OPS345 Lab 7: Difference between revisions

From Littlesvr Wiki
Difference between revisions (diff context around line 19 of the wiki source; the `'''` marks are the wiki's bold markup)

Unchanged context:
* Copy your new certificate to ~yourusername/ops345/keys/certbot/'''email.yourusername.ops345.ca.cert.pem''' on the workstation, for safekeeping.
** Make sure the keys are owned by your regular user, not root.

Left (older) column:
* Copy the two keys into the appropriate directories (/etc/pki/tls/certs/ and /etc/pki/tls/private/) on your email server.

Right (newer) column:
* Put keys on the email server:
<source>
scp -P 2212 -i keys/ssh/ops345-all-aws-machines.pem keys/email.asmith15.ops345.ca.* andrew@34.202.103.43:~
[root@email andrew]# cp email.asmith15.ops345.ca.cert.pem /etc/pki/tls/certs/
[root@email andrew]# cp email.asmith15.ops345.ca.key.pem /etc/pki/tls/private/
</source>

Revision as of 00:55, 15 March 2022

THIS PAGE IS A DRAFT, NOT READY FOR USE YET

SMTP Encryption

One thing we didn't spend time on last week is the connection from your email client to your email server. That connection will very often cross an untrusted network, such as a free wifi network you found in some random place.

In this lab we'll set up your MTA (Postfix) and your IMAP server (Dovecot) to accept encrypted incoming connections, so that it won't matter what sort of network your workstation or phone is connected to.

[Figure: Email-servers.png]

Encryption between MTAs is a different story. MTA-to-MTA SMTP is at best opportunistically encrypted (STARTTLS, RFC 3207): the sending server uses TLS if the receiving server offers it, but falls back to cleartext if it doesn't, and an attacker in the path can simply strip the STARTTLS offer. Mechanisms that let a receiving domain insist on TLS (MTA-STS, RFC 8461, and DANE for SMTP, RFC 7672) exist but are far from universally deployed, so fundamentally you cannot trust that your email hasn't been read or modified in transit. This is a problem we can't solve in this course, and we don't need to: it is a very large, global problem that only gets fixed as every mail server operator adopts those mechanisms.

Generate encryption keys

You can't reuse the key and certificate you generated in lab 5, because that certificate was issued for the hostname youruserid.ops345.ca and the email server has a different FQDN: email.youruserid.ops345.ca. A client that connects to email.youruserid.ops345.ca and is handed a certificate for some other name will (correctly) refuse to trust it.

  • Use certbot again on your workstation to generate a key pair for email.youruserid.ops345.ca. Look at the lab 5 notes if you need a reminder for how to do it. But don't overwrite your web server's keys by mistake.
  • Copy your new private key to ~yourusername/ops345/keys/certbot/email.yourusername.ops345.ca.key.pem on the workstation, for safekeeping.
  • Copy your new certificate to ~yourusername/ops345/keys/certbot/email.yourusername.ops345.ca.cert.pem on the workstation, for safekeeping.
    • Make sure the keys are owned by your regular user, not root.
  • Copy the two keys into the appropriate directories (/etc/pki/tls/certs/ and /etc/pki/tls/private/) on your email server.
  • Configure Postfix to enable encrypted (STARTTLS) connections from client software by adding this to the bottom of main.cf. The original draft used smtpd_use_tls/smtp_use_tls, which have been obsolete since Postfix 2.3, and allowed AUTH over plaintext; the settings below use the current directives and refuse AUTH until the session is encrypted:
# Settings to enable secure SMTP using the certbot certificate for email.asmith15.ops345.ca
# Offer STARTTLS to connecting clients and servers (replaces the obsolete smtpd_use_tls = yes):
smtpd_tls_security_level = may
# Refuse AUTH until the session is encrypted, so passwords never cross the wire in the clear:
smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/pki/tls/private/email.asmith15.ops345.ca.key.pem
smtpd_tls_cert_file = /etc/pki/tls/certs/email.asmith15.ops345.ca.cert.pem
# Use TLS opportunistically when this server delivers mail to other MTAs (replaces smtp_use_tls = yes):
smtp_tls_security_level = may
# This is already the default; it is harmless to state it explicitly:
tls_random_source = dev:/dev/urandom
# Log a one-line summary of each TLS handshake:
smtpd_tls_loglevel = 1
  • Test with telnet: connect to the SMTP port, send EHLO, and the reply should include 250-STARTTLS. That only proves TLS is offered; the complete test, an encrypted login from a real client, will be done with Thunderbird later.
  • Dovecot was installed in the previous lab; it needs very little configuration for our simple setup.
  • In /etc/dovecot/dovecot.conf, modify the protocols option so that Dovecot serves IMAP only, no POP3 or LMTP.
  • In /etc/dovecot/conf.d/10-ssl.conf, point Dovecot at the same certificate and key. The leading < tells Dovecot to read the named file rather than treat the path itself as the PEM text:
ssl_cert = </etc/pki/tls/certs/email.asmith15.ops345.ca.cert.pem
ssl_key = </etc/pki/tls/private/email.asmith15.ops345.ca.key.pem
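To check a server configured by the steps above, here is an added example (not part of the lab or of the OPS345 course material) that audits a Postfix main.cf and a Dovecot 10-ssl.conf for the settings that matter for client-to-server encryption: STARTTLS actually offered, no AUTH before TLS, certificate and key configured, and Dovecot's ssl setting. It runs offline against constructed copies of the lab's fragments (the asmith15 paths are the page's own example values). It goes a little beyond the lab by also flagging the outbound smtp_tls_security_level, and the private-key permission check assumes GNU stat. The starttls_probe function is the live equivalent of the telnet/EHLO test and needs network access to the server, so it is defined but not called.

```shell
#!/bin/sh
# Audit the Postfix and Dovecot TLS fragments from this lab for the mistakes that
# leave mail client passwords in cleartext. Added example, not course material;
# every sample config below is constructed inline.

# Print the value of "name = value" in a config file (last assignment wins, as in
# Postfix); prints an empty line when the parameter is absent.
cfg_get() {
    awk -v k="$2" -F '=' \
        '$1 ~ ("^[ \t]*" k "[ \t]*$") { v = $2; sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v) }
         END { print v }' "$1"
}

# One finding per line for a Postfix main.cf; no output means it passes.
audit_main_cf() {
    cf="$1"
    if [ "$(cfg_get "$cf" smtpd_tls_auth_only)" != "yes" ]; then
        echo "smtpd_tls_auth_only != yes: clients may send AUTH (their password) before STARTTLS"
    fi
    if [ -z "$(cfg_get "$cf" smtpd_tls_security_level)" ]; then
        if [ -n "$(cfg_get "$cf" smtpd_use_tls)" ]; then
            echo "smtpd_use_tls is obsolete (Postfix 2.3+): use smtpd_tls_security_level = may"
        else
            echo "smtpd_tls_security_level unset: STARTTLS is not offered to clients"
        fi
    fi
    if [ -z "$(cfg_get "$cf" smtp_tls_security_level)" ]; then
        if [ -n "$(cfg_get "$cf" smtp_use_tls)" ]; then
            echo "smtp_use_tls is obsolete (Postfix 2.3+): use smtp_tls_security_level = may"
        else
            echo "smtp_tls_security_level unset: outbound MTA->MTA mail is sent in cleartext"
        fi
    fi
    for p in smtpd_tls_cert_file smtpd_tls_key_file; do
        if [ -z "$(cfg_get "$cf" "$p")" ]; then echo "$p unset: no certificate/key to serve"; fi
    done
    key=$(cfg_get "$cf" smtpd_tls_key_file)
    if [ -n "$key" ] && [ -e "$key" ]; then   # only checkable on the server itself (GNU stat)
        mode=$(stat -c '%a' "$key" 2>/dev/null)
        if [ "$mode" != "600" ]; then echo "$key has mode $mode: private key should be 0600"; fi
    fi
    return 0
}

# Same idea for Dovecot's conf.d/10-ssl.conf.
audit_dovecot_ssl() {
    cf="$1"
    if [ "$(cfg_get "$cf" ssl)" != "required" ]; then
        echo "ssl != required: Dovecot still accepts IMAP connections that never start TLS"
    fi
    for p in ssl_cert ssl_key; do
        case "$(cfg_get "$cf" "$p")" in
            "<"*) ;;                       # Dovecot reads the file named after '<'
            "")   echo "$p unset" ;;
            *)    echo "$p must start with '<' so the PEM file is read, not the path string" ;;
        esac
    done
    return 0
}

audit_count()   { audit_main_cf "$1" | wc -l | tr -d ' '; }
dovecot_count() { audit_dovecot_ssl "$1" | wc -l | tr -d ' '; }

# Live equivalent of the lab's telnet/EHLO test plus chain verification; needs network
# access to the real email server, so it is defined here but not called.
starttls_probe() {
    openssl s_client -connect "$1:${2:-25}" -starttls smtp -servername "$1" </dev/null 2>/dev/null \
        | grep -E 'Verify return code|^ *Protocol|^ *Cipher'
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
# The lab's fragment as originally written (constructed copy).
cat >"$WORK/weak.cf" <<'EOF'
smtpd_tls_auth_only = no
smtpd_use_tls = yes
smtp_use_tls = yes
smtpd_tls_key_file = /etc/pki/tls/private/email.asmith15.ops345.ca.key.pem
smtpd_tls_cert_file = /etc/pki/tls/certs/email.asmith15.ops345.ca.cert.pem
tls_random_source = dev:/dev/urandom
smtpd_tls_loglevel = 1
EOF
# Corrected fragment: current directives, and no AUTH until the session is encrypted.
cat >"$WORK/hardened.cf" <<'EOF'
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/pki/tls/private/email.asmith15.ops345.ca.key.pem
smtpd_tls_cert_file = /etc/pki/tls/certs/email.asmith15.ops345.ca.cert.pem
smtpd_tls_loglevel = 1
smtp_tls_security_level = may
EOF
printf 'ssl_cert = </etc/pki/tls/certs/email.asmith15.ops345.ca.cert.pem\nssl_key = </etc/pki/tls/private/email.asmith15.ops345.ca.key.pem\n' >"$WORK/dovecot-weak.conf"
{ echo 'ssl = required'; cat "$WORK/dovecot-weak.conf"; } >"$WORK/dovecot-ok.conf"

echo "== lab main.cf fragment =="; audit_main_cf "$WORK/weak.cf"
echo "== hardened main.cf (expect no output) =="; audit_main_cf "$WORK/hardened.cf"
echo "== lab 10-ssl.conf fragment =="; audit_dovecot_ssl "$WORK/dovecot-weak.conf"
```

On the email server, run audit_main_cf /etc/postfix/main.cf and audit_dovecot_ssl /etc/dovecot/conf.d/10-ssl.conf against the real files; from the workstation, starttls_probe email.youruserid.ops345.ca 25 replaces the telnet/EHLO check, and "Verify return code: 0 (ok)" means the client's trust store accepts the certbot chain for that name.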