This stack is part of a larger project that I created nearly ten years ago. I am on the fourth rewrite of this for some internal email. We are in the process of migrating from Cyrus and Squirrelmail to Dovecot and RoundCube. These are my notes from that build process.
Stack:
Postfix
Dovecot
Apache
RoundCube
MariaDB
We run an ASA at the Circus, so we turn off the firewalls internally.
systemctl disable firewalld
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
Removed symlink /etc/systemd/system/basic.target.wants/firewalld.service.
systemctl stop firewalld
Enable optional packages for RHEL.
subscription-manager repos --enable=rhel-7-server-optional-rpms
yum update
Install and start MariaDB.

yum install mariadb mariadb-server
systemctl enable mariadb
systemctl start mariadb
mysql_secure_installation
Apache install and start.
yum install httpd httpd-devel php mod_ssl
systemctl enable httpd
systemctl start httpd
Dovecot install and start.
yum install dovecot dovecot-mysql
systemctl enable dovecot
systemctl start dovecot
First we have to extract the private key and the certificate from the .pfx file for use with Postfix, Apache and Dovecot. I am starting from the IIS-style (.pfx) export of a GoDaddy certificate.
Split out the private key.
openssl pkcs12 -in CircusStar.pfx -nocerts -out circusprivate-withpassword.pem
Split out the certificate (the public half).
openssl pkcs12 -in CircusStar.pfx -clcerts -nokeys -out circuspublic.pem
Split out the private key with the passphrase removed, so the daemons can start unattended.
openssl rsa -in circusprivate-withpassword.pem -out circusprivate-wopassword.pem
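The three openssl steps above as one script, added here as an example (my code, not from the original notes). It takes the .pfx path, its passphrase and an output directory as hypothetical inputs, runs the split under a restrictive umask so the passphrase-less key is created mode 0600 (the notes drop it into /etc/ssl/certs, a world-readable directory, so the file mode is the only thing protecting it), and then checks that the extracted key and certificate share an RSA modulus. The --selftest mode builds a throwaway self-signed bundle so the script can be exercised without a GoDaddy export.

```shell
#!/bin/sh
# Added example, not from the original notes. Splits a PKCS#12 bundle into the
# three PEM files the notes use and verifies the result. Inputs (bundle path,
# passphrase, output directory) are hypothetical arguments, not the author's.
set -eu

# split_pfx <bundle.pfx> <passphrase> <outdir>
# Runs the three openssl steps under umask 077 so every output file, and in
# particular the key with the passphrase removed, is created mode 0600.
split_pfx() {
    pfx=$1; pass=$2; out=$3
    mkdir -p "$out"
    (
        umask 077
        # 1. private key, still encrypted with the same passphrase
        openssl pkcs12 -in "$pfx" -nocerts -passin "pass:$pass" -passout "pass:$pass" \
            -out "$out/circusprivate-withpassword.pem"
        # 2. the certificate (what the notes call the public key)
        openssl pkcs12 -in "$pfx" -clcerts -nokeys -passin "pass:$pass" \
            -out "$out/circuspublic.pem"
        # 3. private key with the passphrase removed, for daemons that start unattended
        openssl rsa -in "$out/circusprivate-withpassword.pem" -passin "pass:$pass" \
            -out "$out/circusprivate-wopassword.pem"
    )
}

# key_matches_cert <key.pem> <cert.pem>: "match" when both carry the same RSA modulus
key_matches_cert() {
    k=$(openssl rsa -noout -modulus -in "$1" | openssl sha256)
    c=$(openssl x509 -noout -modulus -in "$2" | openssl sha256)
    if [ "$k" = "$c" ]; then echo match; else echo mismatch; fi
}

# key_mode <file>: "private" when the mode is exactly 0600, "exposed" otherwise
key_mode() {
    if find "$1" -perm 600 | grep -q .; then echo private; else echo exposed; fi
}

# make_test_pfx <dir> <passphrase>: constructed self-signed bundle used only to
# exercise the script (not a real certificate); prints the bundle path
make_test_pfx() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=selftest.invalid" \
        -keyout "$1/selftest.key" -out "$1/selftest.crt" 2>/dev/null
    openssl pkcs12 -export -inkey "$1/selftest.key" -in "$1/selftest.crt" \
        -passout "pass:$2" -out "$1/CircusStar.pfx"
    echo "$1/CircusStar.pfx"
}

# Command line: split-pfx.sh --selftest | split-pfx.sh <bundle.pfx> [outdir]
# The real passphrase is read from PFX_PASS so it does not show in the process list.
case ${1:-} in
    --selftest)
        tmp=$(mktemp -d)
        split_pfx "$(make_test_pfx "$tmp" selftest)" selftest "$tmp/out"
        echo "modulus: $(key_matches_cert "$tmp/out/circusprivate-wopassword.pem" "$tmp/out/circuspublic.pem")"
        echo "key file: $(key_mode "$tmp/out/circusprivate-wopassword.pem")"
        rm -rf "$tmp" ;;
    "") ;;   # no arguments (or sourced): only define the functions
    *)
        split_pfx "$1" "${PFX_PASS:?set PFX_PASS to the bundle passphrase}" "${2:-.}"
        key_matches_cert "${2:-.}/circusprivate-wopassword.pem" "${2:-.}/circuspublic.pem" ;;
esac
```

Run `sh split-pfx.sh --selftest` first; it should print `modulus: match` and `key file: private`. For the real bundle, `PFX_PASS=... sh split-pfx.sh CircusStar.pfx /etc/ssl/private` keeps the unencrypted key out of the world-readable certs directory, and the mismatch check catches the common mistake of pairing a freshly extracted key with an older certificate.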
These files go in the following locations for each application.

Apache
SSLCertificateFile "/etc/ssl/certs/circuspublic.pem"
SSLCertificateKeyFile "/etc/ssl/certs/circusprivate-wopassword.pem"

Postfix
smtpd_tls_cert_file = /etc/ssl/certs/circuspublic.pem
smtpd_tls_key_file = /etc/ssl/certs/circusprivate-wopassword.pem

Dovecot
ssl_cert = </etc/ssl/certs/circuspublic.pem
ssl_key = </etc/ssl/certs/circusprivate-wopassword.pem
Start on the MariaDB installation.
mysql_secure_installation
Now add a database, tables and users.
cat mariadb.create.virtual.tables
CREATE DATABASE /*!32312 IF NOT EXISTS*/ `mailserver` /*!40100 DEFAULT CHARACTER SET latin1 */;
USE `mailserver`;
CREATE USER 'mailuser'@'127.0.0.1' IDENTIFIED BY 'CHANGEME';
GRANT ALL PRIVILEGES ON mailserver.* TO 'mailuser'@'127.0.0.1';
CREATE TABLE `virtual_domains` (
  `id` int(11) NOT NULL auto_increment,
  `name` varchar(50) NOT NULL,
  PRIMARY KEY (`id`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;
CREATE TABLE `virtual_users` (
  `id` int(11) NOT NULL auto_increment,
  `domain_id` int(11) NOT NULL,
  `password` varchar(106) NOT NULL,
  `email` varchar(100) NOT NULL,
  PRIMARY KEY (`id`),
  UNIQUE KEY `email` (`email`),
  FOREIGN KEY (domain_id) REFERENCES virtual_domains(id) ON DELETE CASCADE
) ENGINE=InnoDB DEFAULT CHARSET=utf8;
CREATE TABLE `virtual_aliases` (
  `id` int(11) NOT NULL auto_increment,
  `domain_id` int(11) NOT NULL,
  `source` varchar(100) NOT NULL,
  `destination` varchar(100) NOT NULL,
  PRIMARY KEY (`id`),
  FOREIGN KEY (domain_id) REFERENCES virtual_domains(id) ON DELETE CASCADE
) ENGINE=InnoDB DEFAULT CHARSET=utf8;
INSERT INTO `mailserver`.`virtual_domains` (`id`, `name`) VALUES
  ('1', 'securemail.chainringcircus.org'),
  ('2', 'securemail4.chainringcircus.org');
-- each user needs its own id; the second user lives in domain 2 (see the select further down)
INSERT INTO `mailserver`.`virtual_users` (`id`, `domain_id`, `password`, `email`) VALUES
  ('1', '1', ENCRYPT('CHANGEME', CONCAT('$6$', SUBSTRING(SHA(RAND()), -16))), 'judson.bishop.gmail.com@securemail.chainringcircus.org'),
  ('2', '2', ENCRYPT('CHANGEME', CONCAT('$6$', SUBSTRING(SHA(RAND()), -16))), 'test.me@securemail4.chainringcircus.org');
CREATE DATABASE roundcubemail;
GRANT ALL PRIVILEGES ON roundcubemail.* TO mail@localhost IDENTIFIED BY 'CHANGEME';
FLUSH PRIVILEGES;
Check to make sure everything worked.
mysql -u root -p mailserver
Enter password:
MariaDB [mailserver]> select * from virtual_domains;
+----+---------------------------------+
| id | name                            |
+----+---------------------------------+
|  1 | securemail.chainringcircus.org  |
|  2 | securemail4.chainringcircus.org |
+----+---------------------------------+
2 rows in set (0.01 sec)
And check the users.
MariaDB [mailserver]> select * from virtual_users;
The password is going to be a long jumble that doesn't translate well to a blog. This query will omit the password field.
MariaDB [mailserver]> select id, domain_id, email from virtual_users;
+----+-----------+--------------------------------------------------------+
| id | domain_id | email                                                  |
+----+-----------+--------------------------------------------------------+
|  1 |         1 | judson.bishop.gmail.com@securemail.chainringcircus.org |
|  2 |         2 | test.me@securemail4.chainringcircus.org                |
+----+-----------+--------------------------------------------------------+
Make the directories for the two domains.
mkdir -p /var/mail/vhosts/securemail.chainringcircus.org
mkdir -p /var/mail/vhosts/securemail4.chainringcircus.org
Postfix is next in the stack. Here is the /etc/postfix/main.cf file with comments and blank lines stripped. The server-side SASL parameters are smtpd_sasl_type and smtpd_sasl_path; the smtp_ variants configure Postfix as an SMTP client and would leave the server's AUTH on the Cyrus default instead of the Dovecot socket set up later.

cat /etc/postfix/main.cf | egrep -v "#|^$"
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
mail_owner = postfix
myhostname = securemail4.chainringcircus.org
inet_interfaces = all
inet_protocols = all
mydestination =
unknown_local_recipient_reject_code = 550
mynetworks = 192.168.10.0/24
relayhost = [192.168.10.193]
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
home_mailbox = Maildir/
debug_peer_level = 2
debugger_command =
    PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
    ddd $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail.postfix
newaliases_path = /usr/bin/newaliases.postfix
mailq_path = /usr/bin/mailq.postfix
setgid_group = postdrop
html_directory = no
manpage_directory = /usr/share/man
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain =
helpful_warnings = yes
transport_maps = hash:/etc/postfix/transport
default_destination_concurrency_limit = 3
message_size_limit = 20480000
smtpd_tls_cert_file = /etc/ssl/certs/circuspublic.pem
smtpd_tls_key_file = /etc/ssl/certs/circusprivate-wopassword.pem
smtpd_use_tls = yes
smtp_tls_loglevel = 3
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
virtual_transport = lmtp:unix:private/dovecot-lmtp
virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual-alias-maps.cf, mysql:/etc/postfix/mysql-virtual-email2email.cf
virtual_mailbox_base = /var/mail/vhosts
These are the lines that enable TLS on Postfix.

smtpd_tls_cert_file = /etc/ssl/certs/circuspublic.pem
smtpd_tls_key_file = /etc/ssl/certs/circusprivate-wopassword.pem
smtpd_use_tls = yes
smtp_tls_loglevel = 3
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
Set up the /etc/postfix/master.cf file. Make sure you have smtps and Dovecot set up.
smtps     inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o milter_macro_daemon_name=ORIGINATING
Further down add Dovecot.
# DOVECOT
dovecot   unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail:vmail argv=/usr/libexec/dovecot/deliver -f ${sender} -d ${recipient}
After restarting Postfix, check that STARTTLS is advertised in the EHLO response.

telnet 127.0.0.1 25
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
220 securemail4.chainringcircus.org ESMTP Postfix
ehlo test.org
250-securemail4.chainringcircus.org
250-PIPELINING
250-SIZE 20480000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
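One thing worth noticing in that response: 250-AUTH PLAIN LOGIN is announced on the still-cleartext port 25 session, before STARTTLS has been negotiated, so a client that skips STARTTLS will send its password in the clear (Dovecot's disable_plaintext_auth only governs IMAP and POP3, not Postfix's SMTP AUTH). Postfix withholds AUTH until TLS is up when smtpd_tls_auth_only = yes is set. The shell function below is an added example, not part of the original notes: it reads a captured EHLO response and reports which of the two states it sees. Both sample responses are constructed, the first copied from the transcript above and the second what the same server would answer before STARTTLS with smtpd_tls_auth_only enabled.

```shell
#!/bin/sh
# Added example, not from the original notes: audit a captured EHLO response
# for AUTH being advertised before STARTTLS. Both responses below are
# constructed samples.

# The port 25 banner from the notes: STARTTLS offered, but AUTH already
# advertised on the cleartext session.
PAGE_EHLO='250-securemail4.chainringcircus.org
250-PIPELINING
250-SIZE 20480000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN'

# What the same server answers before STARTTLS once smtpd_tls_auth_only = yes
# is set: AUTH is only announced after the TLS handshake.
HARDENED_EHLO='250-securemail4.chainringcircus.org
250-PIPELINING
250-SIZE 20480000
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN'

# ehlo_audit: reads an EHLO response on stdin and prints one verdict:
#   no-starttls      STARTTLS never offered (everything would go in the clear)
#   auth-before-tls  AUTH advertised while the session is still cleartext
#   ok               STARTTLS offered and AUTH withheld until TLS is up
ehlo_audit() {
    starttls=no; auth=no
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(printf '%s' "$line" | tr -d '\r')   # telnet captures carry CRLF
        case $line in
            250-STARTTLS*|"250 STARTTLS"*) starttls=yes ;;
            250-AUTH*|"250 AUTH"*)         auth=yes ;;
        esac
    done
    if [ "$starttls" = no ]; then echo no-starttls
    elif [ "$auth" = yes ]; then echo auth-before-tls
    else echo ok
    fi
}

# Stand-alone demo on the constructed samples. Against a live server, feed it
# a real capture instead, e.g.:
#   printf 'EHLO test.org\r\nQUIT\r\n' | nc -w 3 127.0.0.1 25 | ehlo_audit
printf '%s\n' "$PAGE_EHLO"     | ehlo_audit
printf '%s\n' "$HARDENED_EHLO" | ehlo_audit
```

Run as-is it prints `auth-before-tls` for the transcript above and `ok` for the hardened banner. Port 465 does not need the setting, since that listener runs in TLS wrapper mode and is encrypted before the banner is sent.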
Check that Postfix is listening on 465.

ss -tnpl | grep 465
LISTEN     0      100          *:465                      *:*                   users:(("master",pid=17282,fd=22))
LISTEN     0      100         :::465                     :::*                   users:(("master",pid=17282,fd=23))
Now test port 465.

openssl s_client -connect 127.0.0.1:465
CONNECTED(00000003)
depth=0 OU = Domain Control Validated, CN = *.chainringcircus.org
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 OU = Domain Control Validated, CN = *.chainringcircus.org
verify error:num=27:certificate not trusted
verify return:1
depth=0 OU = Domain Control Validated, CN = *.chainringcircus.org
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/OU=Domain Control Validated/CN=*.chainringcircus.org
   i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFGjCCBAKgAwIBAgIJAIxTKDDCrcdfMA0GCSqGSIb3DQEBCwUAMIG0MQswCQYD
VQQGEwJVUzEQMA4GA1UECBMHQXJpem9uYTETMBEGA1UEBxMKU2NvdHRzZGFsZTEa
MBgGA1UEChMRR29EYWRkeS5jb20sIEluYy4xLTArBgNVBAsTJGh0dHA6Ly9jZXJ0
cy5nb2RhZGR5LmNvbS9yZXBvc2l0b3J5LzEzMDEGA1UEAxMqR28gRGFkZHkgU2Vj
dXJlIENlcnRpZmljYXRlIEF1dGhvcml0eSAtIEcyMB4XDTE1MDgyNDE0NDIzOVoX
DTE4MDkwNzE0NTQzOVowODEhMB8GA1UECxMYRG9tYWluIENvbnRyb2wgVmFsaWRh
dGVkMRMwEQYDVQQDDAoqLmVhbWMub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
MIIBCgKCAQEAkkXlK1db90Sb9A6mtUoGmeog06Sy8HjqVjVnAWw/KWFMjWAKyOHX
yvxtLqQWGPZ6i6Px+bZ2PK1qKalt/5bWHv7RQv53mWS+oktUcP/LC4tX39G5C9/N
KBfZUf5/sKcI7urXbAqwW5h3R50GahymBYJ2TXYN1Os6+otSzCQ9PrXKy9HN4Nqg
HCmavGDwxGi6dB9j606Xrf0lk7ZrMSSNPQFQdgKG1JGJplFt04FsfVnRsmDo+17G
i5ecT2H5mNMFX1Im0b8A/b81EUO5RXnrzuKBIdyvCBnwynPsE61zimGSAa6StZbC
AOZHtWocH/LKsGXHmeFrEtTc3CNkqThgLwIDAQABo4IBqDCCAaQwDAYDVR0TAQH/
BAIwADAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDgYDVR0PAQH/BAQD
AgWgMDcGA1UdHwQwMC4wLKAqoCiGJmh0dHA6Ly9jcmwuZ29kYWRkeS5jb20vZ2Rp
ZzJzMS0xMTIuY3JsMFMGA1UdIARMMEowSAYLYIZIAYb9bQEHFwEwOTA3BggrBgEF
BQcCARYraHR0cDovL2NlcnRpZmljYXRlcy5nb2RhZGR5LmNvbS9yZXBvc2l0b3J5
LzB2BggrBgEFBQcBAQRqMGgwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmdvZGFk
ZHkuY29tLzBABggrBgEFBQcwAoY0aHR0cDovL2NlcnRpZmljYXRlcy5nb2RhZGR5
LmNvbS9yZXBvc2l0b3J5L2dkaWcyLmNydDAfBgNVHSMEGDAWgBRAwr0njsw0gzCi
M9f7bLPwtCyAzjAfBgNVHREEGDAWggoqLmVhbWMub3JngghlYW1jLm9yZzAdBgNV
HQ4EFgQUIY0IX76FbTAW+vVmjvDyLIu3alMwDQYJKoZIhvcNAQELBQADggEBAAaY
t2a10js8OvkVjULDlQH4JGHj+6gf8yu+FfSH1dTVWxzqhLr8jPJGPG6Ib81fParj
nKh9lVDbuaKELerSt+i7v9E7YAjPc23gx8oAv0vOg9OjutKWbDMrkdSCN9NEdSzU
HB0G4145HmT6Ca/YO9PFwF5VC7WYlJu3wxoW3K/b1LMVs7xN3Hn2MqKc5KsDTkKD
+e2wN2eFP1uDetZC46Bc9lqEOaV00Ti0MjMlmBMnqX2JbDp09IVB6Gd/bIR7YhHA
lOTQYw/NZBf2AOOKpryBly+otv8mK3eHjhKdenT8O88xZpypYvIPhUSDx3SCy0Qb
n6/B2kZI6ZtQlBZqnBY=
-----END CERTIFICATE-----
subject=/OU=Domain Control Validated/CN=*.chainringcircus.org
issuer=/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
---
No client certificate CA names sent
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 1969 bytes and written 373 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: DD3ABB7ABA5E19C9381B356E8E2745ECA9C1E86D59AE46D98F3683707F468B43
    Session-ID-ctx:
    Master-Key: 66F6CBBAE1093686C47C222D9DFFD5D14A8ECC749F61947A7E36FB65B59941A424C48CF23ED93EC19AB492C20D2FF1E7
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 3600 (seconds)
    TLS session ticket:
    0000 - 1b f3 d3 ab 24 9a 4e 81-16 3b ef 64 93 e1 50 7d   ....$.N..;.d..P}
    0010 - db 51 bf ef 14 ee 3c 59-0f a3 2c 4c 4a 41 5b 58   .Q....<Y..,LJA[X
    0020 - 37 d8 ab 7e 43 64 3c 54-31 fb 27 07 16 b5 78 0a   7..~Cd<T1.'...x.
    0030 - 70 ed 90 34 b2 7f 4a 76-8c 43 ea 54 a0 d0 e6 5d   p..4..Jv.C.T...]
    0040 - 51 c7 e3 3c f9 be ef d6-61 e6 23 31 61 f8 c3 14   Q..<....a.#1a...
    0050 - fe 8d 25 04 03 b0 1d 31-11 aa 35 a3 3a 1b 64 d2   ..%....1..5.:.d.
    0060 - 97 32 50 68 c5 77 ac 67-6f 4b 7a 8d be 03 0c 39   .2Ph.w.goKz....9
    0070 - 9f b1 1d 46 70 f0 36 4f-55 b8 48 9b 36 ff 92 b6   ...Fp.6OU.H.6...
    0080 - e0 64 81 92 55 46 db 76-60 f3 55 6a 30 79 a5 89   .d..UF.v`.Uj0y..
    0090 - 3b af 02 9c 7b 2e 12 1e-45 eb 2c 9a fa 62 bb a2   ;...{...E.,..b..

    Start Time: 1489503195
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---
220 securemail.chainringcircus.org ESMTP Postfix
Now test the MySQL lookups Postfix will do for domains and mailboxes.

postmap -q securemail.chainringcircus.org mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf
1
postmap -q securemail.chainringcircus.org mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf
1
postmap -q test.me@securemail.chainringcircus.org mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf
1
postmap -q judson.bishop.gmail.com@securemail.chainringcircus.org mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf
1
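The notes never show the four mysql-*.cf lookup tables that main.cf and the postmap tests above refer to. Here is an added example of mine, not the author's files, that writes them. The file names are the ones main.cf references, the connection values mirror dovecot-sql.conf.ext further down, and the queries are the standard ones for this virtual_domains, virtual_users and virtual_aliases schema; treat the queries as my assumption rather than something the notes state. Because each file carries the database password, it is written mode 0640 owned by root:postfix, which is what the Postfix daemons doing the lookups (running as the postfix user) need and nobody else.

```shell
#!/bin/sh
# Added example, not from the original notes: writes the four Postfix MySQL
# lookup tables that main.cf references. Queries and file layout are my
# assumptions for the schema in the notes, not the author's files.
set -eu

DB_HOST=127.0.0.1
DB_NAME=mailserver
DB_USER=mailuser

# write_map <file> <db-password> <query>
# umask 027 + chmod 640: the DB password is readable by root and the postfix
# group only (the lookups run as the postfix user).
write_map() {
    ( umask 027; printf 'user = %s\npassword = %s\nhosts = %s\ndbname = %s\nquery = %s\n' \
        "$DB_USER" "$2" "$DB_HOST" "$DB_NAME" "$3" > "$1" )
    chmod 640 "$1"
    # root:postfix only succeeds as root on a host with Postfix installed
    chown root:postfix "$1" 2>/dev/null || true
}

# write_postfix_mysql_maps <dir> <db-password>
write_postfix_mysql_maps() {
    mkdir -p "$1"
    # does this domain exist?           (virtual_mailbox_domains)
    write_map "$1/mysql-virtual-mailbox-domains.cf" "$2" \
        "SELECT 1 FROM virtual_domains WHERE name='%s'"
    # does this mailbox exist?          (virtual_mailbox_maps)
    write_map "$1/mysql-virtual-mailbox-maps.cf" "$2" \
        "SELECT 1 FROM virtual_users WHERE email='%s'"
    # alias -> destination              (virtual_alias_maps, first table)
    write_map "$1/mysql-virtual-alias-maps.cf" "$2" \
        "SELECT destination FROM virtual_aliases WHERE source='%s'"
    # identity map so a real mailbox wins over a catch-all alias (second table)
    write_map "$1/mysql-virtual-email2email.cf" "$2" \
        "SELECT email FROM virtual_users WHERE email='%s'"
}

# map_files_ok <dir>: "ok" when all four files exist, carry a query line and
# are mode 0640; otherwise names the first problem found.
map_files_ok() {
    for m in mailbox-domains mailbox-maps alias-maps email2email; do
        f="$1/mysql-virtual-$m.cf"
        [ -f "$f" ]                     || { echo "missing $f"; return 0; }
        grep -q '^query = SELECT ' "$f" || { echo "no-query $f"; return 0; }
        find "$f" -perm 640 | grep -q . || { echo "exposed $f"; return 0; }
    done
    echo ok
}

# Command line: DB_PASS=... sh write-maps.sh /etc/postfix
# With no argument (or when sourced) only the functions are defined.
case ${1:-} in
    "") ;;
    *)  write_postfix_mysql_maps "$1" "${DB_PASS:?set DB_PASS to the mailuser password}"
        map_files_ok "$1" ;;
esac
```

After writing the files, the postmap -q checks above are the right way to confirm both the queries and the grant for mailuser@127.0.0.1: a domain lookup that prints 1 proves the whole chain, and an empty result with nothing in the mail log usually means the password in the .cf file and the one in the GRANT disagree.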
Dovecot Configuration
Add the vmail user.
groupadd -g 5000 vmail
useradd -g vmail -u 5000 vmail -d /var/mail
Change ownership.
chown -R vmail:vmail /var/mail/
chown -R vmail:dovecot /etc/dovecot

Configure the file /etc/dovecot/dovecot.conf.

cat dovecot.conf | egrep -v "#|^$"
protocols = imap pop3 lmtp
!include conf.d/10-auth.conf
!include conf.d/10-ssl.conf
!include conf.d/10-logging.conf
!include conf.d/10-mail.conf
!include conf.d/10-master.conf
This leads to a chain of includes, the first of which is /etc/dovecot/conf.d/10-auth.conf.
cat /etc/dovecot/conf.d/10-auth.conf | egrep -v "#|^$"
disable_plaintext_auth = yes
auth_mechanisms = plain login
!include auth-sql.conf.ext
That include in turn pulls in /etc/dovecot/conf.d/auth-sql.conf.ext, which points the password and user databases at MySQL.
cat conf.d/auth-sql.conf.ext | egrep -v "#|^$"
passdb {
  driver = sql
  args = /etc/dovecot/dovecot-sql.conf.ext
}
userdb {
  driver = static
  args = uid=vmail gid=vmail home=/var/mail/vhosts/%d/%n
}
And finally the arguments for the MySQL query.
cat dovecot-sql.conf.ext | egrep -v "#|^$"
driver = mysql
connect = host=127.0.0.1 dbname=mailserver user=mailuser password=CHANGEME
default_pass_scheme = SHA512-CRYPT
password_query = SELECT email as user, password FROM virtual_users WHERE email='%u';
The file /etc/dovecot/conf.d/10-ssl.conf.
cat /etc/dovecot/conf.d/10-ssl.conf | egrep -v "#|^$"
ssl_cert = </etc/ssl/certs/circuspublic.pem
ssl_key = </etc/ssl/certs/circusprivate-wopassword.pem
In order to figure everything out, I used this file quite a bit. If needed, just read the comments.
cat /etc/dovecot/conf.d/10-logging.conf | egrep -v "#|^$"
log_path = syslog
This is important: mail_location has to match the mailbox layout Postfix was configured with (virtual_mailbox_base = /var/mail/vhosts, one directory per domain and then per user).

cat /etc/dovecot/conf.d/10-mail.conf | egrep -v "#|^$"
mail_location = maildir:/var/mail/vhosts/%d/%n
mail_home = /var/mail/vhosts/%d/%n
namespace inbox {
  inbox = yes
}
mail_privileged_group = mail
first_valid_uid = 1000
mbox_write_locks = fcntl

Finally, this controls which services are started.

cat /etc/dovecot/conf.d/10-master.conf | egrep -v "#|^$"
service imap-login {
  inet_listener imap {
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
service pop3-login {
  inet_listener pop3 {
  }
  inet_listener pop3s {
    port = 995
    ssl = yes
  }
}
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    mode = 0600
    user = postfix
    group = postfix
  }
}
service imap {
}
service pop3 {
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
    user = postfix
    group = postfix
  }
  unix_listener auth-userdb {
    mode = 0600
    user = vmail
  }
  user = dovecot
}
service auth-worker {
}
service dict {
  unix_listener dict {
  }
}
Test that the user resolves.

doveadm user test.me@securemail4.chainringcircus.org
field   value
uid     5000
gid     5000
home    /var/mail/vhosts/securemail4.chainringcircus.org/test.me
mail    maildir:/var/mail/vhosts/securemail4.chainringcircus.org/test.me

Test the install. I am only going to output the certificate once at the bottom, so that you get the idea; otherwise it's just too much text.

openssl s_client -connect 127.0.0.1:imaps

telnet 127.0.0.1 imap
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN AUTH=LOGIN] Dovecot ready.
Test that POP3S works.
openssl s_client -connect 127.0.0.1:pop3s
Check IMAPS.
openssl s_client -connect 127.0.0.1:imaps
CONNECTED(00000003)
depth=0 OU = Domain Control Validated, CN = *.chainringcircus.org
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 OU = Domain Control Validated, CN = *.chainringcircus.org
verify error:num=27:certificate not trusted
verify return:1
depth=0 OU = Domain Control Validated, CN = *.chainringcircus.org
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/OU=Domain Control Validated/CN=*.chainringcircus.org
   i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFGjCCBAKgAwIBAgIJAIxTKDDCrcdfMA0GCSqGSIb3DQEBCwUAMIG0MQswCQYD
VQQGEwJVUzEQMA4GA1UECBMHQXJpem9uYTETMBEGA1UEBxMKU2NvdHRzZGFsZTEa
MBgGA1UEChMRR29EYWRkeS5jb20sIEluYy4xLTArBgNVBAsTJGh0dHA6Ly9jZXJ0
cy5nb2RhZGR5LmNvbS9yZXBvc2l0b3J5LzEzMDEGA1UEAxMqR28gRGFkZHkgU2Vj
dXJlIENlcnRpZmljYXRlIEF1dGhvcml0eSAtIEcyMB4XDTE1MDgyNDE0NDIzOVoX
DTE4MDkwNzE0NTQzOVowODEhMB8GA1UECxMYRG9tYWluIENvbnRyb2wgVmFsaWRh
dGVkMRMwEQYDVQQDDAoqLmVhbWMub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
MIIBCgKCAQEAkkXlK1db90Sb9A6mtUoGmeog06Sy8HjqVjVnAWw/KWFMjWAKyOHX
yvxtLqQWGPZ6i6Px+bZ2PK1qKalt/5bWHv7RQv53mWS+oktUcP/LC4tX39G5C9/N
KBfZUf5/sKcI7urXbAqwW5h3R50GahymBYJ2TXYN1Os6+otSzCQ9PrXKy9HN4Nqg
HCmavGDwxGi6dB9j606Xrf0lk7ZrMSSNPQFQdgKG1JGJplFt04FsfVnRsmDo+17G
i5ecT2H5mNMFX1Im0b8A/b81EUO5RXnrzuKBIdyvCBnwynPsE61zimGSAa6StZbC
AOZHtWocH/LKsGXHmeFrEtTc3CNkqThgLwIDAQABo4IBqDCCAaQwDAYDVR0TAQH/
BAIwADAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDgYDVR0PAQH/BAQD
AgWgMDcGA1UdHwQwMC4wLKAqoCiGJmh0dHA6Ly9jcmwuZ29kYWRkeS5jb20vZ2Rp
ZzJzMS0xMTIuY3JsMFMGA1UdIARMMEowSAYLYIZIAYb9bQEHFwEwOTA3BggrBgEF
BQcCARYraHR0cDovL2NlcnRpZmljYXRlcy5nb2RhZGR5LmNvbS9yZXBvc2l0b3J5
LzB2BggrBgEFBQcBAQRqMGgwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmdvZGFk
ZHkuY29tLzBABggrBgEFBQcwAoY0aHR0cDovL2NlcnRpZmljYXRlcy5nb2RhZGR5
LmNvbS9yZXBvc2l0b3J5L2dkaWcyLmNydDAfBgNVHSMEGDAWgBRAwr0njsw0gzCi
M9f7bLPwtCyAzjAfBgNVHREEGDAWggoqLmVhbWMub3JngghlYW1jLm9yZzAdBgNV
HQ4EFgQUIY0IX76FbTAW+vVmjvDyLIu3alMwDQYJKoZIhvcNAQELBQADggEBAAaY
t2a10js8OvkVjULDlQH4JGHj+6gf8yu+FfSH1dTVWxzqhLr8jPJGPG6Ib81fParj
nKh9lVDbuaKELerSt+i7v9E7YAjPc23gx8oAv0vOg9OjutKWbDMrkdSCN9NEdSzU
HB0G4145HmT6Ca/YO9PFwF5VC7WYlJu3wxoW3K/b1LMVs7xN3Hn2MqKc5KsDTkKD
+e2wN2eFP1uDetZC46Bc9lqEOaV00Ti0MjMlmBMnqX2JbDp09IVB6Gd/bIR7YhHA
lOTQYw/NZBf2AOOKpryBly+otv8mK3eHjhKdenT8O88xZpypYvIPhUSDx3SCy0Qb
n6/B2kZI6ZtQlBZqnBY=
-----END CERTIFICATE-----
subject=/OU=Domain Control Validated/CN=*.chainringcircus.org
issuer=/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
---
No client certificate CA names sent
Server Temp Key: ECDH, secp384r1, 384 bits
---
SSL handshake has read 2001 bytes and written 405 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: A75756A316C964086D57EC8F3858BF4280CDDBB20426F1B0FCEDEDEDD14F8F62
    Session-ID-ctx:
    Master-Key: 4D2C108B898241C2F6D740946FDFF7F20397B852750B5C8999441B0A967537431D2C6465FA628944FACA504A173F45A2
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - f7 de 20 41 d4 27 18 1c-99 a6 4e e6 e9 5c 92 cf   .. A.'....N..\..
    0010 - bb 00 40 23 04 fd 38 74-93 64 17 d2 9d e8 7d 9c   ..@#..8t.d....}.
    0020 - d2 7c 70 26 59 2e bf ec-44 30 c3 de 67 95 d2 c4   .|p&Y...D0..g...
    0030 - 50 58 49 e7 55 4b 1f de-1a 97 1d 10 bb a3 f4 ad   PXI.UK..........
    0040 - 15 8b ef cd 2f c7 3a 47-e9 a0 45 66 1a 60 54 e7   ..../.:G..Ef.`T.
    0050 - 7f 92 1a 47 53 0b 39 b2-6e fb cb 78 ab 98 be dd   ...GS.9.n..x....
    0060 - 01 c9 a1 04 fd 8d b7 98-ae 1b a8 c2 1e b1 46 cc   ..............F.
    0070 - e7 dc de 8f 1f e8 1a 73-8f a2 70 39 6a c6 f5 03   .......s..p9j...
    0080 - a7 a8 99 8b 9e c2 81 3a-83 25 12 33 5e 0d ff 38   .......:.%.3^..8
    0090 - ba 5b 8a d2 13 80 17 4b-5d b2 c1 52 32 66 2f 41   .[.....K]..R2f/A

    Start Time: 1488919043
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN] Dovecot ready.
This bit me and took me a couple of hours to find. Go ahead and check it: the socket in Postfix's virtual_transport (a relative path, resolved under queue_directory, /var/spool/postfix) has to be the same file as the unix_listener that Dovecot's lmtp service creates.

postconf | grep dovecot-lmtp
virtual_transport = lmtp:unix:private/dovecot-lmtp
doveconf | grep dovecot-lmtp
    unix_listener /var/spool/postfix/private/dovecot-lmtp {
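The check above, plus the mail_location point from the 10-mail.conf section, as one script. This is an added example of mine, not from the original notes: it resolves the Postfix transport to an absolute socket path, pulls the path out of Dovecot's unix_listener line, confirms lmtp is actually listed in Dovecot's protocols (without that the listener never opens, whatever 10-master.conf says), and prints a single verdict. The values at the top are constructed from the notes; the commented live invocation uses the real postconf and doveconf.

```shell
#!/bin/sh
# Added example, not from the original notes: cross-check the LMTP wiring
# between Postfix and Dovecot from the lines the notes grep for, plus the
# protocols line that decides whether Dovecot opens an LMTP listener at all.
# The sample values below are constructed from the notes.
set -eu

POSTFIX_QDIR=/var/spool/postfix
POSTFIX_TRANSPORT='virtual_transport = lmtp:unix:private/dovecot-lmtp'
DOVECOT_LISTENER='    unix_listener /var/spool/postfix/private/dovecot-lmtp {'
DOVECOT_PROTOCOLS='protocols = imap pop3 lmtp'

# value_of "<key> = <value>": the part after the first "=", trimmed
# (a bare value without "key =" is returned unchanged)
value_of() {
    v=${1#*=}
    printf '%s\n' "$v" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//'
}

# postfix_lmtp_socket <queue_directory> "<virtual_transport line>"
# "lmtp:unix:private/dovecot-lmtp" names a socket relative to queue_directory;
# an absolute path is used as given.
postfix_lmtp_socket() {
    t=$(value_of "$2")
    case $t in
        lmtp:unix:/*) printf '%s\n' "${t#lmtp:unix:}" ;;
        lmtp:unix:*)  printf '%s/%s\n' "$1" "${t#lmtp:unix:}" ;;
        *) echo "not a unix-socket LMTP transport: $t" >&2; return 1 ;;
    esac
}

# dovecot_lmtp_socket "<doveconf lines>": the path from "unix_listener <path> {"
dovecot_lmtp_socket() {
    printf '%s\n' "$1" \
      | sed -n 's/^[[:space:]]*unix_listener[[:space:]]\{1,\}\([^[:space:]{]\{1,\}\).*/\1/p' \
      | head -n 1
}

# dovecot_serves_lmtp "<protocols line>": yes/no
dovecot_serves_lmtp() {
    case " $(value_of "$1") " in
        *" lmtp "*) echo yes ;;
        *)          echo no ;;
    esac
}

# lmtp_wiring_verdict <qdir> "<virtual_transport>" "<doveconf lines>" "<protocols>"
lmtp_wiring_verdict() {
    if ! p=$(postfix_lmtp_socket "$1" "$2"); then echo bad-transport; return 0; fi
    d=$(dovecot_lmtp_socket "$3")
    if [ "$(dovecot_serves_lmtp "$4")" != yes ]; then echo lmtp-not-in-protocols
    elif [ -z "$d" ]; then echo no-dovecot-listener
    elif [ "$p" != "$d" ]; then echo "mismatch $p vs $d"
    else echo "ok $p"
    fi
}

# Demo on the constructed values. Live version, run on the mail host:
#   lmtp_wiring_verdict "$(postconf -h queue_directory)" "$(postconf virtual_transport)" \
#       "$(doveconf | grep 'unix_listener.*dovecot-lmtp')" "$(doveconf protocols)"
lmtp_wiring_verdict "$POSTFIX_QDIR" "$POSTFIX_TRANSPORT" "$DOVECOT_LISTENER" "$DOVECOT_PROTOCOLS"
```

With the values from the notes it prints `ok /var/spool/postfix/private/dovecot-lmtp`. A `mismatch` verdict is the symptom described above (Postfix queues mail with a "connect to ... No such file or directory" style deferral while Dovecot looks healthy); `lmtp-not-in-protocols` is the quieter failure where the listener block exists but is never started.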
At this point I installed Thunderbird and tested sending and receiving email.
Enable SSL for Apache.
First go through and remove (or comment out) all of the Listen directives in the Apache configuration files, leaving only the one in the securemail virtual host below. If you don't, it will come back to bite you.

grep -ir Listen /etc/httpd
/etc/httpd/conf/httpd.conf:# Listen: Allows you to bind Apache to specific IP addresses and/or
/etc/httpd/conf/httpd.conf:# Change this to Listen on specific IP addresses as shown below to
/etc/httpd/conf/httpd.conf:#Listen 12.34.56.78:80
/etc/httpd/conf/httpd.conf:#Listen 80
/etc/httpd/conf.d/securemail.conf:Listen 192.168.1.1:443
/etc/httpd/conf.d/ssl.conf:# When we also provide SSL we have to listen to the
/etc/httpd/conf.d/ssl.conf:#Listen 12.34.56.78:443 https
The only things I changed in the main httpd.conf were to comment out the Listen directives for port 80 and to change the DocumentRoot. For now we just want Apache up and running with SSL; RoundCube comes later. From /etc/httpd/conf/httpd.conf:

DocumentRoot "/var/www/html/roundcubemail-1.2.3"
#Listen 12.34.56.78:80
#Listen 80
Next I commented out all the SSL certificate stuff in /etc/httpd/conf.d/ssl.conf.
cat ssl.conf | grep SSLC
#   Use "SSLCryptoDevice" to enable any supported hardware
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA
#SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5
#SSLCertificateFile /etc/pki/tls/certs/localhost.crt
#SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
#SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
Set up the securemail virtual host with the SSL certificate and key you extracted for Dovecot.

cat /etc/httpd/conf.d/securemail.conf
LoadModule ssl_module modules/mod_ssl.so
Listen 172.22.226.218:443
<VirtualHost *:443>
    ServerName securemail4.chainringcircus.org
    SSLEngine on
    SSLCertificateFile "/etc/ssl/certs/circuspublic.pem"
    SSLCertificateKeyFile "/etc/ssl/certs/circusprivate-wopassword.pem"
</VirtualHost>
Restart Apache.
systemctl restart httpd
Browse to the web server, https://securemail.chainringcircus.org.
Install RoundCube.
First set the timezone for PHP in /etc/php.ini, the list is here.
date.timezone = America/Chicago
Create the database for RoundCube.
mysql -u root -p <mariadb.create.roundcube
Enter password:

cat mariadb.create.roundcube
CREATE DATABASE roundcubemail;
GRANT ALL PRIVILEGES ON roundcubemail.* TO mail@localhost IDENTIFIED BY 'CHANGEME';
FLUSH PRIVILEGES;
Start the RoundCube install.
mv roundcubemail-1.2.3-complete.tar.gz /var/www/html/
cd /var/www/html/
tar -xvzf roundcubemail-1.2.3-complete.tar.gz
Browse to the configuration web site.
https://securemail.chainringcircus.org/roundcubemail-1.2.3/installer/
The installer will complain about a number of missing PHP modules and extensions; install these to clear the warnings. If you do not have all of these RPMs available, see the step near the top about enabling the optional packages repo for RHEL.

yum install -y php-xml php-mysql php-pdo php-mbstring php-intl php-ldap
systemctl restart httpd
SecureMail
Edit the file /etc/postfix/master.cf.

filter    unix  -       n       n       -       10      pipe
  flags=Rq user=filter argv=/usr/local/bin/secure-parse.multiple -f ${sender} -- ${recipient}
Sources.
http://linux.m2osw.com/setting-postfixcourier-godaddy-ssl-certificate
https://www.godaddy.com/help/apache-install-a-certificate-centos-5238
https://www.rosehosting.com/blog/set-up-ssl-encrypted-connection-in-postfix-dovecot-and-apache/
https://github.com/roundcube/roundcubemail/wiki/Installation
http://www.tecmint.com/create-apache-https-self-signed-certificate-using-nss/
http://www.tecmint.com/setup-postfix-mail-server-and-dovecot-with-mariadb-in-centos/
http://www.tecmint.com/install-and-configure-roundcube-webmail-for-postfix-mail-server/
http://wiki.dovecot.org/TestInstallation
https://www.markbrilman.nl/2011/08/howto-convert-a-pfx-to-a-seperate-key-crt-file/
https://www.linode.com/docs/email/postfix/email-with-postfix-dovecot-and-mariadb-on-centos-7
https://debian-administration.org/article/275/Setting_up_an_IMAP_server_with_dovecot
http://www.postfix.org/TLS_README.html
https://www.linode.com/docs/email/postfix/email-with-postfix-dovecot-and-mysql