Secure mail, FTP servers

According to the Let's Encrypt FAQ, I can secure my web, mail and FTP servers.

"Let’s Encrypt certificates are standard Domain Validation certificates, so you can use them for any server that uses a domain name, like web servers, mail servers, FTP servers, and many more." - Let's Encrypt - FAQ - Free SSL/TLS Certificates

I have used letsencrypt to secure my web server, and I want to secure everything else now. How do I go about doing that?

I want to start using FTPS, and my e-mail will also need to be secured.

My goal is that every connection to my site is a secured connection.

It depends on what FTP and email server software you’re using. Assuming that you’re using certbot or a client that uses the same naming scheme for its files, use:

privkey.pem for the key file

If it asks for chain and cert separately: chain.pem and cert.pem respectively.

Otherwise fullchain.pem for cert.

Could you post a link to a tutorial? This seems a bit too light for me to grasp.

Without knowing what server software you’re using, it’s impossible to know which ones are relevant.

I use Linux(Ubuntu - CentOS), RoundCube, imap… What is it that you exactly need to know?

So you have multiple servers with different OSes on them, I assume.
What version of Ubuntu / CentOS?

What software do you use? Dovecot? Exim? Something else?

Do you only use IMAP? Not POP3, SMTP?

You asked for a tutorial / guidance, so basically @cool110 was asking what your exact setup is: what versions of software are you using that you want to secure? What is your mail software? What is your FTP software, etc.?

I’m using ProFTPD on Ubuntu Server 14.04 and would also like to have a tutorial. I have instructions for creating, as .pem files, a key and a self-signed cert from https://www.howtoforge.com/tutorial/install-proftpd-with-tls-on-ubuntu-16-04/. I believe I’m going to need to generate a .csr if I’m to use Let’s Encrypt, but I’m not sure how to do this. The Certbot site at https://certbot.eff.org/ offers help for only a selection of web servers (I already have certs for my web server), so I’m a bit out at sea here.

You don’t really need a CSR. You’re welcome to use one, but if you don’t have one already it’s not necessary; the software can conjure one anyway.

So, there are two separate elements: firstly you need to get Let’s Encrypt to issue you with certificates for the names you want (public Internet FQDNs for the FTPS server), then you need to configure ProFTPD to provide this certificate to clients when they connect.

Let’s Encrypt only issues certificates to subscribers who can prove they control the names they want on the certificate. You can prove this in one of three ways, but for your scenario there are basically two approaches.

One, you could use Certbot’s standalone mode, in which it briefly acts as a web server. It needs for this server to be accessible from the Internet, using the name you want a certificate for, on either port 80 (HTTP) or port 443 (HTTPS). If you can’t or won’t allow access to these web ports from the Internet (after all this is an FTP server) then this is not an option.

If you can open up port 443 for certbot to use, you’ll want something like this to get example.com and ftp.example.com as the names on the certificate:

certbot --standalone -d example.com -d ftp.example.com --standalone-supported-challenges tls-sni-01

If it’s easier with port 80 for whatever reason, you need to ask for:

certbot --standalone -d example.com -d ftp.example.com --standalone-supported-challenges http-01

Two, you could use the DNS-based clients, for which you need some way to change DNS entries related to the name you control from a program, e.g. via a web API or something. A popular client is https://github.com/Neilpang/acme.sh and they’ve got instructions on that site.

OK, now in terms of configuring ProFTPD, the tutorial for self-signed certs gets you roughly where you need to be, but obviously you’ll need to specify the certificate from Let’s Encrypt and the key used for that. You also may need an extra configuration directive for a “chain”: your self-signed certificate obviously signs itself, but for the Web PKI there’s more than one layer between your certificate and the trusted CA root. The chain has certificates from the root to an intermediate, then from the intermediate to another and so on until it reaches the issuer for your actual certificate (in fact for Let’s Encrypt today there’s just one certificate in the chain, but it could be more some day).

TLSRSACertificateFile     /etc/letsencrypt/live/example.com/cert.pem
TLSRSACertificateKeyFile  /etc/letsencrypt/live/example.com/privkey.pem
TLSCertificateChainFile   /etc/letsencrypt/live/example.com/chain.pem
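A post-deployment check for a configuration like the one above, added here as an example and not part of the original thread: it opens each service the way a real client does (AUTH TLS for FTPS, STARTTLS for SMTP, implicit TLS for IMAPS) and lets Python's default SSL context verify the chain and the host name, so a ProFTPD instance with the chain directive missing shows up as a rejected certificate instead of a working one. The host names and ports are assumptions taken from the names discussed in this thread.

```python
import ftplib
import imaplib
import smtplib
import socket
import ssl

socket.setdefaulttimeout(5)


def check_service(kind, host, port):
    """Connect as a client would (FTPS = AUTH TLS on the control channel,
    SMTP = STARTTLS, IMAPS = TLS from the first byte) and verify the
    presented certificate against the system trust store and the host name.
    Returns (ok, detail)."""
    # Default context: system CA roots, CERT_REQUIRED, hostname checking on.
    ctx = ssl.create_default_context()
    try:
        if kind == "ftps":
            c = ftplib.FTP_TLS(context=ctx)
            c.connect(host, port)
            c.auth()          # TLS handshake happens here; chain and SAN are checked
            c.close()
        elif kind == "smtp":
            s = smtplib.SMTP(host, port)
            s.starttls(context=ctx)
            s.close()
        elif kind == "imaps":
            imaplib.IMAP4_SSL(host, port, ssl_context=ctx).shutdown()
        else:
            raise ValueError("unknown service kind: %s" % kind)
        return True, "chain verified and name matches"
    except ssl.SSLCertVerificationError as exc:
        # Typical symptom of a missing TLSCertificateChainFile:
        # "unable to get local issuer certificate"
        return False, "certificate rejected: %s" % exc.verify_message
    except (OSError, ftplib.Error, imaplib.IMAP4.error) as exc:
        return False, "no TLS session: %s" % exc


if __name__ == "__main__":
    # Constructed list of endpoints; adjust to the hosts you actually run.
    for kind, host, port in [("ftps", "ftp.example.tld", 21),
                             ("smtp", "smtp.example.tld", 587),
                             ("imaps", "mail.example.tld", 993)]:
        ok, detail = check_service(kind, host, port)
        print("%-5s %-18s %s  %s" % (kind, host, "OK " if ok else "FAIL", detail))
```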

Thanks very much, tialaramex. I’ve got the ProFTPD configuration down and it’s working fine with a self-signed cert (.pem). Your comments about Certbot, however, were helpful. Running anything other than Apache2 on the standard HTTP and HTTPS ports isn’t possible, since Apache2 already uses them, so some other method will have to be used.

Proving domain name ownership/control isn’t a problem since I control DNS for all the names used on my server. I’ve done this before.

Ah, if you have Apache2 running on those ports, is it possible to arrange for it to answer HTTP requests for the names used by ProFTPD? If the answer is “Oh, they have the exact same DNS names”, you can just use the same certificates as Apache in ProFTPD. Today’s certificates aren’t ever labelled “This is for a web server” but only “This is for a server using TLS”, which means they’re fine for a web server, FTP server, IRC server, lots of things. So whether they’re from Let’s Encrypt or a commercial CA, if they have the right DNS names in them they’ll work for ProFTPD.

If it’s the same IP addresses but different DNS names (e.g. ftp.example.com is the same machine as www.example.com, but you don’t answer HTTP requests for ftp.example.com), would it be OK for Apache httpd to answer those names and serve up only the Let’s Encrypt validation materials? Certbot knows how to arrange that, but I assumed it wouldn’t be relevant because you said this was specifically an FTP server.

The DNS option is great, but not everybody’s DNS can be manipulated from a shell script like acme.sh easily (I know mine can’t), so that’s why I’m enthusiastic about the web server based options. But whatever makes sense for you; that’s why Let’s Encrypt has these options.

Hello tialaramex,

I’m using macOS Sierra Server.app to host my site and the site’s mail. FTP and other services are scheduled to come soon as I learn more. My question to you is: can I request one certificate bundling all the site’s services and use it as a default?

The command I use to generate my certificates is:

sudo letsencrypt certonly --webroot -w /Library/Server/Web/Data/Sites/example -d example.tld -d www.example.tld

However, if I understood you correctly, I could use the following command:

sudo letsencrypt certonly --webroot -w /Library/Server/Web/Data/Sites/example -d example.tld -d www.example.tld -d ftp.example.tld -d mail.example.tld -d smtp.example.tld

Is that correct, or am I all the way out in left field? Thank you kindly.

E

You can do this, BUT all those extra names would need to point to that machine running macOS Sierra, and the web server component of the Server.app system would have to answer for all those names, using the pages from that /Library/Server/Web/Data/Sites/example directory, in order for this to work.

So for example, if you have -d mail.example.com then connecting to http://mail.example.com/ has to result in pages from that directory in order for this approach to work.

It doesn’t matter whether this site is ever visited by humans or advertised anywhere, but the site has to work, because the Let’s Encrypt system will connect to verify your proof of control for each separate name you want on the certificate.

If that’s fine, then yes, you can do this to get one certificate with all the names you want in it (well, up to 100).

In this scenario it might also be easier to use the DNS challenge (given a configuration that can support it); in that case not all of the services would have to point at the requesting machine for verification purposes.
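A pre-flight for the multi-name webroot command discussed above, added here as an example and not part of the original thread: for every name it writes a random token under the webroot's .well-known/acme-challenge/ directory and fetches it back over plain HTTP using that name, which is what the HTTP-01 validator does, so a name that resolves elsewhere or whose vhost serves a different directory fails here instead of at issuance time. The webroot path and the small local server helper used to try it offline are assumptions.

```python
import functools
import http.server
import os
import secrets
import threading
import urllib.error
import urllib.request

# Path the HTTP-01 validator fetches: http://<name>/.well-known/acme-challenge/<token>
CHALLENGE_DIR = ".well-known/acme-challenge"
# Fetch directly, never through a local proxy: the validator will not use one either.
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))

def preflight(webroot, names, port=80, timeout=5):
    """For each name, put a random token under webroot and fetch it back over
    plain HTTP using that name.  Returns {name: (ok, detail)}."""
    chal = os.path.join(webroot, *CHALLENGE_DIR.split("/"))
    os.makedirs(chal, exist_ok=True)
    results = {}
    for name in names:
        token = secrets.token_urlsafe(32)
        path = os.path.join(chal, token)
        with open(path, "w") as fh:
            fh.write(token)
        url = "http://%s:%d/%s/%s" % (name, port, CHALLENGE_DIR, token)
        try:
            with OPENER.open(url, timeout=timeout) as resp:
                body = resp.read().decode("ascii", "replace")
            ok = body == token
            results[name] = (ok, "served the token" if ok else "served other content")
        except (urllib.error.URLError, OSError, ValueError) as exc:
            # name does not resolve here, port closed, or vhost uses another docroot (404)
            results[name] = (False, "fetch failed: %s" % exc)
        finally:
            os.remove(path)
    return results

def serve_dir(directory):
    """Stand-in for the real web server so the check can be tried offline:
    serves `directory` on an ephemeral 127.0.0.1 port. Returns (server, port)."""
    handler = functools.partial(http.server.SimpleHTTPRequestHandler, directory=directory)
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]

if __name__ == "__main__":
    # Names from the thread (constructed list); the webroot path is an assumption.
    report = preflight("/var/www/html", ["example.tld", "ftp.example.tld", "mail.example.tld"])
    for name, (ok, detail) in report.items():
        print("%-18s %s  %s" % (name, "OK " if ok else "FAIL", detail))
```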

Thank you, I will play with the different pages and see what happens.

Kindly

Edwin
