完全な仮想メールサーバ/SSL 証明書

This page is a translated version of the page Complete Virtual Mail Server/SSL Certificates and the translation is 43% complete.

Other languages:

はじめに

セキュリティとプライバシーがますます重要な問題となった今、サーバを安全に保つために SSL を使用することは頭を悩ませるような問題ではなくなっているようです。Apache、Courier-imap、そして postfix はどれも、SSL を使用して安全にすることができます。

SSL のインストール

SSL は多くのパッケージにとってコンパイル時オプションの依存になっています。dev-libs/openssl が要であり、ssl USE フラグによってインストールされているはずです。もし以前に設定されていない場合は、フラグを有効化して、それを使用するすべてのパッケージを更新してください:

root #emerge --newuse @world

SNI

単一の IP 上で複数のドメインを使用するときに発生する問題がいくつかあります。Apache は、単一 IP 上に複数の証明書を持たせることができる SNI を使用することで、この問題を解決しています。ただし、ブラウザとサーバの両方がこれに対応している必要があります。IMAP も (POP3 も) SMTP も、これにあまり対応しているとは言えません。単一 IP 上で複数のホストに対応する唯一の方法は、すべてのドメインをカバーする証明書を持たせることです。美しくはありませんが、機能はします。

SSL 証明書の取得

There are currently 2 and a half ways to obtain an SSL certificate. Purchase a certificate from one of the reputable providers is an option. Using a self-signed certificate can also be done, though may have implications with warnings on users clients. The half option, which is the recommended option when not using a bought certificate is using a certificate from cacert.org. They are working hard on getting their certificate included into the main browsers and operating systems, but most of all, it is free and gratis.

自己署名

多くのアプリケーションは自己署名の証明書をあらかじめ生成し、/etc/ssl にインストールすることがよくあります。新しい自己署名証明書は OpenSSL を使用して簡単に作成することができます:

root #mkdir -p /etc/ssl/postfix/

root #cd /etc/ssl/postfix/

root #/etc/ssl/misc/CA.pl -newca

root #/etc/ssl/misc/CA.pl -newreq-nodes

root #/etc/ssl/misc/CA.pl -sign

This should have created three files: /etc/ssl/postfix/newkey.pem, /etc/ssl/postfix/newreq.pem, /etc/ssl/postfix/newcert.pem and it's accompanying CA Root certificate /etc/ssl/postfix/demoCA/cacert.pem. It is probably advised to rename them to something more logical.

CACert.org による署名

CACert.org offers a simple script to assist with generating SSL certificates. The csr script should be downloaded and executed. In this example, the mail server will be called imap but will have aliases configured in DNS for mail, pop, pop3, pop3s, imaps and foo. More can be added of course as fit. Note that foo was added because that is the name of the system offering the imap service. It is not named foo because the postfix or web or any other server is named foo.

user $sh csr

Private Key and Certificate Signing Request Generator
This script was designed to suit the request format needed by
the CAcert Certificate Authority. www.CAcert.org
 
Short Hostname (ie. imap big_srv www2): foo
FQDN/CommonName (ie. www.example.com) : foo.example.com
Type SubjectAltNames for the certificate, one per line. Enter a blank line to finish
SubjectAltName: DNS:mail.example.com
SubjectAltName: DNS:smtp.example.com
SubjectAltName: DNS:smtps.example.com
SubjectAltName: DNS:imap.example.com
SubjectAltName: DNS:imaps.example.com
SubjectAltName: DNS:pop.example.com
SubjectAltName: DNS:pop3.example.com
SubjectAltName: DNS:pop3s.example.com
SubjectAltName: DNS:mail.example.net
SubjectAltName: DNS:imap.example.net
SubjectAltName: DNS:imaps.example.net
SubjectAltName: DNS:pop.example.net
SubjectAltName: DNS:pop3.example.net
SubjectAltName: DNS:pop3s.example.net
SubjectAltName: DNS:
Running OpenSSL...
Generating a 2048 bit RSA private key
.................+++
..................................+++
writing new private key to '/root/imap.example.com_privatekey.pem'
-----
Copy the following Certificate Request and paste into CAcert website to obtain a Certificate.
When you receive your certificate, you 'should' name it something like foo.example.com_server.pem
 
-----BEGIN CERTIFICATE REQUEST-----
MIIDHTsdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfsdfasdf
<snip>
asdfasdfasdfasdfasdfasdfasdfasdfasdfasdfpyqT
-----END CERTIFICATE REQUEST-----
 
 
The Certificate request is also available in /root/foo_csr.pem
The Private Key is stored in /root/foo_privatekey.pem

