OPS345 Lab 7

From Littlesvr Wiki
Revision as of 22:58, 14 March 2022 by Andrew (talk | contribs)
Jump to navigation Jump to search

THIS PAGE IS A DRAFT, NOT READY FOR USE YET

SMTP Encryption

One thing we haven't spent time on last week is the connection from your email client to your email server. This will very often be on a very untrusted network, such as a free wifi you found in some random place.

In this lab we'll set up your MTA to accept encrypted incomming connections, so that it won't matter what sort of network your workstation computer or phone is connected to.

Email-servers.png

Sadly today there is still no widespread means to encrypt MTA->MTA SMTP connections, which means that fundamentally you cannot trust that your email hasn't been read or modified in transit. This is a problem we can't solve in this course, but we don't need to because it's a very large, global problem. A fix would require every single email server out there to comply with a brand new specfication which hasn't even been developed yet.


  • can't use the same keys generated in www lab, they're for the wrong FQDN
andrew@p51:~/prog/seneca/ops345/new$ sudo su -
root@p51:~# certonly --manual --preferred-challenges dns
certonly: command not found
root@p51:~# certbot certonly --manual --preferred-challenges dns
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Please enter in your domain name(s) (comma and/or space separated)  (Enter 'c'
to cancel): email.asmith15.ops345.ca
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for email.asmith15.ops345.ca

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.email.asmith15.ops345.ca with the following value:

PdK1vlZnYMdBO7untofSCkfXH2ejk3EE019R7A90x7Q

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/email.asmith15.ops345.ca/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/email.asmith15.ops345.ca/privkey.pem
   Your cert will expire on 2022-02-28. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

root@p51:~# cp /etc/letsencrypt/live/email.asmith15.ops345.ca/cert.pem ~andrew/prog/seneca/ops345/new/keys/email.asmith15.ops345.ca.cert.pem
root@p51:~# cp /etc/letsencrypt/live/email.asmith15.ops345.ca/privkey.pem ~andrew/prog/seneca/ops345/new/keys/email.asmith15.ops345.ca.key.pem
root@p51:~# chown andrew ~andrew/prog/seneca/ops345/new/keys/email.asmith15.ops345.ca.*
  • Put keys on the email server:
scp -P 2212 -i keys/ssh/ops345-all-aws-machines.pem keys/email.asmith15.ops345.ca.* andrew@34.202.103.43:~
[root@email andrew]# cp email.asmith15.ops345.ca.cert.pem /etc/pki/tls/certs/
[root@email andrew]# cp email.asmith15.ops345.ca.key.pem /etc/pki/tls/private/
  • configure postfix to enable encrypted connections from client software. add this to the bottom of main.cf:
# Settings to enable secure SMTP using my self-signed certificate:
smtpd_tls_auth_only = no
smtpd_use_tls = yes
smtp_use_tls = yes
smtpd_tls_key_file = /etc/pki/tls/private/email.asmith15.ops345.ca.key.pem
smtpd_tls_cert_file = /etc/pki/tls/certs/email.asmith15.ops345.ca.cert.pem
tls_random_source = dev:/dev/urandom
smtpd_tls_loglevel = 1
  • test with telnet/EHLO: should say 250-STARTTLS
  • complete test will be done with thunderbird later
  • dovecot installed in previous lab, it needs very little configuration for our simple setup
  • /etc/dovecot/dovecot.conf:
  • Modify the protocols option so that Dovecot will work with IMAP connections, no POP3 or LMTP.
  • 10-ssl.conf:
ssl_cert = </etc/pki/tls/certs/email.asmith15.ops345.ca.cert.pem
ssl_key = </etc/pki/tls/private/email.asmith15.ops345.ca.key.pem