Debian User Forums

[kedaha]

For my email system I'm currently using self-signed certificates. In spite of this, email works perfectly but I have also configured spf, dkim and dmarc, not without a lot of trial and error, I might add.

Although I'm not satisfied with the self-signed certificate neither do I wish to acquire paid certificates. For my domains I use Letsencrypt certificates; I've also tried to use them for my email but afterwards, although they seem to work and are recognised elsewhere, I've been unable to connect to the database on login to both Round Cube and Squirrelmail; but that's another story.

Another option is to use a self-signed certificate with its own public key infrastructure (PKI) by means of the easy-rsa package. Either that or use CAcert.

I think I'll never spend my hard-earned money on a paid certificate but I'd very much like to hear your comments, whether you use paid or unpaid certificates, about the Email Certificate business and certificates for domains.

Thank you.

[reinob]

For my email system I'm currently using self-signed certificates. In spite of this, email works perfectly but I have also configured spf, dkim and dmarc, not without a lot of trial and error, I might add.

Although I'm not satisfied with the self-signed certificate neither do I wish to acquire paid certificates. For my domains I use Letsencrypt certificates; I've also tried to use them for my email but afterwards, although they seem to work and are recognised elsewhere, I've been unable to connect to the database on login to both Round Cube and Squirrelmail; but that's another story.

Another option is to use a self-signed certificate with its own public key infrastructure (PKI) by means of the easy-rsa package. Either that or use CAcert.

I think I'll never spend my hard-earned money on a paid certificate but I'd very much like to hear your comments, whether you use paid or unpaid certificates, about the Email Certificate business and certificates for domains.

Thank you.

I use letsencrypt for my two domains (plus a number of subdomains) with apache, dovecot, postfix and the znc irc bouncer. I'm pretty happy with and all works like a charm.

[kedaha]

I use letsencrypt for my two domains (plus a number of subdomains) with apache, dovecot, postfix and the znc irc bouncer. I'm pretty happy with and all works like a charm.

Hi reinob. How did you do the apache, dovecot and postfix part? I've found what looks like a good recipe for my set up here.

[reinob]

@kedaha,

In Apache (at each of the virtual host definitions, here the example with "bbmk.org")

Code: Select all

      SSLCertificateFile      /etc/letsencrypt/live/bbmk.org/fullchain.pem
      SSLCertificateKeyFile   /etc/letsencrypt/live/bbmk.org/privkey.pem


In Dovecot (also for bbmk.org):

Code: Select all

ssl_cert = </etc/letsencrypt/live/bbmk.org/fullchain.pem
ssl_key = </etc/letsencrypt/live/bbmk.org/privkey.pem


In Postfix (main.cf, also for bbmk.org):

Code: Select all

smtp_tls_cert_file=/etc/letsencrypt/live/bbmk.org/fullchain.pem
smtp_tls_key_file=/etc/letsencrypt/live/bbmk.org/privkey.pem

smtpd_tls_cert_file=/etc/letsencrypt/live/bbmk.org/fullchain.pem
smtpd_tls_key_file=/etc/letsencrypt/live/bbmk.org/privkey.pem


The rest is just making sure that letsencrypt (certbot) runs once or twice every day..
In my case the cronjob does:

Code: Select all

certbot -q renew --post-hook /root/bin/letsencrypt-renewal.hook


The hook script does:

Code: Select all

#!/bin/sh
/usr/sbin/apache2ctl graceful
/usr/sbin/dovecot reload
/usr/sbin/postfix reload


(it also does the ZNC part, which is a bit trickier and not relevant here)

I hope this helps. If you need help with the actual running of certbot to renew the certificates (I use the apache method but without letting it touch the configuration, I prefer to do it myself -- see above).

Cheers.

[kedaha]

Many thanks reinob, and especially for the cronjob bit; I've just tried it at one of those sites checktls.com that checks email certificates and in Thunderbird; it works perfectly.

I had entered the configuration in dovecot and postfix before but was then unable to access my email in either roundcube or squirrelmail but I'd simply forgotten to put my own domain name in one of the paths but comparing it with the configuration you posted I saw the omission.

When Letsencrypt first came out, I read that it wasn't for email but evidently it does the job OK.

Cheers!!

[kedaha]

Finally, the problem is solved of how to use a Letsencrypt (LE) certificate for both a webserver and mail server with SSL on the same machine, with only one IP address. If you use a LE certificate for a virtual domain website, this would be incompatible with using a self-issued certificate for the email server on the same host, but I finally got ssl working after finding a definitive configuration at lets-encrypt-postfix-and-dovecot; except that my configuration contains a very small change from the one given for dovecot there.

