Dovecot SSL

Posted by alex almazan Sat, 03 May 2008 05:42:00 GMT

In order to configure SSL for Dovecot, the following procedure is recommended:
[root@station ]# cd /etc/pki/
[root@station pki]# ls
CA  dovecot  nssdb  rpm-gpg  tls
[root@station pki]# find . -name Makefile
./tls/certs/Makefile
[root@station pki]# cd tls/certs/
[root@station certs]# ls
ca-bundle.crt  localhost.crt  make-dummy-cert  Makefile
[root@station certs]# make
This makefile allows you to create:
  o public/private key pairs
  o SSL certificate signing requests (CSRs)
  o self-signed SSL test certificates

To create a key pair, run "make SOMETHING.key".
To create a CSR, run "make SOMETHING.csr".
To create a test certificate, run "make SOMETHING.crt".
To create a key and a test certificate in one file, run "make SOMETHING.pem".

To create a key for use with Apache, run "make genkey".
To create a CSR for use with Apache, run "make certreq".
To create a test certificate for use with Apache, run "make testcert".

To create a test certificate with serial number other than zero, add
SERIAL=num

Examples:
  make server.key
  make server.csr
  make server.crt
  make stunnel.pem
  make genkey
  make certreq
  make testcert
  make server.crt SERIAL=1
  make stunnel.pem SERIAL=2
  make testcert SERIAL=3

Dovecot requires a PEM file, which consists of a private key and a certificate. Once generated, place it in the location outlined in the server configuration (the ssl_cert_file and ssl_key_file settings shown below).

[root@station certs]# make dovecot.pem
umask 77 ; \
        PEM1=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
        PEM2=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
        /usr/bin/openssl req -utf8 -newkey rsa:1024 -keyout $PEM1 -nodes -x509 -days 365 -out $PEM2 -set_serial 0 ; \
        cat $PEM1 >  dovecot.pem ; \
        echo ""    >> dovecot.pem ; \
        cat $PEM2 >> dovecot.pem ; \
        rm -f $PEM1 $PEM2
Generating a 1024 bit RSA private key
.............++++++
..++++++
writing new private key to '/tmp/openssl.B21904'
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [GB]:US
State or Province Name (full name) [Berkshire]:Texas
Locality Name (eg, city) [Newbury]:San Antonio
Organization Name (eg, company) [My Company Ltd]: SSL example 
Organizational Unit Name (eg, section) []:3rd shift
Common Name (eg, your name or your server's hostname) []:station.rhce.example.com
Email Address []:user@rhce.example.com
[root@station certs]# ls
ca-bundle.crt  dovecot.pem  localhost.crt  make-dummy-cert  Makefile
Mail tip: to check email during the test, use mutt.
mutt -f imaps://user@serverhost
mutt -f imaps://localhost (shows the server certificate for checking/displaying):

q:Exit  ?:Help
This certificate belongs to:
   station.rhce.example.com
   Unknown
   SSL example
   3rd shift
   San Antonio

This certificate was issued by:
   station.rhce.example.com
   Unknown
   SSL example
   3rd shift
   San Antonio

This certificate is valid
   from Aug  9 16:52:18 2008 GMT
     to Aug  8 16:52:18 2009 GMT

Fingerprint: B247 62D4 197F 401B 61EA BC83 8733 8D9A
Telnet test to port 110 (plain POP3), alongside the mutt SSL check above:
[root@station etc]# telnet 0 110
Trying 0.0.0.0...
Connected to 0 (0.0.0.0).
Escape character is '^]'.
+OK Dovecot ready.
user mike
+OK
pass redhat
+OK Logged in.
list
+OK 1 messages:
1 472
.
retr 472
-ERR There's no message 472.
retr 1
+OK 472 octets
Return-Path: <root@station.example.com>
X-Original-To: ru@station.example.com
Delivered-To: user@station.example.com
Received: by station.example.com (Postfix, from userid 0)
        id CFB341988BE; Thu,  9 Aug 2007 13:09:10 -0500 (CDT)
To: ru@station.example.com
Subject: maildirdelivery
Message-Id: <20070809180910.CFB341988BE@station13.example.com>
Date: Thu,  9 Aug 2007 13:09:10 -0500 (CDT)
From: root@station.example.com (root)
maildir lab example

Additional notes after the lab.

Edits to /etc/dovecot.conf:

protocols = imap imaps pop3 pop3s

The PEM file was copied into both locations referenced in the SSL settings:
##
## SSL settings
##

# IP or host address where to listen in for SSL connections. Defaults
# to above if not specified.
#ssl_listen =

# Disable SSL/TLS support.
ssl_disable = no

# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
# dropping root privileges, so keep the key file unreadable by anyone but
# root. Included doc/mkcert.sh can be used to easily generate self-signed
# certificate, just make sure to update the domains in dovecot-openssl.cnf
ssl_cert_file = /etc/pki/dovecot/certs/dovecot.pem
ssl_key_file = /etc/pki/dovecot/private/dovecot.pem
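
As an added example (not from the original post), the procedure above as a script: generate a self-signed key+cert PEM the way "make dovecot.pem" does, then split it so the ssl_key_file path holds only the key, readable by root alone as the dovecot.conf comment asks, while the ssl_cert_file path holds only the certificate. The CN, key size and output paths are assumptions.

```shell
#!/bin/sh
# Added example: generate a self-signed key+cert like "make dovecot.pem",
# then split it into the two files dovecot.conf points at.
# Assumed values: the CN, rsa:2048, and the /etc/pki/dovecot layout.
set -e

# Generate a combined PEM (key first, then cert), as the Makefile does.
gen_pem() {  # $1 = output pem, $2 = common name
    umask 077
    openssl req -utf8 -newkey rsa:2048 -nodes -x509 -days 365 \
        -subj "/CN=$2" -keyout "$1.key" -out "$1.crt" 2>/dev/null
    cat "$1.key" "$1.crt" > "$1"
    rm -f "$1.key" "$1.crt"
}

# Split a combined PEM into key (root-only) and cert (world-readable).
split_pem() {  # $1 = combined pem, $2 = key out, $3 = cert out
    umask 077
    sed -n '/-----BEGIN .*PRIVATE KEY-----/,/-----END .*PRIVATE KEY-----/p' "$1" > "$2"
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$1" > "$3"
    chmod 600 "$2"
    chmod 644 "$3"
}

# Check the split: exactly one key block, one cert block, key mode 600.
# Prints "ok" and returns 0, or prints the problem and returns 1.
check_split() {  # $1 = key file, $2 = cert file
    [ "$(grep -c -e '-----BEGIN .*PRIVATE KEY-----' "$1")" = 1 ] || { echo "key: no single key"; return 1; }
    grep -q -e '-----BEGIN CERTIFICATE-----' "$1" && { echo "key: contains a cert"; return 1; }
    [ "$(grep -c -e '-----BEGIN CERTIFICATE-----' "$2")" = 1 ] || { echo "cert: no single cert"; return 1; }
    grep -q -e 'PRIVATE KEY' "$2" && { echo "cert: leaks private key"; return 1; }
    [ -n "$(find "$1" -perm 600)" ] || { echo "key: mode not 600"; return 1; }
    echo ok
}

# Usage (as root, paths taken from the dovecot.conf excerpt above):
#   gen_pem /tmp/dovecot.pem station.rhce.example.com
#   split_pem /tmp/dovecot.pem /etc/pki/dovecot/private/dovecot.pem /etc/pki/dovecot/certs/dovecot.pem
#   check_split /etc/pki/dovecot/private/dovecot.pem /etc/pki/dovecot/certs/dovecot.pem
```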

IMAP SMTP auth & SPAM

Posted by alex almazan Mon, 31 Dec 2007 20:44:00 GMT

These handy bits of one line foo are straight from one of the smartest and strangest admins I have had the pleasure of meeting. He is always crafting these sorts of tools for use.

Tally of who failed SMTP Auth login:
grep "smtp_auth: .* connect from" /var/log/messages | awk '{print $2"/"$1"/2007:"$3"\t"$9"\t"$10}' | sed -e "s/\[//g" -e "s/\]//g" 
And their IPs
grep "smtp_auth: SMTP connect from" /var/log/messages | awk '{print $10}' | sed -e "s/\[//g" -e "s/\]//g" | sort -n | uniq -c | sort -nr | head -20
Tally of who succeeded SMTP Auth login:
grep "smtp_auth: smtp_auth: SMTP user " /var/log/messages | grep "logged in from " | awk '{print $2"/"$1"/2007:"$3"\t"$9"\t"$16}' | sed -e "s/\[//g" -e "s/\]//g" 
And their IPs
grep "smtp_auth: smtp_auth: SMTP user " /var/log/messages | grep "logged in from " | awk '{print $16}' | sed -e "s/\[//g" -e "s/\]//g" | sort -n | uniq -c | sort -nr | head -20
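
As an added example, not the admin's own one-liners: the failed-login tally from above as functions over constructed log lines, with the IPs counted directly (no hardcoded year) and a threshold that flags addresses reaching a given number of attempts. The line shape "Mon DD HH:MM:SS host smtp_auth: SMTP connect from name [ip]" is an assumption inferred from the $9/$10 fields in the one-liners.

```shell
#!/bin/sh
# Added example: tally SMTP-auth connect attempts per source IP from
# syslog-style lines and flag noisy addresses. The log line shape is
# assumed (inferred from the $9/$10 fields used above); adjust for yours.

# Constructed sample log lines (not from a real host).
SAMPLE_LOG='Dec 31 20:01:02 mail smtp_auth: SMTP connect from host-a.example [192.0.2.10]
Dec 31 20:01:05 mail smtp_auth: SMTP connect from host-a.example [192.0.2.10]
Dec 31 20:01:09 mail smtp_auth: SMTP connect from host-a.example [192.0.2.10]
Dec 31 20:02:00 mail smtp_auth: SMTP connect from host-b.example [198.51.100.7]
Dec 31 20:03:00 mail postfix/smtpd[123]: connect from unknown[203.0.113.9]'

# Count connect attempts per IP, most frequent first, as "count ip" lines.
# Reads log text on stdin; strips the [] around the address like the sed above.
count_by_ip() {
    grep 'smtp_auth: SMTP connect from' |
        awk '{ip=$10; gsub(/\[|\]/, "", ip); print ip}' |
        sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Print IPs whose attempt count reaches the threshold ($1), one per line.
flag_ips() {
    count_by_ip | awk -v t="$1" '$1 >= t {print $2}'
}

# Usage:
#   printf '%s\n' "$SAMPLE_LOG" | count_by_ip
#   printf '%s\n' "$SAMPLE_LOG" | flag_ips 3
```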