A general overview about TLS/SSL is provided in the "interNet Services User Guide".
As the term TLS has been in use for quite some time and the versions of the SSL/TLS protocol named 'SSL' are no longer supported, the interNet Services guides mostly use only TLS instead of TLS/SSL. 'SSL' remains only in option names and the like.
On both the IMAP and POP3 servers and also on the Postfix server (SMTP server) the connections can be secured with the aid of TLS. This is particularly important for IMAP and POP3 connections as passwords would otherwise be transferred unencrypted.
X.509 certificates are used in conjunction with TLS. An X.509 certificate contains all the information needed to identify the server or client and also the certificate owner’s public key. Certificates are issued by a central authority, the Certificate Authority (CA), after the identity of the organization named in the certificate and of an authorized representative have been checked. To apply for an X.509 certificate from a CA you require a Certificate Signing Request (CSR) which you can generate with the /etc/imap/MAKE.CERT.sh script. Furthermore, this script generates a test certificate which you can use to perform tests of the TLS functionality in advance. As this test certificate is generated with the aid of a publicly known CA key and consequently offers no effective protection, it may not be used for productive operation.
TLS protection of IMAP and POP3 connections
You store the test certificate and the private key at the appropriate positions for the IMAP server in the directory tree (/etc/imap/certs/in.imapd.pem and /etc/imap/private/in.imapd.pem). You store the certificate of the test CA under /etc/imap/certs/cacert.pem. Explicit configuration settings are not possible with the IMAP and POP3 servers. The CSR can be found under /etc/imap/imapd-csr.pem.
Note that the private key will later also be used together with the official certificate in productive operation. Consequently you must ensure that the private key is always protected against unauthorized access. During installation the access rights for the /etc/imap/private directory are thus restricted to the super user (SYSROOT, TSOS).
During installation, suitable links are automatically created for the POP3 server which refer to the aforementioned certificate and the private key of the IMAP server. This enables the private key and the certificate to be used by both the IMAP and the POP3 server.
As soon as you have received the certificate from an official CA you must store this under /etc/imap/certs/in.imapd.pem, thus overwriting the test certificate which you no longer require.
An excerpt from an /etc/imap/MAKE.CERT.sh run is shown below. User inputs follow the prompts; an empty input accepts the default value shown in square brackets.
1. Country Name (2 letter code) [DE]: <
2. State or Province Name (full name) [Bavaria]: Bayern<
3. Locality Name (eg, city) [Munich]: Muenchen<
5. Organizational Unit Name (eg, section) [Marketing]: Internet Services<
6. Common Name (eg, FQDN) [www.manufacturer.com]: www.fujitsu.com<
7. Email Address (eg, name@FQDN) [info@manufacturer.com]: info@fujitsu.com<
8. Certificate Validity (days) [365]: 730<
Certificate Version (1 or 3) [3]: <
9. subjectAltName:dNSName (eg, FQDN) [www.fujitsu.com]: <
Generating certificate, please wait...
Done
Subject: C=DE, ST=Bayern, L=Muenchen, O=Fujitsu Technology Solutions GmbH, OU=Internet Services, CN=www.fujitsu.com, emailAddress=info@fujitsu.com
The private key for IMAP has been created as /etc/imap/private/in.imapd.pem.
The certifcate for IMAP has been created as /etc/imap/certs/in.imapd.pem.
The used CA certificate has been saved as /etc/imap/certs/cacert.pem.
For using certificate and key also for POP3 we make appropriate links to the created files:
Creating link /etc/imap/private/in.ipop3d.pem to file /etc/imap/private/in.imapd.pem.
Creating link /etc/imap/certs/in.ipop3d.pem to file /etc/imap/certs/in.imapd.pem.
WARNING: Use this certificate only for testing, not for production!
TLS protection of SMTP connections (Postfix)
SMTP connections can only be secured between two adjacent Mail servers (Mail Transfer Agents, MTAs) on the communication path. End-to-end security cannot be guaranteed with TLS. In particular, the e-mails are buffered on the MTAs in unencrypted format. TLS can, however, be used for implementing partially open mail relays. The group of users of a mail relay can be restricted to the authorized persons/servers via TLS authentication. Similarly, in cases where the e-mail is sent directly to the recipient, TLS enables mail encryption to be implemented which is transparent for e-mail senders and recipients.
Unlike end-to-end mail encryption (S/MIME, PGP), TLS protects not only the e-mail content but also the metadata on the respective transmission path. You should therefore always use TLS protection of the SMTP traffic wherever possible.
If you use TLS in conjunction with Postfix, you must set the corresponding parameters in the Postfix configuration file /etc/postfix/main.cf. Here you must distinguish between use of TLS for incoming and outgoing connections:
In the case of incoming connections the parameter names begin with the prefix “smtpd_”.
In the case of outgoing connections the parameter names begin with the prefix “smtp_”.
Further information on the TLS parameters available is provided in the /etc/postfix/sample-tls.cf file.
Minimum configuration for TLS protection with incoming SMTP connections
The additional parameters for a minimum configuration for TLS protection of an incoming SMTP connection are shown below. The TLS configuration also uses the IMAP/POP3 certificate as the Postfix server certificate.
smtpd_tls_cert_file = /etc/imap/certs/in.imapd.pem
smtpd_tls_key_file = /etc/imap/private/in.imapd.pem
smtpd_use_tls = yes
Minimum configuration for TLS protection with outgoing SMTP connections
The additional parameters for a minimum configuration for TLS protection of an outgoing SMTP connection are shown below. The TLS configuration also uses the IMAP/POP3 certificate as the Postfix Client certificate.
smtp_tls_cert_file = /etc/imap/certs/in.imapd.pem
smtp_tls_key_file = /etc/imap/private/in.imapd.pem
smtp_tls_CAfile = /etc/imap/certs/trusted-certs.pem
smtp_use_tls = yes
The /etc/imap/certs/trusted-certs.pem file (the name is freely selectable) must contain the certificates of all CAs which are to be trusted. In test operation against a server whose server certificate was generated with the MAKE.CERT.sh script, you must copy the contents of the /etc/imap/certs/cacert.pem file into the /etc/imap/certs/trusted-certs.pem file. After you switch over to productive operation you must replace this test CA certificate with the certificate of the CA which issued the productive server certificate.
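As an added example (not part of the manual or of Postfix), the following check reads the minimum incoming and outgoing TLS settings shown above and reports what is missing for each direction, and it tests whether the test CA from cacert.pem is still present in trusted-certs.pem, which must not be the case in productive operation. The parser, the finding texts and the PEM blocks are assumptions; the file names are the manual's.

```python
import re

# One PEM certificate block; a CA bundle may contain several of them.
PEM_CERT_RE = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)

def parse_main_cf(text):
    """Parse 'name = value' lines of a main.cf excerpt; comments and blank lines are skipped."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            name, _, value = line.partition("=")
            params[name.strip()] = value.strip()
    return params

def check_tls_params(params):
    """Findings for the incoming (smtpd_) and outgoing (smtp_) TLS settings."""
    findings = []
    for prefix in ("smtpd_", "smtp_"):
        if params.get(prefix + "use_tls", "no").lower() != "yes":
            findings.append(prefix + "use_tls is not 'yes': this direction is unprotected")
            continue
        for suffix in ("tls_cert_file", "tls_key_file"):
            if not params.get(prefix + suffix):
                findings.append(prefix + suffix + " missing although " + prefix + "use_tls = yes")
    # Only the client side verifies the remote server, so it needs the CA bundle.
    if params.get("smtp_use_tls", "").lower() == "yes" and not params.get("smtp_tls_CAfile"):
        findings.append("smtp_tls_CAfile missing: remote server certificates cannot be verified")
    return findings

def still_trusts_test_ca(trusted_bundle, test_ca_pem):
    """True if a certificate from cacert.pem (the test CA) is still in trusted-certs.pem."""
    bundle = PEM_CERT_RE.findall(trusted_bundle)
    return any(cert in bundle for cert in PEM_CERT_RE.findall(test_ca_pem))

# Constructed inputs: the manual's minimum settings for both directions and
# placeholder PEM blocks standing in for cacert.pem and a productive CA certificate.
MAIN_CF = """
smtpd_tls_cert_file = /etc/imap/certs/in.imapd.pem
smtpd_tls_key_file = /etc/imap/private/in.imapd.pem
smtpd_use_tls = yes
smtp_tls_cert_file = /etc/imap/certs/in.imapd.pem
smtp_tls_key_file = /etc/imap/private/in.imapd.pem
smtp_tls_CAfile = /etc/imap/certs/trusted-certs.pem
smtp_use_tls = yes
"""
TEST_CA_PEM = "-----BEGIN CERTIFICATE-----\nCONSTRUCTED-TEST-CA\n-----END CERTIFICATE-----\n"
PROD_CA_PEM = "-----BEGIN CERTIFICATE-----\nCONSTRUCTED-PROD-CA\n-----END CERTIFICATE-----\n"
```

With the real files, read /etc/postfix/main.cf, /etc/imap/certs/cacert.pem and /etc/imap/certs/trusted-certs.pem and pass their contents to the two functions.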