Code: Select all

# don't allow non-TLS connections for IMAP or SASL
ssl = required
disable_plaintext_auth = yes
 
# path to the certificate file, should be root:root and 0444
ssl_cert = </etc/letsencrypt/live/example.com-0001/fullchain.pem
 
# path to the private key file, should be root:root and 0400
ssl_key = </etc/letsencrypt/live/example.com-0001/privkey.pem

I incorporated the configuration from the referenced howto to /etc/postfix/main.cf.
The result is brilliant; emails can now be sent, for example to gmail without them appearing as unencrypted with a red padlock icon thanks to Letsencrypt! However —unless I can find a workaround—I can at present only use Letsencrypt for my primary domain web site, which is itself a virtual domain, and the email for this domain because it's named first in the LE certificate (which includes all the others). So an email sent from the other virtual domains goes unencrypted. However, since the main website and email were for work, the main problem is solved; who wants buy an expensive licence from a certificate authority? I certainly don't.

[kedaha]

Mission accomplished! Even though more configuration was needed. I thought it would only work for my primary domain but I've solved my problem of making one LE certificate valid for multiple virtual hosts in /var/www/ (domains), sharing only one IP address on a dedicated server which doubles as a web server by using the Letsencrypt command like this:

Code: Select all

# certbot certonly --webroot -w /var/www/letsencrypt/ -d example.com -d www.example.net -d example.org

But I simulated it first with:

Code: Select all

# certbot certonly --dry-run --expand --webroot -w /var/www/letsencrypt/ -d example.com -d www.example.net -d example.org

Note that the directory which I named "letsencrypt" could have any name. But it's not quite so simple as just running a command; it was also necessary to configure apache for the "well-known acme challenge" otherwise the above commands fail. And if you've already set up letsencrypt another way, then the resulting certificate won't work with the other domains in virtual hosts; at least that was my experience.

To conclude:

1. Can Letsencrypt (LE) certificates be used for sending email? The answer is, they can for TLS - standard encryption. See, for example Email encryption in transit for a summary.

2. Can LE certificates be used for email originating from multiple virtual hosts like: example.com, example.org, example.net with only ONE IP address? Again, the answer is yes.

When I set up an email system on a my dedicated server, I certainly had many doubts as to whether this was in fact possible, especially when emails got flagged on receipt by gmail with the garish, open red padlock meaning no encryption, which was annoying and doesn't exactly inspire confidence when used for business. Similarly, when entering account details in Thunderbird, up came a dissuasive pop-up against using such an insecure account too.

But now, using Letsencrypt, at least emails are hailed with a small, dull grey padlock for standard encryption when received by a gmail account while the prettier, green padlock, is reserved for S/MIME enhanced encryption. And Thunderbird also accepts the LE Certificate OK.

I hope this post makes it clear that one LE certificate works for both a web server and an email server with multiple virtual hosts on the same machine sharing only one IP address. I too had read a lot of confusing contradictory documentation and forum posts but was fortunate to come across this howto: lets-encrypt-postfix-and-dovecot, and also csware's post at github.com/diafygi/acme-tiny/issues/79 and subsequent comments.

...if one put this outside a virtualhost (e.g., in /etc/apache2/conf-enabled/le.conf on debian), it can be used as a single location for ALL virtual hosts

Quod erat demonstrandum: So I did exactly that, i.e, put the definition in /etc/apache2/conf-enabled/le.conf, ran a2enconf and indeed "it can be used as a single location for ALL virtual hosts." It worked!

Finally, I might add that the question whether to use a no-cost LE certificate or a paid one is a no-brainer; standard encryption seems good enough to me; the only other alternatives are either self-issued or CAcert's. But it's a shame that isn't even recognised in Firefox.without the rigmarole of importing it into the browser.

Thank you for reading this

[kedaha]

An update to my rather lengthy topic, which I hope may be of interest even to users who haven't set up their own mail server.

OK. So with everything set up properly, not only the certificate from letsencrypt (LE), 100% according to, for example, checktls.com, which outputs the following (where I've substituted illustrative domain names and shortened the list).

Code: Select all

[000.127]       Connected to server
[000.430]    <--     220 server.example.com ESMTP Postfix (Debian/GNU)
[000.431]       We are allowed to connect
[000.431]     -->    EHLO checktls.com
[000.555]    <--     250-server.example.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
[000.555]       We can use this server
[000.555]       TLS is an option on this server
[000.555]     -->    STARTTLS
[000.677]    <--     220 2.0.0 Ready to start TLS
[000.677]       STARTTLS command works on this server
[000.945]       SSLVersion in use: TLSv1.2
[000.945]       Cipher in use: ECDHE-RSA-AES128-SHA256
[000.945]       Connection converted to SSL
[000.949]       

Certificate 1 of 3 in chain:
serialNumber= xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:x
subject= /CN=example.com
issuer= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3

[000.950]       

