssl/private/pure-ftpd.pem
#cat /etc/letsencrypt/live/<FQDN>/privkey.pem /etc/letsencrypt/live/<FQDN>/cert.pem > /etc/monit/monit.pem
#chmod 600 /etc/monit/monit.pem
chmod 600 /etc/ssl/private/pure-ftpd.pem

# regenerate DH parameters in /etc/postfix; abort if the directory is missing
cd /etc/postfix || exit 1
umask 022
openssl dhparam -out dh512.tmp 512 && mv dh512.tmp dh512.pem
openssl dhparam -out dh1024.tmp 1024 && mv dh1024.tmp dh1024.pem
openssl dhparam -out dh2048.tmp 2048 && mv dh2048.tmp dh2048.pem
chmod 644 dh512.pem dh1024.pem dh2048.pem
openssl dhparam -out /etc/ssl/private/pure-ftpd-dhparams.pem 2048

# force dovecot to regenerate its own DH parameters on restart
rm -f /var/lib/dovecot/ssl-parameters.dat

/usr/sbin/service postfix reload
/usr/sbin/service dovecot restart
/usr/sbin/service pure-ftpd-mysql restart
```

You don't need the monit part, did I mention I'm lazy as f ... Make it executable and run it at least once:

Code:
```sh
chmod +x /etc/cron.daily/fixcerts
/etc/cron.daily/fixcerts
```

So what about mysql? This works for mariadb 10.3 using debian 9, assuming the ispcerts have been symlinked according to your script.

Code:
```sh
# certificate goes to mysql.pem; the key is written out (without passphrase) to mysql.crt
cp /usr/local/ispconfig/interface/ssl/ispserver.pem /etc/mysql/mysql.pem
openssl rsa -in /usr/local/ispconfig/interface/ssl/ispserver.key -out /etc/mysql/mysql.crt
chown mysql:mysql /etc/mysql/mysql.crt
chown mysql:mysql /etc/mysql/mysql.pem
chmod 400 /etc/mysql/mysql.crt
chmod 400 /etc/mysql/mysql.pem
```

And no, you can't simply symlink those, it won't read. Change your /etc/mysql/mariadb.conf.d/50-server.cnf, then:

Code:
```sh
service mysql restart
```
Hi, as you can see I have a related dovecot/postfix issue. The problem with your setup is it will break after an ISPConfig update, as the dovecot.conf and the postfix/main.cf get replaced/overwritten. I would also recommend leaving the paths to the certificates unchanged and creating a symlink at the path of the certificates that points to the letsencrypt directory.
You can make changes persistent by copying ISPConfig conf files to conf-custom files and making the changes there.
I've made conf-custom files for both postfix and dovecot and they worked; make sure you have the correct filename as sometimes there are several similar ones and it's not always clear exactly which you need without testing it. Yes, likely so
Hello, I got a letsencrypt certificate for mydomain.de. When I made the changes I get an error when I test the mailserver:

Cert Hostname DOES NOT VERIFY (mail.mydomain.de != mydomain.de | DNS:mydomain.de | DNS:www.mydomain.de)

Do I have to make additional changes in the DNS configuration with the hoster or any changes on my configs?

regards, Ralph
If the cert doesn't match, it's not the same. Your server has a hostname, maybe a separate mailname. The mailname is set in postfix's main.cf and should be the same name as the IP's reverse DNS is resolving to. And for that name you'll need an SSL cert which can then be used. If you use the mailname to connect to your mailserver, there shouldn't be a cert issue.
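The mismatch above comes from serving a certificate whose CN/SAN does not contain the name the MTA announces. The following is an added check (not from this thread) that an admin can run against a Letsencrypt live directory before reloading postfix: it verifies that the certificate covers the announced name and that privkey.pem belongs to fullchain.pem. It assumes the openssl CLI (1.1.1 or newer); make_test_cert only builds a constructed self-signed fixture for trying it out.

```shell
#!/bin/sh
# Added example: verify that the cert Postfix/Dovecot will serve covers the MTA's
# announced name (the "Cert Hostname DOES NOT VERIFY" case) and matches its key.

# cert_covers_host CERT NAME -> 0 if NAME matches the CN/SANs of CERT, 1 otherwise
cert_covers_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q "does match"
}

# key_matches_cert KEY CERT -> 0 if the public key in KEY equals the one in CERT
key_matches_cert() {
    kpub=$(openssl pkey -in "$1" -pubout -outform DER 2>/dev/null | openssl dgst -sha256)
    cpub=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null \
           | openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256)
    [ -n "$kpub" ] && [ "$kpub" = "$cpub" ]
}

# check_mail_tls NAME LIVEDIR: the pre-reload check; NAME is what myhostname announces
check_mail_tls() {
    name=$1; dir=$2
    cert_covers_host "$dir/fullchain.pem" "$name" \
        || { echo "FAIL: $dir/fullchain.pem does not cover $name"; return 1; }
    key_matches_cert "$dir/privkey.pem" "$dir/fullchain.pem" \
        || { echo "FAIL: privkey.pem does not match fullchain.pem"; return 1; }
    echo "ok: $dir covers $name and key matches"
}

# make_test_cert DIR NAME: constructed self-signed fixture with SAN=NAME (testing only,
# never use this in place of the real Letsencrypt files)
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -addext "subjectAltName=DNS:$2" \
        -keyout "$1/privkey.pem" -out "$1/fullchain.pem" 2>/dev/null
}
```

Run it as `check_mail_tls "$(postconf -h myhostname)" /etc/letsencrypt/live/<FQDN>`; a cert issued for mydomain.de only will fail for mail.mydomain.de exactly as the test above reported.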
OK, in main.cf there are two sections:

myhostsname sxxxxx.providernameverver.de
mydestination = sxxxxx.providernameverver.de, localhost, localhost.localdomain

My domain is mydomain.de. Where should I change it?
I assume numbers where the x are. Unfortunately, having numbers as part of subdomains often triggers dial-up anti-spam filters. Basically you shouldn't need to change anything there, just create an LE cert (create a website, tick SSL/LE) and use it for your services. You can change it to something like mail.yourdomain.de; you need to have a valid A/AAAA record for mail.yourdomain.de, the rDNS of the IP should point to mail.yourdomain.de, and then change the sxxx entry to mail.yourdomain.de and make sure your mailserver greets you with that name.
The numbers are given by the provider in order to use it before any domain is registered (I think). I created the LE cert with ispconfig and pointed it to postfix; there are some tutorials here, so I thought I can use it for mail and the server itself. They even write it so. LE also provides wildcard certificates, maybe I should use this, but how? I changed the main.cf (postfix) to mail.mydomain.de; nothing changes, same error. I think the reverse lookup gives mydomain.de and not mail.mydomain.de. I have in the DNS configuration only an A record, there never has been an AAAA record. So your idea is to create with ispconfig a site with mail.mydomain.de and create the LE/SSL, then point the postfix certificate to the live cert in LE?

regards, Ralph
Yes, but this one is actually a good idea to consider: if you don't take part in the glorious IP future, you don't have to use AAAA. If you can't change the reverse DNS entry of your IP, don't change the greeting of your MTA - it has to match. Ask your provider; some have no function for that in their web interface but do change it on request (if you want to change the default, that is).

edit: oh and this one: didn't know this feature existed ... need to check it - would be happy as f ... yeah, debian users love the pain
Hi, I now got a new problem after all seemed to work fine. After I checked my domain with mxtoolbox I get an error. I entered the test with mydomain.de smtp mail.mydomain.de:

Reverse DNS Resolution - No PTR Record found

I don't know where to set the PTR record; is it made in the DNS configuration at the provider?

Ralph
If you don't have an option to set your PTR/rDNS record, you might need to contact your provider and ask them to set it. You can check your current entry using

Code:
```sh
$ dig +noall +answer -x 8.8.4.4
```

which gives you google-public-dns-b.google.com. as rDNS.
This command does not work on my debian system. The command gives a blank line back; seems the PTR is not set. Maybe I have to ask the provider.
I'll try to specify the problem; I don't know if it's right here in this thread. I have an LE certificate for my domain mydomain.de, another LE for mail.mydomain.de. I use a vserver and the internal servername is: v9339166.providernameverver.de. I have more than one domain on it. In the postfix main.cf is:

myhostsname v9339166.providernameverver.de

Now I got an error when sending mails:

host mx00.kundenserver.de[212.227.15.xxx] refused to talk to me: 554-kundenserver.de (mxeue011) Nemesis ESMTP Service not available 554-No SMTP service 554 invalid DNS PTR resource record, IP=185.158.212.xxx

May 28 13:25:00 v9339166 postfix/smtp[32275]: 7806A9E4A2: to=<[email protected]>, relay=mx01.kundenserver.de[217.72.192.xxx]:25, delay=0.09, delays=0.01/0.01/0.07/0, dsn=4.0.0, status=deferred (host mx01.kundenserver.de[217.72.192.xxx] refused to talk to me: 554-kundenserver.de (mxeue111) Nemesis ESMTP Service not available 554-No SMTP service 554 invalid DNS PTR resource record, IP=185.158.212.xxx)

The MX record is:

mydomain.de 3600 IN MX 10 mail.mydomain.de

TX record:

mydoman.de 3600 IN TX 0 v=spf1 mx a a:mx.providername.de ~all
It is all correct - and you're right, you may not have a PTR record at all, go speak with your provider. And read the logs... it screams.
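The "invalid DNS PTR resource record" rejection above is a receiving MTA applying forward-confirmed reverse DNS: the connecting IP must have a PTR, that PTR should be the name the sender announces, and the name must resolve back to the IP. This is an added example (not from this thread) that performs the same check locally; it assumes dig (bind9-dnsutils) is installed, and the two lookup functions are deliberately separate so they can be swapped for constructed fixtures.

```shell
#!/bin/sh
# Added example: forward-confirmed reverse DNS (FCrDNS) check for a mail server IP.

# Real lookups via dig; both return one record per line (PTR names carry a trailing dot).
ptr_lookup() { dig +short -x "$1"; }
a_lookup()   { dig +short "$1" A; }

# fcrdns_check IP EXPECTED_NAME
#   returns 0: PTR of IP is EXPECTED_NAME and that name resolves back to IP
#           1: no PTR record at all (the case in the log above)
#           2: a PTR exists but differs from the name the MTA announces (myhostname)
#           3: the PTR name does not resolve back to IP (not forward-confirmed)
fcrdns_check() {
    ip=$1
    expected=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    ptr=$(ptr_lookup "$ip" | head -n1 | tr 'A-Z' 'a-z')
    ptr=${ptr%.}                                   # strip trailing dot from dig output
    if [ -z "$ptr" ]; then
        echo "no PTR record for $ip"; return 1
    fi
    if [ "$ptr" != "$expected" ]; then
        echo "PTR $ptr does not match announced name $expected"; return 2
    fi
    for addr in $(a_lookup "$ptr"); do
        if [ "$addr" = "$ip" ]; then
            echo "FCrDNS ok: $ip <-> $ptr"; return 0
        fi
    done
    echo "$ptr does not resolve back to $ip"; return 3
}
```

On the real server run `fcrdns_check <public IP> "$(postconf -h myhostname)"`; anything but 0 is what the remote MX saw.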
I contacted my provider and he showed me how to configure the PTR. Right now all works fine. Thanks, Ralph
I have not found anything I could abuse to make ispconfig aware of a few config options for postfix; maybe it needs a custom-conf plugin like for php/apache... However, I changed the cron slightly:

Code:
```sh
#!/bin/sh
# the FQDN the Letsencrypt cert was issued for
hostname="<fqdn>"

postconf -e "smtp_tls_CAfile = /etc/letsencrypt/live/$hostname/chain.pem"
postconf -e "smtpd_tls_CAfile = /etc/letsencrypt/live/$hostname/chain.pem"
postconf -e "smtpd_tls_cert_file = /etc/letsencrypt/live/$hostname/fullchain.pem"
postconf -e "smtpd_tls_key_file = /etc/letsencrypt/live/$hostname/privkey.pem"
postconf -e "smtp_tls_cert_file = /etc/letsencrypt/live/$hostname/fullchain.pem"
postconf -e "smtp_tls_key_file = /etc/letsencrypt/live/$hostname/privkey.pem"
postconf -e "tls_preempt_cipherlist = yes"
postconf -e "smtpd_tls_mandatory_ciphers = high"
postconf -e "smtpd_use_tls = yes"
postconf -e "smtpd_tls_security_level = may"
postconf -e "smtpd_tls_protocols = !SSLv2,!SSLv3"
postconf -e "smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3"
postconf -e "tlsproxy_tls_protocols = \$smtpd_tls_protocols"
postconf -e "tlsproxy_tls_mandatory_protocols = \$smtpd_tls_mandatory_protocols"
postconf -e "smtp_tls_protocols = !SSLv2,!SSLv3"
postconf -e "smtp_tls_mandatory_protocols = !SSLv2, !SSLv3"
postconf -e "lmtp_tls_protocols = !SSLv2,!SSLv3"
postconf -e "lmtp_tls_mandatory_protocols = !SSLv2, !SSLv3"
postconf -e "smtpd_tls_ciphers = medium"
postconf -e "smtp_tls_ciphers = medium"
postconf -e "smtpd_tls_eecdh_grade = strong"
postconf -e "smtpd_tls_exclude_ciphers = RC4 aNULL eNULL LOW 3DES MD5 EXP PSK SRP DSS ADH CAMELLIA SEED DES MEDIUM EXPORT aDSS kECDHe kECDHr kDHd kDHr IDEA RC2 aNULL"
postconf -e "smtp_tls_exclude_ciphers = RC4 aNULL eNULL LOW 3DES MD5 EXP PSK SRP DSS ADH CAMELLIA SEED DES MEDIUM EXPORT aDSS kECDHe kECDHr kDHd kDHr IDEA RC2 aNULL"
postconf -e "smtpd_tls_session_cache_database = btree:\${data_directory}/smtpd_scache"
postconf -e "smtp_tls_session_cache_database = btree:\${data_directory}/smtp_scache"
postconf -e "smtpd_tls_dh1024_param_file = \${config_directory}/dh2048.pem"
postconf -e "smtpd_tls_dh512_param_file = \${config_directory}/dh512.pem"

echo 'HIGH:!CAMELLIA' > /etc/pure-ftpd/conf/TLSCipherSuite

# pure-ftpd and monit want key and cert in a single file
cat /etc/letsencrypt/live/$hostname/privkey.pem /etc/letsencrypt/live/$hostname/cert.pem > /etc/ssl/private/pure-ftpd.pem
cat /etc/letsencrypt/live/$hostname/privkey.pem /etc/letsencrypt/live/$hostname/cert.pem > /etc/monit/monit.pem
chmod 600 /etc/monit/monit.pem
chmod 600 /etc/ssl/private/pure-ftpd.pem

# regenerate DH parameters; abort if /etc/postfix is missing
cd /etc/postfix || exit 1
umask 022
openssl dhparam -out dh512.tmp 512 && mv dh512.tmp dh512.pem
openssl dhparam -out dh1024.tmp 1024 && mv dh1024.tmp dh1024.pem
openssl dhparam -out dh2048.tmp 2048 && mv dh2048.tmp dh2048.pem
chmod 644 dh512.pem dh1024.pem dh2048.pem
openssl dhparam -out /etc/ssl/private/pure-ftpd-dhparams.pem 2048

/usr/sbin/service postfix reload
/usr/sbin/service dovecot reload
/usr/sbin/service pure-ftpd-mysql restart
```

Sure, I would not really need that as admin, but if you set up a server for someone and he does some updates ... it's easier to tell him just to run the cron or simply wait ^^