Set up SSL encrypted connections in Postfix, Dovecot and Apache

This article is part 3 of our mailserver series. Part 1 covers the mailserver set-up with virtual users and domains using Postfix and Dovecot on a CentOS 6 VPS, and part 2 explains how to install and set up the Roundcube webmail interface.

The following post will show you how to set up SSL encrypted connections to our mailserver installation.

At the end of this article you will be using IMAP/POP3 over SSL (IMAPs/POP3s), SMTP over SSL (SMTPs) and Roundcube webmail over SSL (HTTPS).


As always, make sure your CentOS 6 Linux VPS is fully up to date by executing:

## screen -U -S ssl-screen
## yum update


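Next, set up the SSL certificate file and key. The commands below generate a passphrase-protected 2048-bit RSA key, a certificate signing request and a self-signed certificate valid for 365 days, then strip the passphrase from the key so the services can load it without prompting. Do this by executing the following: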

## yum install openssl
## mkdir -p ~/ssl/mydomain.com
## cd ~/ssl/mydomain.com
## openssl genrsa -des3 -out mydomain.com.key 2048
## openssl req -new -key mydomain.com.key -out mydomain.com.csr
## openssl x509 -req -days 365 -in mydomain.com.csr -signkey mydomain.com.key -out mydomain.com.crt
## cp mydomain.com.key{,.orig}
## openssl rsa -in mydomain.com.key.orig -out mydomain.com.key
## chmod 400 mydomain.com.key

## cp mydomain.com.crt /etc/pki/tls/certs
## cp mydomain.com.{key,csr} /etc/pki/tls/private/
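
Before pointing Apache, Dovecot and Postfix at these files, it helps to confirm that the pair is usable. The script below is an added example, not part of the original article: it checks that the key is no longer passphrase-protected, matches the certificate, is not readable by group or other, and that the certificate is not about to expire. The function names and the 30-day threshold are assumptions.

```shell
#!/bin/sh
# Added example (not from the article): pre-flight check for the cert/key
# pair before Apache, Dovecot and Postfix are restarted.
# Usage: sh check_tls_pair.sh /etc/pki/tls/certs/mydomain.com.crt \
#                             /etc/pki/tls/private/mydomain.com.key

check_tls_pair() {
    cert=$1; key=$2
    [ -r "$cert" ] && [ -r "$key" ] || { echo "cannot read cert or key" >&2; return 2; }

    # A key that still carries the -des3 passphrase cannot be loaded
    # unattended by the daemons.
    if grep -q ENCRYPTED "$key"; then
        echo "key is still passphrase-protected" >&2; return 3
    fi

    # Certificate and key must share the same RSA modulus.
    cm=$(openssl x509 -noout -modulus -in "$cert" 2>/dev/null) ||
        { echo "unparsable certificate" >&2; return 4; }
    km=$(openssl rsa -noout -modulus -in "$key" 2>/dev/null) ||
        { echo "unparsable key" >&2; return 4; }
    [ "$cm" = "$km" ] || { echo "certificate does not match key" >&2; return 5; }

    # Group and other need no access to the key (the article uses chmod 400).
    [ "$(ls -ldL "$key" | cut -c5-10)" = "------" ] ||
        { echo "key permissions too open" >&2; return 6; }

    # The article's certificate is valid for 365 days; flag it 30 days early
    # (the 30-day threshold is an assumption of this example).
    openssl x509 -noout -checkend 2592000 -in "$cert" >/dev/null ||
        { echo "certificate expires within 30 days" >&2; return 7; }
    echo "ok: $cert matches $key"
}

# Constructed sample input: a throwaway self-signed pair written to the
# directory given as $1, built like the article's pair but without a passphrase.
make_sample_pair() {
    openssl genrsa -out "$1/sample.key" 2048 2>/dev/null &&
    openssl req -new -x509 -key "$1/sample.key" -subj "/CN=mydomain.com" \
        -days 365 -out "$1/sample.crt" 2>/dev/null &&
    chmod 400 "$1/sample.key"
}

if [ "$#" -eq 2 ]; then check_tls_pair "$1" "$2"; fi
```

A non-zero exit status identifies which check failed, so the script can gate the service restarts that follow.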


In order to have your Roundcube webmail system accessible over an SSL encrypted connection you will need to set up Apache’s mod_ssl interface to openssl by running the following commands:

## yum install mod_ssl
## vim +/SSLCertificateFile /etc/httpd/conf.d/ssl.conf

set the paths to the SSL certificate and private key

SSLCertificateFile /etc/pki/tls/certs/mydomain.com.crt
SSLCertificateKeyFile /etc/pki/tls/private/mydomain.com.key

force SSL encrypted connection when accessing mydomain.com/webmail:

## vim /etc/httpd/conf.d/90-roundcube.conf

add the following:

RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^/?webmail/(.*) https://%{SERVER_NAME}/webmail/$1 [R,L]

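finally, restart Apache for the changes to take effect and try to access http://mydomain.com/webmail. The request should be redirected to the https:// URL, and because the certificate is self-signed the browser will show a certificate warning.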

## service httpd restart


In order to enable IMAPs and POP3s, you need to edit Dovecot's main configuration file (/etc/dovecot/dovecot.conf) and add/edit the following:

protocols = imap pop3

ssl = yes
ssl_cert = </etc/pki/tls/certs/mydomain.com.crt
ssl_key = </etc/pki/tls/private/mydomain.com.key

restart dovecot for the changes to take effect and verify it’s listening on its SSL ports using:

## service dovecot restart
## ss -tpl | grep -E 'imaps|pop3s'
LISTEN  0  0  *:imaps *:* users:(("dovecot",1955,22))
LISTEN  0  0  *:pop3s *:* users:(("dovecot",1955,18))

to test IMAPs or POP3s, simply set your email client to use the SSL port (993 for IMAPs, 995 for POP3s) and try to receive an email.


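To enable SSL support in Postfix so you can send emails using SMTP over SSL, you need to edit two Postfix configuration files. Start with editing /etc/postfix/main.cf and add the following (smtpd_tls_loglevel = 3 is very verbose, and the Postfix documentation advises against level 2 or higher except when troubleshooting, so lower it to 1 once the set-up works):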

## vim /etc/postfix/main.cf
smtpd_use_tls = yes
smtpd_tls_key_file  = /etc/pki/tls/private/mydomain.com.key
smtpd_tls_cert_file = /etc/pki/tls/certs/mydomain.com.crt

smtpd_tls_loglevel = 3
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

then edit /etc/postfix/master.cf and make sure the following lines are not commented:

## vim +/smtps /etc/postfix/master.cf
smtps     inet  n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes

restart Postfix for the change to take effect and verify it is listening on its SSL port using:

## service postfix restart

## ss -tnpl | grep 465
LISTEN 0 0  *:465 *:* users:(("master",2119,19))

test SMTPs by setting up your email client to use outgoing port 465.

Implementing SSL encrypted connections to the mailserver set-up with virtual users and domains using Postfix and Dovecot, and to the Roundcube webmail interface on a CentOS VPS, provides you with SSL encrypted connections for outbound and inbound emails.

However, a full-featured mail server still needs other parts, such as an anti-spam service, digital signatures using opendkim, filter rules etc. In the next few related articles, we will be adding additional features to the set-up, so stay tuned.

Update: Part 4 – How to install and integrate SpamAssassin with Postfix on a CentOS 6 VPS

Update: Part 5 – How to install and integrate OpenDKIM with Postfix on a CentOS 6 VPS

Update: Part 6 – How to set-up server-side email filtering with Dovecot Sieve and Roundcube on a CentOS 6 VPS

Of course, if you are one of our Linux VPS Hosting customers, you don’t have to do any of this, simply ask our admins, sit back and relax. Our admins will set this up for you immediately.