Certificate 2 of 3 in chain:
serialNumber= xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:x
subject= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
issuer= /O=Digital Signature Trust Co./CN=DST Root CA X3

[000.951]       

Certificate 3 of 3 in chain:
serialNumber= xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:x
subject= /O=Digital Signature Trust Co./CN=DST Root CA X3
issuer= /O=Digital Signature Trust Co./CN=DST Root CA X3

[000.952]       Cert VALIDATED:
[000.952]       Cert Hostname VERIFIED (example.com = example.com | DNS:example.net | DNS:example.com | DNS:example.org [blahblahblah])
[000.952]     ~~>    EHLO checktls.com
[001.075]    <~~     250-server.example.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
[001.075]       TLS successfully started on this server
[001.075]     ~~>    MAIL FROM:<test@checktls.com>
[001.208]    <~~     250 2.1.0 Ok
[001.208]       Sender is OK
[001.209]     ~~>    RCPT TO:<user@example.com>
[001.341]    <~~     250 2.1.5 Ok
[001.341]       Recipient OK, email address proofed
[001.341]     ~~>    QUIT
[001.462]    <~~     221 2.0.0 Bye

All very fine and dandy. However, not so when an email is sent to a hotmail account when it gets blocked immediately. The undelivered message returns:

This is the mail system at host server.example.com.

I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to postmaster.

If you do so, please include this problem report. You can
delete your own text from the attached returned message.

The mail system

<recipient@hotmail.com>: host
hotmail-com.olc.protection.outlook.com[104.44.194.234] said: 550 SC-001
(SNT004-MC8F2) Unfortunately, messages from xx.xxx.xxx.xxx weren't sent.
Please contact your Internet service provider since part of their network
is on our block list. You can also refer your provider to
http://mail.live.com/mail/troubleshooting.aspx#errors. (in reply to MAIL
FROM command)
Reporting-MTA: dns; server.example.com
X-Postfix-Queue-ID: XXXXXXXXXXX
X-Postfix-Sender: rfc822; user@example.com
Arrival-Date: Wed, 6 Sep 2017 23:18:04 +0200 (CEST)

Final-Recipient: rfc822; recipient@hotmail.com
Original-Recipient: rfc822;recipient@hotmail.com
Action: failed
Status: 5.0.0
Remote-MTA: dns; hotmail-com.olc.protection.outlook.com
Diagnostic-Code: smtp; 550 SC-001 (SNT004-MC8F2) Unfortunately, messages from
xx.xxxx.xxx.xxx weren't sent. Please contact your Internet service provider
since part of their network is on our block list. You can also refer your
provider to http://mail.live.com/mail/troubleshooting.aspx#errors.

No such problems with gmail, and I've yet to try others like yahoo.
The server IP is not on any blacklists.
So I fired up my seldom-used "Windows 7" configured "Outlook" to use my emails, What I got was this:

The Certificate may be relied upon by Relying Parties and only in accordance with the Certificates Policy found at https://letsencrypt.org/repository

I was able to configure Outlook to use the email addresses but again, it was not possible to send an email to the hotmail address when it was blocked with a message similar to the above being generated.

Everywhere one sees unsecured email being used no doubt because people don't wish to fork out money for email certificates from existing providers.

There is, in my opinion, no point in contacting hotmail about this because, while email secured not only with Letsencrypt but also spf, dkim and dmarc gets blocked, no doubt much unsecured email does not.

The problem is that, if an email account secured with LE is used, for example, for customers with a hotmail account, then they cannot even receive replies to emails which they have sent.

Does this mean that one must therefore purchase an expensive security certificate? If you have customers who use hotmail accounts, then it looks like there's no choice unless it's clearly explained that they are blocked from receiving your email.

Email validated with spf, dkim and dmarc, which is more than enough to secure delivery, one might conclude, is cynically blocked because it has a free certificate which doesn't cost money. One hopes this is not the case.

For the love of money is the root of all evil

Thank you for reading.

[reinob]

Microsoft (and others as well) don't like it when a new random e-mail server (no reputation) talks to them. You can see that from the error code you got (550 SC-001): "Emails rejected by Outlook.com for policy reasons. Reasons for rejection may be related to content with spam-like characteristics or IP/domain reputation. If you are not an email/network admin please contact your Email/Internet Service Provider for help."

I've been through that (using a VPS with a fixed IP) and I don't recommend it. It takes time to build a "reputation" :)

For Microsoft, you need to join the Junk Mail Reporting Program (JMRP), which means you have to give some details about your server and sign a contract forcing you to deal with e-mails having been sent from your server to an outlook address and being marked as spam by users of outlook.

AFAIK I also had to do a similar dance with yahoo, freenet and possibly comcast as well.

