To use a more secure protocol (TLS, in our case with OpenSSL), we installed OpenSSL and created the encryption certificate and key:
sudo dnf install openssl -y
sudo openssl req -new -x509 -days 365 -nodes -out /etc/pki/tls/certs/illa1.crt -keyout /etc/pki/tls/private/illa1.key
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:ES
State or Province Name (full name) []:Barcelona
Locality Name (eg, city) [Default City]:Castellbisbal
Organization Name (eg, company) [Default Company Ltd]:Makrosoft
Organizational Unit Name (eg, section) []:makrosftOU
Common Name (eg, your name or your server's hostname) []:illa1.net
Email Address []:makrosoft.illa1.net
Postfix
In the Postfix configuration (/etc/postfix/main.cf) we edit the following lines:
- smtpd_tls_security_level = may
- smtpd_tls_cert_file = /etc/pki/tls/certs/illa1.crt (path to the certificate)
- smtpd_tls_key_file = /etc/pki/tls/private/illa1.key (path to the key)
- smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
Dovecot
In the Dovecot configuration (/etc/dovecot/conf.d/10-ssl.conf) we edit the following lines:
- ssl = required
- ssl_cert = </etc/pki/tls/certs/illa1.crt (path to the certificate)
- ssl_key = </etc/pki/tls/private/illa1.key (path to the key)
We open the required firewall ports and restart the services:
sudo firewall-cmd --permanent --add-service=imaps
sudo firewall-cmd --permanent --add-service=pop3s
sudo firewall-cmd --permanent --add-service=smtps
sudo firewall-cmd --reload
sudo systemctl restart dovecot
sudo systemctl restart postfix
Postfix test
openssl s_client -starttls smtp -connect localhost:25
Connecting to 127.0.0.1
CONNECTED(00000003)
Can't use SSL_get_servername
depth=0 C=ES, ST=Barcelona, L=Castellbisbal, O=Makrosoft, OU=makrosftOU, CN=illa1.net, emailAddress=makrosoft.illa1.net
verify error:num=18:self-signed certificate
verify return:1
depth=0 C=ES, ST=Barcelona, L=Castellbisbal, O=Makrosoft, OU=makrosftOU, CN=illa1.net, emailAddress=makrosoft.illa1.net
verify return:1
---
Certificate chain
0 s:C=ES, ST=Barcelona, L=Castellbisbal, O=Makrosoft, OU=makrosftOU, CN=illa1.net, emailAddress=makrosoft.illa1.net
i:C=ES, ST=Barcelona, L=Castellbisbal, O=Makrosoft, OU=makrosftOU, CN=illa1.net, emailAddress=makrosoft.illa1.net
a:PKEY: RSA, 2048 (bit); sigalg: sha256WithRSAEncryption
v:NotBefore: Jan 15 07:35:29 2026 GMT; NotAfter: Jan 15 07:35:29 2027 GMT
---
Server certificate
subject=C=ES, ST=Barcelona, L=Castellbisbal, O=Makrosoft, OU=makrosftOU, CN=illa1.net, emailAddress=makrosoft.illa1.net
issuer=C=ES, ST=Barcelona, L=Castellbisbal, O=Makrosoft, OU=makrosftOU, CN=illa1.net, emailAddress=makrosoft.illa1.net
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: rsa_pss_rsae_sha256
Peer Temp Key: X25519, 253 bits
---
SSL handshake has read 1836 bytes and written 418 bytes
Verification error: self-signed certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Protocol: TLSv1.3
Server public key is 2048 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 18 (self-signed certificate)
---
250 CHUNKING
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: D985905C42B6999E65EE5ACB148025BE3AC5595401FCDD5F3D135044865EEF6B
Session-ID-ctx:
Resumption PSK: 078191833D1987CBE6B0B15FA6FF6F0BAC4ABF02E3F322254F9CB4CC05CACA8EDE59C5D432810060C750371D1EB39BBC
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
Start Time: 1768464944
Timeout : 7200 (sec)
Verify return code: 18 (self-signed certificate)
Extended master secret: no
Max Early Data: 0
---
The 250 reply on line 64 of the output (`250 CHUNKING`) means the test worked without errors.
Dovecot test
openssl s_client -connect localhost:993
Connecting to ::1
CONNECTED(00000003)
Can't use SSL_get_servername
depth=0 C=ES, ST=Barcelona, L=Castellbisbal, O=Makrosoft, OU=makrosftOU, CN=illa1.net, emailAddress=makrosoft.illa1.net
verify error:num=18:self-signed certificate
verify return:1
depth=0 C=ES, ST=Barcelona, L=Castellbisbal, O=Makrosoft, OU=makrosftOU, CN=illa1.net, emailAddress=makrosoft.illa1.net
verify return:1
---
Certificate chain
0 s:C=ES, ST=Barcelona, L=Castellbisbal, O=Makrosoft, OU=makrosftOU, CN=illa1.net, emailAddress=makrosoft.illa1.net
i:C=ES, ST=Barcelona, L=Castellbisbal, O=Makrosoft, OU=makrosftOU, CN=illa1.net, emailAddress=makrosoft.illa1.net
a:PKEY: RSA, 2048 (bit); sigalg: sha256WithRSAEncryption
v:NotBefore: Jan 15 07:35:29 2026 GMT; NotAfter: Jan 15 07:35:29 2027 GMT
---
Server certificate
subject=C=ES, ST=Barcelona, L=Castellbisbal, O=Makrosoft, OU=makrosftOU, CN=illa1.net, emailAddress=makrosoft.illa1.net
issuer=C=ES, ST=Barcelona, L=Castellbisbal, O=Makrosoft, OU=makrosftOU, CN=illa1.net, emailAddress=makrosoft.illa1.net
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: rsa_pss_rsae_sha256
Peer Temp Key: X25519, 253 bits
---
SSL handshake has read 1607 bytes and written 385 bytes
Verification error: self-signed certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Protocol: TLSv1.3
Server public key is 2048 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 18 (self-signed certificate)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: 42924E2BCD3752E33930758A83AAB9F051F1FB4D4EC0C04A2ECF82BCDB605298
Session-ID-ctx:
Resumption PSK: 1FF9CF585BC4BAB47A71E43B40BFA78EB862EE93F9E00AFED932730089A05524E80D4E7293BEB679630BE275B85F8DCD
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
Start Time: 1768464647
Timeout : 7200 (sec)
Verify return code: 18 (self-signed certificate)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: 9A3B0048EE3403408194031BB031AEC82E1CDBC4D44C1120A5F965196D47B1AB
Session-ID-ctx:
Resumption PSK: 98D38BDECD9658EDF7CA2D898FE650C534FB2052DD470505C7B3F681E14356A8D36DE69C6AADC0EE5B38E2F0A3DE4B74
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
Start Time: 1768464647
Timeout : 7200 (sec)
Verify return code: 18 (self-signed certificate)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
* OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ AUTH=PLAIN] Dovecot ready.
At the end it says that Dovecot is ready.
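As an added check (example code, not part of the original write-up), a small POSIX shell script that reduces an `openssl s_client` transcript like the two above to the facts that matter (protocol, cipher, verification result, self-signed or not) and judges them. `tls_probe` wraps `s_client` for a live host and assumes openssl is installed; the embedded transcript is constructed from the shape of the output above.

```shell
# Added example, not part of the original write-up: summarise an
# `openssl s_client` transcript like the Postfix/Dovecot tests above and judge
# it. tls_probe needs a live service and openssl; the rest works on saved text.

# First line of the form "<name> : value" (leading spaces and "name:" allowed).
field() { sed -n "s/^[[:space:]]*$1[[:space:]]*:[[:space:]]*//p" | head -n 1; }

# Reduce a transcript on stdin to one key=value line.
tls_summary() {
  out=$(cat)
  proto=$(printf '%s\n' "$out" | field Protocol)
  cipher=$(printf '%s\n' "$out" | field Cipher)
  code=$(printf '%s\n' "$out" | sed -n 's/^Verify return code: \([0-9]*\).*/\1/p' | head -n 1)
  subject=$(printf '%s\n' "$out" | sed -n 's/^subject=//p' | head -n 1)
  issuer=$(printf '%s\n' "$out" | sed -n 's/^issuer=//p' | head -n 1)
  # issuer == subject is what s_client reports as verify error 18 (self-signed)
  if [ -n "$subject" ] && [ "$subject" = "$issuer" ]; then self=yes; else self=no; fi
  printf 'proto=%s cipher=%s verify=%s selfsigned=%s\n' \
    "${proto:-none}" "${cipher:-none}" "${code:-none}" "$self"
}

# Exit 0 only for TLS 1.2/1.3 with a verified chain; pass "lab" to also accept
# the self-signed case (code 18) that the certificate created above produces.
tls_check() {
  s=$(cat)
  proto=${s#*proto=}; proto=${proto%% *}
  code=${s#*verify=}; code=${code%% *}
  case "$proto" in TLSv1.2|TLSv1.3) ;; *) return 1 ;; esac
  [ "$code" = 0 ] && return 0
  [ "$code" = 18 ] && [ "$1" = lab ] && return 0
  return 1
}
# tls_probe host port [smtp|imap|pop3]: the third argument selects STARTTLS
# (ports 25/143/110); omit it for implicit-TLS ports such as 993 and 995.
tls_probe() {
  if [ -n "$3" ]; then
    openssl s_client -starttls "$3" -connect "$1:$2" </dev/null 2>/dev/null
  else
    openssl s_client -connect "$1:$2" </dev/null 2>/dev/null
  fi | tls_summary
}
# Constructed transcript, abridged to the lines that matter from the output above.
SAMPLE='subject=C=ES, O=Makrosoft, CN=illa1.net
issuer=C=ES, O=Makrosoft, CN=illa1.net
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Protocol: TLSv1.3
Verify return code: 18 (self-signed certificate)
    Cipher    : TLS_AES_256_GCM_SHA384'
printf '%s\n' "$SAMPLE" | tls_summary   # proto=TLSv1.3 ... verify=18 selfsigned=yes
```

Verify return code 18 is only acceptable for this lab's self-signed certificate; on a production server `tls_check` without the `lab` argument should pass, meaning the chain verified (code 0) for a certificate issued for the host name.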