Tagged: ssl

  • Jay Versluis 3:34 pm on January 3, 2015 Permalink | Reply
    Tags: dovecot, ssl

    Categories: Linux, Plesk

    How to install and secure Dovecot in Plesk 12 

    I’ve just installed the Dovecot Mail Service on one of my Plesk 12 servers. It’s an alternative to the old favourite Courier IMAP/POP and a new addition in Plesk 12.

    Dovecot does more or less the same as Courier (i.e. lets you receive mail), but it’s a bit more configurable and debug friendly. It also offers server-side mail filtering which is accessible via the Plesk Webmail services Roundcube and Horde.

    In this article I’ll show you how to install Dovecot in Plesk 12, and how to add your own SSL certificates for mail. In my previous article I’ve explained how to do this with the standard Courier Mail service.


    Installing Dovecot in Plesk 12

    Head over to

    • Tools and Settings (or the Server Tab)
    • under the Plesk heading
    • Updates and Upgrades

    Select Add or Remove Components and under Mail Hosting Features, find the option for Different IMAP/POP3 server:

    [Screenshot: Add or Remove Components, with the Different IMAP/POP3 server option]

    You can only install either Courier or Dovecot. Switching will automatically uninstall the component you currently have and instead install the other one.

    Note that switching Courier for Dovecot will preserve all mailboxes and will not affect your outgoing mail services. Give Plesk a moment until you see the “installation has finished” message.

    You’re now running Dovecot!


    Patching Dovecot SSL Certificates

    As with Courier, Dovecot will use self-signed certificates for secure connections. This means that a nasty window is likely to pop up when clients connect. You can suppress this window by specifying your own SSL Certificates.

    [Screenshot: certificate warning shown by a mail client connecting to the self-signed default]


    The default configuration file for Dovecot is /etc/dovecot/dovecot.conf. However, the file itself states that any changes you make there are wiped when an upgrade comes along. Instead, take a look at the /etc/dovecot/conf.d/ directory, in which you’ll find three files by default:

    • 10-plesk-security.conf
    • 15-plesk-auth.conf
    • 90-plesk-sieve.conf

    You can add your own configuration snippets here, each beginning with a number and ending with .conf. The lower the number, the earlier your snippet is loaded. The higher the number, the later it is loaded. You get the picture.

    Let’s create /etc/dovecot/conf.d/5-ssl.conf for our purposes. Because I had already configured my certificates for Courier they are still in /usr/share/imapd.pem – but feel free to place your .pem files anywhere you like. Here’s what my file looks like:

    # SSL Certificates for Dovecot are defined here
    
    ssl = yes
    # Path to your Certificate, preferred permissions: root:root 0444
    ssl_cert = </usr/share/imapd.pem
    # Path to your Private Key, preferred permissions: root:root 0400
    ssl_key = </usr/share/imapd.pem
    

    Dovecot lets you have separate files for the certificate and the private key, something that’s not possible in Courier as far as I know. Dovecot is also happy to keep those in the same file though as in my example, and as in Courier. Easy going I say!

    For the changes to take effect we need to restart the Plesk Mail Service like so:

    /usr/local/psa/admin/sbin/mailmng --restart-service

    That’s it!
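    Before running the restart command it pays to lint the snippet, because a misconfigured ssl_cert or ssl_key takes every IMAP/POP3 login down with it (the comments below show exactly that). The following POSIX shell check is an added example, not part of the original article or of Plesk/Dovecot; the function name is mine and it assumes GNU stat as shipped with CentOS.

```shell
#!/bin/sh
# Added example, not from the original article: lint a Dovecot conf.d SSL
# snippet (e.g. /etc/dovecot/conf.d/5-ssl.conf) before restarting the mail
# service. It catches what most commonly goes wrong with this setup: a missing
# "<" prefix (Dovecot then treats the path itself as the PEM data), a path that
# does not exist, and a private key readable by users other than its owner.
# Usage: check_dovecot_ssl_conf /etc/dovecot/conf.d/5-ssl.conf ; returns 0 when clean.

check_dovecot_ssl_conf() {
    conf=$1
    rc=0

    # "ssl = yes" (or "required") must be set in the snippet itself.
    if ! grep -Eq '^[[:space:]]*ssl[[:space:]]*=[[:space:]]*(yes|required)([[:space:]#]|$)' "$conf"; then
        echo "FAIL: no 'ssl = yes' in $conf"
        rc=1
    fi

    # Walk every ssl_cert / ssl_key / ssl_ca line. The here-document keeps the
    # loop in the current shell so that changes to rc are not lost (piping
    # grep into "while" would run the loop in a subshell).
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        key=$(printf '%s' "$line" | sed -E 's/^[[:space:]]*(ssl_[a-z]+).*$/\1/')
        value=$(printf '%s' "$line" | sed -E 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//')
        case $value in
            \<*) path=$(printf '%s' "${value#<}" | sed 's/^[[:space:]]*//') ;;
            *)   echo "FAIL: $key = $value  (missing '<' file prefix)"; rc=1; continue ;;
        esac
        if [ ! -f "$path" ]; then
            echo "FAIL: $key points at missing file $path"; rc=1; continue
        fi
        if [ "$key" = ssl_key ]; then
            # GNU stat: %a = octal mode, %U = owner. Group/other must have no bits.
            mode=$(stat -c '%a' "$path")
            owner=$(stat -c '%U' "$path")
            case $mode in
                *00) ;;
                *)   echo "FAIL: $path has mode $mode, expected 0400"; rc=1 ;;
            esac
            [ "$owner" = root ] || echo "WARN: $path is owned by $owner, not root"
        fi
    done <<EOF
$(grep -E '^[[:space:]]*ssl_(cert|key|ca)[[:space:]]*=' "$conf")
EOF

    [ "$rc" -eq 0 ] && echo "OK: $conf passes"
    return $rc
}
```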


    How do I add a certificate for outgoing mail?

    Postfix (and QMail) deal with sending mail; Dovecot and Courier only deal with receiving it. I’ve described how to add SSL Certificates to Postfix in my article about Courier.

    • prupert 2:32 pm on January 18, 2015 Permalink | Reply

      You may want to add the following directives for added security:

      Strong DH params

      ssl_dh_parameters_length = 2048

      Disable insecure SSL protocols

      ssl_protocols = !SSLv2 !SSLv3

      • Jay Versluis 3:35 pm on January 18, 2015 Permalink | Reply

        Thank you for the tip, prupert! Very much appreciated!

    • good advise 4:30 pm on September 22, 2015 Permalink | Reply

      For Dovecot in Debian/Ubuntu you have to add a > before the paths, otherwise it gives an error.
      I wasted a few hours on this little detail. Also, in Debian/Ubuntu use

      Path to your Certificate, preferred permissions: root:root 0444

      ssl_cert = </path/to/cert.pem

      Path to your Private Key, preferred permissions: root:root 0400

      ssl_key= </path/to/private.key

    • Patrick 5:29 pm on December 9, 2015 Permalink | Reply

      I followed the steps, but when i open ssl test i get the following message:

      :993
      CONNECTED(00000003)
      write:errno=104

      no peer certificate available

      No client certificate CA names sent

      SSL handshake has read 0 bytes and written 249 bytes

      New, (NONE), Cipher is (NONE)
      Secure Renegotiation IS NOT supported
      Compression: NONE
      Expansion: NONE

      • Jay Versluis 11:24 pm on December 9, 2015 Permalink | Reply

        Which SSL test did you use? What were the results before you patched the certificates (i.e. Plesk default)?

    • Patrick 9:15 am on December 10, 2015 Permalink | Reply

      I used this “openssl s_client -showcerts -connect mail.myserver.com:993” to test the SSL.

      After loading the new SSL certificate my email stops working as-well.

      Before patching, the results showed the default PLESK certificate.

    • Patrick 1:58 pm on December 10, 2015 Permalink | Reply

      I also noticed that I’m not able to access my mail. Webmail login stops working, and IMAP connections are closed.

      • Jay Versluis 2:05 pm on December 10, 2015 Permalink | Reply

        Oh yes, I had that problem on a couple of systems too. I’m sure there’s a perfectly logical explanation for it, and with several decades of research we’ll probably get to the bottom of it.

        But a much easier solution is to ditch Dovecot and use Courier instead. I know it makes zero sense, but I’ve noticed that on some systems, Dovecot just doesn’t want to work – and on others, I have trouble with Courier. They’re really easy to switch, and all your mail account settings are preserved.

    • Patrick 3:49 pm on December 10, 2015 Permalink | Reply

      OK, I will try that out, glad to know I’m not the only one experiencing this issue. Thanks a lot for your help. Appreciate it 🙂

      • Jay Versluis 4:21 pm on December 10, 2015 Permalink | Reply

        Any time! Out of interest, what operating system are you using? I’ve had these issues with both CentOS 6 and 7, with plain vanilla installations. Let me know and I’ll forward the issue to the Plesk team – they love fixing things 😉

    • Patrick 4:43 pm on December 10, 2015 Permalink | Reply

      I’m using CentOS 6.7, it’s a new setup. Dedicated server from 1and1.

      I just tried courier, followed your other article. I am getting the exact error 🙁
      (CERT OK fails on TLS check.)

      This is weird. Would you be able to take a look for me? I don’t mind paying for the service.

      • Jay Versluis 5:26 pm on December 10, 2015 Permalink | Reply

        Sure Patrick, I’ll see what I can discover. I can’t make any promises, but I have a few ideas. Head over here to make a payment, we’ll discuss everything else via email:

        http://wphosting.tv/support/plesk-and-server-support/

        • Daniel McDonald 7:47 pm on April 5, 2016 Permalink | Reply

          Yes, I followed those instructions.
          As I deleted the 10-ssl.cnf thing it just worked. :-S
          uhm

    • Arno T 7:41 pm on September 30, 2016 Permalink | Reply

      I’ve had a good bit of trouble getting it to work and testing it correctly.
      Here is my configuration

      /etc/dovecot/conf.d/5-custom-ssl.conf
      for debugging

      verbose_ssl = yes

      ssl = yes

      Path to your Certificate, preferred permissions: root:root 0444

      ssl_cert = </usr/local/etc/ssl/dovecot-cert.pem

      Path to your Private Key, preferred permissions: root:root 0400

      ssl_key = </usr/local/etc/ssl/dovecot-key.pem

      Path to your CA file,

      ssl_ca = </usr/local/etc/ssl/comodo-positiveSSL/AddTrustExternalCARoot.crt
      ssl_ca = </usr/local/etc/ssl/comodo-positiveSSL/COMODORSAAddTrustCA.crt
      ssl_ca = </usr/local/etc/ssl/comodo-positiveSSL/COMODORSADomainValidationSecureServerCA.crt

      ssl_verify_client_cert = yes
      auth_ssl_require_client_cert = yes

      #auth_ssl_username_from_cert = yes

      #EOF

      openssl s_client -CApath /etc/ssl/certs -CAfile /etc/ssl/certs/ca-bundle.crt -cert ./postfix-cert.pem -key ./postfix-key.pem -connect smtp.foobar.com:110 -starttls pop
      openssl s_client -CApath /etc/ssl/certs -CAfile /etc/ssl/certs/ca-bundle.crt -cert ./postfix-cert.pem -key ./postfix-key.pem -connect smtp.foobar.com:143 -starttls imap

      Post about Postfix & Dovecot, *(post is still under moderation)
      https://talk.plesk.com/threads/postfix-dovecot-cert-error.334931/#post-808783

  • Jay Versluis 3:50 pm on December 3, 2014 Permalink | Reply
    Tags: ssl

    Categories: Linux, Plesk

    How to secure SMTP, POP and IMAP connections in Plesk 

    You’ve installed an SSL Certificate to secure your Plesk Panel, you’ve tested it with an SSL checker and sure enough: the ugly warning window doesn’t bother you or your customers anymore.

    But your email client still says that the server doesn’t have a valid certificate. What gives?

    The secret is this: SMTP, IMAP and POP3 use their own certificates, which are not related to the ones you set up in Plesk to secure https connections. By default the mail services use auto-generated self-signed certificates.

    Sadly as of Plesk 12 there is still no way to manage those in the web interface – but it’s relatively easy to fix on the command line. Let’s go through this step by step.

    These instructions are for Plesk 12 on CentOS 6 and CentOS 7, using the default Courier mail service. You can also install an alternative mail service called Dovecot in Plesk 12. I’m discussing how to install Dovecot over here.


    Default Certificates

    We need to replace the following three files (default permissions in brackets):

    • /etc/postfix/postfix_default.pem (600)
    • /usr/share/imapd.pem (400)
    • /usr/share/pop3d.pem (400)

    Those are the culprits for SMTP, IMAP and POP3. We need to add our own private key and the certificate of a domain associated with this server and remove the default certificates.

    Before we begin, make a safety copy of them like this:

    mv /etc/postfix/postfix_default.pem /etc/postfix/postfix_default.old
    mv /usr/share/imapd.pem /usr/share/imapd.old
    mv /usr/share/pop3d.pem /usr/share/pop3d.old

    Here we rename the original files to .old files – in case anything goes wrong, simply rename them back into .pem files.


    Add your own certificate

    We need the same file three times, so we’ll start by making one for the SMTP service. Create a new file like this:

    vi /etc/postfix/postfix_default.pem
    

    and paste first the private key, followed by your certificate into this file. It will look something like this:

    -----BEGIN PRIVATE KEY-----
    (base64-encoded private key data, omitted)
    -----END PRIVATE KEY-----
    -----BEGIN CERTIFICATE-----
    (base64-encoded certificate data, omitted)
    -----END CERTIFICATE-----

    The exact same file can be used for both IMAP and POP3 so we can simply copy it to these two new locations:

    cp /etc/postfix/postfix_default.pem /usr/share/imapd.pem
    cp /etc/postfix/postfix_default.pem /usr/share/pop3d.pem
    

    These two files had 400 permissions by default so that only root can read them, and no one can change them. Let’s adhere to this and apply the same permissions:

    chmod 400 /usr/share/imapd.pem
    chmod 400 /usr/share/pop3d.pem
    


    Restart Plesk Mail Services

    For the changes to take effect we’ll need to restart all Plesk mail services:

    /usr/local/psa/admin/sbin/mailmng --restart-service
    

    And that’s it! Now that pesky warning isn’t going to come up anymore when you access Plesk mail with an email client.


    Adding CA Certificates

    The above is enough to suppress the usual warning windows in email clients, however if you’re an avid SSL enthusiast you’ll notice that we’ve not added any CA Certificates to the above .pem files. In essence those tell a client that our certificate is valid – otherwise the client would only have our word for it.

    You can add the combined CA Certificate to the end of the three .pem files in addition to the private key and your own certificate. It’s not strictly necessary, but doing this means you will pass strict SSL tests.
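    The whole procedure above boils down to one file with a fixed layout (private key, then your certificate, then the CA chain) copied to three places with tight permissions, and a file that breaks that layout is the usual cause of the “no peer certificate available” result seen in the Dovecot comments. As an added example, not from the original article or from Plesk, here is a POSIX shell helper that assembles the file in that order and checks the layout and mode before you copy it; the function names are mine and GNU stat is assumed.

```shell
#!/bin/sh
# Added example, not from the original article: build the combined PEM file
# that Postfix, Courier IMAP and Courier POP3 expect here (private key, then
# the server certificate, then any CA certificates) and check its layout
# before copying it to postfix_default.pem, imapd.pem and pop3d.pem.

# assemble_mail_pem KEY CERT OUT [CA...]: concatenate in the required order and
# leave the result readable by its owner only (0400, as the article does).
assemble_mail_pem() {
    key=$1; cert=$2; out=$3; shift 3
    (
        umask 077                       # never world-readable, not even briefly
        rm -f "$out"
        for f in "$key" "$cert" "$@"; do
            cat "$f"
            # add a newline if the source file lacked a trailing one, so the
            # next BEGIN line is not glued onto this END line
            [ -z "$(tail -c 1 "$f")" ] || echo
        done > "$out"
    )
    chmod 400 "$out"
}

# check_mail_pem FILE: returns 0 only if the file holds exactly one private key
# as its first block, followed by at least one certificate, with every BEGIN
# closed by its END, and has mode 400 (Courier) or 600 (Postfix).
check_mail_pem() {
    file=$1
    awk '
        /^-----BEGIN (RSA |EC )?PRIVATE KEY-----[[:space:]]*$/ {
            keys++; if (nblocks++ > 0) order_bad = 1
            if (open != "") nested = 1; open = "KEY"; next }
        /^-----BEGIN CERTIFICATE-----[[:space:]]*$/ {
            certs++; nblocks++
            if (open != "") nested = 1; open = "CERT"; next }
        /^-----END (RSA |EC )?PRIVATE KEY-----[[:space:]]*$/ {
            if (open != "KEY") mismatch = 1; open = ""; next }
        /^-----END CERTIFICATE-----[[:space:]]*$/ {
            if (open != "CERT") mismatch = 1; open = ""; next }
        END {
            rc = 0
            if (keys != 1) { printf "FAIL: %d private key blocks, expected 1\n", keys; rc = 1 }
            if (certs < 1) { print "FAIL: no CERTIFICATE block"; rc = 1 }
            if (order_bad) { print "FAIL: the private key must be the first block"; rc = 1 }
            if (nested || mismatch || open != "") { print "FAIL: unbalanced BEGIN/END markers"; rc = 1 }
            if (rc == 0) printf "OK: 1 key + %d certificate(s), %d of them CA\n", certs, certs - 1
            exit rc
        }' "$file" || return 1
    mode=$(stat -c '%a' "$file")        # GNU stat: octal mode
    case $mode in
        400|600) return 0 ;;
        *) echo "FAIL: $file has mode $mode, expected 400 (Courier) or 600 (Postfix)"; return 1 ;;
    esac
}
```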

    Thanks to Mike Yrabedra for this tip, and the test URL below!

    Testing your mail services

    Mike also found a wonderful service that lets you check an email address which will flag up certificate warnings and exceptions – courtesy of CheckTLS:

    Simply hack in your email address and you’ll see if your certificate is installed properly. Note that to pass the test, your email address must match the domain on the certificate. For example, if your address is you@domain.com, but your certificate is for yourdomain.com then the test will fail the “Cert OK” field.

    [Screenshot: CheckTLS result for a mail address on this server]


    Wait – where do I find my private key and certificate?

    If you’re using the same certificate for mail that you’re using to secure Plesk, simply head over to

    • Tools and Settings (or the Server Tab)
    • Security Settings
    • SSL Certificates
    • click on your certificate from the list
    • scroll down to find plain text sections for your private key and certificate


    Wait – where do I find that CA Certificate you speak of?

    Your certificate provider will give that to you. Some providers call it “intermediate CA certificate”. They usually have several versions of the same thing. Look for a combined version. In essence it’s two plain text blocks, very similar to the ones I’ve shown you above.

    For example, the RapidSSL CA certificates can be found here: https://knowledge.rapidssl.com/support/ssl-certificate-support/index?page=content&id=AR1548

    • Mark 11:31 am on September 20, 2016 Permalink | Reply

      Hi guys. A great article but I have a question if I may. I have a VPS which has the default Parallels certificate in the postfix_default.pem file. This is used across the VPS for all domains hosted on it (under one IP address). I bought a separate SSL covering 3 domains, being http://www.mydomain.co.uk, mydomain.co.uk and mail.mydomain.co.uk, which is installed and working correctly but on port 443.
      I’d like to use port 465 SSL in Outlook and need to append/add/include the new certificate, private key and CA certificate to the existing one in the postfix default file. The question is, how do I append it, as I know there is a correct format.
      Do I need both Private Keys? What’s the format for adding them? I don’t want to simply overwrite the existing default certificate as this new SSL only applies to 3 domains out of the 30 hosted.
      Any help would be massively appreciated.
      Kind regards
      Mark.

      • Jay Versluis 6:20 pm on September 23, 2016 Permalink | Reply

        Hi Mark,

        very good question indeed – but sadly I have no idea how to add mail certificates for more than one domain. I’m not even sure it can be done in Plesk 12.5. I know that in the next version, Plesk Onyx, they’ve implemented a way to manage certificates for mail via the Plesk interface, but if that’s server-wide or per-domain I don’t know.

        Your best bet is to ask one of the very knowledgeable people on the Plesk forum: https://talk.plesk.com

        Do let me know if you find out, it’s an interesting one! All the best,

        JAY

    • Arno T 5:51 pm on March 9, 2017 Permalink | Reply

      Just some extra info and settings on installing SSL certs on CentOS 7.3 / Plesk 12.5.30#60,
      using Postfix (SMTP) & Dovecot (POP/IMAP).

      Postfix # /etc/postfix/main.cf
      smtpd_tls_cert_file = /usr/local/etc/ssl/live/cert.pem
      smtpd_tls_key_file = /usr/local/etc/ssl/live/privkey.pem
      smtpd_tls_CAfile = /usr/local/etc/ssl/live/ca-root-cert.pem

      Dovecot # /etc/dovecot/conf.d/5-custom-ssl.conf
      ssl = yes
      ssl_cert = </usr/local/etc/ssl/live/cert.pem
      ssl_key = </usr/local/etc/ssl/live/privkey.pem
      ssl_ca = </usr/local/etc/ssl/live/ca-root-cert/AddTrustExternalCARoot.crt
      ssl_ca = </usr/local/etc/ssl/live/ca-root-cert/COMODORSAAddTrustCA.crt
      ssl_ca = ./live/ca-root-cert.pem
      cat ./live/ca-root-cert/COMODORSADomainValidationSecureServerCA.crt >> ./live/ca-root-cert.pem
      cat ./live/ca-root-cert/COMODORSAAddTrustCA.crt >> ./live/ca-root-cert.pem
      chmod 444 ./live/ca-root-cert.pem

      Create # ./live/chain.pem
      cat ./live/privkey.pem > ./live/chain.pem
      cat ./live/cert.pem >> ./live/chain.pem

      Hopefully it is useful for some people, because I’ve almost no experience with SSL certs.
      Good luck, Arno

