Question

Confusions regarding RSA certificates, TLS encryption, and virtual users when setting up a mail server

Posted January 15, 2021 106 views
SecurityEmail

I’m currently trying to understand the process of creating a mail server by following this guide, among others. There are some parts I’m confused about. I will go through one by one.

Before I start, I will say I currently have a website of the form example.tk by way of a Digital Ocean droplet on Ubuntu 20.04 and am attempting to have my mail server operate on mail.example.tk.

1.

“We are going to introduce the email address and passwords associated for each domain. Make sure you change all the info with your specific information.”

INSERT INTO `servermail`.`virtual_users`
(`id`, `domain_id`, `password` , `email`)
VALUES
('1', '1', ENCRYPT('firstpassword', CONCAT('$6$', SUBSTRING(SHA(RAND()), -16))), 'email1@example.com'),
('2', '1', ENCRYPT('secondpassword', CONCAT('$6$', SUBSTRING(SHA(RAND()), -16))), 'email2@example.com');

I haven’t the slightest clue of what to put for ’email1@example.com’ and ’email2@example.com’. I have a domain for my website, and the mail subdomain I want to use, but I have no clue which email addresses to put here. I am a complete beginner, and the only email address I have access to is my personal email address. Am I meant to make up email addresses or something? My example.tk website has no email addresses associated with it.

2.

“First we need to comment the TLS Parameters and append other parameters. In this tutorial, we are using the Free SSL certificates and the paths that are suggested in the tutorial (link), but you could modify depending your personal configurations.”

# TLS parameters
#smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
#smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
#smtpd_use_tls=yes
#smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
#smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache 
smtpd_tls_cert_file=/etc/ssl/certs/dovecot.pem
smtpd_tls_key_file=/etc/ssl/private/dovecot.pem
smtpd_use_tls=yes
smtpd_tls_auth_only = yes

To my knowledge, the first two uncommented lines deal with getting the RSA algorithm to use TLS encryption, which we’re apparently getting from Dovecot; so hopefully it is safe to assume Dovecot handles TLS encryption for Postfix? According to the configuration files for smptdusetls and smptdtlsauth_only, the former is defined as

“Opportunistic TLS: announce STARTTLS support to remote SMTP clients, but do not require that clients use TLS encryption.”

and the latter as

“When TLS encryption is optional in the Postfix SMTP server, do not announce or accept SASL authentication over unencrypted connections.”

This is a bit confusing to follow if the two are enabled. We look to be using RSA algorithms from the first two lines, but we are not requiring that the client use them (as declared by smptdusetls=yes), unless I misunderstand. Regardless of this, it is clear from the smptdusetls description, if enabled, TLS encryption is optional, and if TLS encryption is optional, “do not announce or accept SASL authentication over unencrypted connections.” So, it seems we are affectively denying SASL authentication over unencrypted connections. Is this therefore requiring client do in fact need to use a RSA key to get authenticated?

I think I may be confusing several things, notably what RSA certificates have to do precisely with TLS encryption, as I just believe RSA keys are a kind of TLS encryption, as well as what exactly an ‘unencrypted connection is’ and whether that is connected to RSA keys or not at all.

Submit an answer

You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!