Ssl – Dovecot/Postfix with SSL on EC2

amazon ec2dovecotpostfixssl

I've been running through a tutorial at: http://www.cerebellumstrategies.com/amazon-linux-postfix-dovecot/ and everything works through the entire tutorial right up to checking the authentication.

While inside the instance, I can run:

[ec2-user@domU-... ~]$ openssl s_client -starttls smtp -connect localhost:25
CONNECTED(00000003)
didn't found starttls in server response, try anyway...
140326462789448:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:699:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 238 bytes and written 148 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---
[ec2-user@domU-12-31-39-05-61-27 ~]$

But from my own laptop:

Drew-Sonnes-MacBook-Pro:~ drew$ openssl s_client -starttls smtp -connect mail.symbiosislaboratories.com:25
connect: Connection refused
connect:errno=61

I have port 25 open in my security group (and have for a few weeks). For the purpose of debugging my problem, I have iptables turned off:

[ec2-user@domU-... ~]$ sudo service iptables status
iptables: Firewall is not running.

I have requested my reverse DNS and port 25 open from Amazon, and they put that through a couple of days ago. I've made sure my DNS is resolving correctly. I've run through the tutorial, fixed typos, double & triple checked my settings, and can't find anything I've done wrong. Does anyone else know of anything else which would be stopping this?

Best Answer

This is with SASL. Key is the key, pem is the CA file, and crt and issued cert.

/etc/dovecot/conf.d/main.cf:

readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
virtual_alias_maps = hash:/etc/postfix/virtual
sender_bcc_maps = hash:/etc/postfix/bcc
mailbox_command = /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME
home_mailbox = Maildir/
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination
mailbox_size_limit = 0
allow_percent_hack = no
## Specify the keys/certificates
smtpd_tls_key_file = /etc/pki/tls/private/localhost.key
smtpd_tls_CAfile = /etc/pki/tls/cert.pem
smtpd_tls_cert_file = /etc/ssl/certs/localhost.crt
smtpd_tls_security_level = may
##

/etc/dovecot/master.cf:

# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet    n       -       n       -       -      smtpd    -o smtpd_sasl_auth_enable=yes
smtps     inet    n       -       n       -       -      smtpd    -o smtpd_sasl_auth_enable=yes

Related Solutions

Postfix “warning: cannot get RSA private key from file”

The content of main.cf does not necessarily represent your active Postfix configuration. Check the output of postconf -n for the following two parameters:

smtpd_recipient_restrictions = 
  permit_mynetworks, 
  permit_sasl_authenticated, 
  reject_unauth_destination
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128

If $mynetworks is restricted to localhost and $smtpd_recipient_restrictions shows permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination as the first three restrictions, then you are not an open relay.

Verify that /etc/ssl/private/postfix.pem contains a valid key and /etc/ssl/certs/postfix.pem contains a valid certificate:

openssl rsa -in /etc/ssl/private/postfix.pem -check -noout
openssl x509 -in /etc/ssl/certs/postfix.pem -text -noout

You also need to check if Postfix can access the file. On my server, the permissions on /etc/ssl/private are

drwx--x---  2 root ssl-cert  4096 Aug 03 01:55 private/

Thus simply chowning the key file won't do you any good, because the directory permissions prevent Postfix from accessing any file in it.

Try simplifying your setup. Put certificate and key into a single file:

cat /etc/ssl/*/postfix.pem > /etc/postfix/server.pem
chmod 640 /etc/postfix/server.pem
chown postfix:postfix /etc/postfix/server.pem

and change your main.cf like this:

smtpd_tls_cert_file = /etc/postfix/server.pem
smtpd_tls_key_file = $smtpd_tls_cert_file

Restart Postfix and see if the server can access the key.

SSL Error: self signed certificate in certificate chain

You don't need the root certificate in the chain (though I don't believe having it hurts anything).

That error is more of a warning from openssl in this case I think. I believe what it means is just that openssl doesn't know that it should trust the root certificate of that chain. If you pull out just the root certificate from that bundle and point that openssl command at it with the -CAfile argument I expect that "error" should go away.

Inside the sf_bundle.crt file you should see two

-----BEGIN CERTIFICATE-----
....
-----END CERTIFICATE-----

blocks (possibly with plain text above each block showing what certificate the block contains). If you split each of those blocks into its own file so you end up with block1.crt and block2.crt you should be able to run openssl x509 -noout -subject -in <file.crt> on each of them to get their respective certificate subject lines.

Assuming that block2.crt has a subject line of /C=US/O=Starfield Technologies, Inc./OU=Starfield Class 2 Certification Authority you should then be able to run openssl s_client -CAfile block2.crt -connect imap.domain.ltd:465 and that should, hopefully, connect without giving you the self-signed certificate error.

Best Answer

Related Solutions

Postfix “warning: cannot get RSA private key from file”

SSL Error: self signed certificate in certificate chain

Related Topic