This has generated a certificate sign request, which can be used by any root CA to sign with, not only CACert.org. In the case of CACert.org however, under Server Certificates there is a link named New which opens an edit box for the above certificate request. The bit including -----BEGIN CERTIFICATE REQUEST----- until, including -----END CERTIFICATE REQUEST----- needs to be pasted into the edit field and then submitted via the submit button. The server will then verify the request and upon that generate the certificate. The certificate then needs to be copied and pasted, including the BEGIN and END markers again into a new file, named foo.example.com_crt.pem. A link to the certificate will also be e-mailed to the e-mail address bound to the ca-cert.org account.

root #cat > foo.example.com_crt.pem

-----BEGIN CERTIFICATE-----
MIIGhzClkjhlkjhlkjhkljhkljhkljhkljhkljhkljhlkjhkljhkljhlkjhkljhk
<snip>
kljhlkjhkljhlkjhlkjhlkjhkljhkljhlkjhlkjhkljhk==
-----END CERTIFICATE-----

This should leave 3 files, foo.example.com_[privatekey, csr, crt].pem. This will also be the naming convention followed during the rest of this document.

メモ
Before requesting a certificate an account must be created on CAcert website. Once logged in, the domain name for the certificate must be registered. After the registration is completed, the certificate request can be pasted in the Server Certificates (New) page.

Apache

Setting up Apache is already very well described elsewhere and yields a working SSL enabled webserver. Postfixadmin, if used externally, should ideally be secured such that it only works over https. Roundcube or webmail in general, can also be setup to be secured by SSL, but should or can be still open to plain HTTP.

Roundcube has one nice option for this however, to force all incoming requests over HTTPS. This means that when a users opens http://webmail.example.com, he will get immediately redirected to https://webmail.example.com. If using a proper SSL certificate this is strongly recommended. When using a self-signed certificate, or a CA-cert.org certificate that does not have the root installed to all users, this should remain off however.

ファイル /var/www/webmail.example.com/htdocs/roundcube/config/main.inc.phphttps を強制する

$rcmail_config['force_https'] = true;

Courier-imap

If anything, securing IMAP with SSL is extremely recommended. Using a secure connection for IMAP, means that if the password is sent in plain text, this is still done over the secured IMAP connection so no security issue comes up.

自己署名証明書の作成

Courier-imap comes with two easy scripts to generate self-signed SSL certificates, mkpop3dcert and mkimapdcert. These scripts parse /etc/courier-imap/pop3d.cnf and /etc/courier-imap/imapd.cnf respectively. It may be an idea to first use self-signed certificates and then swap those out for signed certificates as it can make testing a little bit easier. If self-signed certificates are a must, edit the aforementioned files, otherwise the defaults will suffice.

root #mkpop3dcert

root #mkimapdcert

警告
Currently, as mentioned in gentoo bug #251047, config files use an incorrect format and thus an error may occur. See the bug for more details.

メモ
The two generated certificates are named /etc/courier-imap/pop3d.pem and /etc/courier-imap/imapd.pem. If self-signed certificates are insisted upon, the default paths in the config files pointing to these files should be checked as mentioned below.

CACert.org の証明書を用いる

The mkimapdcert script creates a self-signed certificate and combines them into one file as Courier-imap does actually not use the three separate files as most applications do and needs them specially formatted.

The file starts with the private key.

メモ
If no courier-imap directory exists in /etc/ssl, it needs to be manually created.

root #mkdir -p /etc/ssl/courier-imap/

root #cat foo.example.com_privatekey.pem > /etc/ssl/courier-imap/foo.example.com.pem

This then is followed by the signed certificate:

root #cat foo.example.com_crt.pem >> /etc/ssl/courier-imap/foo.example.com.pem

And to the end, Diffie-Hellman parameters are added:

root #openssl gendh 1024 >> /etc/ssl/courier-imap/foo.example.com.pem

The resulting file should have a contents like this:

ファイル /etc/ssl/courier-imap/foo.example.com.pemimap certificate

SSL の設定

As noted above, the certificate entails both pop3 as imap hostnames and it is thus assumed pop3 and imap are running on the same IP/host. This is not required however, pop3 could be very well a different machine with the same (not advised) or its own certificate.

