howtos:sasl-dovecot-postfix-ssl

===== Reason Why =====

I have for some time wanted to get hold of my private emails through my Nokia E90's embedded email client. I used to use the web interface but that sux on an E90. Instead I wanted to find a way to use the actual email client on the phone. The email client supports POP3 and IMAP, which are fine if you're not traversing a public network (aka The Internet). The two protocols transmit username and password in cleartext, and whatever email you read will also be moved to the phone in cleartext. I don't want that!! :-)

As a happy OpenVPN user I would have loved to see a Symbian client, that would have made it very easy for me, but that doesn't exist :-(

Luckily the two protocols also have SSL/TLS wrapped implementations (IMAPS and POP3S), which accomplish the privacy part of my wishes. The only catch is that this requires certificates. Personally I like certificates very much: they offer a lot of security (when correctly implemented, of course) and can be used in so many places. That view is not shared by many other people though ;-) For that reason I'll try to make it as easy a ride as possible.

**__Word of caution:__ Don't use this as an enterprise solution, only for your private mail. If you lose your device all material on it will be accessible and in cleartext!!**

===== Components used =====

I've chosen to use Dovecot as IMAP server and Postfix as my MTA. I'll get back to the Postfix part later.

You could choose any other IMAP server; only the configuration would be different. Dovecot also has a SASL interface which Postfix can utilize, making sending mail even easier.

===== Certificates =====

First let's start out by creating a self-signed certificate for Dovecot:

<code>
# self-signed certificate plus unencrypted private key (-nodes), valid for 10 years
# note: 1024-bit RSA is below current recommendations; 2048 bits or more is advised
openssl req -x509 -days 3650 -newkey rsa:1024 -keyout dovecot.key -nodes -out dovecot.crt
</code>

This command creates a self-signed certificate valid for 10 years. The private key (unencrypted) is in the file "dovecot.key" and the certificate is in "dovecot.crt".

Now for the certificates for Postfix:
<code>
# private key for Postfix, then a self-signed certificate for it
openssl genrsa 1024 > smtpd.key
openssl req -new -key smtpd.key -x509 -days 3650 -out smtpd.crt
# a separate CA certificate; without -nodes its key is passphrase protected
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650
</code>

This creates a certificate for Postfix and a CA certificate, again lasting 10 years.

For all the certificates it is vital that the common name (CN) is the name of the server you're connecting to. That is, if you use a DNS name, that is what you type; if you use an IP address, that will be your common name.
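As an added example (not part of the original howto), the following POSIX shell functions create the Dovecot key and certificate non-interactively with the CN given on the command line, and check that a certificate's CN equals the host name you will enter on the phone. The host name mail.example.org and the output directory are placeholders; the example uses 2048-bit RSA rather than the 1024 bits shown above.

```shell
#!/bin/sh
# Added example, not from the original howto. Requires the openssl CLI.
set -e

# Create a self-signed certificate with the CN set explicitly on the
# command line, so it cannot be mistyped at the interactive prompt.
# $1 = host name the phone will connect to (becomes the CN)
# $2 = output directory, $3 = validity in days (default 3650 as in the howto)
make_selfsigned_cert() {
    name=$1
    outdir=$2
    days=${3:-3650}
    mkdir -p "$outdir"
    openssl req -x509 -days "$days" -newkey rsa:2048 -nodes \
        -subj "/CN=$name" \
        -keyout "$outdir/dovecot.key" -out "$outdir/dovecot.crt" \
        >/dev/null 2>&1
    # the unencrypted private key must not be readable by other users
    chmod 600 "$outdir/dovecot.key"
}

# Print the common name of the certificate in file $1. Handles both the
# "subject= /CN=host" and "subject=CN = host" output styles of openssl.
cert_cn() {
    openssl x509 -in "$1" -noout -subject |
        sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Return 0 when the CN in certificate $1 equals host name $2, 1 otherwise.
# A mismatch here is what makes a client reject the server name, on top of
# the expected "untrusted issuer" warning for a self-signed certificate.
cert_cn_matches() {
    [ "$(cert_cn "$1")" = "$2" ]
}
```

Call make_selfsigned_cert with exactly the DNS name or IP address the phone will be configured with (for example `make_selfsigned_cert mail.example.org /etc/dovecot/ssl`), then use cert_cn_matches on the resulting dovecot.crt before copying it into place.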
===== Dovecot =====

Now edit dovecot.conf and insert the following to use your newly created certificates:

<file>
ssl_cert_file = /etc/dovecot/ssl/dovecot.crt
ssl_key_file = /etc/dovecot/ssl/dovecot.key
</file>

I've found out that my 3G provider doesn't allow 993/tcp through, so I cannot get access from my phone. You can change the port with this setting:

<file>
ssl_listen = *:5011
</file>

As we want to use SASL through Dovecot you need to insert this:

<file>
socket listen {
  client {
    path = /var/spool/postfix/private/auth
    mode = 0660
    user = postfix
    group = postfix
  }
}
</file>

This will enable a SASL interface for Postfix. We need SASL to be able to send mail from the phone. We only allow the Postfix user/daemon to access this interface, but if you like you can remove that restriction and allow other programs access. By using Dovecot as authenticator we can reuse our IMAP user credentials.

Now just reload Dovecot:
<code>
sudo invoke-rc.d dovecot restart
</code>

===== Postfix =====

First we need to TLS-enable Postfix. Insert the following in main.cf:

<file>
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
</file>

We want to be able to relay mail externally but not become an open relay (oooh no, too many of them already!!). The problem is that the phone is not coming from a known network (mynetworks), so we have to authenticate against Postfix before allowing relaying.

This is accomplished by inserting "permit_sasl_authenticated" into "smtpd_recipient_restrictions":

<file>
smtpd_recipient_restrictions =
    ...
    ...
    permit_sasl_authenticated
    permit_mynetworks
    ....
</file>

To finish up the TLS configuration insert these lines:

<file>
smtpd_sasl_local_domain =
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtp_tls_security_level = may
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
</file>

And the final part, to get Postfix to use Dovecot as its SASL authenticator:

<file>
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
</file>

To get it all working bounce Postfix:

<code>
sudo invoke-rc.d postfix restart
</code>
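The following POSIX shell audit is an added example and not part of the original howto. It flattens a main.cf (Postfix continuation lines joined, comments dropped), reads the parameters set in this section, and reports when the phone's password could be sent before STARTTLS (smtpd_tls_auth_only not yes), when anonymous SASL would be accepted, or when relaying is not tied to authentication. The two sample configurations are constructed for the example; reject_unauth_destination, the standard Postfix restriction against unauthenticated relaying, is not shown on this page and is assumed here.

```shell
#!/bin/sh
# Added example, not part of the original howto. Audits the main.cf settings
# this section relies on. The sample configurations below are constructed.
set -e

# Join Postfix continuation lines (a line starting with whitespace continues
# the previous parameter), drop comments and blank lines, and print one
# "parameter=value" line per parameter with whitespace collapsed.
flatten_main_cf() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        /^[[:space:]]/ { cur = cur " " $0; next }
        { if (cur != "") print cur; cur = $0 }
        END { if (cur != "") print cur }
    ' "$1" | sed -e 's/[[:space:]]\{1,\}/ /g' -e 's/^ //' -e 's/ *= */=/'
}

# Print the value of parameter $2 in file $1; Postfix uses the last definition.
cf_get() {
    flatten_main_cf "$1" | sed -n "s/^$2=//p" | tail -n 1
}

# Return 0 if the space-separated list $1 contains the word $2.
has_word() {
    case " $1 " in *" $2 "*) return 0 ;; esac
    return 1
}

# Print one line per problem found in main.cf $1; the return value is the
# number of problems (0 means every check passed).
check_main_cf() {
    cf=$1
    problems=0
    [ "$(cf_get "$cf" smtpd_sasl_auth_enable)" = "yes" ] ||
        { echo "smtpd_sasl_auth_enable is not yes: the phone cannot authenticate"; problems=$((problems + 1)); }
    # AUTH only after STARTTLS, otherwise the password may cross the network in cleartext
    [ "$(cf_get "$cf" smtpd_tls_auth_only)" = "yes" ] ||
        { echo "smtpd_tls_auth_only is not yes: AUTH is offered on cleartext sessions"; problems=$((problems + 1)); }
    has_word "$(cf_get "$cf" smtpd_sasl_security_options)" noanonymous ||
        { echo "smtpd_sasl_security_options lacks noanonymous"; problems=$((problems + 1)); }
    # relay decisions may live in smtpd_recipient_restrictions or smtpd_relay_restrictions
    restrictions="$(cf_get "$cf" smtpd_recipient_restrictions) $(cf_get "$cf" smtpd_relay_restrictions)"
    has_word "$restrictions" permit_sasl_authenticated ||
        { echo "permit_sasl_authenticated missing: the authenticated phone cannot relay"; problems=$((problems + 1)); }
    # reject/defer_unauth_destination is what stops relaying for everyone else
    has_word "$restrictions" reject_unauth_destination || has_word "$restrictions" defer_unauth_destination ||
        { echo "no reject_unauth_destination: open relay risk"; problems=$((problems + 1)); }
    return $problems
}

# Constructed sample: SASL enabled, but AUTH allowed before TLS and no
# restriction that stops unauthenticated relaying.
weak_main_cf() {
    cat <<'EOF'
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_recipient_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
EOF
}

# Constructed sample: the settings this howto ends up with, plus
# reject_unauth_destination at the end of the restriction list.
hardened_main_cf() {
    cat <<'EOF'
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_tls_auth_only = yes
# comments and blank lines are ignored by the parser

smtpd_recipient_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_destination
EOF
}
```

Run `check_main_cf /etc/postfix/main.cf` after editing; a non-zero exit with the printed reasons tells you which of the settings above is still missing before you bounce Postfix. The parser only reads main.cf, so values overridden per service in master.cf are not seen.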
===== Configure the Phone =====

Now all you need to do is point the mail client at your mail server with IMAPS (IMAP with SSL/TLS) and log in.

For outgoing mail you point the phone again to the same server and enable authentication. The login is the same as in the incoming mail configuration.

The first time you connect the phone complains that the certificate is not trusted. Check the info in the certificate, make sure it corresponds to the info you put in when you created them, and accept permanently.

Now you should be able to send and receive mail from your phone.