Two-way TLS and other security for LMTP over the internet?
Dovecot version 2.3.19.1 (9b53102964) Postfix version 3.5.18
We have a Postfix server that runs on a VPS with a hosting company and a Dovecot IMAP server that runs at the office.
We want Postfix to push the mail it receives to the Dovecot IMAP server, using the least amount of intermediate software. This transfer occurs over the open internet.
LMTP over TCP seems like a great solution, *if* it can be secured. But I'm not finding documentation on how to actually set up something like two-way TLS over LMTP.
1. Is there any setting in Dovecot where I can set a remote IP address (or hostname) that will be the only address that Dovecot's LMTP accepts connections from?

2. My current configuration options for LMTP in Dovecot look like:

   protocol lmtp {
     ssl_cert = </etc/ssl/imap/imap.crt
     ssl_key = </etc/ssl/imap/imap.key
     ssl_ca = </etc/ssl/imap/authority.crt
     ssl_verify_client_cert = yes
     auth_ssl_require_client_cert = yes
   }

   service lmtp {
     user = vmail
     inet_listener lmtp {
       address = * ::
       port = 24
     }
   }
With these settings, I can telnet from the Postfix server to the Dovecot server with LMTP, and I'm not convinced there is any encryption actually enabled or any TLS verification going on.
Is there any reasonable security that can be set up to make this safe (within Dovecot and Postfix settings, not using VPNs and SSH tunnels)?
If so, how?
It's been a while since I looked at this but I think you need

  service lmtp {
    inet_listener lmtp {
      ssl = yes
    }
  }

To restrict login by IP address:

  protocol lmtp {
    login_trusted_networks = 127.0.0.1
  }

Also, last time I looked at this, the LMTP TLS server does not check the subject name on a client certificate, so if you intend to use client certificates, you will need to set up a dedicated certificate authority whose only job is to issue LMTP client certificates.
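To answer the second question directly (whether any encryption or verification is actually happening on port 24), the probe below is an added example for this thread, not code from Dovecot, Postfix or either poster. It speaks just enough LMTP to see whether the listener advertises STARTTLS, negotiates TLS with the server chain verified against a private CA (the poster's `ssl_ca` file `/etc/ssl/imap/authority.crt` is reused as the trust anchor), presents a client certificate for two-way TLS, and can also probe a listener running with `ssl = yes` (TLS from the first byte, as suggested in the reply) via `implicit_tls=True`. The host name `imap.example.invalid`, the LHLO name `probe.invalid` and the client certificate paths are placeholders.

```python
# Added example: probe a Dovecot LMTP listener for STARTTLS / implicit TLS and
# mutual-certificate behaviour. Not code from Dovecot, Postfix or the posters.
import io
import socket
import ssl

CRLF = b"\r\n"


def read_reply(rfile):
    """Read one LMTP/SMTP reply from a file-like object; multi-line replies use
    'NNN-' on every line but the last, which uses 'NNN '. Returns (code, lines)."""
    code, lines = None, []
    while True:
        raw = rfile.readline()
        if not raw:
            raise ConnectionError("connection closed before reply was complete")
        line = raw.decode("utf-8", "replace").rstrip("\r\n")
        if len(line) < 3 or not line[:3].isdigit():
            raise ValueError(f"malformed reply line: {line!r}")
        code = int(line[:3])
        lines.append(line[4:])
        if len(line) == 3 or line[3] == " ":
            return code, lines


def parse_reply(data):
    """Parse a captured reply offline (bytes -> (code, lines))."""
    return read_reply(io.BytesIO(data))


def capabilities(lhlo_lines):
    """Extension keywords announced in an LHLO reply; line 0 is the server name."""
    return {line.split()[0].upper() for line in lhlo_lines[1:] if line.strip()}


def make_tls_context(ca_file=None, client_cert=None, client_key=None):
    """Strict client context: server chain verified, name checked, TLS 1.2+."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)   # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)    # private CA that signed imap.crt
    else:
        ctx.load_default_certs()
    if client_cert:
        ctx.load_cert_chain(client_cert, client_key) # our side of two-way TLS
    return ctx


def describe_context(ctx):
    """Plain-value summary of the verification policy a context enforces."""
    return {"verify_mode": ctx.verify_mode.name,
            "check_hostname": ctx.check_hostname,
            "minimum_version": ctx.minimum_version.name}


def probe(host, port=24, server_name=None, implicit_tls=False,
          ca_file=None, client_cert=None, client_key=None, timeout=10):
    """Connect, negotiate TLS (STARTTLS or implicit) and report what was observed.
    Raises ssl.SSLError if the server chain or name does not verify."""
    ctx = make_tls_context(ca_file, client_cert, client_key)
    sni = server_name or host
    result = {"starttls_offered": None, "tls": None}
    raw = socket.create_connection((host, port), timeout=timeout)
    sock = ctx.wrap_socket(raw, server_hostname=sni) if implicit_tls else raw
    try:
        rfile = sock.makefile("rb")
        code, _ = read_reply(rfile)                           # 220 greeting
        if code != 220:
            raise RuntimeError(f"unexpected greeting code {code}")
        sock.sendall(b"LHLO probe.invalid" + CRLF)
        _, lines = read_reply(rfile)
        result["starttls_offered"] = "STARTTLS" in capabilities(lines)
        if not implicit_tls:
            if not result["starttls_offered"]:
                sock.sendall(b"QUIT" + CRLF)
                return result                                 # plaintext only
            sock.sendall(b"STARTTLS" + CRLF)
            code, _ = read_reply(rfile)
            if code != 220:
                raise RuntimeError(f"STARTTLS refused with code {code}")
            sock = ctx.wrap_socket(sock, server_hostname=sni) # handshake happens here
            rfile = sock.makefile("rb")
            sock.sendall(b"LHLO probe.invalid" + CRLF)        # LHLO again inside TLS
            read_reply(rfile)
        cert = sock.getpeercert()
        result["tls"] = {"version": sock.version(), "cipher": sock.cipher()[0],
                         "peer_subject": dict(x[0] for x in cert.get("subject", ()))}
        sock.sendall(b"QUIT" + CRLF)
    finally:
        sock.close()
    return result


if __name__ == "__main__":
    import json, sys
    host = sys.argv[1] if len(sys.argv) > 1 else "imap.example.invalid"  # placeholder
    print(json.dumps(probe(host, ca_file="/etc/ssl/imap/authority.crt",
                           client_cert="/path/to/lmtp-client.crt",      # placeholder
                           client_key="/path/to/lmtp-client.key"), indent=2))
```

If `starttls_offered` comes back false and `tls` is `None`, the telnet session the poster describes is exactly what the mail gets: nothing on the wire is encrypted. If the plaintext probe raises a malformed-reply error or times out on the greeting, the listener may already be in `ssl = yes` mode; rerun with `implicit_tls=True`. A verification failure surfaces as `ssl.SSLError`, which is the behaviour a correctly configured Postfix client should show against a wrong certificate as well: on the Postfix side the matching settings for the lmtp transport are `lmtp_tls_security_level` (`secure` or `verify` with `lmtp_tls_CAfile`) plus `lmtp_tls_cert_file` and `lmtp_tls_key_file` for the client certificate.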
dovecot mailing list -- dovecot@dovecot.org
an option to consider is
postfix @ vpn -> smtp relay transport, with TLS protections -> 2nd-postfix instance, on same server as dovecot
and,
2nd-postfix instance -> 'local' lmtp over unix socket -> dovecot listener
the postfix -> postfix secure config is rich & flexible, easily configured whether over open 'net, or over a vpn tunnel
yes, additional server instance to manage -- but that 2nd postfix config can be quite lightweight, and secured for only the postfix -> postfix -> dovecot config
ymmw
participants (3): forum@ageofdream.com, pgnd, Sean Gallagher