Hello guys and girls out there,
in this little HowTo, I’m gonna tell you some nice things to make your mail server even more secure!
This HowTo is based on postfix, dovecot (and Roundcube and amavisd-new) and I assume you have a running mail server!
Updated as of July 2015
At the moment of writing I’m using
Postfix v2.11.0
Dovecot v2.2.9
Roundcube v1.1.2
amavisd-new v2.7.1
You can see your versions by using these commands:
postconf -d | grep mail_version
dovecot --version
aptitude versions amavisd-new
(Roundcube -> About in the upper left corner)
Disable IMAP protocol and force IMAPS
Older versions of dovecot had a protocols list in the file
/etc/dovecot/dovecot.conf
If you find an entry called protocols, make sure it is uncommented, remove imap from it and add imaps.
(I would recommend that you don’t use pop3 or pop3s anymore!)
However, in newer versions there is just an include specified by the entry
!include_try /usr/share/dovecot/protocols.d/*.protocol
(If you want to disable pop3 and pop3s make sure to delete /usr/share/dovecot/protocols.d/pop3d.protocol ;))
Okay, we could just ignore the warnings and add our own protocols entry, the way older Dovecot versions did. That results in a warning like this
Jul 17 22:01:22 dustplanet dovecot: config: Warning: Obsolete setting in /etc/dovecot/dovecot.conf:104: 'imaps' protocol can no longer be specified (use protocols=imap). to disable non-ssl imap, use service imap-login { inet_listener imap { port=0 } }
Now we get a hint!
Navigate to
/etc/dovecot/conf.d/10-master.conf
and change the port of the inet_listener imap to 0
service imap-login {
  inet_listener imap {
    port = 0
  }
  ...
}
Now restart your dovecot via
service dovecot restart
And test that your server responds via SSL/TLS and port 993 and refuses port 143
telnet mail.example.com 143
telnet mail.example.com 993
Force encryption of SMTP and SMTPD
This one is easy: you just need to change two values in your Postfix configuration with postconf
postconf -e smtpd_tls_security_level=encrypt
postconf -e smtp_tls_security_level=encrypt
postfix reload
Now if you test port 25 you should get a warning to issue a STARTTLS command
telnet mail.example.com 25
MAIL FROM:[email protected]
Mailserver responds with
530 5.7.0 Must issue a STARTTLS command first
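To check both changes from the outside without reading telnet output by hand, here is an added Python probe (my own example, not part of the original post). It confirms that nothing accepts a connection on the plaintext IMAP port, then walks the SMTP exchange shown above: EHLO must advertise STARTTLS, and MAIL FROM must be answered with 530 while the session is still in the clear. The host names and ports are placeholders, and the _FakeEncryptOnlySmtpd class is a constructed stand-in for a Postfix at security level "encrypt" so the probe can be exercised offline.

```python
import socket
import socketserver
import threading


def plain_port_refused(host, port, timeout=5.0):
    """True when nothing accepts TCP on host:port, which is what
    'inet_listener imap { port = 0 }' should produce for port 143."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return False          # something answered: plaintext IMAP is still listening
    except OSError:               # ECONNREFUSED, timeout, host unreachable
        return True


def _read_reply(rfile):
    """Read one SMTP reply; multi-line replies use '250-' continuation lines."""
    lines = []
    while True:
        raw = rfile.readline()
        if not raw:
            raise ConnectionError("server closed the connection")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        if len(line) < 3 or not line[:3].isdigit():
            raise RuntimeError(f"malformed SMTP reply: {line!r}")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":
            return int(line[:3]), lines


def smtp_requires_starttls(host, port=25, helo="probe.example.invalid", timeout=10.0):
    """Return (advertises_starttls, rejects_mail_before_tls).

    A Postfix with smtpd_tls_security_level=encrypt lists STARTTLS in its
    EHLO reply and answers MAIL FROM with 530 until TLS has been negotiated."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        rfile = sock.makefile("rb")
        code, _ = _read_reply(rfile)
        if code != 220:
            raise RuntimeError(f"unexpected greeting code {code}")
        sock.sendall(f"EHLO {helo}\r\n".encode("ascii"))
        code, caps = _read_reply(rfile)
        advertises = any(c[4:].upper().startswith("STARTTLS") for c in caps)
        sock.sendall(b"MAIL FROM:<probe@example.invalid>\r\n")   # deliberately before STARTTLS
        code, _ = _read_reply(rfile)
        sock.sendall(b"QUIT\r\n")
        return advertises, code == 530


class _FakeEncryptOnlySmtpd(socketserver.StreamRequestHandler):
    """Constructed stand-in for a Postfix smtpd at security level 'encrypt',
    used only so the probe can be run offline. Not a real server."""

    def handle(self):
        self.wfile.write(b"220 mail.example.invalid ESMTP Postfix\r\n")
        for raw in self.rfile:
            cmd = raw.decode("ascii", "replace").strip().upper()
            if cmd.startswith("EHLO"):
                self.wfile.write(b"250-mail.example.invalid\r\n250-STARTTLS\r\n250 8BITMIME\r\n")
            elif cmd == "QUIT":
                self.wfile.write(b"221 2.0.0 Bye\r\n")
                return
            elif cmd.startswith("MAIL FROM"):
                self.wfile.write(b"530 5.7.0 Must issue a STARTTLS command first\r\n")
            else:
                self.wfile.write(b"502 5.5.2 Error: command not recognized\r\n")
            self.wfile.flush()


def run_offline_demo():
    """Run both probes against local stand-ins and return their results."""
    srv = socketserver.TCPServer(("127.0.0.1", 0), _FakeEncryptOnlySmtpd)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        starttls = smtp_requires_starttls("127.0.0.1", srv.server_address[1])
    finally:
        srv.shutdown()
        srv.server_close()
    # an ephemeral port that was just released stands in for a closed port 143
    with socket.socket() as probe:
        probe.bind(("127.0.0.1", 0))
        closed_port = probe.getsockname()[1]
    return {"starttls": starttls,
            "imap_plain_refused": plain_port_refused("127.0.0.1", closed_port, 2.0)}


if __name__ == "__main__":
    print(run_offline_demo())
    # against a live host (placeholders):
    #   plain_port_refused("mail.example.com", 143)
    #   smtp_requires_starttls("mail.example.com", 25)
```

Against a real server, call plain_port_refused("mail.example.com", 143) and smtp_requires_starttls("mail.example.com", 25) with your own host name; the expected result after the changes above is True and (True, True). For the IMAPS side, openssl s_client -connect mail.example.com:993 also shows you the certificate chain Dovecot presents, which the telnet test cannot.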
Amavis and TLS
You might use amavisd-new as a spam and virus filter.
If so, it can happen that messages like these show up in your mail.log and the mails are not sent.
Jul 18 01:05:11 dustplanet amavis[18922]: (18922-01) discarding unprocessed reply: 221 2.0.0 Bye
Jul 18 01:05:11 dustplanet amavis[18922]: (18922-01) (!)mail_via_smtp: error during QUIT: errno=
Jul 18 01:05:11 dustplanet amavis[18922]: (18922-01) (!)FWD from-> ,BODY=7BIT 451 4.5.0 From MTA(smtp:[127.0.0.1]:10025) during fwd-rundown-1 (Negative SMTP response to RSET: 530 5.7.0 Must issue a STARTTLS command first at (eval 134) line 1037.): id=18922-01
Jul 18 01:05:12 dustplanet amavis[18922]: (18922-01) Blocked MTA-BLOCKED {RejectedOpenRelay}, [87.142.164.208]:51262 -> , Queue-ID: A9334788D9, Message-ID: <[email protected]>, mail_id: kMVr0ucODUYs, Hits: 0.108, size: 691, 2165 ms
Jul 18 01:03:17 dustplanet postfix/smtp[18739]: 3AA33788B0: to= , relay=127.0.0.1[127.0.0.1]:10024, delay=0.29, delays=0.27/0.01/0.01/0, dsn=4.7.4, status=deferred (TLS is required, but was not offered by host 127.0.0.1[127.0.0.1])
If so, you need to disable TLS on the loopback hop to amavis to make sure mails can be sent.
In /etc/postfix/master.cf add the following line to amavis service type
-o smtp_tls_security_level=none
and to 127.0.0.1:10025 the following
-o smtpd_tls_security_level=none
My configuration looks like this
# The next two entries integrate with Amavis for anti-virus/spam checks.
amavis      unix  -       -       -       -       3       smtp
  -o smtp_data_done_timeout=1200
  -o smtp_send_xforward_command=yes
  -o disable_dns_lookups=yes
  -o max_use=20
  -o smtp_tls_security_level=none

127.0.0.1:10025 inet n    -       -       -       -       smtpd
  -o content_filter=
  -o local_recipient_maps=
  -o relay_recipient_maps=
  -o smtpd_restriction_classes=
  -o smtpd_delay_reject=no
  -o smtpd_client_restrictions=permit_mynetworks,reject
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o smtpd_data_restrictions=reject_unauth_pipelining
  -o smtpd_end_of_data_restrictions=
  -o mynetworks=127.0.0.0/8
  -o smtpd_error_sleep_time=0
  -o smtpd_soft_error_limit=1001
  -o smtpd_hard_error_limit=1000
  -o smtpd_client_connection_count_limit=0
  -o smtpd_client_connection_rate_limit=0
  -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters
  -o smtpd_tls_security_level=none
Roundcube 1×1 hacks
No, I’m just kidding but want to share some nice config values I found that are not that well documented.
Use SSL or TLS to connect to the default host
With the ssl:// or tls:// prefix you can connect securely 🙂
$config['default_host'] = 'ssl://localhost'; // for example
The support_url supports a mailto:// link!
That means you can put something like this in there
$config['support_url'] = 'mailto:[email protected]';
Force HTTPS with a simple config change
No need to explain that one
$config['force_https'] = true;
Auto append a domain after the username at login
Normally I would need to login via [email protected]
Since I only use one domain I would like to get rid of typing @dustplanet.de all the time.
Luckily you can 🙂
$config['username_domain'] = 'dustplanet.de';
Now you can log in as admin
(This one is far more powerful, see http://trac.roundcube.net/wiki/Howto_Config)
Change default SMTP port
Simple as this
$config['smtp_port'] = 465;
Now I won’t forget my config settings and hope this little information sheet of my setup helps anyone 🙂
Feel free to comment/ask anything.
Cheers,
xGhOsTkiLLeRx
Good description.
I would also like to add the following. If smtp_tls_wrappermode is enabled in main.cf the following must be added to master.cf for smtp-amavis: -o smtp_tls_wrappermode=no, otherwise you will receive the following in the postfix maillog and mails get status deferred and eventually dropped:
warning: smtp_tls_wrappermode requires “smtp_tls_security_level = encrypt” (or stronger)
This is how my part of master.cf looks:
# Amavisd, spamassassin, clamd
smtp-amavis unix - - n - 2 smtp
  -o smtp_data_done_timeout=1200
  -o smtp_send_xforward_command=yes
  -o disable_dns_lookups=yes
  -o max_use=20
  -o smtp_tls_wrappermode=no
  -o smtp_tls_security_level=none
Cheers Klas
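Both the "Amavis and TLS" section of the HowTo and Klas's comment come down to the same mechanism: a -o override in master.cf wins over main.cf, so the loopback hop to amavis and the re-injection listener on 127.0.0.1:10025 must explicitly opt out of the site-wide "encrypt" (and of smtp_tls_wrappermode, if that is set). The following is an added Python audit of my own, not code from the post or from Postfix. It parses small main.cf and master.cf excerpts, which are constructed to resemble the post's configuration rather than copied from any server, resolves the effective value of each TLS setting per service, and reports what is missing; the service names amavis and 127.0.0.1:10025 are the post's, and the parsers deliberately ignore $variable expansion and main.cf continuation lines.

```python
import re

# Constructed config excerpts, modelled on the HowTo (not copied from a live server).
MAIN_CF = """\
smtpd_tls_security_level = encrypt
smtp_tls_security_level = encrypt
"""

MASTER_CF_OK = """\
# The next two entries integrate with Amavis for anti-virus/spam checks.
smtp      inet  n       -       -       -       -       smtpd
amavis    unix  -       -       -       -       3       smtp
  -o smtp_send_xforward_command=yes
  -o max_use=20
  -o smtp_tls_security_level=none
  -o smtp_tls_wrappermode=no
127.0.0.1:10025 inet n  -       -       -       -       smtpd
  -o content_filter=
  -o smtpd_client_restrictions=permit_mynetworks,reject
  -o mynetworks=127.0.0.0/8
  -o smtpd_tls_security_level=none
"""

# The same layout with the three TLS overrides forgotten: the inherited 'encrypt'
# from main.cf then produces the 'TLS is required' deferrals quoted in the post.
MASTER_CF_BROKEN = "\n".join(
    l for l in MASTER_CF_OK.splitlines() if "_tls_" not in l) + "\n"


def parse_main_cf(text):
    """Minimal 'key = value' reader; comments and continuation lines are skipped."""
    settings = {}
    for line in text.splitlines():
        if "=" in line and line[:1] not in " \t#":
            key, _, value = line.partition("=")
            settings[key.strip()] = value.strip()
    return settings


def parse_master_cf(text):
    """Map service name -> {'command', 'overrides'}; indented lines continue the
    previous entry, and every '-o key=value' on its lines is an override."""
    services, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] not in " \t":                 # new service definition line
            fields = line.split()
            if len(fields) < 8:                  # name type private unpriv chroot wakeup maxproc command
                continue
            current = fields[0]
            services[current] = {"command": fields[7], "overrides": {}}
        if current is not None:
            for key, value in re.findall(r"-o\s+([\w.]+)=(\S*)", line):
                services[current]["overrides"][key] = value
    return services


def effective(main, service, key, default=""):
    """A service's -o override wins over main.cf, which wins over the built-in default."""
    return service["overrides"].get(key, main.get(key, default))


def audit_tls(main_cf, master_cf, filter_svc="amavis", reinject="127.0.0.1:10025"):
    """Return findings; an empty list means the HowTo's layout is in place."""
    main, master, findings = parse_main_cf(main_cf), parse_master_cf(master_cf), []
    for key in ("smtp_tls_security_level", "smtpd_tls_security_level"):
        if main.get(key) != "encrypt":
            findings.append(f"main.cf: {key} is not 'encrypt'")
    svc = master.get(filter_svc)
    if svc is None:
        findings.append(f"master.cf: no '{filter_svc}' service")
    else:
        if effective(main, svc, "smtp_tls_security_level", "none") != "none":
            findings.append(f"master.cf: {filter_svc} needs -o smtp_tls_security_level=none")
        if effective(main, svc, "smtp_tls_wrappermode", "no") == "yes":
            findings.append(f"master.cf: {filter_svc} needs -o smtp_tls_wrappermode=no")
    lst = master.get(reinject)
    if lst is None:
        findings.append(f"master.cf: no '{reinject}' re-injection listener")
    else:
        if effective(main, lst, "smtpd_tls_security_level", "none") != "none":
            findings.append(f"master.cf: {reinject} needs -o smtpd_tls_security_level=none")
        if "permit_mynetworks" not in effective(main, lst, "smtpd_client_restrictions"):
            findings.append(f"master.cf: {reinject} should restrict clients to mynetworks")
    return findings


if __name__ == "__main__":
    print("ok layout:    ", audit_tls(MAIN_CF, MASTER_CF_OK))
    print("broken layout:", audit_tls(MAIN_CF + "smtp_tls_wrappermode = yes\n", MASTER_CF_BROKEN))
```

To run it against your own server, feed it the output of postconf -n and the contents of /etc/postfix/master.cf instead of the constructed strings. The last check is there because the 10025 listener accepts mail without authentication: it is safe only as long as the permit_mynetworks,reject restriction and mynetworks=127.0.0.0/8 from the post keep it reachable from localhost alone.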