Home Tutorials How To Secure Your Linux Email Services with SSL/TLS

How To Secure Your Linux Email Services with SSL/TLS

To make the email services secure in Linux, you can use the end-to-end encryption method. This method can send and receive emails through a secure email transfer protocol. The Transport Layer Security (TLS) protocol can be set for email services where you don’t have to worry about the server; your encryption key secures your email. In Transport Layer Security (TLS) protocol, the sender and the receiver both can use the secure shell network. Inbound and outbound emails can be secured from Linux distributions. You can also secure your email services on Linux through updating the language filters, external meta tag, email plugin, and the email servers.

Networking Fundamentals to Secure Email Services


If you are a Linux system administrator, you already know how important it is to manage network ports for a secure connection. Most email service providers use TCP port 25 for email services to make a quick and universal connection with the client’s end. You can also secure your email services by using the Simple Mail Transfer Protocol (SMTP) server.

The SMTP server uses port 465, which is much more reliable and universal for email services. Though it’s not recommended, you can still use port the 25 for SMTP services. In this post, we will see how to secure your Linux email services with SSL/TLS.

Step 1:  Secure Email Services Through the OpenSSL


If you have your website in a professional domain, you can create and manage email accounts against your domain address. In that case, you will need to make your domain address more secure and encrypted. We can use the OpenSSL service to make it secure. The OpenSSL is a service that can generate a pair of private and public keys to make the connection encrypted.

To get the OpenSSL connection, you have to generate a new private key to get the SSL security. First, you need to install the OpenSSL services inside your Linux machine. You can use the following terminal command lines to install the OpenSSL service inside your system.

Install OpenSSL on Ubuntu/Debian Linux

$ sudo apt install openssl

Install OpenSSL on Red Hat Enterprise Linux

$ sudo yum install openssl

Install OpenSSL on CentOS and Fedora Linux

$ sudo dnf install openssl

Here I am going to show how to generate a new private key for any domain. You will need to put the domain address, country code, email address, cell number, organization details, and other pieces of information regarding your domain. Make sure that the private key is in RSA format, and the key size is at least 2048 bits.

$ openssl req -new -newkey rsa:2048 -nodes -keyout mail.mydomain.key -out mail.mydomain.csr

Secure Linux email services openssl

Step 2: Build the SMTP and IMAP Services


In networking, SMTP stands for Simple Mail Transfer Protocol. The SMTP can verify and control email services. When you send an email from your email client, the email is delivered to the email server from your computer using the SMTP protocol, also known as the SMTP server.

For example, if you are using Gmail, the SMTP server address would be smtp.gmail.com. Then the server will send the email to the recipient’s server. The email will stay at the recipient’s email server until the receiver login to the email address and gets the mail using the POP or IMAP protocols. The POP (Post Office Protocol) or IMAP (Internet Message Access Protocol) protocols are used for receiving emails.

The SMTP uses the TCP protocol to deliver the email. Here, I must note that the TCP protocol guarantees that the email is delivered to the correct destination. While you misspell the email address or make any syntax error, you get an error message from the TCP protocol.

Now we know about the protocols of the email server and how it works. To make the email services secure on Linux, we can use the Postfix Mail Transfer Agent (MTA). To make your email server secure and safe, Postfix can be used with the SMTP server. At the beginning of this step, we have to install the Postfix agent on our Linux machine. Here the terminal command lines are given below for various Linux distributions to install the Postfix.

Install Postfix on Debian/Ubuntu

$ apt-get update && apt-get install postfix mailutils

Install Postfix on Fedora Linux

$ dnf update && dnf install postfix mailx

Install Postfix on Centos

$ yum update && yum install postfix mailx cyrus-sasl cyrus-sasl-plain

Install Postfix on Arch Linux

$ pacman -Sy postfix mailutils

Now we can move ahead to configure the Postfix settings. Here the basic and primary configurations are given below. You can use the configurations to set up your Postfix client. You can use the Nano script editor to open and configure the Postfix settings on your Linux machine.

$ sudo nano /etc/postfix/main.cf

smtpd_use_tls = yes
smtpd_tls_cert_file = /etc/pki/tls/mail.mydomain.pem
smtpd_tls_key_file = /etc/pki/tls/mail.mydomain.key

Until now, we have seen how to set up the SMTP server settings; now, we will see how to configure the receiver end settings. We will use the IMAP settings to configure the server of the receiver end. We will use the Dovecot server to set up the receiver end settings. Linux usually comes with the Dovecot pre-installed, but if you can not find the Dovecot inside your Linux machine, here are the terminal command lines to install the Dovecot service.

Install Dovecot on Debian Based Linux Systems

$ apt-get -y install dovecot-imapd dovecot-pop3d

Install Dovecot on Red Hat Linux Based Systems

$ sudo yum install dovecot

Normally the Dovecot configuration file is located in the /etc/dovecot directory. You can use the Nano script editor to edit and finalize the Dovecot email service configurations on your Linux machine.

$ sudo nano /etc/dovecot/dovecot.conf

Here you can also set up the protocol for IMAP local mail transfer protocol settings.

protocols = imap pop3 lmtp
listen = *, ::

You have to enable the SSL settings in order to make your email server secure. The SSL configuration settings are given below for you.

ssl = required
ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
ssl_key = </etc/pki/dovecot/private/dovecot.pem

Create a location for your email services on your Linux system.

mail_location = mbox:~/mail:INBOX=/var/mail/%u

Now you can restart and enable the Dovecot email service on your Linux machine.

$ systemctl start dovecot
$ systemctl enable dovecot

Step 3: Configure the SELinux for Email Security


Security-Enhanced Linux (SELinux) was first created for Red Hat Linux, but now it is extensively used in almost every Linux distributions. Most Linux normally comes with the SELinux pre-installed. But if you can not find the SELinux inside your Linux machine, you can install it anytime.

$ sudo apt install selinux selinux-utils selinux-basics auditd audispd-plugins

You can configure the SELinux to make the Postfix and Dovecot email services more secure on your Linux machine.

Configure SELinux for Postfix

$ chcon -u system_u -t cert_t mail.mydomain.*

Configure SELinux for Dovecot

$ chcon -u system_u -t dovecot_cert_t mail.mydomain.*

Now you can check the status of the SELinux. If you have done everything correctly, you will be able to see the SELinux status on your system.

$ sudo sestatus

Step 4: Check Email Service Status on Linux


After everything is done correctly, it’s time to check the email connections, whether they are secured. First, we will check the SSL connection from the client’s end with a specific port of the IMAP server. Then, we will check the SMTP server connection status.

In return, we should get the details information about the private key, session ID, verification status, and the SSL protocol. Here, all checkups are done from the client’s end, but you can check either from the hosting end or the client’s end.

$ openssl s_client -connect mail.jahidonik.com:993
$ openssl s_client -starttls imap -connect mail.jahidonik.com:143
$ openssl s_client -starttls smtp -connect mail.jahidonik.com:587

Ending Words


Linux is mostly used for reliability and security purposes. On Linux distributions, you can make your email services secure and safe with SSL/TLS. In this entire post, I’ve demonstrated the steps of configuring the OpenSSL, SMTP, and IMAP services to secure the email connections. I have also described the networking fundamentals to secure email services on Linux.

Secure shell service (SSL) is the most reliable method to secure your email services on Linux. Besides these, you can make your email services secure through the settings of your email service providers. If you find this post useful and informative, please share it with your friends and the Linux community. We also inspire you to write your opinions regarding this post in the comment segment.

NO COMMENTS

LEAVE A REPLY

Please enter your comment!
Please enter your name here


Exit mobile version