1

Topic: How to implement encryption in transit?

==== Required information ====
- iRedMail version (check /etc/iredmail-release): 0.8.3
- Linux/BSD distribution name and version: Ubuntu 12.04
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): LDAP
- Web server (Apache or Nginx): Apache
- Manage mail accounts with iRedAdmin-Pro? yes
- Related log if you're reporting an issue:
====
E-Mail encryption in transit is not supported in iRedMail, not in version 0.8.3 at least.
I cannot find any document saying it is supported in later versions. Is there any?
Or is that merely a certificate problem (I am using self-signed certificate)?

When I send an e-mail from Gmail to my iRedMail server, it shows a red padlock indicating that TLS encryption is not enabled on my server.

Any idea?

2

Re: How to implement encryption in transit?

iRedMail has TLS support for POP3/IMAP/SMTP, and HTTPS support enabled by default. In recent iRedMail releases, secure connections are required to send or retrieve emails.

pschulz wrote:

When I send an e-mail from Gmail to my iRedMail server, it shows a red padlock indicating that TLS encryption is not enabled on my server.

What's this padlock? Could you please capture a screenshot to help us understand this issue?

3 (edited by pschulz 2016-03-21 20:22:56)

Re: How to implement encryption in transit?

I don't mean the mail retrieval from a client but sending the mail to other mail servers (outbound transit), and enabling any internet mail server to transfer mail to my server using TLS (inbound transit).

The link from Google is here:

Email encryption in transit (TLS)

4

Re: How to implement encryption in transit?

For Postfix, you need 2 options:

1) "smtpd_tls_security_level = may". Announce STARTTLS support to remote SMTP clients, but do not require that clients use TLS encryption. This is for inbound email.

2) "smtp_tls_security_level = may". Use TLS if this is supported by the remote SMTP server, otherwise use plaintext. This is for outbound email.

In recent iRedMail releases, both are enabled by default.

References:

1) http://www.postfix.org/postconf.5.html# … rity_level
2) http://www.postfix.org/postconf.5.html# … rity_level

5

Re: How to implement encryption in transit?

I did a test by sending email to my iRedMail server, I can see the mail transit was TLS encrypted:

Mar 21 14:58:08 mail postfix/smtpd[8403]: Anonymous TLS connection established from mail-io0-f177.google.com[209.85.223.177]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)

And my iRedMail server to Gmail:

Mar 21 15:00:51 mail postfix/submission/smtpd[8485]: Anonymous TLS connection established from mail.iredmail.org[127.0.0.1]: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
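A small checker for the two Postfix parameters named in post 4 and the log lines quoted in post 5, added here as an example; it is not part of the thread or of iRedMail. The main.cf excerpt is a constructed sample (with the outbound `smtp_tls_security_level` deliberately set to `none` so the check has something to flag); the log input is the two lines quoted above plus one constructed line without TLS. Note that "Anonymous" in Postfix's message describes the peer certificate status (no client certificate was presented), not the strength of the encryption, so an inbound session logged as "Anonymous TLS" is still encrypted.

```python
"""Check Postfix opportunistic TLS settings and confirm TLS sessions in mail logs."""
import re

# Constructed main.cf excerpt; not taken from the poster's server.
SAMPLE_MAIN_CF = """\
# main.cf excerpt (constructed sample)
smtpd_tls_security_level = may
smtp_tls_security_level = none
smtpd_tls_cert_file = /etc/ssl/certs/iRedMail.crt
"""

# Two lines quoted in the thread plus one constructed plaintext connection.
SAMPLE_LOG = """\
Mar 21 14:58:08 mail postfix/smtpd[8403]: Anonymous TLS connection established from mail-io0-f177.google.com[209.85.223.177]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Mar 21 15:00:51 mail postfix/submission/smtpd[8485]: Anonymous TLS connection established from mail.iredmail.org[127.0.0.1]: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
Mar 21 15:02:10 mail postfix/smtpd[8490]: connect from unknown[192.0.2.10]
"""

# The two parameters from post 4 and what each direction means.
REQUIRED = {
    "smtpd_tls_security_level": "inbound: offer STARTTLS to remote SMTP clients",
    "smtp_tls_security_level": "outbound: use TLS when the remote server offers it",
}

# Protocol versions a defender would want flagged in a current deployment.
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# Matches both inbound ("from host[ip]") and outbound ("to host[ip]:port") TLS lines.
TLS_LINE = re.compile(
    r"postfix/(?P<service>[\w/]+)\[\d+\]: "
    r"(?P<trust>Anonymous|Untrusted|Trusted|Verified) TLS connection established "
    r"(?:from|to) (?P<host>[^\s\[]+)\[(?P<ip>[^\]]+)\](?::\d+)?: "
    r"(?P<proto>\S+) with cipher (?P<cipher>\S+) \((?P<bits>\d+)/\d+ bits\)"
)


def parse_main_cf(text):
    """Parse 'key = value' lines; lines starting with whitespace continue the previous value."""
    settings = {}
    last_key = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and last_key is not None:
            settings[last_key] = (settings[last_key] + " " + raw.strip()).strip()
            continue
        key, sep, value = raw.partition("=")
        if not sep:
            continue
        last_key = key.strip()
        settings[last_key] = value.strip()
    return settings


def check_tls_levels(settings):
    """Return {parameter: True} when TLS is at least opportunistic, False when off or unset."""
    return {
        param: settings.get(param, "").strip().lower() not in ("", "none")
        for param in REQUIRED
    }


def parse_tls_log(text):
    """Extract one record per established TLS session, flagging legacy protocol versions."""
    sessions = []
    for line in text.splitlines():
        m = TLS_LINE.search(line)
        if not m:
            continue
        s = m.groupdict()
        s["bits"] = int(s["bits"])
        s["legacy"] = s["proto"] in LEGACY_PROTOCOLS
        sessions.append(s)
    return sessions


if __name__ == "__main__":
    levels = check_tls_levels(parse_main_cf(SAMPLE_MAIN_CF))
    for param, ok in levels.items():
        print(f"{'OK ' if ok else 'OFF'} {param:28} {REQUIRED[param]}")
    for s in parse_tls_log(SAMPLE_LOG):
        flag = " [legacy protocol]" if s["legacy"] else ""
        print(f"{s['service']:18} {s['host']}[{s['ip']}] {s['proto']} {s['cipher']}{flag}")
```

Run it as-is to see the sample report, or feed it a real main.cf via `parse_main_cf(open("/etc/postfix/main.cf").read())` and a mail log via `parse_tls_log(...)`; a session logged with `TLSv1`, as in the second quoted line, is reported as legacy.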

6 (edited by pschulz 2016-03-21 23:23:56)

Re: How to implement encryption in transit?

I checked, and the setting "smtpd_tls_security_level = may" was already enabled, but inbound mail did not have TLS encryption on. I added the other setting, plus restarted all.

But it does not seem to change anything. Now I have only a self-signed certificate on the server - can that be the problem? Is an external provider like Gmail going to check that cert against a CA?

Update:
I do see that it now establishes a TLS connection with some senders for inbound mail. Not for Gmail-originated mail, though. It also shows the TLS connection message (similar to the one you show above) for connections from e-mail clients now. Is there any limitation by sender? Cannot imagine that.

7

Re: How to implement encryption in transit?

We disabled this opportunistic TLS support in an old iRedMail release before, because some vendors don't like (don't work well with) self-signed SSL certificates. Gmail is one of them.

You may want to give Let's Encrypt a try:
https://letsencrypt.org