Hi, I have a small test server from The Perfect Server Debian 10 Apache tutorial. I have the following image that shows some problems with the email account; as I don't have much experience, I would like to know which ones are necessary to solve. For MTA-STS I have seen the following tutorial, but I'm really not sure how to do it from ISPConfig, especially how to configure the SSLCertificate:

mkdir /var/www/mta-sts
mkdir /var/www/mta-sts/.well-known
nano /var/www/mta-sts/.well-known/mta-sts.txt

mta-sts.txt:
version: STSv1
mode: testing
mx: mail1.your-domain
mx: mail2.your-domain
max_age: 86401

nano /etc/apache2/sites-available/mta-sts.conf

mta-sts.conf:
<IfModule mod_ssl.c>
<VirtualHost your-server-ipv4-address:443 [your-server-ipv6-address]:443>
    ServerName mta-sts.your-domain
    DocumentRoot /var/www/mta-sts
    ErrorDocument 403 "403 Forbidden - This site is used to specify the MTA-STS policy for this domain, please see '/.well-known/mta-sts.txt'. If you were not expecting to see this, please use <a href=\"https://your-domain\" rel=\"noopener\">https://your-domain</a> instead."
    RewriteEngine On
    RewriteOptions IgnoreInherit
    RewriteRule !^/.well-known/mta-sts.txt - [L,R=403]
    SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
    SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>

a2enmod rewrite ssl
a2ensite mta-sts
apachectl configtest
service apache2 restart
certbot --apache -d mta-sts.your-domain
curl https://mta-sts.your-domain/.well-known/mta-sts.txt

DNS records (TXT records):
_mta-sts.your-domain IN TXT "v=STSv1; id=id-value"
_smtp._tls.your-domain IN TXT "v=TLSRPTv1; rua=reporting-address"

How to add MTA-STS with ISPConfig, especially the part of the SSLCertificateFile? Thank you
Your screenshot does not show any problem, except that you might want to add the CA certificate in Postfix, but that's not MTA-STS related. MTA-STS is an optional and not required email extension. If you don't have much experience with Linux administration, then I highly recommend staying with the setup that is provided by the perfect server guide. I've seen too many newbies here that wanted to have the best and shiniest hardened system with all kinds of fancy new technologies that simply ruined their setup, so that nothing worked in the end.
Thanks for taking the time to answer. Now I understand that MTA-STS is not necessary and that it is very difficult to avoid falling into the spam folder. About the CA certificate: the folder /usr/local/share/ca-certificates/ is empty. Should I copy a certificate from /usr/local/ispconfig/interface/ssl/ or should I create a new one? Thank you
For MTA-STS with ISPConfig:

1. Create a website mta-sts.domain.com (needs a working (trusted) SSL certificate, but no need for PHP/CGI/Python/etc.)

2. For all domains you are using to send mails (ISPC -> Mail -> Domain), create a web alias from mta-sts.maildomain.com to mta-sts.domain.com in ISPConfig -> Sites -> Aliasdomain for website

3. Create the folder /var/www/mta-sts.domain.com/web/.well-known/ and place a file "mta-sts.txt" in it with:
Code:
version: STSv1
mode: testing
max_age: 86400
mx: mail.domain.com

Make sure the MX part matches your DNS MX entry! "Mode" should be "testing" for the beginning; if it works, you can switch to "enforce". If you change that later, don't forget to adjust the ID in the DNS entry created in Step 4.

4. Create a DNS entry "_mta-sts.domain.com." as a "TXT" record with the value: "v=STSv1; id=202002181516001"
The id is arbitrary, you can choose anything. It is used for caching. Changing the ID means you have updated your policy (for example, switching from testing to enforce). I use the timestamp of when I did the last changes.

5. For every mail domain create a "CNAME" from "_mta-sts.maildomain.com." to "_mta-sts.domain.com." (if you do not already have a wildcard entry)

6. Wait some time for the information to propagate and test.

CA stands for "Certificate Authority"; these are not your certificates, you cannot create them. You have to install them (most certainly, they already are): see if you have the file /etc/ssl/certs/ca-certificates.crt; if not, install the "ca-certificates" package via apt. Then set in Postfix:
Code:
smtp_tls_CAfile = $smtpd_tls_CAfile
smtpd_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
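The steps above hinge on two small text formats getting exactly right: the "_mta-sts" TXT record (v=STSv1 plus an alphanumeric id) and the policy file itself (version/mode/max_age/mx lines), and on the mx lines actually covering every MX host in DNS before mode is switched to "enforce". The following is an added example written for this thread, not code from ISPConfig or from the poster; it parses both formats as RFC 8461 specifies them and reports which DNS MX hosts a policy would leave uncovered. All sample values (the record, the policy text, the MX list) are constructed to mirror the ones in the steps above; a real check would feed in the TXT record and the fetched policy body instead.

```python
"""Parse and sanity-check an MTA-STS policy and its DNS TXT record.

Added example for this thread; it is not part of ISPConfig or the
guide above. The sample record, policy and MX list below are constructed.
"""
import re

# Constructed inputs, modelled on the values used in the steps above.
SAMPLE_TXT_RECORD = "v=STSv1; id=202002181516001"
SAMPLE_POLICY = "version: STSv1\r\nmode: testing\r\nmax_age: 86400\r\nmx: mail.domain.com\r\n"
SAMPLE_DNS_MX = ["mail.domain.com."]  # as returned by a DNS MX lookup (trailing dot)

VALID_MODES = ("enforce", "testing", "none")
MAX_AGE_LIMIT = 31557600  # RFC 8461 upper bound for max_age (about one year)


def parse_sts_txt(record):
    """Parse the _mta-sts.<domain> TXT record, i.e. 'v=STSv1; id=<alnum>'."""
    fields = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError("malformed field: %r" % part)
        fields[key.strip()] = value.strip()
    if fields.get("v") != "STSv1":
        raise ValueError("record is not v=STSv1")
    # The id is an opaque cache key (1-32 letters/digits); senders refetch the
    # policy only when it changes, so bump it whenever mta-sts.txt changes.
    if not re.fullmatch(r"[A-Za-z0-9]{1,32}", fields.get("id", "")):
        raise ValueError("id must be 1-32 alphanumeric characters")
    return fields


def parse_policy(text):
    """Parse the body of /.well-known/mta-sts.txt (CRLF or LF line endings)."""
    policy = {"mx": []}
    for raw in text.replace("\r\n", "\n").split("\n"):
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError("line without ':' separator: %r" % line)
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower().rstrip("."))
        elif key in ("version", "mode", "max_age"):
            if key in policy:
                raise ValueError("duplicate field: %s" % key)
            policy[key] = value
        # Any other key is an extension field and is ignored.
    if policy.get("version") != "STSv1":
        raise ValueError("version must be STSv1")
    if policy.get("mode") not in VALID_MODES:
        raise ValueError("mode must be one of %s" % (VALID_MODES,))
    if not policy.get("max_age", "").isdigit() or int(policy["max_age"]) > MAX_AGE_LIMIT:
        raise ValueError("max_age must be an integer number of seconds <= %d" % MAX_AGE_LIMIT)
    policy["max_age"] = int(policy["max_age"])
    if policy["mode"] != "none" and not policy["mx"]:
        raise ValueError("at least one mx line is required unless mode is none")
    return policy


def mx_matches(pattern, host):
    """Does a policy mx pattern cover an MX hostname? A leading '*.' matches exactly one label."""
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]  # e.g. ".domain.com"
        return host.endswith(suffix) and "." not in host[: -len(suffix)]
    return host == pattern


def uncovered_mx(policy, dns_mx_hosts):
    """Return the DNS MX hosts that no mx line of the policy matches.

    Mail to any host listed here would be refused by MTA-STS-aware senders
    once mode is 'enforce', so the list must be empty before leaving 'testing'.
    """
    return [h for h in dns_mx_hosts if not any(mx_matches(p, h) for p in policy["mx"])]


if __name__ == "__main__":
    print(parse_sts_txt(SAMPLE_TXT_RECORD))
    pol = parse_policy(SAMPLE_POLICY)
    print(pol)
    print("MX hosts not covered by the policy:", uncovered_mx(pol, SAMPLE_DNS_MX))
```

The wildcard rule matters when a policy says "mx: *.domain.com": it covers mail.domain.com but not a.mail.domain.com, so a deeper MX name would still be uncovered. Running uncovered_mx against the live MX set is the check worth repeating every time the MX records change, because a stale policy in enforce mode silently turns into refused inbound mail at the sender's side.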
@Steini86 just to be completely clear: is this an ALIAS DNS record and not an email domain alias?
Sorry to be unclear, I will edit it to be more specific. This is a web alias, in ISPConfig -> Sites -> Aliasdomain for website. If an email is being sent to somedomain.com and the corresponding TXT record exists in DNS, the server opens https://mta-sts.somedomain.com/.well-known/mta-sts.txt to get the MX information. Now you can either create that file for each domain, or you make one web and use the alias domain. There are other options, for example placing that in the webserver configuration, but this is then webserver dependent (Apache/nginx), and in this simple guide I wanted to be as generic and simple as possible. If you have many mail domains, it might be easier to use a generic webserver config. For example for Apache, a config like

Code:
<VirtualHost *:80>
    ServerName mta-sts.maildomain.com
    ServerAlias mta-sts.*
    # all other stuff
</VirtualHost>

should work and serve the mta-sts subdomain on all hosts. However, I have never tried it. But this would be the route to go for a lot of domains or a general solution.
Thank you very much for the help. That's right, I have the /etc/ssl/certs/ca-certificates.crt. The lines:

Code:
smtp_tls_CAfile = $smtpd_tls_CAfile
smtpd_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

I have added them to the /etc/postfix/main.cf file (with nano), but the test shows the same.

main.cf

Is the file correct or am I wrong?

In MTA-STS, if I access https://mta-sts.mydomain.com/.well-known/mta-sts.txt the text of the file is displayed. I have done what you indicate; it has been more than 24 hours but the error is still shown in the test, I will wait another 24 hours. Greetings.
Yes, restart postfix. With "postconf -n" the lines are shown, they are in the list. For reference, the tutorial I have used is The Perfect Server Debian 10 Apache; I did not make any particular changes.

postconf -n:
alias_database = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
append_dot_mydomain = no
biff = no
body_checks = regexp:/etc/postfix/body_checks
broken_sasl_auth_clients = yes
compatibility_level = 2
content_filter = amavis:[127.0.0.1]:10024
dovecot_destination_recipient_limit = 1
greylisting = check_policy_service inet:127.0.0.1:10023
header_checks = regexp:/etc/postfix/header_checks
html_directory = /usr/share/doc/postfix/html
inet_interfaces = all
inet_protocols = all
mailbox_size_limit = 0
maildrop_destination_concurrency_limit = 1
maildrop_destination_recipient_limit = 1
mime_header_checks = regexp:/etc/postfix/mime_header_checks
mydestination = mail.DOMAIN.com, localhost, localhost.localdomain
myhostname = mail.DOMAIN.com
mynetworks = 127.0.0.0/8 [::1]/128
myorigin = /etc/mailname
nested_header_checks = regexp:/etc/postfix/nested_header_checks
owner_request_special = no
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $sender_bcc_maps $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps
readme_directory = /usr/share/doc/postfix
receive_override_options = no_address_mappings
recipient_delimiter = +
relay_domains = mysql:/etc/postfix/mysql-virtual_relaydomains.cf
relay_recipient_maps = mysql:/etc/postfix/mysql-virtual_relayrecipientmaps.cf
relayhost =
sender_bcc_maps = proxy:mysql:/etc/postfix/mysql-virtual_outgoing_bcc.cf
smtp_tls_CAfile = $smtpd_tls_CAfile
smtp_tls_exclude_ciphers = RC4, aNULL
smtp_tls_protocols = !SSLv2,!SSLv3
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_client_message_rate_limit = 100
smtpd_client_restrictions = check_client_access mysql:/etc/postfix/mysql-virtual_client.cf
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_sasl_authenticated, permit_mynetworks, check_helo_access regexp:/etc/postfix/helo_access, reject_invalid_hostname, reject_non_fqdn_hostname, reject_invalid_helo_hostname, reject_unknown_helo_hostname, check_helo_access regexp:/etc/postfix/blacklist_helo
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_rbl_client zen.spamhaus.org, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, check_recipient_access mysql:/etc/postfix/mysql-virtual_policy_greylist.cf
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
smtpd_restriction_classes = greylisting
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_sender_login_maps = proxy:mysql:/etc/postfix/mysql-virtual_sender_login_maps.cf
smtpd_sender_restrictions = check_sender_access regexp:/etc/postfix/tag_as_originating.re , permit_mynetworks, permit_sasl_authenticated, check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf, check_sender_access regexp:/etc/postfix/tag_as_foreign.re
smtpd_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtpd_tls_cert_file = /etc/postfix/smtpd.cert
smtpd_tls_exclude_ciphers = RC4, aNULL
smtpd_tls_key_file = /etc/postfix/smtpd.key
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2,!SSLv3
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
transport_maps = hash:/var/lib/mailman/data/transport-mailman, proxy:mysql:/etc/postfix/mysql-virtual_transports.cf
virtual_alias_domains =
virtual_alias_maps = hash:/var/lib/mailman/data/virtual-mailman, proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, proxy:mysql:/etc/postfix/mysql-virtual_email2email.cf
virtual_gid_maps = mysql:/etc/postfix/mysql-virtual_gids.cf
virtual_mailbox_base = /var/vmail
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
virtual_transport = dovecot
virtual_uid_maps = mysql:/etc/postfix/mysql-virtual_uids.cf

Thanks.
smtpd_tls_cert_file = /etc/postfix/smtpd.cert
smtpd_tls_key_file = /etc/postfix/smtpd.key

And these two files link to your Let's Encrypt certificate? Then the test should work. Have you redone it? Sometimes they cache the results and show an old test.
The certificates are those created with the tutorial: https://www.howtoforge.com/perfect-server-debian-10-buster-apache-bind-dovecot-ispconfig-3-1/ I think they are created after installing ISPConfig, as the smtpd.key?

openssl s_client -connect mail.DOMAIN.com:465
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2373 bytes and written 390 bytes
Verification error: self signed certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 4096 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 18 (self signed certificate)
---

Thanks
Yes, then you have a self-signed certificate, which is the source of the error. You should exchange this with a Let's Encrypt certificate: https://www.howtoforge.com/tutorial/securing-ispconfig-3-with-a-free-lets-encrypt-ssl-certificate/

If you have a web domain mail.domain.com which already has a Let's Encrypt certificate, it can easily be done via:

Code:
cd /etc/postfix/
mv smtpd.cert smtpd.cert-$(date +"%y%m%d%H%M%S").bak
mv smtpd.key smtpd.key-$(date +"%y%m%d%H%M%S").bak
ln -s /etc/letsencrypt/live/mail.domain.com/fullchain.pem smtpd.cert
ln -s /etc/letsencrypt/live/mail.domain.com/privkey.pem smtpd.key
service postfix restart

Verify that in Dovecot you have the same settings for the certificate:

Code:
ssl_cert = </etc/postfix/smtpd.cert
ssl_key = </etc/postfix/smtpd.key
Yes, that should work fine, that's how our autodiscover setup works: a vhost for autoconfig.domain.tld with alias autodiscover.domain.tld, then an Apache config snippet of:

Code:
ServerAlias autoconfig.*
ServerAlias autodiscover.*
Thanks to your help, CA finally works. I had no idea that it was necessary to add the server name as a web to ISPConfig.

MTA-STS is still not working, but I will wait a little longer for propagation. https://mecsa.jrc.ec.europa.eu/en/

Greetings and thanks
Glad to hear it's working! It is not necessary, it just makes it easier. The web domain is used to create and renew the Let's Encrypt certificate via ISPC. If you get the certificate with a different method, there is no need for the web. However, I just use that web for my webmail application.
Just to add here: the /.well-known/ web folder gives a 403 because nginx_vhost.conf.master has a "deny all" entry for everything starting with a dot:

Code:
location ~ /\. { deny all; }

I think that should be replaced with:

Code:
## 403 for .htaccess and other hidden files, except ".well-known"
location ~ /\.(?!well-known).* {
    deny all;
    access_log off;
    log_not_found off;
}
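Before shipping a change to a "deny all" location it is worth seeing exactly which paths each of the two regexes above catches, since an over-broad pattern breaks MTA-STS (and ACME HTTP-01 challenges), while an under-broad one exposes .htaccess, .git or .env files. The following is an added example for this thread, not code from ISPConfig or nginx: it runs the two patterns exactly as written above against a constructed list of URIs. The only assumption is that nginx's `location ~` is a case-sensitive, unanchored PCRE search over the request URI, which Python's re.search reproduces for these two patterns.

```python
"""Compare the two nginx 'location ~' deny patterns from the post above.

Added example for this thread, not code from ISPConfig or nginx. Assumes
nginx matches 'location ~' as an unanchored, case-sensitive regex search
over the normalised request URI, which re.search mirrors here.
"""
import re

# The regexes exactly as they appear in the two nginx snippets above.
OLD_DENY = re.compile(r"/\.")                  # every dot-prefixed path component
NEW_DENY = re.compile(r"/\.(?!well-known).*")  # the same, except ".well-known"

# Constructed sample URIs: the MTA-STS policy, ACME, plain files, dotfiles, edge cases.
SAMPLE_URIS = [
    "/.well-known/mta-sts.txt",
    "/.well-known/acme-challenge/token",
    "/index.html",
    "/.htaccess",
    "/.git/config",
    "/sub/.env",
    "/.well-known/.hidden",        # a dotfile *inside* .well-known is still denied
    "/.well-known-other/secret",   # lookahead only checks the prefix, so this is served
]


def denied(pattern, uri):
    """True if the pattern matches the URI, i.e. nginx would select this location and deny."""
    return pattern.search(uri) is not None


def compare(uris=SAMPLE_URIS):
    """Map each URI to (denied_by_old_rule, denied_by_new_rule)."""
    return {u: (denied(OLD_DENY, u), denied(NEW_DENY, u)) for u in uris}


def newly_served(uris=SAMPLE_URIS):
    """URIs the old rule denied but the new one lets through (the intended fix, plus any side effects)."""
    return [u for u in uris if denied(OLD_DENY, u) and not denied(NEW_DENY, u)]


def still_denied(uris=SAMPLE_URIS):
    """URIs both rules deny (the protection that must not regress)."""
    return [u for u in uris if denied(OLD_DENY, u) and denied(NEW_DENY, u)]


if __name__ == "__main__":
    for uri, (old, new) in compare().items():
        print("%-36s old=%-5s new=%s" % (uri, "deny" if old else "serve", "deny" if new else "serve"))
    print("newly served:", newly_served())
    print("still denied:", still_denied())
```

Two things the run makes visible: a dotfile nested under /.well-known/ is still denied, because the regex also matches at the second "/." position, and the negative lookahead only tests for the prefix "well-known", so a directory such as /.well-known-other/ is served too. If that is not wanted, `(?!well-known/)` narrows the exception to the real directory. Regex locations in nginx are also tried in configuration order with the first match winning, so an alternative to editing the pattern is a separate `location ^~ /.well-known/` prefix block, which stops regex locations from being consulted for that prefix at all.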