Secure IMAP, POP and SMTP with SASL AUTH
Posted: Sun Jul 15, 2007 5:15 pm
I am running Scalix 11.1 on SUSE Linux Enterprise Server 10 SP1 i586 running in a XEN domU on a SLES 10 SP1 x86_64 box.
I searched many times to find an answer on secure connections from Evolution to the Scalix server but could not really find one.
So here are my steps; there is probably a better way, but this works and it is easy.
Backup your /etc/sysconfig/, /etc/sendmail, /etc/mail/ files and directories.
Getting secure IMAP and/or POP3 was easy. Install stunnel and run
/usr/bin/openssl req -new -x509 -days 365 -nodes -config /usr/share/doc/packages/stunnel/stunnel.cnf -out /etc/stunnel/stunnel.pem -keyout /etc/stunnel/stunnel.pem
This will build a simple certificate to use.
You need to edit the /etc/stunnel/stunnel.conf file to look something like this
#
[pop3s]
accept = 995
connect = 110
[imaps]
accept = 993
connect = 143
[ssmtp]
accept = 465
connect = 25
#
Then you need to make sure stunnel starts with the server after a reboot.
chkconfig stunnel on
Now for secure SMTP to work I had to edit several files to include SASL AUTH support.
These are the steps.
*Create Certs: to configure CAcerts in /etc/mail/certs
First do this:
openssl genrsa -des3 -rand /etc/hosts -out MYServer.key.pem.encrypted 1024
passphrase (some phrase you can remember typed here)
chmod 600 MYServer.key.pem.encrypted
openssl req -new -key MYServer.key.pem.encrypted -out MYServer.cert.req
It will ask for each separately (Country, State, City, Company, Username, useremail@xxxxxxxxxxxxxxx)
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out CA.cert.pem -days 3650
(it will ask for your pass phrase here.....)
openssl rsa -in MYServer.key.pem.encrypted -out smtpd.key.unencrypted
mv -f smtpd.key.unencrypted MYServer.key.pem
openssl x509 -req -days 3650 -in MYServer.cert.req -signkey MYServer.key.pem.encrypted -out MYServer.cert.pem
chmod 600 *
I needed to add several lines in the sysconfig/sendmail file... search for the following lines, since I will not add the commented # info.
vi /etc/sysconfig/sendmail
(Now I had to add a smart mailer)
SENDMAIL_SMARTHOST="smart.host.org"
SMTP_AUTH_MECHANISMS="gssapi,digest-md5,cram-md5,plain,login,otp"
SMTP_AUTH_SERVER="gssapi,digest-md5,cram-md5,plain,login,otp"
STARTTLS="server"
For me I decided it was easier to let SUSE do its thing, then edit after.
So I edited the files to let SuSEconfig configure sendmail for me
vi /etc/sysconfig/mail
# If you don't want to let SuSEconfig generate your configuration file, set this to no
MAIL_CREATE_CONFIG="yes"
Then run SuSEconfig
This will create the /etc/sendmail.cf and the /etc/mail/submit.cf files
When I ran SuSEconfig it created a /etc/sendmail.cf.SuSEconfig and a /etc/mail/submit.cf.SuSEconfig since I edited my files by hand the first time.
I then did a diff on the files to see what had changed
diff submit.cf submit.cf.SuSEconfig
diff sendmail.cf sendmail.cf.SuSEconfig
Once I felt good about the changes I just copied the .SuSEconfig files over the current ones. *Remember, we backed them up, right?
For me, I had to double check that my smarthost was there, so
grep DS /etc/sendmail.cf
grep DS /etc/mail/submit.cf
look for DSsmart.host.org or whatever yours is.
Then restart the services
rcstunnel restart
rcsendmail restart
That is all I did and it works great. Now I just open ports 465, 993 and 995 and 443 on my Astaro firewall and I have secured my Scalix environment.
Hope this helps
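A small checker for the stunnel.conf mapping described in the post, added here as an example and not part of the original post; the parser, the audit function and the inline sample config are all constructed for illustration. It flags a missing cert= directive, a port that differs from the 995/110, 993/143 and 465/25 pairs above, and a connect target that would send the plaintext leg off the box instead of to the local Scalix daemons.

```python
# Added example, not from the original post: audit an stunnel.conf of the shape
# shown above before opening 995/993/465 on the firewall. Sample config is constructed.
SAMPLE_CONF = """\
cert = /etc/stunnel/stunnel.pem
[pop3s]
accept = 995
connect = 110
[imaps]
accept = 993
connect = 143
[ssmtp]
accept = 465
connect = 25
"""
# service -> (TLS accept port, plaintext backend port), as in the post
EXPECTED = {"pop3s": (995, 110), "imaps": (993, 143), "ssmtp": (465, 25)}

def parse_stunnel_conf(text):
    # stunnel's INI-style file: options before the first [section] are global
    global_opts, services, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            services[current] = {}
        elif "=" in line:
            key, val = (p.strip() for p in line.split("=", 1))
            (services[current] if current else global_opts)[key] = val
    return global_opts, services

def audit(text):
    # returns a list of findings; an empty list means the tunnels look as intended
    findings, (glob, services) = [], parse_stunnel_conf(text)
    for name, (acc, conn) in EXPECTED.items():
        opts = services.get(name, {})  # a missing section shows up as wrong ports
        if "cert" not in opts and "cert" not in glob:
            findings.append(f"{name}: no cert= directive for the server certificate")
        if opts.get("accept", "").rsplit(":", 1)[-1] != str(acc):
            findings.append(f"{name}: accept port is not {acc}")
        target = opts.get("connect", "")
        if target.rsplit(":", 1)[-1] != str(conn):
            findings.append(f"{name}: connect port is not {conn}")
        # a bare port means localhost; any other host sends plaintext off-box
        host = target.rsplit(":", 1)[0] if ":" in target else "localhost"
        if host not in ("localhost", "127.0.0.1", "::1"):
            findings.append(f"{name}: plaintext leg leaves the host ({host})")
    return findings
```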