Dovecot SSL encryption

This topic in the "Technical Support" forum was created by Yellowphoenix18, 6 September 2016.

  1. Yellowphoenix18
    Hello and good evening,
    today I set about encrypting my mail server with SSL. I have set everything up for it, but my Dovecot server will not encrypt IMAP and POP3. If I set protocols to only imaps and pop3s, Thunderbird cannot connect at all; if I add pop3 and imap, Thunderbird connects, but without encryption. Maybe one of you knows where the problem lies^^

    Code (Text):
    # for authentication checks). disable_plaintext_auth is also ignored for
    # these networks. Typically you'd specify your IMAP proxy servers here.
    #login_trusted_networks =

    # Space separated list of login access check sockets (e.g. tcpwrap)
    #login_access_sockets =

    # With proxy_maybe=yes if proxy destination matches any of these IPs, don't do
    # proxying. This isn't necessary normally, but may be useful if the destination
    # IP is e.g. a load balancer's IP.
    #auth_proxy_self =

    # Show more verbose process titles (in ps). Currently shows user name and
    # IP address. Useful for seeing who are actually using the IMAP processes
    # (eg. shared mailboxes or if same uid is used for multiple accounts).
    #verbose_proctitle = no

    # Should all processes be killed when Dovecot master process shuts down.
    # Setting this to "no" means that Dovecot can be upgraded without
    # forcing existing client connections to close (although that could also be
    # a problem if the upgrade is e.g. because of a security fix).
    #shutdown_clients = yes

    # If non-zero, run mail commands via this many connections to doveadm server,
    # instead of running them directly in the same process.
    #doveadm_worker_count = 0
    # UNIX socket or host:port used for connecting to doveadm server
    #doveadm_socket_path = doveadm-server

    # Space separated list of environment variables that are preserved on Dovecot
    # startup and passed down to all of its child processes. You can also give
    # key=value pairs to always set specific settings.
    #import_environment = TZ

    ##
    ## Dictionary server settings
    ##

    # Dictionary can be used to store key=value lists. This is used by several
    # plugins. The dictionary can be accessed either directly or though a
    # dictionary server. The following dict block maps dictionary names to URIs
    # when the server is used. These can then be referenced using URIs in format
    # "proxy::<name>".

    dict {
      #quota = mysql:/etc/dovecot/dovecot-dict-sql.conf.ext
      #expire = sqlite:/etc/dovecot/dovecot-dict-sql.conf.ext
    }

    # Most of the actual configuration gets included below. The filenames are
    # first sorted by their ASCII value and parsed in that order. The 00-prefixes
    # in filenames are intended to make it easier to understand the ordering.
    !include conf.d/*.conf

    # A config file can also tried to be included without giving an error if
    # it's not found:
    !include_try local.conf

    auth_mechanisms = plain cram-md5 ntlm
    log_timestamp = "%Y-%m-%d %H:%M:%S "
    passdb {
      args = /etc/dovecot/dovecot-mysql.conf
      driver = sql
    }

    protocols = pop3 pop3s imap imaps

    service auth {
      unix_listener /var/spool/postfix/private/auth_dovecot {
        group = postfix
        mode = 0660
        user = postfix
      }
      unix_listener auth-master {
        mode = 0600
        user = vmail
      }
      user = root
    }
    userdb {
      args = /etc/dovecot/dovecot-mysql.conf
      driver = sql
    }
    protocol pop3 {
      pop3_uidl_format = %08Xu%08Xv
      pop3_client_workarounds = oe-ns-eoh
    #   pop3_uidl_format = %v.%u
    }
    protocol lda {
      auth_socket_path = /var/run/dovecot/auth-master
      postmaster_address = admin@*******.de
    }
    Code (Text):
    ##
    ## SSL settings
    ##

    # SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>
    ssl = required

    # PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
    # dropping root privileges, so keep the key file unreadable by anyone but
    # root. Included doc/mkcert.sh can be used to easily generate self-signed
    # certificate, just make sure to update the domains in dovecot-openssl.cnf
    ssl_cert = </etc/letsencrypt/live/<Mein Domain-Name>/fullchain.pem
    ssl_key = </etc/letsencrypt/live/<Mein Domain-Name>/privkey.pem

    # If key file is password protected, give the password here. Alternatively
    # give it when starting dovecot with -p parameter. Since this file is often
    # world-readable, you may want to place this setting instead to a different
    # root owned 0600 file by using ssl_key_password = <path.
    #ssl_key_password =

    # PEM encoded trusted certificate authority. Set this only if you intend to use
    # ssl_verify_client_cert=yes. The file should contain the CA certificate(s)
    # followed by the matching CRL(s). (e.g. ssl_ca = </etc/ssl/certs/ca.pem)
    #ssl_ca =

    # Require that CRL check succeeds for client certificates.
    #ssl_require_crl = yes

    # Directory and/or file for trusted SSL CA certificates. These are used only
    # when Dovecot needs to act as an SSL client (e.g. imapc backend). The
    # directory is usually /etc/ssl/certs in Debian-based systems and the file is
    # /etc/pki/tls/cert.pem in RedHat-based systems.
    #ssl_client_ca_dir =
    #ssl_client_ca_file =

    # Request client to send a certificate. If you also want to require it, set
    # auth_ssl_require_client_cert=yes in auth section.
    #ssl_verify_client_cert = no

    # Which field from certificate to use for username. commonName and
    # x500UniqueIdentifier are the usual choices. You'll also need to set
    # auth_ssl_username_from_cert=yes.
    #ssl_cert_username_field = commonName

    # DH parameters length to use.
    #ssl_dh_parameters_length = 1024

    # SSL protocols to use
    ssl_protocols = !SSLv2 !SSLv3

    # SSL ciphers to use
    #ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL

    # Prefer the server's order of ciphers over client's.
    #ssl_prefer_server_ciphers = no

    # SSL crypto device to use, for valid values run "openssl engine"
    #ssl_crypto_device =

    Hope one of you knows where the problem is :)

    Kind regards, Sebastian
     
    #1
  2. ims-hosting (verified)
    Update: Apparently I just overlooked that you had attached something there.
    Please send the output of /etc/init.d/dovecot status and the logs (/var/log/mail.err).

    Hello,

    try this documentation: http://wiki.dovecot.org/SSL/DovecotConfiguration

    Basically you only need to edit the file conf.d/10-ssl.conf and point the lines
    ssl_cert = </etc/ssl/certs/dovecot.pem
    ssl_key = </etc/ssl/private/dovecot.pem

    to your certificate accordingly. Please note that the certificate must be owned by the user and group root. The file permissions must also be set to 0444.

    How to create a certificate yourself is explained here: https://wiki.debian.org/Self-Signed_Certificate Otherwise you can use one from https://ssl.comodo.com/.

    If you still have questions or problems, just tell us where exactly you are stuck. :)

    Kind regards
    Your IMS-Hosting team
     
    #2
  3. 可愛い
    I don't see anywhere in your config that you set up a host for encrypted IMAP or specify any ports. I can't configure Dovecot from memory, but I'm fairly sure that the encryption for IMAP also has to be added to the virtual host first.

    Edit: Okay, just saw the "imaps". Have you checked with netstat whether the right ports are bound, that no firewall is active, and whether at least a TCP connection is established?
     
    #3
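An added example, not from any post in this thread, that turns the advice above into an offline check: it flags the Dovecot 1.x protocol names imaps/pop3s that post #1's config still uses (the 2.x config style seen there, with !include conf.d/*.conf and service blocks, expects TLS ports as inet_listener blocks in conf.d/10-master.conf), checks that those listeners are declared, and checks the private-key permissions that the 10-ssl.conf comment and post #2 touch on. All paths and both sample configs are constructed for the demo.

```shell
# Added example, not from the thread: lints a Dovecot 2.x config for the two
# problems discussed above. imaps/pop3s are Dovecot 1.x protocol names that 2.x
# does not support; TLS ports come from inet_listener blocks in 10-master.conf.
# All paths and sample configs below are constructed for the demo.

# 0 if the "protocols =" line carries no imaps/pop3s token, else 1.
dovecot_protocols_ok() {
  ! grep -E '^[[:space:]]*protocols[[:space:]]*=' "$1" |
    grep -Eq '[[:space:]](imaps|pop3s)([[:space:]]|$)'
}

# 0 if TLS is enforced and both TLS listeners are declared, else 1.
dovecot_ssl_listeners_ok() {
  grep -Eq '^[[:space:]]*ssl[[:space:]]*=[[:space:]]*(required|yes)' "$1" &&
  grep -Eq '^[[:space:]]*inet_listener[[:space:]]+imaps' "$1" &&
  grep -Eq '^[[:space:]]*inet_listener[[:space:]]+pop3s' "$1"
}

# 0 if the private key is readable by its owner only (the cert may stay 0444).
dovecot_key_perms_ok() {
  [ -f "$1" ] && [ -z "$(find "$1" \( -perm -040 -o -perm -004 \) -print)" ]
}
WORK=$(mktemp -d)
# Constructed: the protocols line from the thread (Dovecot 1.x style).
BAD_CONF="$WORK/bad.conf"
printf 'ssl = required\nprotocols = pop3 pop3s imap imaps\n' > "$BAD_CONF"
# Constructed: the Dovecot 2.x equivalent, TLS ports declared as listeners.
GOOD_CONF="$WORK/good.conf"
cat > "$GOOD_CONF" <<'EOF'
protocols = imap pop3
ssl = required
service imap-login {
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
service pop3-login {
  inet_listener pop3s {
    port = 995
    ssl = yes
  }
}
EOF
KEY="$WORK/privkey.pem"; : > "$KEY"; chmod 600 "$KEY"   # owner-only key file
for f in "$BAD_CONF" "$GOOD_CONF"; do
  { dovecot_protocols_ok "$f" && dovecot_ssl_listeners_ok "$f"; } && echo "OK   $f" || echo "FAIL $f"
done
dovecot_key_perms_ok "$KEY" && echo "OK   key permissions" || echo "FAIL key permissions"
```

Whether ports 993/995 are actually bound on the host (post #3's netstat question) is a runtime check that still has to be done on the server itself.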