It's a pity, but understandable, that because of spam e-mail is being concentrated on a few big players and the advantages of running your own e-mail server must be weighed against this.

This is however now off-topic within the off-topic TLS/SSL topic.
Google around, and if you need further help, please post here (or make a new topic in this area) and I'll try to go through the process.

[dilberts_left_nut]

The problem is that, if an email account secured with LE is used, for example, for customers with a hotmail account, then they cannot even receive replies to emails which they have sent.

Does this mean that one must therefore purchase an expensive security certificate? If you have customers who use hotmail accounts, then it looks like there's no choice unless it's clearly explained that they are blocked from receiving your email.

Email validated with spf, dkim and dmarc, which is more than enough to secure delivery, one might conclude, is cynically blocked because it has a free certificate which doesn't cost money. One hopes this is not the case.

It's probably just that the IP of your server isn't on their (own) list of addresses that they will receive mail from ("home server"? or a VPS in a "consumer" block?).

If you don't pass that test, the rest don't matter.

[kedaha]

Thanks again reinob for your reply. I thought I'd reached my target but now I see there are still obstacles. I wonder though why gmail accepts LE certificates; could this be because they back LE? I'll see what I can do. I'm not using a VPS but a small, inexpensive dedicated server with one static IP. It's a hobby but now I'd like to use it as part of my business. The LE certificate is fine for the website and works beautifully with all multiple domains but I can't afford to possibly lose any customers because they have a hotmail account. But there again, if I eventually get a paid certificate I think this might interfere with the LE one because both mail server and web server share the same IP. On principle wish to use LE not only to economize but because I support the project.
Thanks dilberts_l_n.
It's not a home server or VPS but a dedicated server with its own IP so I suppose in effect it's a sort of miniature, or rather, microscopic Internet service provider but I suspected that there'd be issues with the LE certificate. I think the email is not rejected as spam; I don't see how it could be rejected as spam when it has all three validation mechanisms in addition to the LE certificate and I've only sent a few emails. It's being blocked, in my view, because that's their policy which maybe is like the eucalyptus tree which doesn't tolerate other plant life in the area.

[dilberts_left_nut]

Your cert is irrelevant, as it's not used when sending mail, only to identify your server to SMTP clients and encrypt INCOMING traffic.

You are successfully making the SMTP connection to the hotmail server, (which is likely in plain text anyway, unless you've configured your SMTP client to use TLS) and subsequently getting the SMTP session rejected due to their (arbitrary) policies.

[reinob]

+1 for dilberts_left_nut above.

Maybe I'd just add: it doesn't make a difference (and there is none, really) whether you call your computer "home server" or "dedicated server" or "VPS" or "NAS" or whatever.

What matters is that big e-mail providers only want to deal with other big e-mail providers (i.e. who have "reputation"). It is a crude, simple, unfair yet effective way of reducing spam. Like blocking incoming mails from IPs considered to be dynamic.

So if you want to "play with the big boys" you have to play by their rules.

On top of that, you need to make sure that SPF, DKIM, DMARC and possibly use of SSL/TLS is properly in-place. These you have already taken care of. Now you need to deal with non-technical matters.

Note also that SSL/TLS on the smtp client side (port 25, i.e. server-to-server and not submission (587)) should always be a best-effort matter (encouraged but not enforced). Furthermore, certificates on server-to-server communications are usually not checked in detail. Even the default postfix configuration merely uses a self-signed ("snake-oil") certificate, which all (most?) servers in the world accept just fine.

I hope this (further) clarifies your issues!
Cheers and good luck.

[kedaha]

Your cert is irrelevant, as it's not used when sending mail, only to identify your server to SMTP clients and encrypt INCOMING traffic.

You are successfully making the SMTP connection to the hotmail server, (which is likely in plain text anyway, unless you've configured your SMTP client to use TLS) and subsequently getting the SMTP session rejected due to their (arbitrary) policies.

That's right; the SMPT connection's is configured to use TLS (STARTTLS), port 587
Thank you and reinob for the clarifications which are most helpful. Now that the system is up and running I can sit back a bit and study how it all works. I'll be studying all this over the next few days.

I can't help wondering though why paid certificates are so pricey...I suppose the idea is to pass the price on to the customer.

Cheers!

[reinob]

I can't help wondering though why paid certificates are so pricey...I suppose the idea is to pass the price on to the customer.

There's still a market, and a raison d'être, for expensive certificates, namely extended validation (EV) certificates, which also prove the identity of the certificate holder. They require, per definition, manual and thorough checking (at least I hope so! :), which justifies their price.

For standard letsencrypt-like certificates I can understand that running the infrastructure plus personnel, etc. means that it will necessarily cost *something*, plus whatever they want to win on top.

Letsencrypt is only free because it's sponsored by big companies. But this could change (they do keep asking for donations..).

Cheers.