POP3

ファイル /etc/courier-imap/pop3d-sslConfigure certificate

##NAME: POP3DSSLSTART:0
POP3DSSLSTART=YES
 
##NAME: TLS_CERTFILE:0
TLS_CERTFILE=/etc/ssl/courier-imap/foo.example.com.pem

Starting this server should allow pop3 to work through SSL:

root #/etc/init.d/courier-pop3d-ssl restart

IMAP

ファイル /etc/courier-imap/imapd-sslConfigure certificate

##NAME: IMAPDSSLSTART:0
IMAPDSSLSTART=YES
 
##NAME: TLS_CERTFILE:0
TLS_CERTFILE=/etc/ssl/courier-imap/foo.example.com.pem

Starting this server should allow imap to work through SSL:

root #/etc/init.d/courier-imapd-ssl restart

Testing SSL

Testing becomes more difficult, as telnet can not be used anymore. The best option is to start up a mail-client such as thunderbird, configure a normal connection first to verify everything works, which should as telnet worked properly before and then enable the SSL option for the account and see if it is still working. The default imap-ssl port is 993. STARTTLS can be checked whether it is enabled only, via telnet, by checking for the STARTTLS Capability.

メモ
Some email clients are not complete in the TLS implementation, to help these clients out you can change the value of TLS_STARTTLS_PROTOCOL in /etc/courier-imap/imapd-ssl from TLS1 to SSL3.

If SSL secured services now work as expected, they can be added to the default runlevel:

root #rc-update add courier-pop3d-ssl default

root #rc-update add courier-imapd-ssl default

メモ
As mentioned before, only add pop3 if it is really needed.

Securing SMTP with SSL

The certificates for use with postfix should be stored in /etc/ssl/postfix/ or if using the same certificates as with courier-imap they should be stored in /etc/ssl/postfix/. If using CACert.org, then its root certificate needs to be used. Gentoo pre-installs the CACert.org root certificate and should be used.

ファイル /etc/postfix/main.cfCertificate configuration for SMTP

# SSL Authentication
smtpd_tls_security_level = may
smtpd_tls_auth_only = no
smtpd_tls_loglevel = 3
smtpd_tls_key_file = /etc/ssl/postfix/foo.example.com_privatekey.pem
smtpd_tls_cert_file = /etc/ssl/postfix/foo.example.com_crt.pem
smtpd_tls_CAfile = /etc/ssl/certs/cacert.org_root.pem
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

メモ
For debugging purposes smtpd_tls_loglevel has been increased to 3. Also smtpd_tls_auth_only # no means users (and webmail) can still log in insecurely. Putting this option to yes forces all clients to use only authenticated connections.

メモ
The CaCert file is renamed in /etc/ssl/certs/cacert.org_root.pem, it used to be named as /etc/ssl/certs/cacert.org.pem.

Now STARTTLS can be used to use an authenticated connection over port 25. SSL/TLS support on port 465 (smtps) however should be enabled as well. Courier-imap did this automatically, postfix needs a change to master.cf:

ファイル /etc/postfix/master.cfEnable smtps support

smtps     inet  n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes

Restart postfix to start the SSL secured daemons:

root #/etc/init.d/postfix restart

テスト

Telnet can only be minimally used for testing. Actually it can only be used to verify supported options. STARTTLS should be listed as one of the supported options:

user $telnet foo.example.com 25

220 foo.example.com ESMTP Postfix
EHLO example.com
250-mail.example.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
quit
221 2.0.0 Bye
Connection closed by foreign host.

To test if all connections work as wanted, a recent version of Thunderbird works best. When adding a new account, Thunderbird will try to connect using STARTTLS on the default port. If that would fail, or if a manual connection is tried, it's possible to use SSL/TLS via the 993 and 465 ports and hit the re-test button. This should allow the account to be created using secure connections.

Securing server-to-server connections

Postfix can try to use secure connections for sending mails to other SMTP servers. Although it may not be supported by all servers, it makes sense to activate it.

ファイル /etc/postfix/main.cfTry to use TLS for transferring mails

# Enable TLS for sending mails if supported by other server
smtp_tls_security_level = may
smtp_tls_CApath = /etc/ssl/certs
smtp_tls_loglevel = 3

メモ
For debugging purposes smtp_tls_loglevel has been increased to 3. smtp_tls_security_level can be set to "encrypt" to only send mails over TLS connections. But this is not recommended, because many mail servers on the internet do not support TLS at all or are not compatible.

Restart postfix afterwards:

root #/etc/init.d/postfix restart

To test if it works, a mail can be sent to an address, which uses a server that supports TLS. The log should then contain a line like this:

user $tail -n 10 /var/log/mail/mailinfo.log

...
postfix/smtp[15209]: Trusted TLS connection established to mx.example.com[x.x.x.x]:25: TLSv1 with cipher AES256-SHA (256/256 bits)
...

Wrapping it up

Once everything is working as expected, logging can be disabled again:

ファイル /etc/postfix/main.cfログ出力を無効化する

smtpd_tls_loglevel = 0
smtp_tls_loglevel = 0