I have some issues with my configs getting a fully functional mail server with CRAM-MD5 authentication for only ports 993 and 465. Please help me and others to get a correct config file structure for Ubuntu servers, and for the future if someone is searching for full configs like that. I have big problems understanding the right combination of parameters to get the right result. I will update and write the correct working config each time you write something useful. Hope that will also help others, because it's not easy to figure out how to set the right parameters for so much different stuff =(
btw. please help me to create a relatively secure config and tell me if I have to change some chmod or chown security settings
Thanks, and I hope this file will help a lot of users in the future.
These are the main problems:
Problem 1: connecting to IMAPS from Outlook without sending plain passwords
1st: I create a CRAM-MD5 hash
doveadm pw -s CRAM-MD5
THE SECRET PASSWORD
output: {CRAM-MD5}aaaabbbbcccccddddeeeeffffggggghhhhiiiiijjjjjkkkkklllllmmmmmnnnnn
which I use in: /etc/dovecot/users
2nd: if I connect via openssl s_client -connect localhost:993 it works, but not from Outlook, and only with a plain password
openssl s_client -connect localhost:993
A login office@MY_DOMAIN.COM "THE SECRET PASSWORD"
output: A OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABL ....]
How do I solve that without plain passwords in the configs and at login?
Problem 2: can't connect successfully via openssl s_client -connect localhost:465
1st:
openssl s_client -connect localhost:465
AUTH CRAM-MD5
output: NEEDED_CHALLENGE_BASE64_HASH_VALUE_FOR_PASSWORD
2nd:
apt install sasl2-bin
gen-auth CRAM-MD5
Username: office@MY_DOMAIN.COM
password: THE SECRET PASSWORD
challenge: NEEDED_CHALLENGE_BASE64_HASH_VALUE_FOR_PASSWORD
output: BASE64_HASH_VALUE_FOR_LOGIN
3rd:
openssl s_client -connect localhost:465
AUTH CRAM-MD5
BASE64_HASH_VALUE_FOR_LOGIN
output: 535 5.7.8 Error: authentication failed: ...
output-mail.log: warning: localhost[127.0.0.1]: SASL CRAM-MD5 authentication failed: ...
What am I doing wrong?
Problem 3: openssl s_client -connect localhost:993 errors, which I don't have for ports 465 and 443. It's the same Apache SSL that I want to use for the mail server. Mail server == web server
conclusion:
error 1: Can't use SSL_get_servername
I know. That's because I'm connecting as localhost and not over MY_DOMAIN.COM
error 2: verify error:num=20:unable to get local issuer certificate
also if I try with
openssl s_client -CAfile /var/www/security/SSL/MY_DOMAIN.ca-bundle -crlf -connect localhost:993
output:
verify error:num=2:unable to get issuer certificate
SSL handshake has read 2063 bytes and written 373 bytes
Verification error: unable to get issuer certificate
full but shortened output: openssl s_client -connect localhost:993
CONNECTED(00000003)
Can't use SSL_get_servername
depth=0 CN = MY_DOMAIN.COM
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = MY_DOMAIN.COM
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 CN = MY_DOMAIN.COM
verify return:1
---
Certificate chain
0 s:CN = MY_DOMAIN.COM
i:C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
v:NotBefore: May 7 00:00:00 2023 GMT; NotAfter: Aug 15 23:59:59 2023 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=CN = MY_DOMAIN.COM
issuer=C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2063 bytes and written 373 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 21 (unable to verify the first certificate)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID:
...
Verify return code: 21 (unable to verify the first certificate)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID:
...
Start Time: 1684318538
Timeout : 7200 (sec)
Verify return code: 21 (unable to verify the first certificate)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
* OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE
Postfix
Folder: /etc/postfix/
[root:root - rights:655] main.cf
biff = no
append_dot_mydomain = no
readme_directory = no
compatibility_level = 3.6
mydomain = MY_DOMAIN.COM
myhostname = web-p3.$mydomain
smtpd_banner = $myhostname ESMTP $mail_name
myorigin = $mydomain
mydestination = $myhostname, mail.$mydomain, web-p3.$mydomain, localhost.$mydomain, localhost
# old settings
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
relayhost =
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
# Virtual domain settings
virtual_mailbox_domains = $mydomain
#virtual_mailbox_domains = hash:/etc/postfix/virtual_domains
#virtual_mailbox_base = /home/vmail
#virtual_mailbox_maps = hash:/etc/postfix/virtual-mailbox
#virtual_alias_domains =
#virtual_alias_maps = hash:/etc/postfix/virtual_aliases
virtual_transport = lmtp:unix:private/dovecot-lmtp
# SSL settings
smtpd_use_tls = yes
smtpd_tls_key_file = /var/www/ssl/MY_DOMAIN.pem
smtpd_tls_cert_file = /var/www/ssl/MY_DOMAIN.crt
smtpd_tls_CAfile = /var/www/ssl/MY_DOMAIN.ca-bundle
smtpd_tls_auth_only = yes
smtp_tls_loglevel = 1
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_security_level = encrypt
smtp_tls_security_level = encrypt
smtp_tls_wrappermode = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
smtp_sasl_password_maps = static:office@$mydomain:999999999-000000000000-9999999
#smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
#smtpd_sasl_path = /var/run/dovecot/auth-client
smtpd_sasl_path = private/auth
#smtpd_sasl_path = smtpd
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous,noplaintext
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes
smtp_sasl_mechanism_filter = login
[root:root - rights:644] master.cf
smtps inet n - y - - smtpd
-o syslog_name=postfix/smtps
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_recipient_restrictions=permit_sasl_authenticated,reject_unauth_destination
-o smtpd_relay_restrictions=permit_sasl_authenticated,reject_unauth_destination
-o smtpd_tls_security_level=encrypt
-o smtpd_tls_auth_only=yes
pickup unix n - y 60 1 pickup
cleanup unix n - y - 0 cleanup
qmgr unix n - n 300 1 qmgr
tlsmgr unix - - y 1000? 1 tlsmgr
rewrite unix - - y - - trivial-rewrite
bounce unix - - y - 0 bounce
defer unix - - y - 0 bounce
trace unix - - y - 0 bounce
verify unix - - y - 1 verify
flush unix n - y 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - y - - smtp
relay unix - - y - - smtp
-o syslog_name=postfix/$service_name
showq unix n - y - - showq
error unix - - y - - error
retry unix - - y - - error
discard unix - - y - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - y - - lmtp
anvil unix - - y - 1 anvil
scache unix - - y - 1 scache
postlog unix-dgram n - n - 1 postlogd
maildrop unix - n n - - pipe
flags=DRXhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
uucp unix - n n - - pipe
flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail unix - n n - - pipe
flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix - n n - - pipe
flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix - n n - 2 pipe
flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman unix - n n - - pipe
flags=FRX user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop} ${user}
[root:root - rights:644] virtual-mailbox
office@MY_DOMAIN.COM MY_DOMAIN.COM/office/Maildir/
Original files! No changes
[root:root - rights:644] main.cf.proto
[root:root - rights:644] master.cf.proto
Dovecot
#Folder: /etc/dovecot/
[root:root - rights:644] dovecot.conf
!include_try /usr/share/dovecot/protocols.d/*.protocol
protocols = imap lmtp
listen = *, ::
dict {}
!include conf.d/*.conf
!include_try local.conf
[root:dovecot - rights:640] dovecot-dict-auth.conf.ext
default_pass_scheme = CRAM-MD5
#default_pass_scheme = MD5
iterate_prefix = userdb/
key passdb {
key = passdb/%u
format = json
}
key userdb {
key = userdb/%u
format = json
}
key quota {
key = userdb/%u/quota
default_value = 100M
}
passdb_objects = passdb
userdb_objects = userdb
userdb_fields {
quota_rule = *:storage=%{dict:quota}
mail = maildir:%{dict:userdb.home}/Maildir
}
[root:dovecot - rights:640] dovecot-dict-sql.conf.ext
map {
pattern = priv/quota/storage
table = quota
username_field = username
value_field = bytes
}
map {
pattern = priv/quota/messages
table = quota
username_field = username
value_field = messages
}
map {
pattern = shared/expire/$user/$mailbox
table = expires
value_field = expire_stamp
fields {
username = $user
mailbox = $mailbox
}
}
[root:root - rights:644] users
office@MY_DOMAIN.COM:{CRAM-MD5}aaaabbbbcccccddddeeeeffffggggghhhhiiiiijjjjjkkkkklllllmmmmmnnnnn
[root:dovecot - rights:640] dovecot-sql.conf.ext
# empty
#Folder: /etc/dovecot/conf.d/
[root:root - rights:644] 10-auth.conf
disable_plaintext_auth = yes
auth_username_format = %Lu
auth_master_user_separator = *
auth_mechanisms = cram-md5 plain login
#!include auth-system.conf.ext
!include auth-passwdfile.conf.ext
!include auth-static.conf.ext
[root:root - rights:644] 10-director.conf
service director {
unix_listener login/director {}
fifo_listener login/proxy-notify {}
unix_listener director-userdb {}
inet_listener {}
}
service imap-login {}
service pop3-login {}
service submission-login {}
protocol lmtp {}
[root:root - rights:644] 10-logging.conf
log_path = /var/log/dovecot.log
info_log_path = /var/log/dovecot-info.log
plugin {}
[root:root - rights:644] 10-mail.conf
mail_location = maildir:/var/mail/vhosts/%d/%n
namespace inbox {
inbox = yes
}
mail_privileged_group = mail
protocol !indexer-worker {}
mail_uid = vmail
mail_gid = vmail
mbox_write_locks = fcntl
[root:root - rights:644] 10-master.conf
service imap-login {
inet_listener imap {}
inet_listener imaps {
port = 993
ssl = yes
}
}
service pop3-login {
inet_listener pop3 {}
inet_listener pop3s {}
}
service submission-login {
inet_listener submission {}
}
service lmtp {
unix_listener lmtp {}
}
service imap {}
service pop3 {}
service submission {}
service auth {
unix_listener auth-userdb {}
unix_listener /var/spool/postfix/private/auth {
mode = 0660
user = postfix
group = postfix
}
}
service auth-worker {}
service dict {
unix_listener dict {}
}
[root:root - rights:644] 10-ssl.conf
ssl = yes
ssl_cert = </var/www/ssl/MY_DOMAIN.crt
ssl_key = </var/www/ssl/MY_DOMAIN.pem
ssl_client_ca_dir = /etc/ssl/certs
ssl_dh = </usr/share/dovecot/dh.pem
[root:root - rights:644] 10-tcpwrapper.conf
#empty
[root:root - rights:644] 15-lda.conf
protocol lda {}
[root:root - rights:644] 15-mailboxes.conf
namespace inbox {
mailbox Drafts {
special_use = \Drafts
}
mailbox Junk {
special_use = \Junk
}
mailbox Trash {
special_use = \Trash
}
mailbox Sent {
special_use = \Sent
}
mailbox "Sent Messages" {
special_use = \Sent
}
}
[root:root - rights:644] 20-imap.conf
protocol imap {}
[root:root - rights:644] 20-lmtp.conf
protocol lmtp {
mail_plugins = $mail_plugins sieve
}
plugin {
sieve = /var/vmail/%d/%n/.sieve
sieve_dir = /var/vmail/%d/%n/sieve
sieve_global_dir = /var/vmail/sieve/global/
}
[root:root - rights:644] 90-acl.conf
plugin {}
plugin {}
[root:root - rights:644] 90-plugin.conf
plugin {}
[root:root - rights:644] 90-quota.conf
plugin {}
plugin {}
plugin {}
plugin {}
[root:root - rights:644] auth-checkpassword.conf.ext
passdb {
driver = checkpassword
args = /usr/bin/checkpassword
}
userdb {
driver = prefetch
}
[root:root - rights:644] auth-deny.conf.ext
passdb {
driver = passwd-file
deny = yes
args = /etc/dovecot/deny-users
}
[root:root - rights:644] auth-dict.conf.ext
passdb {
driver = dict
args = /etc/dovecot/dovecot-dict-auth.conf.ext
}
userdb {
driver = dict
args = /etc/dovecot/dovecot-dict-auth.conf.ext
}
[root:root - rights:644] auth-master.conf.ext
passdb {
driver = passwd-file
master = yes
args = /etc/dovecot/master-users
pass = yes
}
[root:root - rights:644] auth-passwdfile.conf.ext
passdb {
driver = passwd-file
args = scheme=CRAM-MD5 username_format=%u /etc/dovecot/users
}
userdb {
driver = static
args = uid=vmail gid=vmail home=/var/mail/vhosts/%d/%n
}
[root:root - rights:644] auth-sql.conf.ext
passdb {
driver = sql
args = /etc/dovecot/dovecot-sql.conf.ext
}
userdb {
driver = sql
args = /etc/dovecot/dovecot-sql.conf.ext
}
[root:root - rights:644] auth-static.conf.ext
# empty
[root:root - rights:644] auth-system.conf.ext
userdb {
driver = passwd
}
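The CRAM-MD5 exchange behind Problem 2 (and the reason /etc/dovecot/users holds a {CRAM-MD5} scheme entry), as an added example that is not part of the original post: the client answers the base64 challenge with an HMAC-MD5 keyed by the password, and the server recomputes the same digest from the secret it stores. The function names and the embedded RFC 2195 test vector are assumptions made for this example.

```python
# Added example (not from the original post): both halves of the CRAM-MD5 exchange
# (RFC 2195) that Postfix and Dovecot perform for AUTH CRAM-MD5. Function names and
# the embedded RFC 2195 test vector are assumptions made for this demo.
import base64
import hashlib
import hmac
import secrets
import time
from typing import Callable, Optional

# RFC 2195 test vector: user "tim", secret "tanstaaftanstaaf", this challenge.
RFC2195_CHALLENGE_B64 = b"PDE4OTYuNjk3MTcwOTUyQHBvc3RvZmZpY2UucmVzdG9uLm1jaS5uZXQ+"

def make_challenge(hostname: str) -> bytes:
    """Server side: fresh, unguessable msg-id style challenge, base64 as sent on the wire."""
    raw = f"<{secrets.randbits(64)}.{int(time.time())}@{hostname}>".encode()
    return base64.b64encode(raw)

def client_response(username: str, password: str, challenge_b64: bytes) -> bytes:
    """Client side: base64('<user> <hex HMAC-MD5(password, challenge)>').
    Only this keyed digest crosses the wire (the line sent after AUTH CRAM-MD5);
    the password itself never does."""
    challenge = base64.b64decode(challenge_b64, validate=True)
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{username} {digest}".encode())

def server_verify(response_b64: bytes, challenge_b64: bytes,
                  lookup_secret: Callable[[str], Optional[str]]) -> Optional[str]:
    """Server side: recompute the digest from the stored secret, compare in constant time.
    Returns the authenticated username or None. The server needs the cleartext password
    (or Dovecot's {CRAM-MD5} precomputed form), so the passdb cannot hold a one-way
    hash such as SHA512-CRYPT for this mechanism."""
    try:
        decoded = base64.b64decode(response_b64, validate=True).decode()
        username, client_digest = decoded.rsplit(" ", 1)
    except ValueError:  # bad base64, bad UTF-8 or no separating space
        return None
    secret = lookup_secret(username)
    if secret is None:  # unknown user: same answer as a wrong digest
        return None
    expected = hmac.new(secret.encode(), base64.b64decode(challenge_b64), hashlib.md5).hexdigest()
    return username if hmac.compare_digest(expected, client_digest) else None

if __name__ == "__main__":
    passdb = {"office@MY_DOMAIN.COM": "THE SECRET PASSWORD"}  # constructed stand-in for /etc/dovecot/users
    chal = make_challenge("web-p3.MY_DOMAIN.COM")
    resp = client_response("office@MY_DOMAIN.COM", "THE SECRET PASSWORD", chal)
    print(server_verify(resp, chal, passdb.get))  # office@MY_DOMAIN.COM
```

Feeding the challenge shown by the server after AUTH CRAM-MD5 into client_response reproduces the value a client would send, which makes it easy to tell a wrong client-side digest apart from a server-side lookup problem.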