From bca3a8ca2d712d8721390d53279ff5113997138c Mon Sep 17 00:00:00 2001 From: Jakub Czajka Date: Sat, 15 Oct 2022 14:43:18 +0200 Subject: [PATCH] [dovecot] Secure connections with TLS. TLS connections need to be secured with SSL certificates. `dovecot` generates self-signed SSL certificates. This commit switches `dovecot` and `postfix` to SSL certificates signed by Let's Encrypt CA. --- dovecot/10-ssl.conf | 6 +++--- dovecot/README | 26 ++++++++++++++++++++++++++ postfix/main.cf | 10 ++++++++++ 3 files changed, 39 insertions(+), 3 deletions(-) diff --git a/dovecot/10-ssl.conf b/dovecot/10-ssl.conf index fff8bf8..4dc0566 100644 --- a/dovecot/10-ssl.conf +++ b/dovecot/10-ssl.conf @@ -3,14 +3,14 @@ ## # SSL/TLS support: yes, no, required. -ssl = yes +ssl = required # PEM encoded X.509 SSL/TLS certificate and private key. They're opened before # dropping root privileges, so keep the key file unreadable by anyone but # root. Included doc/mkcert.sh can be used to easily generate self-signed # certificate, just make sure to update the domains in dovecot-openssl.cnf -ssl_cert = auth-static.conf.ext -- /etc/dovecot/conf.d/ `-> auth-system.conf.ext -- /etc/dovecot/conf.d/ +SSL +--- + +Add DNS records. If no MX record is present, mail servers fall back to the A +record (see https://serverfault.com/a/470651). + +``` +example.com. 0 A +example.com. 0 AAAA +example.com. 0 MX 0 mail.example.com +mail.example.com. 0 CNAME example.com. +``` + +Install `certbot`. + +``` +$ apt install certbot +``` + +Create a certificate with a generic name and add all domains under it. + +``` +$ certbot certonly --manual --preferred-challenges dns --cert-name mail \ + -d mail. -d mail. +``` + Install ------- diff --git a/postfix/main.cf b/postfix/main.cf index 449a3bf..0e7c03d 100644 --- a/postfix/main.cf +++ b/postfix/main.cf 
@@ -14,3 +14,13 @@ readme_directory = no
 # See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
 # fresh installs.
 compatibility_level = 2
+
+# TLS
+smtp_tls_cert_file = ${mail_ssl_cert_dir}/fullchain.pem
+smtp_tls_key_file = ${mail_ssl_cert_dir}/privkey.pem
+smtp_tls_security_level = encrypt
+smtpd_tls_auth_only = yes
+smtpd_tls_cert_file = ${mail_ssl_cert_dir}/fullchain.pem
+smtpd_tls_key_file = ${mail_ssl_cert_dir}/privkey.pem
+smtpd_tls_mandatory_ciphers = high
+smtpd_tls_security_level = encrypt
-- 
2.39.5
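Review bot: `smtp_tls_security_level = encrypt` makes outbound TLS mandatory for every destination, so mail to any remote MX that does not offer STARTTLS is deferred until it expires from the queue, while `encrypt` still does not verify the peer certificate and so adds little against an active attacker; Postfix's own guidance for general Internet delivery is `smtp_tls_security_level = may` (or `dane` behind a DNSSEC-validating resolver). The same concern applies to `smtpd_tls_security_level = encrypt` if this main.cf also governs port 25, since a public MX is expected to still accept senders without TLS (RFC 3207); keeping `may` here and enforcing `encrypt` only on the submission service in master.cf (`-o smtpd_tls_security_level=encrypt`) gives the same protection for authenticated clients, which `smtpd_tls_auth_only = yes` already covers. `${mail_ssl_cert_dir}` is not defined anywhere in this hunk; if it is not set elsewhere in main.cf it expands to an empty string and the file paths become `/fullchain.pem` and `/privkey.pem`, so it should be defined above these lines or its origin noted in the `# TLS` comment. `smtpd_tls_mandatory_ciphers = high` is not paired with a protocol floor; `smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1` (and the matching `smtp_tls_mandatory_protocols`) would be the usual companion, together with `smtpd_tls_loglevel = 1` so that handshake failures show up in the mail log.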