1. Apache2: SSL/TLS Configuration
This section describes how to apply an SSL certificate obtained from Let's Encrypt to Apache.
Domain name: hoge.com (some listings show the author's own domain, korodes.com, in its place)
1.1 Configuration of Apache2
① Editing the Apache2 configuration file
Copy the default SSL site configuration under a new name (e.g. "hoge.com-ssl.conf").

```
# cd /etc/apache2/sites-available/
# cp default-ssl.conf hoge.com-ssl.conf
```

```
# vi hoge.com-ssl.conf
# Line 3: Change the administrator address
ServerAdmin <Email address>
# Lines 32, 33: Change to the Let's Encrypt certificate you obtained.
SSLCertificateFile /etc/letsencrypt/live/hoge.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/hoge.com/privkey.pem
# Line 42: Uncomment and change to the Let's Encrypt certificate chain file you obtained.
SSLCertificateChainFile /etc/letsencrypt/live/hoge.com/chain.pem
```
Enable the site

```
# a2ensite hoge.com-ssl.conf
Enabling site hoge.com-ssl.conf.
To activate the new configuration, you need to run:
  systemctl reload apache2
```

Disable the default SSL site

```
# a2dissite default-ssl.conf
```
② Enable the SSL module

```
# a2enmod ssl
Considering dependency setenvif for ssl:
Module setenvif already enabled
Considering dependency mime for ssl:
Module mime already enabled
Considering dependency socache_shmcb for ssl:
Enabling module socache_shmcb.
Enabling module ssl.
See /usr/share/doc/apache2/README.Debian.gz on how to configure SSL and create self-signed certificates.
To activate the new configuration, you need to run:
  systemctl restart apache2
```

Restart Apache2

```
# systemctl restart apache2
```
1.2 HTTP to HTTPS redirection
① Redirecting with an ".htaccess" file
Create a .htaccess file in /var/www/html/korodes.com/ with the following contents:

```
RewriteEngine on
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
```
② Redirecting in vhost-hoge.com.conf

```
# vi /etc/apache2/sites-available/vhost-korodes.com.conf
# Add the following at the top of the file
RewriteEngine on
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
```

③ Apply the settings

```
# a2ensite vhost-korodes.com.conf
# a2dissite 000-default.conf     ← disable the default site
# systemctl restart apache2      ← restart Apache2
```
2. Mail Server: SSL/TLS Settings
Configure SSL/TLS so that mail clients talk to the server over encrypted connections.
SMTPS uses 465/TCP, POP3S uses 995/TCP, and IMAPS uses 993/TCP.
2.1 Setting up a virtual host and obtaining a certificate for mail
① Virtual Host Settings for the Mail Host

```
# cd /etc/apache2/sites-available/
```

```
# vi vhost-hoge.com.conf
<VirtualHost *:80>
    ~(omitted)~
    ServerName mail.hoge.com
    ServerAdmin <mail address>
    DocumentRoot /var/www/html/mail.hoge.com
    ~(omitted)~
    ErrorLog ${APACHE_LOG_DIR}/mail.hoge.com.error.log
    CustomLog ${APACHE_LOG_DIR}/mail.hoge.com.access.log combined
    ~(omitted)~
</VirtualHost>
```
② Create the document root directory

```
# mkdir /var/www/html/mail.hoge.com
```

③ Obtaining a Let's Encrypt SSL certificate

```
# certbot certonly --webroot -w /var/www/html/mail.hoge.com -d mail.hoge.com
```
2.2 Postfix Configuration
① Edit "main.cf".

```
# vi /etc/postfix/main.cf
# Add to the last line
smtpd_use_tls = yes
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_cert_file = /etc/letsencrypt/live/korodes.com/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/korodes.com/privkey.pem
smtpd_tls_session_cache_database = btree:/etc/postfix/smtpd_scache
# Include information about the cryptography used in the "Received:" message header
smtpd_tls_received_header = yes
```
② Edit "master.cf".

```
# vi /etc/postfix/master.cf
submission inet  n       -       y       -       -       smtpd   ← Uncomment the following lines (both the smtps wrapper-mode port and STARTTLS on submission are supported).
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_tls_auth_only=yes
#  -o smtpd_reject_unlisted_recipient=no
  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
smtps      inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#628       inet  n       -       y       -       -       qmqpd
```
③ Check the settings for errors.

```
# postfix check
```

If nothing is printed, the configuration is OK.
④ Start Postfix and enable it at boot

```
# systemctl start postfix
# systemctl enable postfix
```
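As an added example, not part of the original page or of Postfix itself, the following Python script (standard library only) parses the master.cf listeners edited above and flags any smtpd service that accepts SASL logins without forcing TLS, or whose relay restrictions are not limited to authenticated users; the sample text is constructed from the page's edits, and the option names are Postfix's own.

```python
import re

# Constructed sample of the listeners the page edits in master.cf (not Postfix's own file).
SAMPLE_MASTER_CF = """
smtp       inet  n       -       y       -       -       smtpd
submission inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_tls_auth_only=yes
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
smtps      inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#628       inet  n       -       y       -       -       qmqpd
"""

def parse_master_cf(text):
    """Return {service: {option: value}} for each active inet listener; service
    lines start in column 0 and their '-o key=value' overrides are indented."""
    services, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank, or commented out (including disabled '-o' lines)
        if line[0].isspace():
            m = re.match(r"\s*-o\s+([^=\s]+)=(.*)", line)
            if m and current:
                services[current][m.group(1)] = m.group(2).strip()
            continue
        fields = line.split()  # service type private unpriv chroot wakeup maxproc command
        current = fields[0] if len(fields) >= 8 and fields[1] == "inet" else None
        if current:
            services[current] = {"command": fields[7]}
    return services

def audit_master_cf(services):
    """Flag smtpd listeners that accept SASL logins without forcing TLS (STARTTLS
    'encrypt' or implicit-TLS wrapper mode) or that relay for unauthenticated clients."""
    findings = []
    for name, o in services.items():
        if o.get("command") != "smtpd" or o.get("smtpd_sasl_auth_enable") != "yes":
            continue  # no password ever crosses this listener
        if o.get("smtpd_tls_security_level") != "encrypt" and o.get("smtpd_tls_wrappermode") != "yes":
            findings.append(f"{name}: SASL enabled but TLS not enforced")
        if o.get("smtpd_relay_restrictions") != "permit_sasl_authenticated,reject":
            findings.append(f"{name}: relay not restricted to authenticated users")
    return findings
```

Run it against the live file with `audit_master_cf(parse_master_cf(open('/etc/postfix/master.cf').read()))` after `postfix check`; an empty list means every authenticating listener forces TLS and relays only for authenticated users.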
2.3 Configuring Dovecot
① Edit "10-ssl.conf".

```
# vi /etc/dovecot/conf.d/10-ssl.conf
# Line 6: Change
ssl = yes
# Lines 12, 13: Uncomment and specify the certificate/key files
ssl_cert = </etc/letsencrypt/live/mail.hoge.com/fullchain.pem
ssl_key = </etc/letsencrypt/live/mail.hoge.com/privkey.pem
```
② Edit "10-master.conf".

```
# vi /etc/dovecot/conf.d/10-master.conf
service imap-login {
  inet_listener imap {
    #port = 143
    port = 0
  }
  inet_listener imaps {
    #port = 993
    #ssl = yes
    port = 993
    ssl = yes
  }
}

service pop3-login {
  inet_listener pop3 {
    #port = 110
    port = 0
  }
  inet_listener pop3s {
    #port = 995
    #ssl = yes
    port = 995
    ssl = yes
  }
}

# Specify the authentication socket file for the Dovecot SASL library (around line 113).
service auth {
  (omitted)
  # Postfix smtp-auth
  #unix_listener /var/spool/postfix/private/auth {
  #  mode = 0666
  #}
  ↓
  # Postfix smtp-auth
  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
    user = postfix
    group = postfix
  }
}
```
③ Setting the authentication method

```
# vi /etc/dovecot/conf.d/10-auth.conf
#disable_plaintext_auth = yes
↓
disable_plaintext_auth = no

auth_mechanisms = plain
↓
auth_mechanisms = plain login
```
④ Specify the location of the mailbox.

```
# vi /etc/dovecot/conf.d/10-mail.conf
#mail_location =
↓
mail_location = maildir:~/Maildir
```

⑤ Change the output destination of the log

```
# vi /etc/dovecot/conf.d/10-logging.conf
#log_path = syslog
↓
log_path = /var/log/dovecot/dovecot.log
```

⑥ Create the log output directory

```
# mkdir /var/log/dovecot
```

⑦ Start Dovecot and configure it to start automatically.

```
# systemctl start dovecot
# systemctl enable dovecot
```

⑧ Verify that the authentication socket file has been created.

```
# ls -F /var/spool/postfix/private/auth
---(The following output means it is OK; the trailing "=" marks a socket.)---
/var/spool/postfix/private/auth=
```
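As an added example, not the page's or Dovecot's own code, this Python script (standard library only) parses Dovecot's brace-nested syntax and audits the listener and authentication settings changed in steps ② and ③; the sample reproduces the imap-login block and the 10-auth.conf change from the page (the pop3-login block is audited the same way), so the audit passes as written and fails once a plaintext listener is re-enabled.

```python
# Constructed sample of the page's 10-master.conf imap-login block plus its 10-auth.conf change (not Dovecot's own file).
SAMPLE_CONF = """disable_plaintext_auth = no
service imap-login {
  inet_listener imap {
    port = 0
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
"""

def parse_dovecot(text):
    """Parse Dovecot's brace-nested 'key = value' syntax into nested dicts."""
    stack = [{}]  # stack[-1] is the block currently being filled
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.endswith("{"):  # block header such as 'inet_listener imaps {'
            stack[-1][line[:-1].strip()] = block = {}
            stack.append(block)
        elif line == "}":
            stack.pop()
        else:
            key, _, value = line.partition("=")
            stack[-1][key.strip()] = value.strip()
    return stack[0]

def audit_dovecot(conf):
    """Flag network listeners open without TLS, and plaintext auth allowed while
    an unencrypted listener is still reachable."""
    findings, plaintext_open = [], False
    for name, svc in conf.items():
        if not (name.startswith("service ") and isinstance(svc, dict)):
            continue
        for key, block in svc.items():
            if not (key.startswith("inet_listener ") and isinstance(block, dict)):
                continue
            port = block.get("port")  # no 'port' line means Dovecot's default port
            if port != "0" and block.get("ssl") != "yes":  # 'port = 0' disables it
                plaintext_open = True
                findings.append(f"{key}: listening on port {port or 'default'} without TLS")
    # disable_plaintext_auth = yes still permits PLAIN/LOGIN over TLS, so the page's change
    # to 'no' only takes effect, and only harmfully, once an unencrypted listener is open.
    if conf.get("disable_plaintext_auth") == "no" and plaintext_open:
        findings.append("disable_plaintext_auth = no exposes passwords on the unencrypted listener")
    return findings
```

Concatenate the live 10-master.conf and 10-auth.conf into one string before calling parse_dovecot(), since the two settings live in separate files.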
3. Set up SSL/TLS on the FTP server
Encrypt FTP transfers with the Let's Encrypt certificate already obtained for the web server.
3.1 Vsftpd Configuration
① Editing the configuration file

```
# vi /etc/vsftpd.conf
---(Add the following to the last line)---
# add letsencrypt
rsa_cert_file=/etc/letsencrypt/live/hoge.com/fullchain.pem
rsa_private_key_file=/etc/letsencrypt/live/hoge.com/privkey.pem
ssl_enable=YES
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO

#pasv port
pasv_enable=YES
pasv_min_port=21000
pasv_max_port=21010
```

```
# systemctl restart vsftpd
```

3.2 Firewall Settings
Allow the fixed PASV port range in addition to the FTP control port.

```
# ufw allow 21000:21010/tcp
```