In the current setup of the basic mailserver all communication between your server and the end user's mail client is unencrypted, so usernames and passwords can be captured by anyone on the network path between the two. This can be prevented with TLS (the successor to SSL), which encrypts all traffic between client and server and so puts an end to passive snooping of credentials. Keep in mind that encryption on its own only stops eavesdropping; protection against an active man-in-the-middle depends on the client actually verifying the server's certificate, which is where the self-signed certificates used below need some care.

Normally you would buy an SSL certificate from a commercial CA such as Thawte or Verisign, but as we are building a server on the cheap we are going to create our own self-signed certificate. The drawback of a self-signed certificate is that users explicitly have to accept it the first time, whereas a certificate from a public CA is already trusted by most email clients by default. For instance, the first time they send email via your secure server they will be asked to accept your certificate. When using Mail.app in OS X they will get the following warning:

Unable to verify certificate

They need to press Continue and from then on your certificate is accepted and they won't be asked again. Be aware that this also trains your users to click through certificate warnings. It is safer to have them inspect the certificate first and compare its fingerprint with one you have given them out of band, or to import the certificate into their trust store, so that a different certificate presented by a man-in-the-middle is still flagged instead of being waved through as just another warning.

Just open a Terminal and execute the following command in the directory ‘/etc/postfix‘:

sudo openssl req -new -outform PEM -out smtpd.cert \
    -newkey rsa:2048 -nodes -keyout smtpd.key -keyform PEM \
    -days 365 -x509

This creates a 2048-bit RSA key (‘smtpd.key‘) and a self-signed certificate (‘smtpd.cert‘), which is, for now, strong enough for your mailserver. If you want a bigger key just increase the number after rsa:. The certificate is valid for a year; if you want a longer period increase the number after the -days option, but remember that a self-signed certificate is never revoked by anyone but you, so a very long lifetime means a very long exposure if the key is ever compromised. The -nodes option writes the private key unencrypted so that Postfix can start without a passphrase; make sure ‘smtpd.key‘ is owned by root and readable by nobody else (mode 0600). When the key has been generated you will be asked a couple of questions. The answers end up in the certificate and are shown to people who want to inspect it when their mail client complains. The most important one is the ‘Common Name‘: make sure it is exactly the hostname users enter in their mail client, otherwise every connection produces a name mismatch error. Recent TLS clients check the subjectAltName extension rather than the Common Name, so with OpenSSL 1.1.1 or later it is worth adding -addext "subjectAltName = DNS:your.mailserver.tld" to the command above as well.

Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:your.mailserver.tld
Email Address []:you@yourdomain.tld


Configuring Postfix

Now you can configure Postfix to use the certificate and offer STARTTLS to email clients. Add the following lines to the configuration file ‘main.cf‘ in ‘/etc/postfix‘. Note that with smtpd_enforce_tls = no TLS is opportunistic, not enforced: a client that supports STARTTLS gets an encrypted session, but a client that does not (or whose STARTTLS advertisement has been stripped by an attacker on the path) still talks plaintext, and a password sent over that session is exposed exactly as before. Enforcing TLS on port 25 is not the answer, because other mail servers delivering to you are not required to support it; the usual solution is a separate submission port for your own users with TLS mandatory there, combined with smtpd_tls_auth_only = yes so that AUTH is never offered before the session is encrypted. Also note that smtpd_use_tls and smtpd_enforce_tls are the legacy parameter names; Postfix 2.3 and later replace both with smtpd_tls_security_level.

smtpd_enforce_tls = no
smtpd_tls_loglevel = 1
smtpd_use_tls = yes
smtpd_tls_key_file = /etc/postfix/smtpd.key
smtpd_tls_cert_file = /etc/postfix/smtpd.cert
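The settings above only offer TLS; they do not stop a client from authenticating in the clear, and they use parameter names that Postfix has since superseded. The fragment below is an added example, not the configuration from the original page, showing the weak settings next to a corrected version for Postfix 2.3 or later. The submission stanza assumes the standard ‘master.cf‘ column layout and that SMTP AUTH (SASL) was set up in an earlier part of this series; drop the smtpd_sasl_auth_enable line if it was not.

```text
# /etc/postfix/main.cf -- the page's settings: opportunistic TLS only,
# passwords can still be sent before STARTTLS
smtpd_use_tls = yes
smtpd_enforce_tls = no
smtpd_tls_key_file = /etc/postfix/smtpd.key
smtpd_tls_cert_file = /etc/postfix/smtpd.cert

# /etc/postfix/main.cf -- corrected (Postfix 2.3+): port 25 stays opportunistic
# because other MTAs may not do TLS, but AUTH is never offered in the clear
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_loglevel = 1
smtpd_tls_key_file = /etc/postfix/smtpd.key
smtpd_tls_cert_file = /etc/postfix/smtpd.cert

# /etc/postfix/master.cf -- a separate submission port (587) for your own users,
# where TLS is mandatory: a client that does not negotiate STARTTLS is refused
# instead of silently falling back to plaintext
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
```

After editing both files run ‘sudo postfix reload‘ as below. Mail clients should then be pointed at port 587, and port 25 is left for server-to-server delivery.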

Issue the command ‘sudo postfix reload‘ to refresh the configuration of your mail server and you're ready to test it. Start a terminal session and issue the following command:

telnet your.mailserver.tld 25

The server will answer with:

Trying your.mailserver.tld...
Connected to your.mailserver.tld.
Escape character is '^]'.
220 your.mailserver.tld ESMTP Postfix

Then type in:

EHLO your.mailserver.tld

And again your server will answer with its capabilities:

250-your.mailserver.tld
250-PIPELINING
250-SIZE 10240000
250-ETRN
250-STARTTLS
250 8BITMIME

Now it's time to test TLS. Enter:

STARTTLS

and the server should respond with:

220 Ready to start TLS

That tells you STARTTLS is offered, but not much more: telnet cannot continue the handshake, so this test says nothing about whether the certificate presented is the one you generated or whether its name matches what clients will check. To test the encrypted session itself use your favourite email client, or a TLS-aware tool such as openssl s_client with its -starttls smtp option, and look at the certificate it reports.


Configuring Courier IMAP

First you need to set up a configuration file that covers the same questions you answered when generating the SSL certificate for Postfix with the ‘openssl‘ command. It is located in the directory ‘/usr/local/etc‘ and is called ‘imapd.cnf‘. Make it look like this:


RANDFILE = /usr/local/share/imapd.rand
 
[ req ]
default_bits = 2048
encrypt_key = yes
distinguished_name = req_dn
x509_extensions = cert_type
prompt = no
 
[ req_dn ]
C=Your Country
ST=State or Province
L=City
O=Courier Mail Server
OU=Automatically-generated IMAP SSL key
CN=your.mailserver.tld
emailAddress=you@yourdomain.tld
 
[ cert_type ]
nsCertType = server

You must change the common name (CN) to the fully qualified hostname assigned to the IP address Courier IMAP will be listening on, or you will receive a certificate mismatch error when connecting with an IMAP and SSL capable mail client. The remaining fields, Country (C), State (ST), Location (L), Organization (O), Organizational Unit (OU), and emailAddress are self-explanatory and need not be specific values. As with the Postfix certificate, the ‘cert_type‘ section above adds no subjectAltName, so a client that insists on one will reject the certificate even though the CN matches; if that happens, add a subjectAltName entry to ‘cert_type‘ before generating the certificate.

When you are happy with the values you have chosen, go to the directory ‘/usr/local/share‘ and run ‘sudo mkimapdcert‘ to generate a new certificate. Make sure you remove the existing ‘imapd.pem‘ first, or the script will refuse to overwrite it and no new certificate will be created. The resulting ‘imapd.pem‘ contains both the private key and the certificate in one file, so keep it readable by root only.

You will notice that the generated certificate will expire in one year. If you need more time, you can modify ‘mkimapdcert‘ directly, as it is just a shell script. You can increase the number of days to a value you find more reasonable.

Next comes the configuration file of the Courier IMAP daemon, located in the directory ‘/usr/local/etc‘ and called ‘imapd-ssl‘. Note that this is not the same file as the plain IMAP configuration file ‘imapd‘; the two are read by different programs. Edit the ‘imapd-ssl‘ file so that the options look like the list below. Two values deserve attention. IMAP_TLS_REQUIRED=0 lets clients log in over plain IMAP on port 143 without ever issuing STARTTLS, which is exactly the password exposure this page sets out to remove; once all your users' clients are configured for TLS, set it to 1 so that the server refuses a LOGIN before STARTTLS. TLS_PROTOCOL=SSL23 reflects the OpenSSL of the time and, on older builds, still allows the obsolete SSLv2 and SSLv3 handshakes; check the couriertls man page of your build for a TLS-only value and use that instead.

SSLPORT=993
SSLADDRESS=0
SSLPIDFILE=/var/run/imapd-ssl.pid
SSLLOGGEROPTS="-name=imapd-ssl"
IMAPDSSLSTART=NO
IMAPDSTARTTLS=YES
IMAP_TLS_REQUIRED=0
COURIERTLS=/usr/local/bin/couriertls
TLS_PROTOCOL=SSL23
TLS_STARTTLS_PROTOCOL=TLS1
TLS_CERTFILE=/usr/local/share/imapd.pem
TLS_VERIFYPEER=NONE
TLS_CACHEFILE=/usr/local/var/couriersslcache
TLS_CACHESIZE=524288
MAILDIRPATH=/usr/local/virtual

Please don't forget to change the startup script you created earlier: use /usr/local/libexec/imapd-ssl.rc instead of the normal /usr/local/libexec/imapd.rc so that the TLS listener on port 993 is started. Keep in mind that imapd-ssl.rc only starts the port 993 listener; if you also want STARTTLS on the plain port 143 (the IMAPDSTARTTLS=YES setting above), imapd.rc has to be started alongside it, and then the IMAP_TLS_REQUIRED setting decides whether a plaintext login on that port is still accepted.
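The telnet test for Postfix above only shows that STARTTLS is advertised, and there is no test at all for the Courier setup. Below is an added example, not part of the original page, that checks both services the way a mail client would: it reads the capability list each server advertises before TLS and flags the two mistakes this page warns about (AUTH offered before STARTTLS on SMTP, LOGIN allowed before STARTTLS on IMAP), then performs STARTTLS with full certificate and hostname verification against the self-signed certificate file you generated, and reports whether that certificate carries a DNS subjectAltName. The two sample EHLO replies are embedded as test input; the first is the reply shown on this page, the second is constructed. The cafile arguments are assumed to hold only a certificate, so for Courier copy the certificate block out of ‘imapd.pem‘ into a separate file first; the file names in the usage comment are placeholders.

```python
"""Check a mail server's STARTTLS the way a client would: offline helpers assess the EHLO and
CAPABILITY lists a server advertises before TLS, and the probe_* functions connect to a real
server and verify its certificate against the self-signed file you generated."""
import imaplib
import smtplib
import ssl
import sys

# Sample EHLO replies. The first is the reply shown on this page; the second is constructed
# to show a server that (wrongly) advertises AUTH before the session is encrypted.
PAGE_EHLO_REPLY = """250-your.mailserver.tld
250-PIPELINING
250-SIZE 10240000
250-ETRN
250-STARTTLS
250 8BITMIME"""
WEAK_EHLO_REPLY = """250-your.mailserver.tld
250-PIPELINING
250-AUTH PLAIN LOGIN
250-STARTTLS
250 8BITMIME"""


def parse_ehlo(text):
    """Turn a multi-line EHLO reply ('250-KEYWORD params' ... '250 LAST') into {KEYWORD: params}."""
    replies = [line.strip()[4:].strip() for line in text.splitlines()
               if line.strip().startswith("250")]
    features = {}
    for body in replies[1:]:  # replies[0] is the server's own name, not a feature
        keyword, _, params = body.partition(" ")
        if keyword:
            features[keyword.upper()] = params.strip()
    return features


def assess_smtp(plain_features):
    """Findings from the EHLO features seen BEFORE STARTTLS (keys upper-case)."""
    findings = []
    if "STARTTLS" not in plain_features:
        findings.append("STARTTLS not advertised: client sessions, AUTH included, stay plaintext")
    if "AUTH" in plain_features:
        findings.append("AUTH offered before STARTTLS: a client may send its password in the clear "
                        "(Postfix: smtpd_tls_auth_only = yes)")
    return findings


def assess_imap(plain_capabilities):
    """Findings from the CAPABILITY list seen BEFORE STARTTLS (RFC 3501 semantics)."""
    caps = {c.upper() for c in plain_capabilities}
    if "STARTTLS" not in caps:
        return ["STARTTLS not advertised on the plain IMAP port"]
    if "LOGINDISABLED" not in caps:  # without it the server accepts LOGIN over plaintext
        return ["LOGIN accepted before STARTTLS: plaintext passwords allowed (Courier: IMAP_TLS_REQUIRED=1)"]
    return []


def cert_summary(cert):
    """Summarise an ssl getpeercert() dict: CN, DNS SANs, expiry, and whether a DNS SAN is missing."""
    cns = [value for rdn in cert.get("subject", ()) for key, value in rdn if key == "commonName"]
    sans = [value for key, value in cert.get("subjectAltName", ()) if key == "DNS"]
    return {"cn": cns[0] if cns else None, "dns_sans": sans, "not_after": cert.get("notAfter"),
            "missing_san": not sans}  # clients that ignore the CN reject a cert with no DNS SAN


def tls_context(cafile):
    """Trust only the server's certificate (copied out of band) and verify the hostname against it."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def probe_smtp(host, cafile, port=25, timeout=10):
    """EHLO in the clear, STARTTLS with full certificate verification, then read the peer cert."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        findings = assess_smtp({k.upper(): v for k, v in smtp.esmtp_features.items()})
        smtp.starttls(context=tls_context(cafile))  # raises SSLCertVerificationError on a mismatch
        return findings, cert_summary(smtp.sock.getpeercert())


def probe_imap(host, cafile, port=143, timeout=10):
    """CAPABILITY in the clear, then STARTTLS with certificate and hostname verification."""
    imap = imaplib.IMAP4(host, port, timeout=timeout)  # the timeout argument needs Python 3.9+
    findings = assess_imap(imap.capabilities)
    imap.starttls(ssl_context=tls_context(cafile))  # raises if the certificate or name does not verify
    summary = cert_summary(imap.sock.getpeercert())
    imap.logout()
    return findings, summary


if __name__ == "__main__":
    # Hypothetical invocation: python3 mailtls_probe.py your.mailserver.tld smtpd.cert imapd.crt
    server, smtp_cert, imap_cert = sys.argv[1:4]
    for name, (findings, summary) in (("SMTP", probe_smtp(server, smtp_cert)),
                                      ("IMAP", probe_imap(server, imap_cert))):
        print(name, summary)
        for finding in findings:
            print("  !", finding)
```

Run it against the server after each change: an exception from starttls() means the certificate does not verify (wrong file, expired, or a name that does not match the host you connected to), and a "missing_san" of True explains why a recent client may still refuse a certificate whose CN is correct.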

Next step: Installing Roundcube for webmail