POP3S/SMTPS

Services with postfix and dovecot

Ports

The encrypted port for POP3 is 995 and works over TLS/SSL. port 587 is the standard port for secure SMTP

https://en.wikipedia.org/wiki/Simple_Mail_Transfer_Protocol

SMTP servers commonly use the Transmission Control Protocol on port number 25 (for plaintext) and 587 (for encrypted communications).

https://en.wikipedia.org/wiki/Post_Office_Protocol

A POP3 server listens on well-known port number 110 for service requests. Encrypted communication for POP3 is either requested after protocol initiation, using the STLS command, if supported, or by POP3S, which connects to the server using Transport Layer Security (TLS) or Secure Sockets Layer (SSL) on well-known TCP port number 995.

Steps

   1 docker pull debian
   2 docker run -d -it --name debian_pod debian cat
   3 docker exec -it debian_pod bash
   4 cat /etc/os-release
   5 apt update
   6 apt install dovecot-core postfix net-tools vim rsyslog dovecot-pop3d libsasl2-2 sasl2-bin  libsasl2-modules
   7 # 2. Internet Site
   8 # General mail configuration type: 2
   9 # System mail name: example.org
  10 service --status-all
  11 # dovecot pop3s
  12 vim /etc/dovecot/conf.d/10-mail.conf
  13 service dovecot status
  14 service dovecot restart
  15 
  16 netstat -at -n
  17 passwd # define root pwd
  18 adduser anonymous # pwd guest
  19 touch /var/mail/anonymous
  20 chown anonymous:mail /var/mail/anonymous
  21 chmod o-r /var/mail/anonymous
  22 chmod g+rw /var/mail/anonymous
  23 
  24 rsyslogd -v
  25 rsyslogd
  26 cat /var/log/syslog
  27 
  28 vim /etc/default/saslauthd # change START=yes
  29 dpkg-statoverride --force --update --add root sasl 755 /var/spool/postfix/var/run/saslauthd
  30 echo 'pwcheck_method: saslauthd' >  /etc/postfix/sasl/smtpd.conf
  31 usermod -a -G sasl postfix
  32 service saslauthd start
  33 service saslauthd status
  34 
  35 # postfix smtps port 25 and 587
  36 vim /etc/postfix/main.cf
  37 vim /etc/postfix/master.cf
  38 service postfix start
  39 service postfix status

/etc/postfix/main.cf

   1 # TLS parameters
   2 smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
   3 smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
   4 smtpd_tls_security_level=may
   5 
   6 smtp_tls_CApath=/etc/ssl/certs
   7 smtp_tls_security_level=may
   8 smtp_tls_session_cache_database=btree:${data_directory}/smtp_scache
   9 myhostname=mail.example.org
  10 mydomain=example.org
  11 smtpd_recipient_restrictions=permit_sasl_authenticated , reject_unauth_destination
  12 relay_domains=
  13 smtpd_sasl_auth_enable=yes
  14 smtpd_sasl_security_options=noanonymous
  15 smtpd_sasl_local_domain=$myhostname
  16 broken_sasl_auth_clients=yes
  17 smtpd_relay_restrictions=permit_sasl_authenticated
  18 home_mailbox=Maildir/
  19 mail_spool_directory=/var/mail
  20 mydestination=$myhostname localhost.$mydomain localhost $mydomain
  21 mynetworks=127.0.0.0/8 10.0.0.0/24

/etc/dovecot/conf.d/10-mail.conf

   1 mail_location = maildir:/home/%u/Maildir
   2 namespace inbox {
   3   inbox = yes
   4 }
   5 mail_privileged_group = mail
   6 protocol !indexer-worker {
   7 }

/etc/postfix/master.cf

   1 smtp      inet  n       -       y       -       -       smtpd
   2 submission inet n       -       y       -       -       smtpd
   3 pickup    unix  n       -       y       60      1       pickup
   4 cleanup   unix  n       -       y       -       0       cleanup
   5 qmgr      unix  n       -       n       300     1       qmgr
   6 tlsmgr    unix  -       -       y       1000?   1       tlsmgr
   7 rewrite   unix  -       -       y       -       -       trivial-rewrite
   8 bounce    unix  -       -       y       -       0       bounce
   9 defer     unix  -       -       y       -       0       bounce
  10 trace     unix  -       -       y       -       0       bounce
  11 verify    unix  -       -       y       -       1       verify
  12 flush     unix  n       -       y       1000?   0       flush
  13 proxymap  unix  -       -       n       -       -       proxymap
  14 proxywrite unix -       -       n       -       1       proxymap
  15 smtp      unix  -       -       y       -       -       smtp
  16 relay     unix  -       -       y       -       -       smtp
  17         -o syslog_name=postfix/$service_name
  18 showq     unix  n       -       y       -       -       showq
  19 error     unix  -       -       y       -       -       error
  20 retry     unix  -       -       y       -       -       error
  21 discard   unix  -       -       y       -       -       discard
  22 local     unix  -       n       n       -       -       local
  23 virtual   unix  -       n       n       -       -       virtual
  24 lmtp      unix  -       -       y       -       -       lmtp
  25 anvil     unix  -       -       y       -       1       anvil
  26 scache    unix  -       -       y       -       1       scache
  27 postlog   unix-dgram n  -       n       -       1       postlogd
  28 maildrop  unix  -       n       n       -       -       pipe
  29   flags=DRXhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
  30 uucp      unix  -       n       n       -       -       pipe
  31   flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
  32 ifmail    unix  -       n       n       -       -       pipe
  33   flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
  34 bsmtp     unix  -       n       n       -       -       pipe
  35   flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
  36 scalemail-backend unix -       n       n       -       2       pipe
  37   flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
  38 mailman   unix  -       n       n       -       -       pipe
  39   flags=FRX user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop} ${user}

