User Tools

Site Tools


indexes:sasl-dovecot-postfix-ssl

Reason Why

I have for some time wanted to get hold of my private emails through my Nokia E90's embedded email client. I used to use the web interface but that sux on a E90. Instead I wanted to look for a way to use the actual email client on the phone. The email client supports POP3 and IMAP which are fine if you're not traversing a public network (aka The Internet). The two protocols are transmitting username and password in cleartext, and whatever email you read will also be move to the phone in cleartext. I don't want that!! :-)

As a happy OpenVPN user I would have loved to see a Symbian client, that would have made it very easy for me, but that doesn't exist :-(

Luckily the two protocols also has a SSL/TLS wrapped implementation (IMAPS and POP3S) which accomplishes the privacy part of my wishes. The only catch is that this requires certificates. Personally I like certificates very much, they offer a lot of security (correctly implemented of course) and can be used in so many places. This is not shared among many other people though ;-) For that reason I'll try to make it an easy ride as possible.

Word of caution: Don't use this as an enterprise solution, only for your private mail. If you loss your device all material on it will be accessible and in cleartext!!

Components used

I've chosen to use Dovecot as IMAP server and Postfix as my MTA. I'll get back to the Postfix part later.

You could choose to use any other IMAP server only the configuration would be different. Dovecot also has a sasl interface which Postfix can utilize making sending mail even easier.

Certificates

First lets start out by creating a self-signed certificate for dovecot:

openssl req -x509 -days 3650 -newkey rsa:1024 -keyout dovecot.key -nodes -out dovecot.crt

This command creates a self-signed certificate valid for 10 year. The private key (unencrypted) is in the file “dovecot.key” and the certificate is in “dovecot.crt”.

Now for the certificates for Postfix:

openssl genrsa 1024 > smtpd.key
openssl req -new -key smtpd.key -x509 -days 3650 -out smtpd.crt
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650
openssl req -new -key smtpd.key -x509 -days 3650 -out smtpd.crt

This will create a certificate for Postfix and a CA certificate lasting again 10 years.

For all the certificates it is vital that the common name (CN) is the name of the server you're connecting to. That is if you use a DNS name that is what you type, if you use an IP address that will be your common name.

Dovecot

Now edit dovecot.conf and insert the following to use your newly created certificates:

ssl_cert_file = /etc/dovecot/ssl/dovecot.crt
ssl_key_file = /etc/dovecot/ssl/dovecot.key

I've found out that my 3G provider doesn't allow 993/tcp through so I cannot get access from my phone. You change the port with this setting:

ssl_listen = *:5011

As we want to use SASL through Dovecot you need to insert this:

socket listen {
        client {
          path = /var/spool/postfix/private/auth
          mode = 0660
          user = postfix
          group = postfix
        }
      }

This will enable a SASL interface for Postfix. We need SASL to be able to send mail from the phone. We only allow the Postfix user/daemon to access this interface, but if you like you can remove that restriction and allow other programs access. By using Dovecot as authenticator we can reuse our IMAP user credentials.

Now just reload Dovecot:

sudo invoke-rc.d dovecot restart

Postfix

First we need to TLS enable Postfix. Insert the following in main.cf:

smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

We want to be able to relay mail external but not become an open relay (oooh no to many of them already!!). The problem is that the phone is not coming from a known network (mynetworks), so we have authenticate against Postfix before allowing relaying.

This is accomplished by inserting “permit_sasl_authenticated” into “smtpd_recipient_restrictions”:

smtpd_recipient_restrictions =
    ...
    ...
    permit_sasl_authenticated
    permit_mynetworks
    ....

To finish up the TLS configuration insert these lines:

smtpd_sasl_local_domain =
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtp_tls_security_level = may
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

And the final part, to get Postfix to look into dovecot as an SASL authenticator:

smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth

To get it all working bounce Postfix:

sudo invoke-rc.d postfix restart

Configure the Phone

Now all you need to do is point the mail client to your mail server with IMAPS (IMAP with SSL/TLS) and login.

For outgoing mail you point the phone again to the same server and enable authentication. Login is the same as the incoming mail configuration.

The first time you connect the phone complains that the certificate is not trusted. Check the info in the certificate and make sure it corresponds to the info you put in when you created them and accept permanently.

Now you should be able to send and receive mail from you phone.

indexes/sasl-dovecot-postfix-ssl.txt · Last modified: d/m/Y H:i by domingo