How can I require SSL in ISPConfig 3/Ubuntu 9.10 perfect setup?

Discussion in 'Installation/Configuration' started by gr33d, Feb 22, 2010.

  1. gr33d

    gr33d New Member

    Just finished the Ubuntu 9.10 perfect setup with ISPConfig 3. Basic, unencrypted e-mail works as expected. Is it possible to require SSL and secure SMTP only for POP3? Ports 995 and 465, respectively.

    I would like the M$ Outlook 2007 wizard to auto-configure on the first attempt. I think this attempt uses the above-mentioned ports.

    Thanks in advance!
     
  2. gr33d

    gr33d New Member

    I just realized the tutorial mentioned TLS is supported. Is it not set up by default? Outlook can't even configure the encrypted connection.

    /etc/postfix/main.cf:
    Code:
    smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
    biff = no
    append_dot_mydomain = no
    readme_directory = /usr/share/doc/postfix
    smtpd_tls_cert_file = /etc/postfix/smtpd.cert
    smtpd_tls_key_file = /etc/postfix/smtpd.key
    smtpd_use_tls = yes
    smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
    smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
    myhostname = server6.mydomain.com
    alias_maps = hash:/etc/aliases
    alias_database = hash:/etc/aliases
    myorigin = /etc/mailname
    mydestination = server6.mydomain.com, localhost, localhost.localdomain
    relayhost =
    mynetworks = 127.0.0.0/8 [::1]/128
    mailbox_size_limit = 0
    recipient_delimiter = +
    inet_interfaces = all
    html_directory = /usr/share/doc/postfix/html
    virtual_alias_domains =
    virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, mysql:/etc/postfix/mysql-virtual_email2email.cf
    virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
    virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
    virtual_mailbox_base = /var/vmail
    virtual_uid_maps = static:5000
    virtual_gid_maps = static:5000
    smtpd_sasl_auth_enable = yes
    broken_sasl_auth_clients = yes
    smtpd_sasl_authenticated_header = yes
    smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, reject_unauth_destination
    smtpd_tls_security_level = may
    transport_maps = proxy:mysql:/etc/postfix/mysql-virtual_transports.cf
    relay_domains = mysql:/etc/postfix/mysql-virtual_relaydomains.cf
    virtual_create_maildirsize = yes
    virtual_maildir_extended = yes
    virtual_mailbox_limit_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailbox_limit_maps.cf
    virtual_mailbox_limit_override = yes
    virtual_maildir_limit_message = "The user you are trying to reach is over quota."
    virtual_overquota_bounce = yes
    proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $virtual_mailbox_limit_maps
    smtpd_sender_restrictions = check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf
    smtpd_client_restrictions = check_client_access mysql:/etc/postfix/mysql-virtual_client.cf
    maildrop_destination_concurrency_limit = 1
    maildrop_destination_recipient_limit = 1
    virtual_transport = maildrop
    header_checks = regexp:/etc/postfix/header_checks
    mime_header_checks = regexp:/etc/postfix/mime_header_checks
    nested_header_checks = regexp:/etc/postfix/nested_header_checks
    body_checks = regexp:/etc/postfix/body_checks
    content_filter = amavis:[127.0.0.1]:10024
    receive_override_options = no_address_mappings
    message_size_limit = 0
    
    /etc/postfix/sasl/smtpd.conf:
    Code:
    pwcheck_method: saslauthd
    mech_list: plain login
    allow_plaintext: true
    auxprop_plugin: mysql
    sql_hostnames: 127.0.0.1
    sql_user: ispconfig
    sql_passwd: mysqlrootpassword
    sql_database: dbispconfig
    sql_select: select password from mail_user where email = '%u'
    
     
    Last edited: Feb 23, 2010
  3. till

    till Super Moderator Staff Member ISPConfig Developer

    Please look into the postfix master.cf and check if the tls line is commented out or not.
     
  4. gr33d

    gr33d New Member

    There are some smtpd_sasl and smtpd_tls lines, but they all look to be commented out. Should I uncomment all of them? The Postfix documentation is huge; what section(s) should I visit to figure out which items I need to uncomment/add/remove?

    /etc/postfix/master.cf
    Code:
    #
    # Postfix master process configuration file.  For details on the format
    # of the file, see the master(5) manual page (command: "man 5 master").
    #
    # Do not forget to execute "postfix reload" after editing this file.
    #
    # ==========================================================================
    # service type  private unpriv  chroot  wakeup  maxproc command + args
    #               (yes)   (yes)   (yes)   (never) (100)
    # ==========================================================================
    smtp      inet  n       -       -       -       -       smtpd
    #submission inet n       -       -       -       -       smtpd
    #  -o smtpd_tls_security_level=encrypt
    #  -o smtpd_sasl_auth_enable=yes
    #  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    #  -o milter_macro_daemon_name=ORIGINATING
    #smtps     inet  n       -       -       -       -       smtpd
    #  -o smtpd_tls_wrappermode=yes
    #  -o smtpd_sasl_auth_enable=yes
    #  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    #  -o milter_macro_daemon_name=ORIGINATING
    #628      inet  n       -       -       -       -       qmqpd
    pickup    fifo  n       -       -       60      1       pickup
    cleanup   unix  n       -       -       -       0       cleanup
    qmgr      fifo  n       -       n       300     1       qmgr
    #qmgr     fifo  n       -       -       300     1       oqmgr
    tlsmgr    unix  -       -       -       1000?   1       tlsmgr
    rewrite   unix  -       -       -       -       -       trivial-rewrite
    bounce    unix  -       -       -       -       0       bounce
    defer     unix  -       -       -       -       0       bounce
    trace     unix  -       -       -       -       0       bounce
    verify    unix  -       -       -       -       1       verify
    flush     unix  n       -       -       1000?   0       flush
    proxymap  unix  -       -       n       -       -       proxymap
    proxywrite unix -       -       n       -       1       proxymap
    smtp      unix  -       -       -       -       -       smtp
    # When relaying mail as backup MX, disable fallback_relay to avoid MX loops
    relay     unix  -       -       -       -       -       smtp
            -o smtp_fallback_relay=
    #       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
    showq     unix  n       -       -       -       -       showq
    error     unix  -       -       -       -       -       error
    retry     unix  -       -       -       -       -       error
    discard   unix  -       -       -       -       -       discard
    local     unix  -       n       n       -       -       local
    virtual   unix  -       n       n       -       -       virtual
    lmtp      unix  -       -       -       -       -       lmtp
    anvil     unix  -       -       -       -       1       anvil
    scache    unix  -       -       -       -       1       scache
    #
    # ====================================================================
    # Interfaces to non-Postfix software. Be sure to examine the manual
    # pages of the non-Postfix software to find out what options it wants.
    #
    # Many of the following services use the Postfix pipe(8) delivery
    # agent.  See the pipe(8) man page for information about ${recipient}
    # and other message envelope options.
    # ====================================================================
    #
    # maildrop. See the Postfix MAILDROP_README file for details.
    # Also specify in main.cf: maildrop_destination_recipient_limit=1
    #
    maildrop  unix  -       n       n       -       -       pipe
      flags=DRhu user=vmail argv=/usr/bin/maildrop -d vmail ${extension} ${recipient} ${user} ${nexthop} ${sender}
    #
    # See the Postfix UUCP_README file for configuration details.
    #
    uucp      unix  -       n       n       -       -       pipe
      flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
    #
    # Other external delivery methods.
    #
    ifmail    unix  -       n       n       -       -       pipe
      flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
    bsmtp     unix  -       n       n       -       -       pipe
      flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
    scalemail-backend unix  -       n       n       -       2       pipe
      flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
    mailman   unix  -       n       n       -       -       pipe
      flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
      ${nexthop} ${user}
    
    
    amavis unix - - - - 2 smtp
            -o smtp_data_done_timeout=1200
            -o smtp_send_xforward_command=yes
    
    127.0.0.1:10025 inet n - - - - smtpd
            -o content_filter=
            -o local_recipient_maps=
            -o relay_recipient_maps=
            -o smtpd_restriction_classes=
            -o smtpd_client_restrictions=
            -o smtpd_helo_restrictions=
            -o smtpd_sender_restrictions=
            -o smtpd_recipient_restrictions=permit_mynetworks,reject
            -o mynetworks=127.0.0.0/8
            -o strict_rfc821_envelopes=yes
            -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
            -o smtpd_bind_address=127.0.0.1
    
    
     
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    TLS is already activated. Please be aware that smtps and tls are two different things. If you want to use smtps too, remove the # in front of the lines:

    #smtps inet n - - - - smtpd
    # -o smtpd_tls_wrappermode=yes
    # -o smtpd_sasl_auth_enable=yes
    # -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    # -o milter_macro_daemon_name=ORIGINATING
     
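    The reply above boils down to one question about master.cf: which of the three client-facing smtpd services (smtp on 25, submission on 587, smtps on 465) are actually uncommented, and which -o overrides they carry. The script below is an added example, not code from the thread or from ISPConfig. It parses the master.cf format shown in this thread (a service line followed by indented "-o" lines, with a leading "#" disabling either), reports the state of the three listeners, and applies the "remove the #" edit programmatically. MASTER_CF is a constructed excerpt of the file as posted, with submission and smtps still commented out; the port numbers are the conventional /etc/services values, since Postfix resolves the service names itself.

```python
"""Report which client-facing smtpd listeners a Postfix master.cf enables.

Added example (not from the thread or ISPConfig). Parses the master.cf format
posted above and applies the "uncomment smtps" fix from the reply above.
"""
import re
from dataclasses import dataclass, field

# Constructed excerpt of /etc/postfix/master.cf as it appears in the thread.
MASTER_CF = """\
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
# ==========================================================================
smtp      inet  n       -       -       -       -       smtpd
#submission inet n       -       -       -       -       smtpd
#  -o smtpd_tls_security_level=encrypt
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#smtps     inet  n       -       -       -       -       smtpd
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
pickup    fifo  n       -       -       60      1       pickup
relay     unix  -       -       -       -       -       smtp
        -o smtp_fallback_relay=
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
amavis unix - - - - 2 smtp
        -o smtp_data_done_timeout=1200
        -o smtp_send_xforward_command=yes
127.0.0.1:10025 inet n - - - - smtpd
        -o content_filter=
        -o smtpd_recipient_restrictions=permit_mynetworks,reject
"""

TYPES = {"inet", "unix", "fifo", "pass"}
OPT_RE = re.compile(r"-o\s+([^\s=]+)=(\S*)")   # "-o key=value", value may be empty


@dataclass
class Service:
    name: str
    kind: str            # inet / unix / fifo / pass
    command: str
    enabled: bool        # False when the service line itself starts with '#'
    options: dict = field(default_factory=dict)


def parse_master_cf(text):
    """Return every service stanza, commented-out ones included."""
    services, current = [], None
    for raw in text.splitlines():
        line, enabled = raw, True
        if line.lstrip().startswith("#"):
            enabled, line = False, line.lstrip()[1:]
        if line[:1].isspace():
            # Continuation line. A commented "-o" under an enabled service is a
            # disabled override, so only attach when both sides agree.
            if current is not None and current.enabled == enabled:
                for key, value in OPT_RE.findall(line):
                    current.options[key] = value
            continue
        fields = line.split()
        if len(fields) >= 8 and fields[1] in TYPES:
            current = Service(fields[0], fields[1], fields[7], enabled)
            services.append(current)
        else:
            current = None   # ordinary comment text, not a service definition
    return services


def enable_service(text, name):
    """The fix from the reply above: drop the leading '#' from the named inet
    service line and from the commented '-o' lines directly beneath it."""
    out, in_stanza = [], False
    for raw in text.splitlines():
        stripped = raw.lstrip()
        if stripped.startswith("#"):
            body = stripped[1:]
            if body.split()[:2] == [name, "inet"]:
                in_stanza = True
                out.append(body)
                continue
            if in_stanza and body.lstrip().startswith("-o "):
                out.append(body)
                continue
        in_stanza = False
        out.append(raw)
    return "\n".join(out) + "\n"


def submission_report(services):
    """One entry per client-facing smtpd listener. Overrides absent here fall
    back to main.cf (the thread's main.cf has smtpd_tls_security_level = may
    and smtpd_sasl_auth_enable = yes)."""
    report = {}
    for name, port in (("smtp", 25), ("submission", 587), ("smtps", 465)):
        live = [s for s in services if s.name == name and s.kind == "inet" and s.enabled]
        opts = live[0].options if live else {}
        report[name] = {
            "port": port,
            "listening": bool(live),
            "wrappermode": opts.get("smtpd_tls_wrappermode") == "yes",
            "tls_level": opts.get("smtpd_tls_security_level"),
            "sasl": opts.get("smtpd_sasl_auth_enable") == "yes",
        }
    return report


def findings(report):
    """Human-readable notes on what a mail client would run into."""
    notes = []
    for name in ("submission", "smtps"):
        entry = report[name]
        if not entry["listening"]:
            notes.append(f"{name} ({entry['port']}/TCP) is commented out in master.cf: nothing listens there")
        elif name == "smtps" and not entry["wrappermode"]:
            notes.append("smtps (465/TCP) is enabled without smtpd_tls_wrappermode=yes: "
                         "clients expecting implicit TLS will fail the handshake")
        elif name == "submission" and entry["tls_level"] != "encrypt":
            notes.append("submission (587/TCP) does not force STARTTLS (smtpd_tls_security_level=encrypt)")
    return notes


if __name__ == "__main__":
    for label, text in (("as posted", MASTER_CF), ("smtps enabled", enable_service(MASTER_CF, "smtps"))):
        print(f"--- {label}")
        for note in findings(submission_report(parse_master_cf(text))) or ["no findings"]:
            print(" ", note)
```

Run it against the real file with `python3 check_master.py` after replacing MASTER_CF with `open("/etc/postfix/master.cf").read()`; the `enable_service` result is what the file should look like after the edit, and `postfix reload` is still needed afterwards, as the file header says.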
  6. gr33d

    gr33d New Member

    I did that, restarted saslauthd and Postfix. No luck.

    Can I tell which ports Outlook is attempting to connect on?

    /var/log/mail.log is telling me:
    Code:
    Feb 23 06:50:47 server6 imapd-ssl: Disconnected, ip=[::ffff:my.ip.address], time=0, starttls=1
    Feb 23 06:50:47 server6 imapd-ssl: Unexpected SSL connection shutdown.
    
     
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    The lines that you posted are for IMAP and not SMTP. But our questions above were about SMTP (Postfix). I guess you can see the ports in the Outlook account settings; I don't use Outlook.
     
  8. gr33d

    gr33d New Member

    I suppose I can configure whatever ports I want in whatever client I'm using... I just need to know which ports. Which mail client do you recommend?

    nmap localhost tells me pop3s and smtps are listening... maybe my configuration is wrong.

    nmap localhost
    Code:
    PORT      STATE SERVICE
    21/tcp    open  ftp
    22/tcp    open  ssh
    25/tcp    open  smtp
    53/tcp    open  domain
    80/tcp    open  http
    110/tcp   open  pop3
    143/tcp   open  imap
    443/tcp   open  https
    465/tcp   open  smtps
    993/tcp   open  imaps
    995/tcp   open  pop3s
    3306/tcp  open  mysql
    8080/tcp  open  http-proxy
    10024/tcp open  unknown
    10025/tcp open  unknown
    
     
  9. gr33d

    gr33d New Member

    Can I test that pop3s is running on 995 and smtps on 465 without an email client? telnet localhost 995/465 just produces errors.
     
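    telnet fails on 995 and 465 because those ports expect a TLS handshake before any protocol text is exchanged (that is what "wrapper mode" means), so a plain-text session sees either garbage or an immediate disconnect. The script below is an added example, not part of the thread: it does the handshake first, then reads the greeting inside the tunnel and checks that it is the one the protocol promises (`+OK` for POP3, `220` for SMTP, `* OK` for IMAP). Certificate verification is switched off because the tutorial's server uses a self-signed certificate; the certificate fingerprint is still reported so it can be compared with the one on the server. The host name and the `explain` wording are assumptions of the example.

```python
"""Probe implicit-TLS mail ports (pop3s 995, smtps 465, imaps 993) without a mail client.

Added example, not code from the thread. Handshake first, then read the greeting.
"""
import hashlib
import socket
import ssl
import sys

# First line the server must send once TLS is up, per protocol.
GREETINGS = {
    465: ("smtp", b"220"),      # smtps: SMTP server greeting
    993: ("imap", b"* OK"),     # imaps: IMAP untagged OK
    995: ("pop3", b"+OK"),      # pop3s: POP3 positive status
}


def check_greeting(port, data):
    """Return (protocol, ok) for the raw bytes received on `port`."""
    proto, prefix = GREETINGS.get(port, ("unknown", None))
    if prefix is None:
        return proto, False
    return proto, data.startswith(prefix)


def probe_implicit_tls(host, port, timeout=5.0):
    """TCP connect, TLS handshake, read greeting. Never raises; returns a result dict."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False        # self-signed certificate, as in the tutorial
    ctx.verify_mode = ssl.CERT_NONE   # we inspect the fingerprint instead of trusting a CA
    result = {"host": host, "port": port, "tcp": False, "tls": False, "tls_version": None,
              "cert_sha256": None, "greeting": None, "protocol_ok": False, "error": None}
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            result["tcp"] = True
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                result["tls"] = True
                result["tls_version"] = tls.version()
                der = tls.getpeercert(binary_form=True)   # DER is returned even when unverified
                if der:
                    result["cert_sha256"] = hashlib.sha256(der).hexdigest()
                data = tls.recv(512)
                result["greeting"] = data.decode("ascii", "replace").strip()
                _, result["protocol_ok"] = check_greeting(port, data)
    except (OSError, ssl.SSLError) as exc:     # refused, timeout, handshake failure
        result["error"] = f"{type(exc).__name__}: {exc}"
    return result


def explain(result):
    """Map the probe outcome onto the usual master.cf causes (assumed wording)."""
    where = f"{result['host']}:{result['port']}"
    if not result["tcp"]:
        return (f"{where}: TCP connect failed ({result['error']}); nothing is listening "
                f"(service still commented out in master.cf?) or a firewall is in the way")
    if not result["tls"]:
        return (f"{where}: TCP open but TLS handshake failed ({result['error']}); the listener "
                f"is not in wrapper mode (smtpd_tls_wrappermode=yes) or cannot load its cert/key")
    if not result["protocol_ok"]:
        return f"{where}: TLS ok ({result['tls_version']}) but unexpected greeting {result['greeting']!r}"
    return (f"{where}: TLS ok ({result['tls_version']}), greeting {result['greeting']!r}, "
            f"cert sha256 {result['cert_sha256']}")


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "localhost"   # assumed default
    for port in (465, 995):
        print(explain(probe_implicit_tls(host, port)))
```

`openssl s_client -connect localhost:995` does the same handshake by hand and prints the certificate chain; the script only adds the greeting check and a one-line diagnosis. A refused connection points back at master.cf (the service line is still commented out), while a TCP connection that fails during the handshake means the port is open but not speaking TLS first.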
  10. falko

    falko Super Moderator Howtoforge Staff

    What's the output of
    Code:
    netstat -tap
    ?
     
  11. gr33d

    gr33d New Member

    Code:
    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
    tcp        0      0 *:smtp                  *:*                     LISTEN      5550/master
    tcp        0      0 *:https                 *:*                     LISTEN      25005/apache2
    tcp        0      0 localhost:10024         *:*                     LISTEN      24248/amavisd (mast
    tcp        0      0 localhost:10025         *:*                     LISTEN      5550/master
    tcp        0      0 *:mysql                 *:*                     LISTEN      23962/mysqld
    tcp        0      0 *:http-alt              *:*                     LISTEN      25005/apache2
    tcp        0      0 *:www                   *:*                     LISTEN      25005/apache2
    tcp        0      0 *:ssmtp                 *:*                     LISTEN      5550/master
    tcp        0      0 server6.mydomain:domain *:*                     LISTEN      25030/mydns
    tcp        0      0 localhost:domain        *:*                     LISTEN      25030/mydns
    tcp        0      0 *:ftp                   *:*                     LISTEN      25024/pure-ftpd (SE
    tcp        0      0 *:ssh                   *:*                     LISTEN      1291/sshd
    tcp        0      0 localhost:36300         localhost:mysql         ESTABLISHED 24495/amavisd (ch6-
    tcp        0     52 server6.mydomain:ssh    LAN.IP:2062             ESTABLISHED 1498/sshd: administ
    tcp        0      0 localhost:mysql         localhost:36300         ESTABLISHED 23962/mysqld
    tcp6       0      0 [::]:imaps              [::]:*                  LISTEN      24939/couriertcpd
    tcp6       0      0 [::]:pop3s              [::]:*                  LISTEN      24975/couriertcpd
    tcp6       0      0 [::]:pop3               [::]:*                  LISTEN      24954/couriertcpd
    tcp6       0      0 [::]:imap2              [::]:*                  LISTEN      24918/couriertcpd
    tcp6       0      0 localhost:domain        [::]:*                  LISTEN      25030/mydns
    tcp6       0      0 [::]:ftp                [::]:*                  LISTEN      25024/pure-ftpd (SE
    tcp6       0      0 [::]:ssh                [::]:*                  LISTEN      1291/sshd
    
     
  12. falko

    falko Super Moderator Howtoforge Staff

    Looks good.
     
  13. gr33d

    gr33d New Member

    Which error logs can I check to see why Outlook isn't connecting on 995 and 465? Note: on my Windows client, I have set a hosts file entry since my test box is on my LAN (LAN-IP my-domain.tld).

    /var/log/syslog
    Code:
    Feb 25 11:09:37 server6 postfix/smtpd[11268]: SSL_accept error from unknown[CLIENT.LAN.IP]: -1
    Feb 25 11:09:37 server6 postfix/smtpd[11268]: lost connection after CONNECT from unknown[CLIENT.LAN.IP]
    Feb 25 11:09:37 server6 postfix/smtpd[11268]: disconnect from unknown[CLIENT.LAN.IP]
    
     
  14. gr33d

    gr33d New Member

    Thunderbird gives me a yellow light for SMTP (secure, but unrecognized cert--I think this is OK as per the tutorial), but only connects via IMAP (143) for the outgoing server. This is not secure, correct?

    I try to set it to POP3 and port 995 with the different types of encryption with no luck.
     
  15. falko

    falko Super Moderator Howtoforge Staff

    I think you mean the incoming server... ?
     
  16. gr33d

    gr33d New Member

    Oops... incoming server, yes. Port 143 is not even secure IMAP, right? I need secure POP3.
     
  17. cbj4074

    cbj4074 Member

    Hate to resurrect this thread, but I ran into a similar issue. I had followed the equivalent tutorial for Ubuntu 10.04

    http://www.howtoforge.com/perfect-server-ubuntu-10.04-lucid-lynx-ispconfig-3

    from page 3 onward only (because my VPS was already provisioned with Ubuntu 10.04). STARTTLS was working "out-of-the-box", but SSL/TLS was not.

    I chose to install postfix and dovecot (instead of courier), and wanted to be able to use both STARTTLS and SSL/TLS. (My ISP doesn't permit me to send outgoing mail via my own server over port 25, which is why I wanted to be able to send outgoing mail on another port, e.g., 465.)

    If the original user hasn't solved his own problem by now, do you have all of these packages installed? The 10.04 tutorial (and I assume the one you followed for 9.10) doesn't get into SSL/TLS and the SASL modules.

    Code:
    apt-get install libsasl2-2 libsasl2-modules libsasl2-modules-sql sasl2-bin libpam-mysql
    
    If so, and you've commented the lines in /etc/postfix/master.cf that till suggested, incoming POP3 email should be fetched on port 995, and outgoing SMTP email should be sent on port 465.

    I just tried all of this and it works perfectly well for me on Ubuntu 10.04.
     