/etc/default/saslauthd

   1 START=yes
   2 PWDIR="/var/spool/postfix/var/run/saslauthd"
   3 PARAMS="-m ${PWDIR}"
   4 PIDFILE="${PWDIR}/saslauthd.pid"
   5 DESC="SASL Authentication Daemon"
   6 NAME="saslauthd"
   7 MECHANISMS="shadow"
   8 THREADS=5
   9 OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"

Send email

   1 openssl s_client -connect 127.0.0.1:25 -starttls smtp
   2 EHLO test
   3 250-mail.example.org
   4 250-PIPELINING
   5 250-SIZE 10240000
   6 250-VRFY
   7 250-ETRN
   8 250-AUTH SCRAM-SHA-512 SCRAM-SHA-384 SCRAM-SHA-256 SCRAM-SHA-224 SCRAM-SHA-1 DIGEST-MD5 NTLM CRAM-MD5 PLAIN LOGIN
   9 250-AUTH=SCRAM-SHA-512 SCRAM-SHA-384 SCRAM-SHA-256 SCRAM-SHA-224 SCRAM-SHA-1 DIGEST-MD5 NTLM CRAM-MD5 PLAIN LOGIN
  10 250-ENHANCEDSTATUSCODES
  11 250-8BITMIME
  12 250-DSN
  13 250 CHUNKING
  14 AUTH LOGIN
  15 334 VXNlcm5hbWU6
  16 YW5vbnltb3Vz
  17 334 UGFzc3dvcmQ6
  18 Z3Vlc3Q=
  19 235 2.7.0 Authentication successful
  20 mail from: root@example.org
  21 250 2.1.0 Ok
  22 rcpt to: anonymous@example.org
  23 250 2.1.5 Ok
  24 data
  25 354 End data with <CR><LF>.<CR><LF>
  26 a2 111222
  27 .
  28 250 2.0.0 Ok: queued as 8AE891694FA
  29 quit

Get message

   1 openssl s_client -connect localhost:995 -ign_eof
   2 +OK Dovecot (Debian) ready.
   3 USER anonymous
   4 +OK
   5 PASS guest
   6 +OK Logged in.
   7 LIST
   8 +OK 1 messages:
   9 1 423
  10 .
  11 +OK 423 octets
  12 Return-Path: <root@example.org>
  13 X-Original-To: anonymous@example.org
  14 Delivered-To: anonymous@example.org
  15 Received: from test (localhost [127.0.0.1])
  16         by mail.example.org (Postfix) with ESMTPSA id AA1A7167F56
  17         for <anonymous@example.org>; Sat, 28 Oct 2023 18:38:10 +0000 (UTC)
  18 Message-Id: <20231028183815.AA1A7167F56@mail.example.org>
  19 Date: Sat, 28 Oct 2023 18:38:10 +0000 (UTC)
  20 From: root@example.org
  21 
  22 a2 111222
  23 .
  24 quit

Send to port 587

   1 openssl s_client -connect 127.0.0.1:587 -starttls smtp
   2 EHLO test
   3 250-mail.example.org
   4 250-PIPELINING
   5 250-SIZE 10240000
   6 250-VRFY
   7 250-ETRN
   8 250-AUTH SCRAM-SHA-512 SCRAM-SHA-384 SCRAM-SHA-256 SCRAM-SHA-224 SCRAM-SHA-1 DIGEST-MD5 NTLM CRAM-MD5 PLAIN LOGIN
   9 250-AUTH=SCRAM-SHA-512 SCRAM-SHA-384 SCRAM-SHA-256 SCRAM-SHA-224 SCRAM-SHA-1 DIGEST-MD5 NTLM CRAM-MD5 PLAIN LOGIN
  10 250-ENHANCEDSTATUSCODES
  11 250-8BITMIME
  12 250-DSN
  13 250 CHUNKING
  14 AUTH LOGIN
  15 334 VXNlcm5hbWU6
  16 YW5vbnltb3Vz
  17 334 UGFzc3dvcmQ6
  18 Z3Vlc3Q=
  19 235 2.7.0 Authentication successful
  20 mail from: root@example.org
  21 250 2.1.0 Ok
  22 rcpt to: anonymous@example.org
  23 250 2.1.5 Ok
  24 data
  25 354 End data with <CR><LF>.<CR><LF>
  26 test 1
  27 .
  28 250 2.0.0 Ok: queued as 3823B169398
  29 quit
  30 221 2.0.0 Bye
  31 closed