§2024-05-01

¶Getting Let’s Encrypt certificates

$ sudo apt remove --purge certbot
$ sudo apt install certbot
alexlai@h2Jammy:~$ sudo less   /var/log/letsencrypt/letsencrypt.log
/var/log/letsencrypt/letsencrypt.log: No such file or directory


alexlai@h2Jammy:~$ sudo apt install certbot

alexlai@h2Jammy:~$ sudo less   /var/log/letsencrypt/letsencrypt.log
/var/log/letsencrypt/letsencrypt.log: No such file or directory

alexlai@h2Jammy:~$ sudo certbot certonly --standalone -d h2jammy.yushei.net
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices)
 (Enter 'c' to cancel): rai.sousuke@gmail.com  <---- !!!!

- - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.4-April-3-2024.pdf. You must agree in
order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Yes

- - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: No
Account registered.
Requesting a certificate for h2jammy.yushei.net

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/h2jammy.yushei.net/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/h2jammy.yushei.net/privkey.pem
This certificate expires on 2024-07-30.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

- - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - -

¶Set up the certificate in postfix/main.cf

alexlai@h2Jammy:~$ sudo ls /etc/letsencrypt/live/h2jammy.yushei.net
cert.pem  chain.pem  fullchain.pem  privkey.pem  README

sudo postconf -e 'smtpd_tls_cert_file = /etc/letsencrypt/live/h2jammy.yushei.net/fullchain.pem'
sudo postconf -e 'smtpd_tls_key_file = /etc/letsencrypt/live/h2jammy.yushei.net/privkey.pem'

alexlai@h2Jammy:~$ grep smtpd_tls  /etc/postfix/main.cf
smtpd_tls_cert_file = /etc/letsencrypt/live/h2jammy.yushei.net/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/h2jammy.yushei.net/privkey.pem
smtpd_tls_security_level=may

smtpd_tls_security_level sets how strictly Postfix enforces TLS on incoming SMTP connections. The value "may" makes TLS opportunistic: it is encouraged but not required. Postfix negotiates an encrypted session when the connecting client supports TLS, but it still accepts unencrypted connections from clients that do not.

¶Go to Nextcloud, Basic settings, try the sendmail button --> success

May  1 09:59:38 h2Jammy postfix/smtpd[27165]: connect from 114-33-29-69.hinet-ip.hinet.net[114.33.29.69]
May  1 09:59:39 h2Jammy postfix/smtpd[27165]: 0DABE5562B: client=114-33-29-69.hinet-ip.hinet.net[114.33.29.69]
May  1 09:59:39 h2Jammy postfix/cleanup[27170]: 0DABE5562B: message-id=<5265bb982674fc64ac9dfd1c425a77e7@h2jammy.yushei.net>
May  1 09:59:39 h2Jammy opendkim[18321]: 0DABE5562B: external host 114-33-29-69.hinet-ip.hinet.net attempted to send as h2jammy.yushei.net
May  1 09:59:39 h2Jammy postfix/qmgr[27114]: 0DABE5562B: from=<alexlai@h2jammy.yushei.net>, size=15862, nrcpt=1 (queue active)
May  1 09:59:39 h2Jammy postfix/smtpd[27165]: disconnect from 114-33-29-69.hinet-ip.hinet.net[114.33.29.69] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
May  1 09:59:39 h2Jammy postfix/local[27171]: 0DABE5562B: to=<alexlai@h2jammy.yushei.net>, relay=local, delay=0.05, delays=0.04/0.01/0/0, dsn=2.0.0, status=sent (delivered to maildir)
May  1 09:59:39 h2Jammy postfix/qmgr[27114]: 0DABE5562B: removed
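
With smtpd_tls_security_level=may, the starttls= counter on the smtpd disconnect line (starttls=1 in the log above) shows whether a given client actually encrypted its session. The script below is an added example, not part of the original notes: it lists clients whose mail was accepted without STARTTLS. The sample log lines, host names and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original notes): audit opportunistic TLS.
# Postfix smtpd ends each session with a summary such as
#   disconnect from host[ip] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 ...
# A counter written as ok/total (e.g. starttls=0/1) means some attempts failed.
# Assumption: all listeners use STARTTLS; implicit-TLS (wrappermode)
# sessions never issue STARTTLS and would need to be excluded first.

# Constructed sample lines; hosts and addresses are placeholders.
sample_log() {
cat <<'EOF'
May  1 09:59:39 mx postfix/smtpd[27165]: disconnect from a.example[192.0.2.10] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
May  1 10:02:11 mx postfix/smtpd[27201]: disconnect from b.example[192.0.2.20] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
May  1 10:05:42 mx postfix/smtpd[27233]: disconnect from b.example[192.0.2.20] ehlo=1 mail=2 rcpt=2 data=2 quit=1 commands=8
May  1 10:06:03 mx postfix/smtpd[27240]: disconnect from c.example[192.0.2.30] ehlo=1 starttls=0/1 commands=1/2
May  1 10:07:19 mx postfix/smtpd[27251]: disconnect from d.example[192.0.2.40] ehlo=1 mail=0/1 quit=1 commands=2/3
EOF
}

# Print "<sessions> <client>" for every client whose MAIL FROM was accepted
# in a session with no successful STARTTLS, i.e. mail sent in plaintext.
plaintext_senders() {
  awk '
    # Return the success count of a "name=ok" or "name=ok/total" token.
    function ok(tok,   kv, n) { split(tok, kv, "="); split(kv[2], n, "/"); return n[1] + 0 }
    /postfix\/smtpd\[[0-9]+\]: disconnect from / {
      client = ""; tls = 0; mail = 0
      for (i = 1; i <= NF; i++) {
        if ($i == "from" && client == "") client = $(i + 1)
        else if ($i ~ /^starttls=/) tls = ok($i)
        else if ($i ~ /^mail=/) mail = ok($i)
      }
      if (mail > 0 && tls == 0) plain[client]++
    }
    END { for (c in plain) print plain[c], c }
  ' | sort -k2
}

# Real use: plaintext_senders < /var/log/mail.log
sample_log | plaintext_senders
```

A client that shows up here repeatedly is a candidate for a per-client TLS requirement before the server-wide level is raised above "may".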

¶Try to send mail out

May  1 10:08:00 h2Jammy dovecot: imap-login: Login: user=<alexlai>, method=PLAIN, rip=114.33.29.69, lip=192.168.16.248, mpid=27353, session=<I3ax9FoXUMtyIR1F>
May  1 10:08:00 h2Jammy dovecot: imap(alexlai)<27353><I3ax9FoXUMtyIR1F>: Disconnected: Logged out in=388 out=2451 deleted=0 expunged=0 trashed=0 hdr_count=1 hdr_bytes=676 body_count=0 body_bytes=0
May  1 10:08:00 h2Jammy dovecot: imap-login: Login: user=<alexlai>, method=PLAIN, rip=114.33.29.69, lip=192.168.16.248, mpid=27355, session=<Svq09FoXVMtyIR1F>
May  1 10:08:00 h2Jammy dovecot: imap(alexlai)<27355><Svq09FoXVMtyIR1F>: Disconnected: Logged out in=87 out=661 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0

The mail command works, but the Nextcloud Mail app cannot even contact the SMTP server h2jammy.yushei.net; there is no log entry in mail.log when the send button is hit.