Postfix, Dovecot and SSL on Debian

By default, Postfix, the SMTP server, does not enable SSL and does not handle authentication either.

ISPConfig enables authentication through Dovecot during installation but does not enable SSL. We are going to change all that.

1) Postfix configuration

To start, open the file /etc/postfix/master.cf. The submission and smtps sections must be identical to this:

```
[...]
submission inet n - - - - smtpd
 -o syslog_name=postfix/submission
 -o smtpd_tls_security_level=encrypt
 -o smtpd_sasl_auth_enable=yes
 -o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=
# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
smtps inet n - - - - smtpd
 -o syslog_name=postfix/smtps
 -o smtpd_tls_wrappermode=yes
 -o smtpd_sasl_auth_enable=yes
 -o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=
# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
[...]
```

This enables the smtps and ESMTP (submission) services, both of which use SSL/TLS.

Next, open the file /etc/postfix/main.cf. Here is what my main.cf looks like:

```
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)

biff = no

append_dot_mydomain = no

delay_warning_time = 1h

readme_directory = no

# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
# fresh installs.
compatibility_level = 2

# TLS settings
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_sasl_security_options = noanonymous
smtpd_tls_auth_only = yes
smtp_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_key_file = /etc/letsencrypt/live/memodugeek.info/privkey.pem
smtpd_tls_cert_file = /etc/letsencrypt/live/memodugeek.info/cert.pem
smtpd_tls_CAfile = /etc/letsencrypt/live/memodugeek.info/chain.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
smtpd_tls_security_level = may
smtp_tls_security_level = may
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2,!SSLv3
smtp_tls_protocols = !SSLv2,!SSLv3
smtpd_tls_exclude_ciphers = RC4, aNULL
smtp_tls_exclude_ciphers = RC4, aNULL

# Restrictions
smtpd_restriction_classes = greylisting
smtpd_sender_restrictions = check_sender_access regexp:/etc/postfix/tag_as_originating.re , permit_mynetworks, permit_sasl_authenticated, check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf, check_sender_access regexp:/etc/postfix/tag_as_foreign.re
smtpd_client_restrictions = check_client_access mysql:/etc/postfix/mysql-virtual_client.cf
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_rbl_client zen.spamhaus.org, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, check_recipient_access mysql:/etc/postfix/mysql-virtual_policy_greylist.cf
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
smtpd_helo_restrictions = permit_sasl_authenticated, permit_mynetworks, check_helo_access regexp:/etc/postfix/helo_access, reject_invalid_hostname, reject_non_fqdn_hostname, reject_invalid_helo_hostname, reject_unknown_helo_hostname, check_helo_access regexp:/etc/postfix/blacklist_helo


myhostname = ns378077.ip-37-59-39.eu
alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
alias_database = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
myorigin = /etc/mailname
mydestination = ns378077.ip-37-59-39.eu, localhost, localhost.localdomain
relayhost =
mynetworks = 127.0.0.0/8 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all

virtual_alias_domains =
virtual_alias_maps = hash:/var/lib/mailman/data/virtual-mailman, proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, proxy:mysql:/etc/postfix/mysql-virtual_email2email.cf
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
virtual_mailbox_base = /var/vmail
virtual_uid_maps = mysql:/etc/postfix/mysql-virtual_uids.cf
virtual_gid_maps = mysql:/etc/postfix/mysql-virtual_gids.cf
sender_bcc_maps = proxy:mysql:/etc/postfix/mysql-virtual_outgoing_bcc.cf

# sasl
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_authenticated_header = yes

greylisting = check_policy_service inet:127.0.0.1:10023

transport_maps = hash:/var/lib/mailman/data/transport-mailman, proxy:mysql:/etc/postfix/mysql-virtual_transports.cf
relay_domains = mysql:/etc/postfix/mysql-virtual_relaydomains.cf
relay_recipient_maps = mysql:/etc/postfix/mysql-virtual_relayrecipientmaps.cf
smtpd_sender_login_maps = proxy:mysql:/etc/postfix/mysql-virtual_sender_login_maps.cf
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $sender_bcc_maps $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps
smtpd_helo_required = yes

smtpd_client_message_rate_limit = 100
maildrop_destination_concurrency_limit = 1
maildrop_destination_recipient_limit = 1

header_checks = regexp:/etc/postfix/header_checks
mime_header_checks = regexp:/etc/postfix/mime_header_checks
nested_header_checks = regexp:/etc/postfix/nested_header_checks
body_checks = regexp:/etc/postfix/body_checks
owner_request_special = no

# Dovecot
dovecot_destination_recipient_limit = 1
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
virtual_transport = dovecot

content_filter = amavis:[127.0.0.1]:10024
receive_override_options = no_address_mappings
```

This is a main.cf that I have tidied up, because the stock file is a mess with no logic to where the options are placed. Detailing every option in this file would be far too long, since 90% of them are there by default after installing Postfix and then ISPConfig, and I have only looked up the meaning of a few of them.

If you want to know what each option does, I refer you to this page, which is a French translation of the Postfix documentation.

For what concerns us here, SSL, only the “TLS settings” block matters. Some of these lines are already present after installing Postfix + ISPConfig. Remember to change the smtpd_tls_key_file, smtpd_tls_cert_file and smtpd_tls_CAfile lines if, like me, you want to use the Let’s Encrypt certificate instead of the original ones.

Restart Postfix, open ports 465 (smtps) and 587 (submission, an improved version of the SMTP protocol that uses STARTTLS), and it should work.
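Before restarting, it is worth checking that the “TLS settings” block really contains the values above. The following POSIX shell script is an added example, not part of the original post: it lints a main.cf for smtpd_tls_auth_only, the SSLv2/SSLv3 exclusions, the aNULL cipher exclusion and the three certificate paths. The awk-based parser, the hypothetical audit_main_cf/pf_get names and the example.org certificate paths in the constructed sample are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post: lint a Postfix main.cf against the
# TLS settings the post relies on. Assumes one "key = value" per line, last wins.

# pf_get FILE PARAM -> print the value of PARAM ("" if unset or commented out)
pf_get() {
    awk -v p="$2" '/^[[:space:]]*#/ { next }
        { i = index($0, "="); if (i == 0) next; k = substr($0, 1, i - 1); gsub(/[[:space:]]/, "", k)
          if (k == p) { v = substr($0, i + 1); gsub(/^[[:space:]]+|[[:space:]]+$/, "", v) } }
        END { print v }' "$1"
}
fail() { echo "FAIL: $1"; n=$((n + 1)); }   # record one finding

# audit_main_cf FILE -> one finding per line; exit status = number of findings
audit_main_cf() {
    f=$1; n=0
    # SASL AUTH must only be offered inside TLS, so passwords never cross the wire in clear
    [ "$(pf_get "$f" smtpd_tls_auth_only)" = yes ] || fail "smtpd_tls_auth_only is not yes"
    case "$(pf_get "$f" smtpd_tls_security_level)" in
        may | encrypt) ;; *) fail "smtpd_tls_security_level does not enable TLS" ;;
    esac
    for p in smtpd_tls_protocols smtpd_tls_mandatory_protocols smtp_tls_protocols; do
        case "$(pf_get "$f" "$p")" in
            *'!SSLv2'*'!SSLv3'* | *'!SSLv3'*'!SSLv2'*) ;; *) fail "$p does not exclude SSLv2 and SSLv3" ;;
        esac
    done
    for p in smtpd_tls_exclude_ciphers smtp_tls_exclude_ciphers; do  # aNULL = no server authentication
        case "$(pf_get "$f" "$p")" in
            *aNULL*) ;; *) fail "$p does not exclude aNULL" ;;
        esac
    done
    for p in smtpd_tls_key_file smtpd_tls_cert_file smtpd_tls_CAfile; do
        [ -n "$(pf_get "$f" "$p")" ] || fail "$p is not set"
    done
    return $n
}

# Constructed sample: the post's TLS block with placeholder certificate paths
HARDENED=$(mktemp)
cat > "$HARDENED" <<'EOF'
smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/letsencrypt/live/example.org/privkey.pem
smtpd_tls_cert_file = /etc/letsencrypt/live/example.org/cert.pem
smtpd_tls_CAfile = /etc/letsencrypt/live/example.org/chain.pem
smtpd_tls_security_level = may
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2,!SSLv3
smtp_tls_protocols = !SSLv2,!SSLv3
smtpd_tls_exclude_ciphers = RC4, aNULL
smtp_tls_exclude_ciphers = RC4, aNULL
EOF
```

Run `audit_main_cf /etc/postfix/main.cf` on the real file; a clean file prints nothing and exits 0, while a stock Debian main.cf (snakeoil certificate, no smtpd_tls_auth_only, no protocol exclusions) lists each missing setting.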

2) Dovecot configuration

On to Dovecot, the POP server. Dovecot has SSL enabled by default after installing Dovecot + ISPConfig. As with Postfix, if you want to replace the certificates with the Let’s Encrypt ones, open the file /etc/dovecot/dovecot.conf and edit the ssl_cert and ssl_key lines.

All that remains is to restart Dovecot and open port 995.
