Secure Email Communication in iRedMail
How is iRedMail configured, and what can be changed if needed? Email access via IMAP/POP3 is handled by Dovecot; sending email via mail submission (SMTP AUTH) is handled by Postfix.
Overview
Protocol | Plain Text | STARTTLS | SSL/TLS Socket | Initiator |
---|---|---|---|---|
SMTP | 25 | 25 | - | MTA |
Submission | - | 587 | - | MSA |
POP3 | - | 110 | 995 (POP3S) | MUA |
IMAP | - | 143 | 993 (IMAPS) | MUA |
IMAP/POP3
iRedMail allows STARTTLS and SSL/TLS socket connections. Plain text communication is disabled by default for security reasons.
STARTTLS
iRedMail enforces STARTTLS on TCP ports 110 & 143. This is configured in /etc/dovecot/dovecot.conf:
ssl = required
...
disable_plaintext_auth = yes
Plain Text
iRedMail doesn't recommend allowing plain text communication, and neither do I. Anyway, you can change that in /etc/dovecot/dovecot.conf:

ssl = yes
...
disable_plaintext_auth = no

# or allow it only for some selected hosts
ssl = yes
...
disable_plaintext_auth = yes
remote 192.168.0.0/24 {
    disable_plaintext_auth = no
}
SSL/TLS Socket Connection
iRedMail allows IMAPS (993) and POP3S (995) communication by default. Personally I prefer this connection for better security.
Submission
iRedMail allows only STARTTLS for email submission on port 587. Plain text communication is disabled by default for security reasons. SSL/TLS socket connection is deprecated and shouldn't be used.
Plain Text
Do you need plain text submission for some reason? Don't use port 25 or 587! In this example we use port 10587 for plain text submission (note that master.cf does not allow whitespace inside -o values, so the restriction list is written without spaces):

# vi /etc/postfix/master.cf

10587     inet  n       -       n       -       -       smtpd
    -o smtpd_tls_security_level=may
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject

# service postfix reload

# telnet localhost 10587
Trying ::1...
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 mail.example.com ESMTP Postfix (Debian/GNU)
EHLO hello
250-mail.example.com
250-PIPELINING
250-SIZE 15728640
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
Firewall: don't forget to allow input/output traffic on port 10587. Check afterwards with telnet from a remote host!
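A scripted version of the telnet check above, added here as an example and not taken from the original post or from iRedMail: it parses the capability lines a Postfix smtpd returns to EHLO and reports whether STARTTLS is offered and whether SASL AUTH is advertised before TLS is negotiated, which is exactly what makes the 10587 listener a plain text submission port. The two banners are constructed samples (the second models the enforced-STARTTLS port 587 described above); probe() takes whatever host and port you point it at.

```python
import smtplib
from dataclasses import dataclass

# Constructed sample: EHLO reply of the plain text 10587 listener configured
# above (smtpd_tls_security_level=may, SASL on). AUTH is offered before TLS.
PLAINTEXT_LISTENER = """\
250-mail.example.com
250-PIPELINING
250-SIZE 15728640
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250 DSN"""

# Constructed sample modelled on smtpd_tls_security_level=encrypt (the 587
# listener above): Postfix withholds AUTH until STARTTLS has completed.
ENFORCED_LISTENER = """\
250-mail.example.com
250-PIPELINING
250-STARTTLS
250 DSN"""

@dataclass(frozen=True)
class Posture:
    starttls: bool
    plaintext_auth: bool   # SASL AUTH advertised on the unencrypted channel
    auth_mechs: tuple

def parse_ehlo(banner: str) -> dict:
    """'250-KEYWORD params' lines -> {keyword: params} with lower-case keys,
    the same shape smtplib stores in esmtp_features. Line 1 is the hostname."""
    feats = {}
    for line in banner.splitlines()[1:]:
        keyword, _, params = line[4:].partition(" ")
        if "=" in keyword:          # skip the legacy 'AUTH=PLAIN LOGIN' duplicate
            continue
        feats[keyword.lower()] = params
    return feats

def assess(feats: dict) -> Posture:
    mechs = tuple(feats.get("auth", "").split())
    return Posture("starttls" in feats, bool(mechs), mechs)

def probe(host: str, port: int, timeout: float = 10.0) -> Posture:
    """Live check against a real listener (needs network access)."""
    with smtplib.SMTP(host, port, timeout=timeout) as s:
        code, _ = s.ehlo()
        if code != 250:
            raise RuntimeError(f"EHLO refused: {code}")
        return assess(s.esmtp_features)
```

Run probe() once against the new port from a remote host and once against 587: the first should report plaintext_auth=True, the second False.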
SSL/TLS Socket Connection
If you insist on using an SSL/TLS socket connection for submission on port 465, this document can help you: Enable SMTPS service (SMTP over SSL, port 465)
SMTP
iRedMail allows Plain Text and STARTTLS communication on port 25 for MTAs. Plain Text is a must, as many MTAs are not able to communicate with STARTTLS. Allowing both Plain Text and STARTTLS communication for MTAs is called opportunistic TLS. If an MTA is configured to use TLS it tries STARTTLS and falls back to Plain Text if the other side doesn't offer it.
SSL/TLS Certificate
iRedMail installs a self-signed certificate. Nothing is wrong with that, except that users will get annoying messages about an invalid certificate. This happens for IMAP, POP3, Submission and HTTPS, and users must accept this certificate at least once for every service on every device. That's not user friendly...
You can get very cheap SSL/TLS certificates on the market, and in the near future you will even get them for free at letsencrypt.org. One certificate is valid for all iRedMail services: webserver, Postfix and Dovecot. Installation is not too difficult: Use a bought SSL certificate.