Adding SSL/TLS Encryption to Postfix, Apache & Zarafa

SSL/TLS encryption can seem overly complicated. While this is true of the actual cryptography, it’s quite easy to implement.

We’ll be working with free StartSSL certificates. StartSSL certificates are recognized by all browsers, operating systems and mobile devices that I have tried. This solves the “not trusted” error messages that appear when using self-signed certificates.

Before we begin we need to make sure that your server has a sufficient source of randomness to accommodate encrypted connections.  Since we’re using a VPS and don’t have physical access to the machine, we can use haveged:

apt-get install haveged

You will also need to make sure that you have access to either the postmaster@, webmaster@ or hostmaster@ email address for the domain name you will be using. StartSSL uses these accounts for verification when obtaining your certificate. If mail for your domain is already being delivered to your VPS, you can set up these addresses to go to your account using an alias:

nano /etc/aliases

In this file, add the aliases you need, followed by a colon and your username:

postmaster: <username>
hostmaster: <username>
webmaster: <username>

Each time you modify the aliases file, you need to run:

newaliases

 

Getting your certificate

Head over to StartSSL and sign up for an account.  Once you are signed up and logged in, select the Validations Wizard and then select Domain Name Validation.  Here you will enter your domain name.  It will then send an email with a validation code to either postmaster@, hostmaster@ or webmaster@ your domain name.  Once you receive this email, enter the code to complete the validation. [1]

Now we can generate a Certificate Signing Request to submit to StartSSL:

mkdir /etc/apache2/ssl
cd /etc/apache2/ssl
openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr

Select Certificates Wizard and then select Web Server SSL/TLS Certificate. The next step will ask if you want to generate a private key. Since we have already done that by generating our CSR, select Skip. Paste your CSR in the box and select Continue. Choose the domain the certificate is for & select Continue.

The next step will ask you to add a subdomain. You most likely want to add www here, so that your visitors can visit https://www.yourdomain.tld. Caution: Because we are also running a mail server, we need to make sure the name on our certificate matches the hostname of our droplet. As long as your droplet has a hostname of www.yourdomain.tld or just yourdomain.tld, you won’t run into any issues with a mismatched hostname.

Press Continue to complete the process.

Your certificate will appear in a text field. Let’s copy our new certificate and paste it into a new file:

nano /etc/apache2/ssl/server.pem

Paste your certificate into this file and exit saving your changes.

 

Installing your certificate

Next, we’re going to create the certificate chain file that apache will use. It contains your certificate, and StartSSL’s intermediate certificate. (Including StartSSL’s root cert is not necessary because browsers already include it.)  Download the intermediate certificate from StartSSL:

wget https://www.startssl.com/certs/sub.class1.server.ca.pem

Now combine our new certificate with StartSSL’s intermediate certificate:

cat server.pem sub.class1.server.ca.pem > server-bundle.pem

You should now have five files:

ls -1 /etc/apache2/ssl
server-bundle.pem
server.csr
server.key
server.pem
sub.class1.server.ca.pem

Let’s protect these files:

chmod -R 400 /etc/apache2/ssl
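Before handing these files to Apache, Zarafa and Postfix it is worth checking them mechanically: that the bundle starts with your certificate and is followed by exactly the intermediate, that no private key was accidentally concatenated into it, and that the chmod above actually took. The script below is an added example and not part of the original tutorial; it assumes the file names used above (server.pem, sub.class1.server.ca.pem, server-bundle.pem, server.key), and the PEM bodies written by make_demo_dir are constructed placeholders rather than real certificates, so the checks are purely structural. Run the check functions against /etc/apache2/ssl for the real thing.

```bash
#!/bin/sh
# Added example, not from the original post: structural checks on the
# /etc/apache2/ssl files. File names follow the tutorial; the PEM blocks that
# make_demo_dir writes are constructed placeholders, not real certificates.

# Number of certificate blocks in a PEM file (prints 0 when there are none).
pem_cert_count() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# Apache presents the first block of the bundle as the leaf certificate, so the
# bundle must begin with server.pem and continue with the intermediate. The
# reverse `cat` order still parses but leaves clients unable to build the chain.
bundle_is_ordered() {
    dir=$1
    leaf=$(pem_cert_count "$dir/server.pem")
    inter=$(pem_cert_count "$dir/sub.class1.server.ca.pem")
    total=$(pem_cert_count "$dir/server-bundle.pem")
    [ "$leaf" -eq 1 ] || return 1
    [ "$total" -eq $((leaf + inter)) ] || return 1
    # the first lines of the bundle must be byte-for-byte server.pem
    n=$(($(wc -l < "$dir/server.pem")))
    head -n "$n" "$dir/server-bundle.pem" | cmp -s - "$dir/server.pem"
}

# A private key must never end up in the file that is served as "the certificate".
bundle_has_no_key() {
    ! grep -q 'PRIVATE KEY' "$1"
}

# Every file in the directory should be mode 400 (owner read only).
# find -perm with an exact mode works with both GNU and BSD userland.
ssl_dir_is_private() {
    [ -z "$(find "$1" -type f ! -perm 400)" ]
}

# Throw-away directory mirroring the tutorial's layout with placeholder PEM
# blocks; prints the directory path. Only the files get chmod 400 here so the
# demo also works when not run as root (the tutorial's chmod -R is run as root).
make_demo_dir() {
    d=$(mktemp -d)
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'CONSTRUCTED-LEAF-PLACEHOLDER' \
        '-----END CERTIFICATE-----' > "$d/server.pem"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'CONSTRUCTED-INTERMEDIATE-PLACEHOLDER' \
        '-----END CERTIFICATE-----' > "$d/sub.class1.server.ca.pem"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'CONSTRUCTED-KEY-PLACEHOLDER' \
        '-----END RSA PRIVATE KEY-----' > "$d/server.key"
    cat "$d/server.pem" "$d/sub.class1.server.ca.pem" > "$d/server-bundle.pem"
    chmod 400 "$d"/*
    echo "$d"
}
```

Usage against the real directory is just `bundle_is_ordered /etc/apache2/ssl && bundle_has_no_key /etc/apache2/ssl/server-bundle.pem && ssl_dir_is_private /etc/apache2/ssl`; a non-zero exit means stop and look before restarting any service.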

Before we get too far, now is a good time to back these files up. I would recommend archiving them and storing them somewhere other than your VPS:

tar -czf ~/sslcertbackup.tar.gz /etc/apache2/ssl/*

Log into your server using WinSCP (or equivalent) and download this file to store somewhere safe.

Now the fun part! Let’s use our new certificate to enable encryption in apache:

Enable some plugins in apache:

a2enmod ssl
a2enmod headers
a2enmod rewrite

And enable apache’s default SSL site:

a2ensite default-ssl

Now we edit the default-ssl file to add our certificate:

nano /etc/apache2/sites-enabled/default-ssl.conf

Find these two lines and point them to your certificate:

SSLCertificateFile    /etc/apache2/ssl/server-bundle.pem
SSLCertificateKeyFile /etc/apache2/ssl/server.key

To add Z-Push to the SSL site, add these lines to the end of the file, just before the closing </VirtualHost>:

Alias /Microsoft-Server-ActiveSync /usr/share/z-push/index.php
<Directory /usr/share/z-push>
php_flag magic_quotes_gpc off
php_flag register_globals off
php_flag magic_quotes_runtime off
php_flag short_open_tag on
</Directory>

Restart apache to load the plugins and apply our changes:

service apache2 restart

Now to enable encryption in Zarafa:

nano /etc/zarafa/gateway.cfg

To enable IMAPS and/or POP3S change these lines:

pop3_enable = no
pop3s_enable = yes
imap_enable = yes
imaps_enable = yes

Remember: We need to leave unencrypted imap enabled as this is what our SASL daemon uses.

And point these lines to our certificate:

ssl_private_key_file = /etc/apache2/ssl/server.key
ssl_certificate_file = /etc/apache2/ssl/server-bundle.pem

To add our certificate to the Zarafa iCal gateway:

nano /etc/zarafa/ical.cfg

Disable unencrypted iCal and enable encrypted iCal:

ical_enable = no
icals_enable = yes

And point these lines to our certificate:

ssl_private_key_file = /etc/apache2/ssl/server.key
ssl_certificate_file = /etc/apache2/ssl/server-bundle.pem

Restart these two services to apply the changes:

service zarafa-gateway restart
service zarafa-ical restart

Now to configure Postfix to use our certificate: [2]

postconf -e 'smtp_tls_security_level = may'
postconf -e 'smtp_tls_ciphers = medium'
postconf -e 'smtpd_tls_security_level = may'
postconf -e 'smtpd_tls_ciphers = medium'
postconf -e 'smtpd_tls_auth_only = no'
postconf -e 'smtp_tls_note_starttls_offer = yes'
postconf -e 'smtpd_tls_cert_file = /etc/apache2/ssl/server-bundle.pem'
postconf -e 'smtpd_tls_key_file = /etc/apache2/ssl/server.key'
postconf -e 'smtpd_tls_loglevel = 1'
postconf -e 'smtpd_tls_received_header = yes'
postconf -e 'smtpd_tls_session_cache_timeout = 3600s'
postconf -e 'tls_random_source = dev:/dev/urandom'
postconf -e 'myhostname = server.yourdomain.tld' # set this to match your Digital Ocean hostname
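Three daemons now read the same key and certificate from different config files (gateway.cfg, ical.cfg and main.cf), and the two directives are easy to swap, after which the daemon simply fails to bring up its TLS listener. The script below is an added example and not part of the original tutorial: it reads a `key = value` directive the way postconf does (last uncommented occurrence wins) and checks that the key directive points at a file holding a PRIVATE KEY block and the certificate directive at a file holding a CERTIFICATE block. The config and PEM files written by make_demo_config are constructed placeholders; the directive names are the real ones from the tutorial.

```bash
#!/bin/sh
# Added example, not from the original post: verify that the key and certificate
# directives in Zarafa .cfg files and Postfix main.cf point at files of the
# right kind before restarting the services.

# Print the value of "key = value" from a Postfix main.cf or Zarafa .cfg file;
# the last uncommented occurrence wins, as it does for postconf.
cfg_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# $1 = config file, $2 = key directive name, $3 = certificate directive name.
# Returns 0 when both point at the right kind of file; otherwise prints the
# first problem found and returns 1.
check_tls_files() {
    cfg=$1
    keyfile=$(cfg_get "$cfg" "$2")
    certfile=$(cfg_get "$cfg" "$3")
    if [ -z "$keyfile" ] || [ -z "$certfile" ]; then
        echo "$cfg: $2 or $3 is not set"; return 1
    fi
    if ! grep -q 'BEGIN .*PRIVATE KEY' "$keyfile" 2>/dev/null; then
        echo "$cfg: $2 = $keyfile does not hold a private key"; return 1
    fi
    if ! grep -q 'BEGIN CERTIFICATE' "$certfile" 2>/dev/null; then
        echo "$cfg: $3 = $certfile does not hold a certificate"; return 1
    fi
    if grep -q 'PRIVATE KEY' "$certfile"; then
        echo "$cfg: $3 = $certfile also contains a private key"; return 1
    fi
    return 0
}

# Constructed demo: a placeholder key/bundle pair, a correct gateway.cfg, a
# gateway.cfg with the two directives swapped, and a minimal main.cf.
# Prints the directory holding them.
make_demo_config() {
    d=$(mktemp -d)
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'CONSTRUCTED-KEY' \
        '-----END RSA PRIVATE KEY-----' > "$d/server.key"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'CONSTRUCTED-CERT' \
        '-----END CERTIFICATE-----' > "$d/server-bundle.pem"
    printf '%s\n' "ssl_private_key_file = $d/server.key" \
        "ssl_certificate_file = $d/server-bundle.pem" > "$d/gateway.cfg"
    printf '%s\n' "ssl_private_key_file = $d/server-bundle.pem" \
        "ssl_certificate_file = $d/server.key" > "$d/gateway-swapped.cfg"
    printf '%s\n' 'smtpd_tls_security_level = may' \
        "smtpd_tls_cert_file = $d/server-bundle.pem" \
        "smtpd_tls_key_file = $d/server.key" > "$d/main.cf"
    echo "$d"
}
```

On the live box the calls are `check_tls_files /etc/zarafa/gateway.cfg ssl_private_key_file ssl_certificate_file`, the same for /etc/zarafa/ical.cfg, and `check_tls_files /etc/postfix/main.cf smtpd_tls_key_file smtpd_tls_cert_file`; run them as root, since the key is mode 400.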

Now that we have encryption enabled, we can enable port 587 for message submission. For this we need to edit master.cf:

nano /etc/postfix/master.cf

Now uncomment the line:

submission inet n      -       n       -       -       smtpd

As always, reload Postfix to apply our changes:

service postfix reload

 

[Optional] Redirect HTTP to HTTPS

To disable unencrypted access to webmail and Z-Push:

a2dissite 000-default

To redirect unencrypted connections to HTTPS, we’ll create a redirect site:

nano /etc/apache2/sites-available/redirect.conf

Paste these lines into the file and update it to match your domain name:

<VirtualHost 0.0.0.0:80>
    ServerName www.yourdomain.tld
    ServerAlias yourdomain.tld
    Redirect permanent / https://www.yourdomain.tld/
</VirtualHost>

Now enable the site and reload apache:

a2ensite redirect
service apache2 reload

 

[Bonus] Setting up Forward Secrecy, OCSP Stapling & Strict Transport Security:

Forward secrecy has become very important as of late.  We can enable it with just a few simple modifications.

First, we’ll configure apache:

nano /etc/apache2/mods-enabled/ssl.conf

Find the line SSLCipherSuite and change it to the following. Add SSLHonorCipherOrder on just above:

SSLHonorCipherOrder on
SSLCipherSuite -ALL:ECDH+HIGH:DH+HIGH:-3DES:DES-CBC3-SHA:!CAMELLIA:!aNULL:!ADH:!MD5

These lines set Elliptic Curve ciphers first, followed by the slower Diffie-Hellman ciphers. Both of these cipher sets offer forward secrecy. Finally we add a legacy 3DES cipher at the end for compatibility with older clients. 3DES is preferable over RC4 for security. [3]

Enable a stronger elliptic curve:

openssl ecparam -name secp384r1 >> /etc/apache2/ssl/server-bundle.pem

Caution: Note the double >>.  Using only one will overwrite your certificate file.

Next we enable forward secrecy in Postfix. First we generate our own DH parameters: [4]

openssl dhparam -out /etc/postfix/dh512.pem 512
openssl dhparam -out /etc/postfix/dh1024.pem 1024

Next we add them to Postfix and ensure EECDH is set to strong:

postconf -e 'smtpd_tls_dh512_param_file = /etc/postfix/dh512.pem'
postconf -e 'smtpd_tls_dh1024_param_file = /etc/postfix/dh1024.pem'
postconf -e 'smtpd_tls_eecdh_grade = strong'

And reload Postfix:

service postfix reload

Now that we have forward secrecy enabled, let’s move on to OCSP Stapling and Strict Transport Security: [5][6]

nano /etc/apache2/sites-enabled/default-ssl.conf

Add this line near the top of your file around DocumentRoot:

Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"

Add these lines around SSLCertificateFile (SSLStaplingCache is a server-scope directive; if apache refuses it inside <VirtualHost>, move that one line above the <VirtualHost> opening and keep the other two where they are):

SSLUseStapling on
SSLStaplingResponseMaxAge 43200
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"

And restart apache:

service apache2 restart
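Because the hardening is spread across two files (the cipher settings in mods-enabled/ssl.conf, stapling and HSTS in sites-enabled/default-ssl.conf), a later edit can quietly undo one of them and the only signal is the next SSL Labs scan. The script below is an added example and not part of the original tutorial: a small lint that reads any number of apache conf files and checks for the settings this section asks for (SSLHonorCipherOrder on, a cipher string that excludes RC4 and anonymous suites, SSLUseStapling with a cache, and an HSTS header with at least the 15552000-second max-age used above). The conf files written by make_demo_conf are constructed samples using the tutorial's own directive values.

```bash
#!/bin/sh
# Added example, not from the original post: lint the apache TLS hardening
# settings across the given conf files before restarting apache.

# Value of a directive across the given files; last occurrence wins,
# trailing whitespace stripped.
directive() {
    name=$1; shift
    cat "$@" | sed -n "s/^[[:space:]]*$name[[:space:]][[:space:]]*//p" \
        | sed 's/[[:space:]]*$//' | tail -n 1
}

# max-age in seconds from the Strict-Transport-Security header, or empty.
hsts_max_age() {
    cat "$@" | sed -n 's/.*Strict-Transport-Security.*max-age=\([0-9][0-9]*\).*/\1/p' \
        | tail -n 1
}

# Returns 0 when every setting is present; otherwise prints the first
# problem and returns 1. Arguments: the conf files to read together.
apache_tls_hardening_ok() {
    case "$(directive SSLHonorCipherOrder "$@")" in
        [Oo]n) ;;
        *) echo 'SSLHonorCipherOrder is not on: the client picks the suite'; return 1 ;;
    esac
    cipher=$(directive SSLCipherSuite "$@")
    case "$cipher" in
        *RC4*) echo 'RC4 is still permitted by SSLCipherSuite'; return 1 ;;
        *'!aNULL'*) ;;
        *) echo 'anonymous suites are not excluded (!aNULL missing)'; return 1 ;;
    esac
    case "$(directive SSLUseStapling "$@")" in
        [Oo]n) ;;
        *) echo 'OCSP stapling is off'; return 1 ;;
    esac
    [ -n "$(directive SSLStaplingCache "$@")" ] \
        || { echo 'SSLUseStapling needs an SSLStaplingCache'; return 1; }
    age=$(hsts_max_age "$@")
    [ -n "$age" ] && [ "$age" -ge 15552000 ] \
        || { echo 'HSTS header missing or max-age below 15552000 seconds'; return 1; }
    return 0
}

# Constructed sample configs: a hardened pair mirroring the tutorial (the
# stapling cache sits at server scope in ssl.conf) and a weakened ssl.conf
# that leaves cipher order to the client. Prints the directory path.
make_demo_conf() {
    d=$(mktemp -d)
    printf '%s\n' 'SSLHonorCipherOrder on' \
        'SSLCipherSuite -ALL:ECDH+HIGH:DH+HIGH:-3DES:DES-CBC3-SHA:!CAMELLIA:!aNULL:!ADH:!MD5' \
        'SSLStaplingCache "shmcb:logs/stapling-cache(150000)"' > "$d/ssl.conf"
    printf '%s\n' '<VirtualHost _default_:443>' \
        '    Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"' \
        '    SSLUseStapling on' \
        '    SSLStaplingResponseMaxAge 43200' \
        '</VirtualHost>' > "$d/default-ssl.conf"
    printf '%s\n' 'SSLHonorCipherOrder off' 'SSLCipherSuite HIGH:!aNULL' > "$d/ssl-weak.conf"
    echo "$d"
}
```

On the server: `apache_tls_hardening_ok /etc/apache2/mods-enabled/ssl.conf /etc/apache2/sites-enabled/default-ssl.conf` before `service apache2 restart`. The lint only confirms the directives are present; the SSL Labs scan mentioned next is still the authority on what the server actually negotiates.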

Now head over to Qualys’s SSL Labs to test your server.  With all of these settings in place, you should receive an A+ rating.

You can also check to make sure encryption is working on your mail server by going over to CheckTLS.

As always, if you notice any errors, omissions or have anything to add that would make this tutorial better, please let me know in the comments below.

References:
1. https://konklone.com/post/switch-to-https-now-for-free#register-with-startssl
2. https://help.ubuntu.com/community/Postfix
3. https://community.qualys.com/blogs/securitylabs/2013/03/19/rc4-in-tls-is-broken-now-what
4. http://www.postfix.org/FORWARD_SECRECY_README.html#quick-start
5. https://www.grc.com/securitynow.htm#453
6. https://www.grc.com/securitynow.htm#412
