
Question: How to get Postfix and Dovecot on SSL for multiple domains

octet

Basic Pleskian
Hi guys,

I've been trying to get Postfix and Dovecot to work on SSL, following various HowTos posted here on the forum, using the input from HERE:

Thought it's best to start my own post; hopefully we can get a proper, easy-to-follow tutorial on how to get this working.

So, I've chosen 1 domain to work with; once that works fine I will replicate it for the other domains.

Let's start with my current config files:

master.cf

Code:
cleanup   unix  n       -       n       -       0       cleanup
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       n       -       -       smtp
relay     unix  -       -       n       -       -       smtp
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
retry     unix  -       -       n       -       -       error
discard   unix  -       -       n       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
scache    unix  -       -       n       -       1       scache

plesk_virtual unix - n n - - pipe flags=DORhu user=popuser:popuser argv=/usr/lib64/plesk-9.0/postfix-local -f ${sender} -d ${recipient} -p /var/qmail/mailnames
mailman unix - n n - - pipe flags=R user=mailman:mailman argv=/usr/lib64/plesk-9.0/postfix-mailman ${nexthop} ${user} ${recipient}
pickup fifo n - n 60 1 pickup
plesk_saslauthd unix y y n - 1 plesk_saslauthd status=5 listen=6 dbpath=/var/spool/postfix/plesk/passwd.db
qmgr fifo n - n 1 1 qmgr

##########
# spam/virus section - SAGATOR
127.0.0.1:26 inet n - n - 30 smtpd
    -o content_filter=
    -o myhostname=localhost
    -o local_recipient_maps=  -o relay_recipient_maps=
    -o mynetworks=127.0.0.0/8  -o mynetworks_style=host
    -o smtpd_restriction_classes=  -o smtpd_client_restrictions=
    -o smtpd_helo_restrictions=  -o smtpd_sender_restrictions=
    -o smtpd_data_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
    -o smtpd_use_tls=no

#smtp inet n - n - - smtpd
localhost:smtp inet n - - - - smtpd
    -o smtpd_tls_key_file=/usr/local/psa/var/modules/letsencrypt/etc/live/mail.cherciu.com/privkey.pem
    -o smtpd_tls_cert_file=/usr/local/psa/var/modules/letsencrypt/etc/live/mail.cherciu.com/fullchain.pem
    -o smtp_helo_name=cherciu.com
    -o myhostname=mail.cherciu.com
176.31.159.99:smtp inet n - - - - smtpd
    -o smtpd_tls_key_file=/usr/local/psa/var/modules/letsencrypt/etc/live/mail.cherciu.com/privkey.pem
    -o smtpd_tls_cert_file=/usr/local/psa/var/modules/letsencrypt/etc/live/mail.cherciu.com/fullchain.pem
    -o smtp_helo_name=cherciu.com
    -o myhostname=mail.cherciu.com

# smtps inet n - n - - smtpd -o smtpd_tls_wrappermode=yes
localhost:smtps   inet n - - - - smtpd
    -o smtpd_tls_wrappermode=yes
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    -o smtpd_sender_restrictions=check_sender_access hash:/var/spool/postfix/plesk/blacklists, permit_sasl_authenticated, check_client_access pcre:/var/spool/postfix/plesk/non_auth.re
    -o smtpd_tls_key_file=/usr/local/psa/var/modules/letsencrypt/etc/live/mail.cherciu.com/privkey.pem
    -o smtpd_tls_cert_file=/usr/local/psa/var/modules/letsencrypt/etc/live/mail.cherciu.com/fullchain.pem
    -o smtp_helo_name=cherciu.com
    -o myhostname=mail.cherciu.com
176.31.159.99:smtps   inet n - - - - smtpd
    -o smtpd_tls_wrappermode=yes
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    -o smtpd_sender_restrictions=check_sender_access hash:/var/spool/postfix/plesk/blacklists, permit_sasl_authenticated, check_client_access pcre:/var/spool/postfix/plesk/non_auth.re
    -o smtpd_tls_key_file=/usr/local/psa/var/modules/letsencrypt/etc/live/mail.cherciu.com/privkey.pem
    -o smtpd_tls_cert_file=/usr/local/psa/var/modules/letsencrypt/etc/live/mail.cherciu.com/fullchain.pem
    -o smtp_helo_name=cherciu.com
    -o myhostname=mail.cherciu.com

#submission inet n       -       n       -       -       smtpd
localhost:submission inet n - - - - smtpd
    -o smtpd_tls_key_file=/usr/local/psa/var/modules/letsencrypt/etc/live/mail.cherciu.com/privkey.pem
    -o smtpd_tls_cert_file=/usr/local/psa/var/modules/letsencrypt/etc/live/mail.cherciu.com/fullchain.pem
    -o smtpd_enforce_tls=yes
    -o smtpd_tls_security_level=encrypt
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    -o smtpd_sender_restrictions=check_sender_access hash:/var/spool/postfix/plesk/blacklists, permit_sasl_authenticated, check_client_access pcre:/var/spool/postfix/plesk/non_auth.re
    -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination
    -o smtp_helo_name=cherciu.com
    -o myhostname=mail.cherciu.com
176.31.159.99:submission inet n - - - - smtpd
    -o smtpd_tls_key_file=/usr/local/psa/var/modules/letsencrypt/etc/live/mail.cherciu.com/privkey.pem
    -o smtpd_tls_cert_file=/usr/local/psa/var/modules/letsencrypt/etc/live/mail.cherciu.com/fullchain.pem
    -o smtpd_enforce_tls=yes
    -o smtpd_tls_security_level=encrypt
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    -o smtpd_sender_restrictions=check_sender_access hash:/var/spool/postfix/plesk/blacklists, permit_sasl_authenticated, check_client_access pcre:/var/spool/postfix/plesk/non_auth.re
    -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination
    -o smtp_helo_name=cherciu.com
    -o myhostname=mail.cherciu.com

#plesk-cherciu.com-176.31.159.99- unix - n n - - smtp -o smtp_bind_address=176.31.159.99 -o smtp_bind_address6= -o smtp_address_preference=ipv4 -o smtp_helo_name=cherciu.com
plesk-cherciu.com-176.31.159.99- unix - n n - - smtp
    -o smtpd_tls_dh1024_param_file=/etc/postfix/dhparam.pem
    -o smtpd_enforce_tls=yes
    -o smtpd_tls_security_level=encrypt
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_tls_key_file=/usr/local/psa/var/modules/letsencrypt/etc/live/mail.cherciu.com/privkey.pem
    -o smtpd_tls_cert_file=/usr/local/psa/var/modules/letsencrypt/etc/live/mail.cherciu.com/fullchain.pem
    -o smtp_bind_address=176.31.159.99
    -o smtp_address_preference=ipv4
    -o smtp_helo_name=cherciu.com
    -o myhostname=mail.cherciu.com
    -o cleanup_service_name=pre-cleanup
 
main.cf

Code:
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
mail_owner = postfix
inet_interfaces = all
inet_protocols = all
mydestination = localhost.$mydomain, localhost, localhost.localdomain
unknown_local_recipient_reject_code = 550
mynetworks =
content_filter = smtp:[127.0.0.1]:27
alias_maps = hash:/etc/aliases, hash:/var/spool/postfix/plesk/aliases
alias_database = hash:/etc/aliases
smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)
debug_peer_level = 2
debugger_command =
     PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
     ddd $daemon_directory/$process_name $process_id & sleep 5

sendmail_path = /usr/sbin/sendmail.postfix
newaliases_path = /usr/bin/newaliases.postfix
mailq_path = /usr/bin/mailq.postfix
setgid_group = postdrop
html_directory = no
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/postfix-2.10.1/samples
readme_directory = /usr/share/doc/postfix-2.10.1/README_FILES
virtual_mailbox_domains = $virtual_mailbox_maps, hash:/var/spool/postfix/plesk/virtual_domains
virtual_alias_maps = $virtual_maps, hash:/var/spool/postfix/plesk/virtual
virtual_mailbox_maps = , hash:/var/spool/postfix/plesk/vmailbox
transport_maps = , hash:/var/spool/postfix/plesk/transport

smtpd_tls_cert_file = /etc/postfix/postfix.pem
smtpd_tls_key_file = $smtpd_tls_cert_file
smtpd_tls_security_level = may
smtpd_use_tls = yes
smtp_tls_security_level = may
smtp_use_tls = no
smtpd_timeout = 3600s
smtpd_proxy_timeout = 3600s
disable_vrfy_command = yes

smtpd_sender_restrictions =
    check_sender_access hash:/var/spool/postfix/plesk/blacklists,
    permit_sasl_authenticated,
    reject_authenticated_sender_login_mismatch

smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_rbl_client zen.spamhaus.org, reject_rbl_client b.barracudacentral.org, reject_rbl_client bl.spamcop.net

smtp_send_xforward_command = yes
smtpd_authorized_xforward_hosts = 127.0.0.0/8 [::1]/128
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
virtual_mailbox_base = /var/qmail/mailnames
virtual_uid_maps = static:30
virtual_gid_maps = static:31
smtpd_milters = , inet:127.0.0.1:12768 inet:127.0.0.1:12345
sender_dependent_default_transport_maps = hash:/var/spool/postfix/plesk/sdd_transport_maps
virtual_transport = plesk_virtual
plesk_virtual_destination_recipient_limit = 1
mailman_destination_recipient_limit = 1
mailbox_size_limit = 0
virtual_mailbox_limit = 0
smtpd_tls_mandatory_protocols = TLSv1 TLSv1.1 TLSv1.2
smtpd_tls_protocols = TLSv1 TLSv1.1 TLSv1.2
smtpd_tls_ciphers = medium
smtpd_tls_mandatory_ciphers = medium
tls_medium_cipherlist = HIGH:!aNULL:!MD5
myhostname = mail.un-limit.com
message_size_limit = 10240000
milter_connect_macros = j {daemon_name} {client_connections} {client_addr} {client_ptr} v
milter_default_action = accept

smtp_sasl_security_options = noanonymous
smtp_sasl_tls_security_options = noanonymous
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = noanonymous

smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_unlisted_recipient,
    reject_unlisted_sender

I have also created a subdomain mail.cherciu.com with a Let's Encrypt SSL certificate, located as in the master.cf above.

You may also notice that I use Sagator to get Postfix to work with ClamAV and SpamAssassin.

Current environment:
- CentOS Linux release 7.2.1511 (Core)
- Plesk Onyx
- Dovecot 2.2.26
- Postfix 2.10.1-6.0.1

In Plesk, SSL/TLS for Mail is on the default; should I change it to something else?
[attached screenshot: 2016-12-05_21-51-13.jpeg]

Once all these changes are done, I should be able to restart Postfix and everything should work fine? Any other suggestions, am I missing anything else? For Dovecot, will I be able to do the same for each domain, so that it enables SSL for each domain?

Thanks a lot!
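Before restarting Postfix with a master.cf like the one above, a static check of the -o overrides catches the mistakes that otherwise show up only as a silent fallback to the main.cf certificate or as a daemon that refuses to start. The script below is an added example, not code from this post or from Plesk: it parses master.cf text, pairs each -o with its name=value, and reports (a) values that contain whitespace, which master(5) splits at the first space (the man page recommends commas instead of spaces); (b) smtpd_* TLS overrides on a non-smtpd service, such as the per-domain smtp client transport, where they have no effect; (c) a certificate override without a matching key override; and (d) mandatory TLS on the public port 25. The sample master.cf, the finding codes, and the paths and IPs in it are all constructed for the example.

```python
"""Static checks on Postfix master.cf TLS overrides.

Added example (not from the forum post or from Plesk). It parses master.cf
text and reports the pitfalls that commonly bite when per-IP certificates
are set with "-o" overrides on individual listeners. The sample input is a
constructed excerpt modelled on the post above; paths and IPs are placeholders.
"""

SMTPD_TLS_KEYS = {"smtpd_tls_cert_file", "smtpd_tls_key_file",
                  "smtpd_tls_security_level", "smtpd_enforce_tls",
                  "smtpd_tls_wrappermode", "smtpd_tls_dh1024_param_file"}
LOOPBACK = {"localhost", "127.0.0.1", "[::1]"}


def parse_master_cf(text):
    """Return one dict per service: name, type, command, overrides, and the
    names of overrides whose value was cut short by whitespace."""
    services, current = [], None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace():                 # continuation of the previous entry
            if current is not None:
                current["tokens"].extend(raw.split())
            continue
        fields = raw.split()
        if len(fields) < 8:                  # not a valid service line
            continue
        current = {"name": fields[0], "type": fields[1],
                   "command": fields[7], "tokens": fields[8:]}
        services.append(current)
    for svc in services:
        svc["overrides"], svc["truncated"] = _overrides(svc.pop("tokens"))
    return services


def _overrides(tokens):
    """Pair each "-o" with its name=value.  master(5) splits the line on
    whitespace, so a value containing spaces ends at the first space and
    the remainder is handed to the daemon as stray arguments."""
    overrides, truncated, i = {}, [], 0
    while i < len(tokens):
        if tokens[i] == "-o" and i + 1 < len(tokens) and "=" in tokens[i + 1]:
            name, _, value = tokens[i + 1].partition("=")
            overrides[name] = value
            i += 2
            if i < len(tokens) and not tokens[i].startswith("-"):
                truncated.append(name)
                while i < len(tokens) and not tokens[i].startswith("-"):
                    i += 1                   # skip the orphaned remainder
        else:
            i += 1                           # daemon arguments such as status=5
    return overrides, truncated


def check_tls_overrides(text):
    """Return (service, code, message) findings for a master.cf text."""
    findings = []
    for svc in parse_master_cf(text):
        o = svc["overrides"]
        for name in svc["truncated"]:
            findings.append((svc["name"], "WHITESPACE_IN_VALUE",
                             f"-o {name}= is cut at its first space; use commas"))
        if svc["command"] != "smtpd" and o.keys() & SMTPD_TLS_KEYS:
            findings.append((svc["name"], "SMTPD_OPTION_ON_CLIENT",
                             "smtpd_* TLS overrides do nothing on a non-smtpd service"))
            continue
        if "smtpd_tls_cert_file" in o and "smtpd_tls_key_file" not in o:
            findings.append((svc["name"], "KEY_NOT_OVERRIDDEN",
                             "cert overridden but the key falls back to main.cf"))
        if svc["type"] == "inet" and ":" in svc["name"]:
            host, _, port = svc["name"].rpartition(":")
            mandatory = (o.get("smtpd_tls_security_level") == "encrypt"
                         or o.get("smtpd_enforce_tls") == "yes")
            if host not in LOOPBACK and port in ("smtp", "25") and mandatory:
                findings.append((svc["name"], "MANDATORY_TLS_ON_25",
                                 "mandatory TLS on the public MX port rejects senders without STARTTLS"))
    return findings


# Constructed excerpt modelled on the master.cf in the post (placeholder paths/IPs).
SAMPLE_MASTER_CF = """\
smtp      unix  -       -       n       -       -       smtp
plesk_saslauthd unix y y n - 1 plesk_saslauthd status=5 listen=6 dbpath=/var/spool/postfix/plesk/passwd.db
localhost:smtp inet n - - - - smtpd
    -o smtpd_tls_key_file=/etc/ssl/mail.example.com/privkey.pem
    -o smtpd_tls_cert_file=/etc/ssl/mail.example.com/fullchain.pem
    -o myhostname=mail.example.com
203.0.113.10:submission inet n - - - - smtpd
    -o smtpd_tls_key_file=/etc/ssl/mail.example.com/privkey.pem
    -o smtpd_tls_cert_file=/etc/ssl/mail.example.com/fullchain.pem
    -o smtpd_tls_security_level=encrypt
    -o smtpd_sender_restrictions=check_sender_access hash:/var/spool/postfix/plesk/blacklists, permit_sasl_authenticated
203.0.113.10:smtp inet n - - - - smtpd
    -o smtpd_tls_cert_file=/etc/ssl/mail.example.com/fullchain.pem
    -o smtpd_tls_security_level=encrypt
plesk-example.com-203.0.113.10- unix - n n - - smtp
    -o smtpd_tls_cert_file=/etc/ssl/mail.example.com/fullchain.pem
    -o smtp_bind_address=203.0.113.10
"""

if __name__ == "__main__":
    for service, code, msg in check_tls_overrides(SAMPLE_MASTER_CF):
        print(f"{service:36s} {code:24s} {msg}")
```

Run it against the real file with `python3 check_master.py < /etc/postfix/master.cf` after swapping `SAMPLE_MASTER_CF` for `sys.stdin.read()`. Note that with main.cf's `smtpd_tls_key_file = $smtpd_tls_cert_file`, as in the post, a listener that overrides only the certificate file makes Postfix look for the private key inside fullchain.pem, so every listener that overrides one of the two must override both.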
 
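Once the listeners are in place, the check that actually answers the question is what each port presents to a client. The script below is an added example (not from this post, Plesk, Postfix or Dovecot): for each port it negotiates TLS the way a mail client would (implicit TLS on 465/993/995, STARTTLS on 25/587/143/110), validates the chain against the system trust store, and then matches the certificate's subjectAltName against the expected name itself, so a wrong certificate is reported as a name mismatch instead of a generic handshake failure. Postfix 2.10 selects the certificate per listening IP:port (the -o overrides in master.cf), whereas Dovecot 2.2 can select it per SNI name with local_name blocks, so each domain's mail hostname is worth probing on every port it is meant to serve. The hostname mail.example.com, the port list and the sample certificate dictionaries are placeholders.

```python
"""Probe which certificate each mail listener presents and whether it
covers the expected hostname.  Added example, not from the post or Plesk."""
import imaplib
import poplib
import smtplib
import socket
import ssl
import time

# Port -> how TLS is negotiated: "tls" means implicit TLS from the first byte,
# anything else names the protocol whose STARTTLS command is issued first.
PORT_MODE = {25: "smtp", 587: "smtp", 465: "tls",
             143: "imap", 993: "tls", 110: "pop3", 995: "tls"}


def san_covers(peercert, hostname):
    """True if the certificate's subjectAltName covers hostname.  A wildcard
    matches exactly one label and only in the leftmost position, as mail
    clients apply it."""
    names = [v.lower() for k, v in peercert.get("subjectAltName", ()) if k == "DNS"]
    host = hostname.lower().rstrip(".")
    for name in names:
        if name.startswith("*."):
            suffix = name[1:]                       # ".example.com"
            label = host[:-len(suffix)] if host.endswith(suffix) else ""
            if label and "." not in label:
                return True
        elif name == host:
            return True
    return False


def days_left(peercert, now=None):
    """Days until notAfter (negative once the certificate has expired)."""
    expires = ssl.cert_time_to_seconds(peercert["notAfter"])
    return (expires - (time.time() if now is None else now)) / 86400


def fetch_peercert(hostname, port):
    """Negotiate TLS as a client would on this port and return the parsed
    peer certificate.  The chain is validated against the system store;
    the name is deliberately matched by the caller, not by the library."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False               # san_covers() does the name check
    mode = PORT_MODE[port]
    if mode == "tls":
        with socket.create_connection((hostname, port), timeout=10) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                return tls.getpeercert()
    if mode == "smtp":
        with smtplib.SMTP(hostname, port, timeout=10) as smtp:
            smtp.starttls(context=ctx)       # SNI is set to hostname by smtplib
            return smtp.sock.getpeercert()
    if mode == "imap":
        imap = imaplib.IMAP4(hostname, port, timeout=10)
        imap.starttls(ctx)
        cert = imap.sock.getpeercert()
        imap.logout()
        return cert
    pop = poplib.POP3(hostname, port, timeout=10)
    pop.stls(context=ctx)
    cert = pop.sock.getpeercert()
    pop.quit()
    return cert


def check_listener(hostname, port):
    """One-line verdict for hostname:port (needs network access)."""
    try:
        cert = fetch_peercert(hostname, port)
    except ssl.SSLCertVerificationError as exc:
        return f"{hostname}:{port} chain not trusted: {exc.reason}"
    except (OSError, imaplib.IMAP4.error, poplib.error_proto) as exc:
        return f"{hostname}:{port} no TLS: {exc}"
    verdict = "ok" if san_covers(cert, hostname) else "NAME MISMATCH"
    return f"{hostname}:{port} {verdict}, expires in {days_left(cert):.0f} days"


if __name__ == "__main__":
    # Placeholder hostname; run once per domain's mail hostname.
    for port in (25, 465, 587, 143, 993, 110, 995):
        print(check_listener("mail.example.com", port))
```

A "NAME MISMATCH" on port 25 or 587 but "ok" on 465 is the typical symptom of a listener whose -o override did not take effect, and a mismatch only on 143/993 or 110/995 points at the Dovecot side rather than Postfix.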
What Plesk version is this? In my 12.5 I have no such switch "certificate for securing mail" -
this would be exactly what I need.
edgar
 