API tools faq
paste
Advertisement
mdelatorre

Configure Lets Encrypt Cert in Postfix

mdelatorre
Sep 28th, 2016
646
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Bash 4.46 KB | None | 0 0
raw download clone embed print report
  1. Configure Lets Encrypt Cert in Postfix in a RHEL7 server
  2. ============================================================================================
  3.  
  4. 1. Install Apache Web Server
  5. --------------------------------------
  6.  
  7. $ sudo yum groupinstall -y "Web Server"
  8. $ sudo vim /etc/hosts
  9.     - add: 1.2.3.4 host.example.com example.com
  10. $ sudo vim /etc/hostname
  11.     - add: host.example.com
  12. $ sudo vim /etc/httpd/conf/httpd.conf
  13.     - set the ServerName directive in the /etc/httpd/conf/httpd.conf file
  14. $ sudo vim /etc/httpd/conf.d/ssl.conf
  15.     - set the ServerName directive in the /etc/httpd/conf.d/ssl.conf file
  16. $ sudo hostname -f /etc/hostname
  17. $ sudo systemctl enable httpd
  18. $ sudo systemctl start httpd
  19.  
  20. + Open port 80 and 443 in AWS firewall rules in your AWS/EC2 instance console
  21.  
  22. + Make sure you have installed the latest version of OpenSSL in your server.
  23. $ sudo yum update openssl
  24.  
  25. + Tune Apache 2.4 TLS configuration
  26. $ sudo vim /etc/httpd/conf.d/ssl.conf
  27.     - SSLProtocol TLSv1.2
  28.     - SSLHonorCipherOrder On
  29.     - SSLCipherSuite "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES128:RSA+AESGCM!aNULL:!MD5:!DSS:!LOW:!MEDIUM"
  30.     - Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
  31.     - Header always set X-Frame-Options DENY
  32.     - Header always set X-Content-Type-Options nosniff
  33.     # Requires Apache >= 2.4
  34.     - SSLCompression off
  35. $ sudo apachectl restart
  36.  
  37. 2. Install Lets Encrypt CA - CertBot
  38. --------------------------------------
  39.  
  40. $ sudo yum-config-manager --enable rhui-REGION-rhel-server-extras
  41. $ sudo yum-config-manager --enable rhui-REGION-rhel-server-optional
  42. $ sudo yum repolist all
  43. $ wget https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
  44. $ sudo rpm -Uvh epel-release-latest-7*.rpm
  45. $ sudo yum install python-certbot-apache
  46. $ sudo certbot --apache
  47.  
  48. + Your certificate and chain have been saved at /etc/letsencrypt/live/<domain>
  49. + Lets encrypt certificates expire 90 days after they were issue.
  50. + To obtain a new or tweaked version of this certificate in the future,
  51.     simply run certbot again with => certbot --apache certonly
  52. + To non-interactively renew *all* of your certificates,
  53.     run with => certbot renew --dry-run
  54. + If that appears to be working correctly, you can arrange for automatic renewal
  55.     by adding a cron or systemd job which runs the
  56.     following => certbot renew --quiet
  57.  
  58. 3. Install Postfix
  59.  
  60. $ sudo yum install postfix
  61. $ sudo /etc/postfix/main.cf
  62.     - myhostname = host2.ite.lat
  63.     - mydomain = ite.lat
  64.     - myorigin = $mydomain
  65.     - inet_interfaces = $myhostname, localhost
  66.     - mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain,
  67.                       mail.$mydomain, web.$mydomain
  68.     - mynetworks = 127.0.0.0/8, 172.31.42.125, 52.43.65.253, 192.100.230.21
  69.     - smtpd_banner = host ESMTP Sendmail 2.1
  70.     - smtpd_use_tls= yes
  71.     - smtp_use_tls = yes
  72.     - tls_preempt_cipherlist = yes
  73.     - smtpd_tls_security_level = may
  74.     - smtpd_tls_auth_only = yes
  75.     - smtpd_tls_cert_file=/etc/letsencrypt/live/web.ite.lat/fullchain.pem
  76.     - smtpd_tls_key_file=/etc/letsencrypt/live/web.ite.lat/privkey.pem
  77.     - smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
  78.     - smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
  79.     - smtpd_tls_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1
  80.     - smtpd_tls_ciphers = high
  81.     - smtpd_tls_mandatory_ciphers = high
  82.     - smtp_tls_ciphers = high
  83.     - smtp_tls_mandatory_ciphers = high
  84.     - tls_high_cipherlist = ECDH+aRSA+AES256:ECDH+aRSA+AES128:AES256-SHA:AES128+EECDH:AES128+EDH
  85.  
  86.  $ sudo postfix stop
  87.  $ sudo postfix start
  88.  
  89. + To run a complete STARTTLS handshake with the MTA do: (optional)
  90.  
  91. $ openssl s_client -connect mail.ite.lat:25 -starttls smtp
  92.  
  93. + You can enable STARTTLS log details with these settings to see which emails are
  94.     sent/received encrypted: (optional for debugging)
  95.  
  96. $ sudo /etc/postfix/main.cf
  97.     - smtp_tls_loglevel = 1
  98.     - smtpd_tls_loglevel = 1
  99.  
  100. + To test your Postfix MTA with SMTP you can use a text user interface MUA for send/receiving email
  101.   and the following online SMTP test tools. (Alpine will be used as the MUA)
  102.  
  103. $ sudo yum install alpine
  104. $ alpine
  105.  
  106.     + Configure Alpine with your MTA info:
  107.     - SETUP (S) -> Config (C)
  108.         - Personal Name         =   Meme delaTower
  109.         - User Domain           =   ite.lat
  110.         - SMTP Server           =   mail.ite.lat
  111.  
  112. + Perform the following test on your secured MTA.
  113.  
  114.     + SMTP receiver test
  115.         - http://www.checktls.com/perl/TestReceiver.pl
  116.     + SMTP sender test
  117.         - http://www.checktls.com/perl/TestSender.pl
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!