
Ubuntu Server 18.04: Applying SSL/TLS to the web, mail and FTP servers

1. Apache2: SSL/TLS Configuration

This section describes how to apply an SSL certificate obtained from Let’s Encrypt to Apache.
Domain name: hoge.com

1.1 Configuration of Apache2

①Editing the Apache2 configuration file
Copy the default SSL conf file under a new name (e.g. “hoge.com-ssl.conf”) and edit it.

# cd /etc/apache2/sites-available/
# cp default-ssl.conf hoge.com-ssl.conf
# vi hoge.com-ssl.conf
# Line 3: change the administrator address
ServerAdmin <Email address>
# Lines 32, 33: change to the Let’s Encrypt certificate and private key you obtained.
SSLCertificateFile      /etc/letsencrypt/live/hoge.com/cert.pem
SSLCertificateKeyFile   /etc/letsencrypt/live/hoge.com/privkey.pem
# Line 42: Uncomment and change to the Let’s Encrypt certificate chain file you obtained.
SSLCertificateChainFile /etc/letsencrypt/live/hoge.com/chain.pem

# a2ensite hoge.com-ssl.conf ← Enable the site
Enabling site hoge.com-ssl.conf.
To activate the new configuration, you need to run:
  systemctl reload apache2
# a2dissite default-ssl.conf ← Disable the default SSL site

②Enable the SSL module

# a2enmod ssl
Considering dependency setenvif for ssl:
Module setenvif already enabled
Considering dependency mime for ssl:
Module mime already enabled
Considering dependency socache_shmcb for ssl:
Enabling module socache_shmcb.
Enabling module ssl.
See /usr/share/doc/apache2/README.Debian.gz on how to configure SSL and create self-signed certificates.
To activate the new configuration, you need to run:
systemctl restart apache2

Restart Apache2

# systemctl restart apache2

1.2 Redirecting HTTP to HTTPS

①Using an “.htaccess” file

Create a .htaccess file in /var/www/html/korodes.com/ and add the following:

RewriteEngine on
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

②Adding the redirect to vhost-hoge.com.conf

# vi /etc/apache2/sites-available/vhost-korodes.com.conf
Add the following at the top of the file:

RewriteEngine on
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

③Applying the settings

# a2ensite vhost-korodes.com.conf
# a2dissite 000-default.conf  ← Default disable
# systemctl restart apache2 ← Restart Apache2

2. Mail Server: SSL/TLS Settings

Configure SSL/TLS so that mail clients communicate with the server over encrypted connections.
SMTPS uses 465/TCP, POP3S uses 995/TCP and IMAPS uses 993/TCP.

2.1 Setting up a virtual host and obtaining a certificate for mail

①Virtual Host Settings for Mail Hosts

# cd /etc/apache2/sites-available/
# vi vhost-hoge.com.conf
<VirtualHost *:80>
    ~(omitted)~
    ServerName mail.hoge.com
    ServerAdmin <mail address>
    DocumentRoot /var/www/html/mail.hoge.com
    ~(omitted)~
    ErrorLog ${APACHE_LOG_DIR}/mail.hoge.com.error.log
    CustomLog ${APACHE_LOG_DIR}/mail.hoge.com.access.log combined
    ~(omitted)~
</VirtualHost>

②Create the document root directory

# mkdir /var/www/html/mail.hoge.com

③Obtaining a Let’s Encrypt SSL certificate

# certbot certonly --webroot -w /var/www/html/mail.hoge.com -d mail.hoge.com

2.2 Postfix Configuration

①Edit “main.cf”.

# vi /etc/postfix/main.cf

# Add to the end of the file
smtpd_use_tls = yes
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_cert_file = /etc/letsencrypt/live/korodes.com/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/korodes.com/privkey.pem
smtpd_tls_session_cache_database = btree:/etc/postfix/smtpd_scache
# Include information about cryptography in the “Received:” message header
smtpd_tls_received_header = yes

②Edit “master.cf”.

# vi /etc/postfix/master.cf

# Uncomment the following lines (both SMTPS and STARTTLS on the submission port are supported).
submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_tls_auth_only=yes
#  -o smtpd_reject_unlisted_recipient=no
  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING

smtps     inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#628       inet  n       -       y       -       -       qmqpd

③Check the configuration for errors.

# postfix check

If nothing is printed, the configuration is OK.

④Postfix startup and auto-start

# systemctl start postfix
# systemctl enable postfix
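`postfix check` only catches syntax errors; it does not tell you whether the TLS and relay settings above came out as intended. The following is an added example (not from the original page) that parses main.cf and master.cf offline and reports deviations from the state this section sets: TLS enabled, SSLv2/SSLv3 excluded, STARTTLS required on submission, wrapper mode on smtps, and relaying only for SASL-authenticated clients. The two sample configs are constructed inline; on a real host, pass the contents of /etc/postfix/main.cf and /etc/postfix/master.cf instead.

```python
import re

# Constructed samples (not taken from a live host): the state this section
# leaves Postfix in, with master.cf's still-commented "# -o" lines omitted.
MAIN_CF = """smtpd_use_tls = yes
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
"""
MASTER_CF = """submission inet n       -       y       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
smtps      inet n       -       y       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
"""

def parse_main_cf(text):
    """main.cf: one 'parameter = value' per line; '#' starts a comment."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        if "=" in line:
            key, value = line.split("=", 1)
            params[key.strip()] = value.strip()
    return params

def parse_master_cf(text):
    """master.cf: a service line starts in column 0; '-o key=value' overrides follow indented."""
    services, current = {}, None
    for line in text.splitlines():
        m = re.match(r"\s+-o\s+([^=\s]+)=(\S*)", line)
        if m and current:                       # indented override for the current service
            services[current][m.group(1)] = m.group(2)
        elif line and not line[0].isspace() and not line.startswith("#"):
            current = line.split()[0]           # new service definition
            services[current] = {}
    return services

def audit_postfix(main_cf, master_cf):
    """Return findings; an empty list means the intended TLS/relay state holds."""
    p, s = parse_main_cf(main_cf), parse_master_cf(master_cf)
    findings = []
    if p.get("smtpd_use_tls") != "yes":
        findings.append("smtpd_use_tls is not 'yes'")
    protos = p.get("smtpd_tls_mandatory_protocols", "")
    findings += [f"{v} not excluded by smtpd_tls_mandatory_protocols"
                 for v in ("SSLv2", "SSLv3") if f"!{v}" not in protos]
    sub, smtps = s.get("submission", {}), s.get("smtps", {})
    if sub.get("smtpd_tls_security_level") != "encrypt":
        findings.append("submission does not require STARTTLS")
    if smtps.get("smtpd_tls_wrappermode") != "yes":
        findings.append("smtps is not in TLS wrapper mode")
    for name, svc in (("submission", sub), ("smtps", smtps)):
        if svc.get("smtpd_relay_restrictions") != "permit_sasl_authenticated,reject":
            findings.append(f"{name} may relay for unauthenticated clients")
    return findings
```

Run it after every edit to master.cf: a listener whose `smtpd_relay_restrictions` override is accidentally left commented out falls back to the global setting, and the audit flags that immediately.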

2.3 Configuring Dovecot

① Edit “10-ssl.conf”.

# vi /etc/dovecot/conf.d/10-ssl.conf

# Line 6: Change
ssl = yes
# Lines 12 , 13: Uncomment and specify certificate/key file
ssl_cert = </etc/letsencrypt/live/mail.hoge.com/fullchain.pem
ssl_key = </etc/letsencrypt/live/mail.hoge.com/privkey.pem

② Edit “10-master.conf”.

# vi /etc/dovecot/conf.d/10-master.conf

service imap-login {
  inet_listener imap {
    #port = 143
    port = 0
  }
  inet_listener imaps {
    #port = 993
    #ssl = yes
    port = 993
    ssl = yes
  }
}

service pop3-login {
  inet_listener pop3 {
    #port = 110
    port = 0
  }
  inet_listener pop3s {
    #port = 995
    #ssl = yes
    port = 995
    ssl = yes
  }
}

・Specify the authentication socket file for the Dovecot SASL library (around line 113).

service auth {

  (omitted)

  # Postfix smtp-auth
  #unix_listener /var/spool/postfix/private/auth {
  #  mode = 0666
  #}

 ↓

  # Postfix smtp-auth
  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
    user = postfix
    group = postfix
  }

}

③Setting the authentication method

# vi /etc/dovecot/conf.d/10-auth.conf

#disable_plaintext_auth = yes

 ↓

disable_plaintext_auth = no

auth_mechanisms = plain

 ↓

auth_mechanisms = plain login

④Specify the location of the mailbox.

# vi /etc/dovecot/conf.d/10-mail.conf

#mail_location =

 ↓

mail_location = maildir:~/Maildir

⑤Change the output destination of the log

# vi /etc/dovecot/conf.d/10-logging.conf

#log_path = syslog

 ↓

log_path = /var/log/dovecot/dovecot.log

⑥Create log output destination

# mkdir /var/log/dovecot

⑦Start Dovecot and configure it to start automatically.

# systemctl start dovecot
# systemctl enable dovecot

⑧Verify that the authentication socket file has been created.

# ls -F /var/spool/postfix/private/auth

—(If the following is displayed, it is OK.)—

/var/spool/postfix/private/auth=

3. Setting up SSL/TLS on the FTP server

Encrypt FTP transfers using the Let’s Encrypt certificate obtained for the web server.

3.1 Vsftpd Configuration

①Editing the configuration file

# vi /etc/vsftpd.conf

—(Add the following to the last line)—

# add letsencrypt
rsa_cert_file=/etc/letsencrypt/live/hoge.com/fullchain.pem
rsa_private_key_file=/etc/letsencrypt/live/hoge.com/privkey.pem
ssl_enable=YES
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO

#pasv port
pasv_enable=YES
pasv_min_port=21000
pasv_max_port=21010

②Restart Vsftpd

# systemctl restart vsftpd

3.2 Firewall Settings

Allow the fixed PASV port range in addition to the FTP port.

# ufw allow 21000:21010/tcp
