
Let's Encrypt Certificate for SMTP with STARTTLS

TLS Encryption

Let's Encrypt provides an easy way to get free certificates not only for web servers, but also for email servers like Postfix.

The way Let's Encrypt usually works requires you to set up a web server. Let's Encrypt sends you a challenge, and you have to prove ownership of the domain by providing a response to that challenge. You do this by placing the response at a certain URL on your web server:
http://www.yourserver.com/.well-known/acme-challenge/FgedPYS65N3HfwmM7IWY2...

That way you prove that you are the owner of the domain "yourserver.com". But there is another even easier way to prove ownership of a domain: DNS. You place the response in a specific TXT record of your domain: _acme-challenge.www.yourserver.com

  • You can use your domain hosting service (GoDaddy, Whois, etc.) to create a new TXT record.
  • The "certbot" command line client does all the rest in just one call.
  • Under Debian 9 and 10, "certbot" is part of the official package repository.
  • You can run certbot on any Linux client. You don't have to run it on the email server.

Example

In this example the public hostname of your mail server is mx.yourserver.com. Therefore you have to create a TXT record called _acme-challenge.mx.yourserver.com. The value of the TXT record is in the output of certbot.

# certbot certonly --manual --preferred-challenges dns -d mx.yourserver.com
 
Saving debug log to /var/log/letsencrypt/letsencrypt.log 
Plugins selected: Authenticator manual, Installer None 
Obtaining a new certificate 
Performing the following challenges: 
dns-01 challenge for mx.yourserver.com 
 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
NOTE: The IP of this machine will be publicly logged as having requested this 
certificate. If you're running certbot in manual mode on a machine that is not 
your server, please ensure you're okay with that. 
 
Are you OK with your IP being logged? 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
(Y)es/(N)o: Y 
 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
Please deploy a DNS TXT record under the name 
_acme-challenge.mx.yourserver.com with the following value: 
 
1A4RACHEISTBLUTWURST_egTVadkeiieikeieisfkfk
 
Before continuing, verify the record is deployed. 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
Press Enter to Continue 
Waiting for verification... 
Cleaning up challenges 
 
IMPORTANT NOTES: 
 - Congratulations! Your certificate and chain have been saved at: 
   /etc/letsencrypt/live/mx.yourdomain.com/fullchain.pem 
   Your key file has been saved at: 
   /etc/letsencrypt/live/mx.yourdomain.com/privkey.pem 
   Your cert will expire on 2020-02-15. To obtain a new or tweaked 
   version of this certificate in the future, simply run certbot 
   again. To non-interactively renew *all* of your certificates, run 
   "certbot renew" 
 - If you like Certbot, please consider supporting our work by: 
 
   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate 
   Donating to EFF:                    https://eff.org/donate-le
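
Certbot asks you to verify that the record is deployed before you press Enter. The following shell functions are an added example, not part of the original post: they ask every authoritative name server of the zone for the TXT record and compare the answer with the value certbot printed. The function names are made up for this example, and `dig` is assumed to be installed.

```shell
#!/bin/sh
# Added example, not part of the original post.
# txt_answer_has VALUE: reads `dig +short TXT` output on stdin and succeeds if
# one record equals VALUE. dig prints a record as one or more quoted chunks
# ("abc" "def"); the chunks are joined before comparing.
txt_answer_has() {
    expected=$1
    while IFS= read -r line || [ -n "$line" ]; do
        joined=$(printf '%s\n' "$line" |
            sed -e 's/" "//g' -e 's/^"//' -e 's/"$//')
        if [ "$joined" = "$expected" ]; then
            return 0
        fi
    done
    return 1
}

# check_challenge NAME ZONE VALUE: asks every authoritative name server of
# ZONE for the TXT record NAME. A record that one server already answers may
# not have reached the others yet, so all of them have to return VALUE.
check_challenge() {
    name=$1 zone=$2 value=$3 rc=0
    for ns in $(dig +short NS "$zone"); do
        if dig +short TXT "$name" "@$ns" | txt_answer_has "$value"; then
            echo "ok       $ns"
        else
            echo "MISSING  $ns"
            rc=1
        fi
    done
    return "$rc"
}

# Usage with the names from the example above (needs network access):
# check_challenge _acme-challenge.mx.yourserver.com yourserver.com \
#     1A4RACHEISTBLUTWURST_egTVadkeiieikeieisfkfk
```

Press Enter in certbot only after every name server is reported as "ok".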

Security check for postfix (STARTTLS connection)

$ openssl s_client -tls1_2 -cipher ECDHE-RSA-AES128-GCM-SHA256 -starttls smtp -verify 3 -verify_return_error -debug -CApath /etc/ssl/certs -connect 1.2.3.4:25

"-tls1_2" forces the TLSv1.2 protocol. Make sure the protocol and the cipher list match.

"-verify 3" enables server certificate verification and sets the maximum depth of the certificate chain. In this case there are 3 certificates in the certificate chain, including the root CA. Make sure the public root CA certificate is in the "-CApath" directory. "-verify_return_error" makes openssl abort the connection if the certificate verification fails.

The "-cipher" option specifies the list of ciphers that is offered to the server. The server then decides which of these ciphers to use. As we only give one cipher, we force the postfix server to use only this one. If the server does not support this cipher, openssl will return with an error.

If everything goes well, you will see a long output from the server (including the protocol and cipher from your openssl command line options) and something like "Verify return code: 0 (ok)". Quit the connection with the postfix server by typing "quit" and pressing Return.
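
To run this check from a script instead of reading the long output by eye, the following added example (not part of the original post) parses the s_client output and fails unless protocol, cipher and verify return code are the expected ones. The function names are made up for this example, and the sample output is constructed, not captured from a real server.

```shell
#!/bin/sh
# Added example, not part of the original post.
# check_session PROTOCOL CIPHER: reads `openssl s_client` output on stdin and
# succeeds only if the negotiated protocol and cipher are the expected ones
# and every "Verify return code" line reports 0.
check_session() {
    awk -v proto="$1" -v cipher="$2" '
        /^ *Protocol *:/      { p = $NF }
        /^ *Cipher *:/        { c = $NF }
        /Verify return code:/ { seen = 1; if ($4 != "0") vfail = $0 }
        END {
            bad = 0
            if (p != proto)  { print "protocol: got \"" p "\", want " proto; bad = 1 }
            if (c != cipher) { print "cipher: got \"" c "\", want " cipher; bad = 1 }
            if (!seen)       { print "no verify return code in output"; bad = 1 }
            if (vfail != "") { print "verification failed:" vfail; bad = 1 }
            exit bad
        }'
}

# probe_smtp HOST:PORT: the command from the post without -debug, closed by
# sending QUIT, with its output handed to check_session.
probe_smtp() {
    printf 'quit\r\n' | openssl s_client -tls1_2 \
        -cipher ECDHE-RSA-AES128-GCM-SHA256 -starttls smtp \
        -verify 3 -verify_return_error -CApath /etc/ssl/certs \
        -connect "$1" 2>/dev/null |
        check_session TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
}

# Constructed sample of the relevant s_client lines, for trying the parser
# offline; it is not output captured from a real server.
sample_output() {
    cat <<'EOF'
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Verify return code: 0 (ok)
EOF
}
```

A failed connection produces no session lines at all, so `probe_smtp 1.2.3.4:25` also returns non-zero when the server refuses the cipher or the handshake is aborted.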


Security check for Apache 2.4 webserver (TLS)

You can use nmap to show what kind of ciphers your webserver is supporting.

List all supported protocols and ciphers of a webserver:
nmap --script=ssl-enum-ciphers -Pn -p 443 www.local.example

Set the following configuration options in your Apache server config:

SSLEngine on
SSLOptions +StrictRequire
SSLHonorCipherOrder on
SSLProtocol all -SSLv3

SSLRandomSeed startup builtin
SSLRandomSeed startup file:/dev/urandom 1024
SSLRandomSeed connect builtin
SSLRandomSeed connect file:/dev/urandom 1024

# requires mod_socache_shmcb
SSLSessionCache "shmcb:/..."
SSLSessionTickets off

SSLStrictSNIVHostCheck on

To get a list of all protocols and ciphers that your webserver supports you can use nmap:
$ nmap --script=ssl-enum-ciphers -Pn -p 443 mailserver.local.example
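
"SSLProtocol all -SSLv3" still leaves TLSv1.0 and TLSv1.1 enabled where the OpenSSL build supports them, so the nmap output is worth checking for them. The following added example (not part of the original post) reads ssl-enum-ciphers output and reports every protocol older than TLSv1.2 and every cipher that nmap grades below A. The function names are made up for this example, and the sample scan is constructed.

```shell
#!/bin/sh
# Added example, not part of the original post.
# audit_enum_ciphers: reads nmap ssl-enum-ciphers output on stdin, prints
# every protocol older than TLSv1.2 and every cipher graded below A, and
# returns non-zero if it found any.
audit_enum_ciphers() {
    awk '
        /^[|][ _]+(SSLv|TLSv)[0-9.]+: *$/ {
            proto = $2; sub(/:$/, "", proto)
            if (proto !~ /^TLSv1\.[23]$/) {
                print "legacy protocol: " proto; bad = 1
            }
            next
        }
        /^[|][ _]+TLS_[A-Z0-9_]+ .* - [B-F] *$/ {
            print "weak cipher (" proto "): " $2 " grade " $NF; bad = 1
        }
        END { exit bad + 0 }'
}

# Constructed sample in the layout nmap prints; not a scan of a real host.
sample_scan() {
    cat <<'EOF'
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|     cipher preference: server
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|     cipher preference: server
|_  least strength: C
EOF
}

# Usage against a server you operate (needs network access):
# nmap --script=ssl-enum-ciphers -Pn -p 443 www.local.example | audit_enum_ciphers
```

If the audit reports TLSv1.0 or TLSv1.1, "SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1" removes them.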
