mdelatorre

Configure Lets Encrypt Cert in Postfix

Sep 28th, 2016
Configure Let's Encrypt Cert in Postfix on a RHEL 7 server
============================================================================================

1. Install Apache Web Server
--------------------------------------

$ sudo yum groupinstall -y "Web Server"
$ sudo vim /etc/hosts
    - add: 1.2.3.4 host.example.com example.com
$ sudo vim /etc/hostname
    - add: host.example.com
$ sudo vim /etc/httpd/conf/httpd.conf
    - set the ServerName directive in /etc/httpd/conf/httpd.conf
$ sudo vim /etc/httpd/conf.d/ssl.conf
    - set the ServerName directive in /etc/httpd/conf.d/ssl.conf
$ sudo hostname -F /etc/hostname
    (capital -F reads the new name from the file; "hostname -f" only prints the current FQDN.
     On RHEL 7 "hostnamectl set-hostname host.example.com" does the edit and the change in one step.)
$ sudo systemctl enable httpd
$ sudo systemctl start httpd

+ Open ports 80 and 443 in the security group of your EC2 instance; the Let's Encrypt
  validation of the Apache plugin comes in over these ports.

+ Make sure the OpenSSL package on the server is up to date.
$ sudo yum update openssl

+ Tune the Apache 2.4 TLS configuration
$ sudo vim /etc/httpd/conf.d/ssl.conf
    - SSLProtocol TLSv1.2
    - SSLHonorCipherOrder On
    - SSLCipherSuite "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES128:RSA+AESGCM:!aNULL:!MD5:!DSS:!LOW:!MEDIUM"
      (note the ":" before "!aNULL"; the original string ran "RSA+AESGCM!aNULL" together, which is
       not a well-formed OpenSSL cipher rule since "!" is only valid as a rule prefix. Check any
       edited list with "openssl ciphers -v '<list>'" before restarting.)
    - Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
      (keep "preload" only if you intend to submit the domain to the browser preload list; once
       preloaded it is very hard to undo, for every subdomain)
    - Header always set X-Frame-Options DENY
    - Header always set X-Content-Type-Options nosniff
    # Requires Apache >= 2.4
    - SSLCompression off
$ sudo apachectl restart
    (run "apachectl configtest" first if in doubt about the syntax)

2. Install the Let's Encrypt client - Certbot
--------------------------------------

$ sudo yum-config-manager --enable rhui-REGION-rhel-server-extras
$ sudo yum-config-manager --enable rhui-REGION-rhel-server-optional
$ sudo yum repolist all
$ wget https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
$ sudo rpm -Uvh epel-release-latest-7*.rpm
$ sudo yum install python-certbot-apache
$ sudo certbot --apache

+ Your certificate and chain have been saved at /etc/letsencrypt/live/<domain>/
  (fullchain.pem, cert.pem, chain.pem and privkey.pem; the directory and the key are readable
   by root only, which is what Postfix wants for its private key anyway)
+ Let's Encrypt certificates expire 90 days after they were issued.
+ To obtain a new or tweaked version of this certificate in the future,
    simply run certbot again with => certbot --apache certonly
+ To non-interactively test the renewal of *all* of your certificates,
    run with => certbot renew --dry-run
+ If that appears to be working correctly, you can arrange for automatic renewal
    by adding a cron or systemd job which runs the
    following => certbot renew --quiet
+ Postfix does not watch the certificate files. Make every renewal run "postfix reload"
    as well, e.g. => certbot renew --quiet --deploy-hook "postfix reload"
    (older certbot releases call this option --renew-hook)
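Renewals are the step that bites months later: certbot writes the new files under /etc/letsencrypt/live/<domain>/, but nothing tells Postfix, and a hook that blindly reloads will also happily load a lineage whose key and certificate do not match. Below is an added example of a certbot deploy hook; it is not part of the original paste. It reloads Postfix only when the lineage Postfix actually reads was renewed, and only after confirming the renewed private key belongs to the renewed certificate. The paths (/etc/postfix/main.cf, the web.ite.lat lineage that step 3 of this page points Postfix at) and the hook file name are assumptions taken from this page.

```shell
#!/bin/sh
# Added example, not from the original paste: a certbot deploy hook that makes
# Postfix pick up a renewed Let's Encrypt certificate safely. certbot runs
# deploy hooks once per renewed lineage with RENEWED_LINEAGE set to the
# lineage directory (e.g. /etc/letsencrypt/live/web.ite.lat). The hook
#   1. parses main.cf to find which lineage Postfix actually uses,
#   2. does nothing when some other lineage was renewed,
#   3. refuses to reload when privkey.pem does not match fullchain.pem,
#   4. otherwise runs `postfix reload`.
# Install as /etc/letsencrypt/renewal-hooks/deploy/postfix.sh (mode 0755), or
# pass it explicitly: certbot renew --deploy-hook /path/to/postfix.sh
# (the file name and MAIN_CF path are assumptions).

MAIN_CF="${MAIN_CF:-/etc/postfix/main.cf}"

# Print the value of one main.cf parameter. Handles comments, "key = value"
# and "key=value" forms, and continuation lines (a line starting with
# whitespace continues the previous value); the last assignment wins, as in
# Postfix itself. On a live host `postconf -h KEY` is the authoritative
# answer; parsing the file keeps this runnable on a box without Postfix.
main_cf_get() {
    awk -v key="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        /^[ \t]/ { if (cur == key) v = v " " $0; next }
        {
            eq = index($0, "=")
            if (eq == 0) { cur = ""; next }
            cur = substr($0, 1, eq - 1); gsub(/[ \t]/, "", cur)
            if (cur == key) v = substr($0, eq + 1)
        }
        END {
            gsub(/[ \t]+/, " ", v); sub(/^ /, "", v); sub(/ $/, "", v)
            print v
        }' "$1"
}

# Directory Postfix loads its certificate from, derived from smtpd_tls_cert_file.
postfix_lineage() {
    cert=$(main_cf_get "$1" smtpd_tls_cert_file)
    [ -n "$cert" ] || return 1
    dirname "$cert"
}

# True when the renewed lineage ($2) is the one Postfix reads (per main.cf $1).
should_reload_postfix() {
    lineage=$(postfix_lineage "$1") || return 1
    [ "${lineage%/}" = "${2%/}" ]
}

# True when the private key belongs to the certificate. Comparing the public
# key derived from each side works for RSA and ECDSA lineages alike and
# catches a half-written or mixed-up lineage before it breaks every
# STARTTLS handshake on the server.
cert_key_match() {
    cert_pub=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null) || return 1
    key_pub=$(openssl pkey -pubout -in "$2" 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

deploy_hook_main() {
    lineage="$1"
    if ! should_reload_postfix "$MAIN_CF" "$lineage"; then
        echo "postfix.sh: $lineage is not the lineage Postfix uses, nothing to do"
        return 0
    fi
    if ! cert_key_match "$lineage/fullchain.pem" "$lineage/privkey.pem"; then
        echo "postfix.sh: key/certificate mismatch in $lineage, refusing to reload" >&2
        return 1
    fi
    postfix reload
}

# certbot exports RENEWED_LINEAGE when it runs deploy hooks; when the file is
# merely sourced (for example to test the functions) nothing below runs.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy_hook_main "$RENEWED_LINEAGE"
fi
```

A non-zero exit from a deploy hook is reported by certbot in its output and log, so a key/certificate mismatch surfaces in the renewal job instead of as a dead mail server the next morning.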

3. Install Postfix
--------------------------------------

+ Open port 25 in the security group as well; the receiver test at the end needs to reach the MTA.

$ sudo yum install postfix
$ sudo vim /etc/postfix/main.cf
    - myhostname = host2.ite.lat
    - mydomain = ite.lat
    - myorigin = $mydomain
    - inet_interfaces = $myhostname, localhost
    - mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain,
                      mail.$mydomain, web.$mydomain
    - mynetworks = 127.0.0.0/8, 172.31.42.125, 52.43.65.253, 192.100.230.21
      (hosts listed here may relay through you without authentication; keep it to your own addresses)
    - smtpd_banner = $myhostname ESMTP
      (Postfix requires the banner to start with $myhostname, and an RFC 5321 greeting names the
       server's domain first; the original "host ESMTP Sendmail 2.1" did neither)
    - smtpd_tls_security_level = may
    - smtp_tls_security_level = may
      (these replace the obsolete smtpd_use_tls / smtp_use_tls switches from the original paste;
       without smtp_tls_security_level, outbound TLS was left to the obsolete setting)
    - tls_preempt_cipherlist = yes
    - smtpd_tls_auth_only = yes
    - smtpd_tls_cert_file = /etc/letsencrypt/live/web.ite.lat/fullchain.pem
    - smtpd_tls_key_file = /etc/letsencrypt/live/web.ite.lat/privkey.pem
      (the certificate must cover the name clients connect to, here mail.ite.lat, or any client
       that verifies the server name, Alpine included, will complain about a mismatch; add the
       extra names with -d when running certbot if needed)
    - smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
    - smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
    - smtpd_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
    - smtpd_tls_ciphers = high
    - smtpd_tls_mandatory_ciphers = high
    - smtp_tls_ciphers = high
    - smtp_tls_mandatory_ciphers = high
    - tls_high_cipherlist = ECDH+aRSA+AES256:ECDH+aRSA+AES128:AES256-SHA:AES128+EECDH:AES128+EDH
      (caveat: at security level "may" TLS is opportunistic. A peer that only speaks TLS 1.0/1.1
       or has no "high" cipher in common does not get rejected, it falls back to cleartext, which
       is why the Postfix documentation advises against tightening protocols and ciphers for
       opportunistic TLS. Restrict them this far only if you accept that trade-off.)

$ sudo postfix stop
$ sudo postfix start
    (a full stop/start is required because inet_interfaces changed; for later main.cf edits
     "postfix reload" is enough)
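Before trusting the configuration above it is worth linting it for the mistakes the original version of this paste carried: the obsolete smtpd_use_tls / smtp_use_tls switches, a banner that does not start with $myhostname, and no smtp_tls_security_level. The following is an added example, not from the original paste: a small shell lint over "key = value" lines in postconf -n style. The constructed input fragments reproduce this page's settings before and after the fixes; the parameter names are Postfix's own, the finding texts are mine.

```shell
#!/bin/sh
# Added example, not from the original paste: a lint for the TLS-related
# parameters of a Postfix main.cf, written as a filter over "key = value"
# lines. On a live host feed it `postconf -n` (non-default settings, one per
# line, continuation lines already joined). Exit status is 1 when any WARN
# finding is printed, so it can gate a deployment; INFO findings do not fail.

lint_postfix_tls() {
    awk '
        {
            eq = index($0, "=")
            if (eq == 0) next
            k = substr($0, 1, eq - 1); gsub(/[ \t]/, "", k)
            v = substr($0, eq + 1); sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
            p[k] = v
        }
        function warn(msg) { warns++; print "WARN: " msg }
        function info(msg) { print "INFO: " msg }
        END {
            # Obsolete switches: since Postfix 2.3 the *_tls_security_level parameters rule.
            if ("smtpd_use_tls" in p || "smtp_use_tls" in p)
                warn("smtpd_use_tls/smtp_use_tls are obsolete; use smtpd_tls_security_level and smtp_tls_security_level")
            if (!("smtpd_tls_security_level" in p))
                warn("smtpd_tls_security_level unset: inbound STARTTLS depends on the obsolete smtpd_use_tls or is off")
            if (!("smtp_tls_security_level" in p))
                warn("smtp_tls_security_level unset: outbound TLS depends on the obsolete smtp_use_tls or is off")
            # Never let SMTP AUTH happen on an unencrypted session.
            if (p["smtpd_tls_auth_only"] != "yes")
                warn("smtpd_tls_auth_only is not yes: SMTP AUTH would be offered on cleartext sessions")
            # Postfix requires the greeting to start with $myhostname.
            if (("smtpd_banner" in p) && p["smtpd_banner"] !~ /^\$myhostname/)
                warn("smtpd_banner must start with $myhostname (got: " p["smtpd_banner"] ")")
            if (!("smtpd_tls_cert_file" in p) || !("smtpd_tls_key_file" in p))
                warn("smtpd_tls_cert_file/smtpd_tls_key_file missing: no server certificate configured")
            # Opportunistic TLS (level "may") is only as strong as the peer: a peer that
            # cannot meet these protocol/cipher limits falls back to cleartext, it does not fail.
            if (p["smtpd_tls_security_level"] == "may" && (p["smtpd_tls_protocols"] ~ /!TLSv1(,|$)/ || p["smtpd_tls_ciphers"] == "high"))
                info("smtpd_tls_security_level=may with restricted smtpd_tls_protocols/smtpd_tls_ciphers: old peers will fall back to cleartext rather than fail")
            exit (warns > 0)
        }'
}

# Convenience wrapper so a caller can lint a string instead of stdin.
lint_settings() { printf '%s\n' "$1" | lint_postfix_tls; }

# Constructed input: the TLS settings as the paste originally had them.
ORIGINAL_SETTINGS='smtpd_banner = host ESMTP Sendmail 2.1
smtpd_use_tls = yes
smtp_use_tls = yes
tls_preempt_cipherlist = yes
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/letsencrypt/live/web.ite.lat/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/web.ite.lat/privkey.pem
smtpd_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtpd_tls_ciphers = high'

# Constructed input: the same settings after the corrections made on this page.
CORRECTED_SETTINGS='smtpd_banner = $myhostname ESMTP
smtpd_tls_security_level = may
smtp_tls_security_level = may
tls_preempt_cipherlist = yes
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/letsencrypt/live/web.ite.lat/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/web.ite.lat/privkey.pem
smtpd_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtpd_tls_ciphers = high'

# Stand-alone demo; on a real host run:  postconf -n | lint_postfix_tls
echo "== settings as in the original paste =="
lint_settings "$ORIGINAL_SETTINGS" || echo "-> exit 1: fix the WARN lines before going live"
echo "== corrected settings =="
lint_settings "$CORRECTED_SETTINGS" && echo "-> exit 0: only informational findings"
```

The INFO finding stays on the corrected configuration on purpose: it is the trade-off the configuration above chose, not a mistake, and the lint should keep reminding you of it.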

+ To run a complete STARTTLS handshake with the MTA do: (optional)

$ openssl s_client -connect mail.ite.lat:25 -starttls smtp
    (look at the "Protocol", "Cipher" and "Verify return code" lines of the output; note that
     "Verify return code" covers the chain only, the server name is not checked unless you add
     -verify_hostname mail.ite.lat)

+ You can enable STARTTLS log details with these settings to see which emails are
    sent/received encrypted: (optional, for debugging)

$ sudo vim /etc/postfix/main.cf
    - smtp_tls_loglevel = 1
    - smtpd_tls_loglevel = 1

+ To test your Postfix MTA over SMTP you can use a text-based MUA for sending/receiving email
  and the following online SMTP test tools. (Alpine will be used as the MUA)

$ sudo yum install alpine
$ alpine

    + Configure Alpine with your MTA info:
    - SETUP (S) -> Config (C)
        - Personal Name         =   Meme delaTower
        - User Domain           =   ite.lat
        - SMTP Server           =   mail.ite.lat
          (append /tls, i.e. mail.ite.lat/tls, to make Alpine insist on STARTTLS)

+ Perform the following tests on your secured MTA.

    + SMTP receiver test
        - http://www.checktls.com/perl/TestReceiver.pl
    + SMTP sender test
        - http://www.checktls.com/perl/TestSender.pl