I’ve got a public mail server used by 100 customers running CentOS 5 in a virtual environment with new hardware (migrated from old hardware in 2014).
I would like to increase security by configuring SSL for Sendmail and POP with less downtime.
What do you think about the possibility of securing this old mail server? Is it a good idea?
Or, in your opinion, is the better choice to install a new server?
What about the certificate? Do I need to buy one, or can I use a self-signed certificate (mail clients like Outlook, Thunderbird, Mail (Mac and iPhone) or Android clients will display that the certificate is not secure)?
Is it possible to leave both (secure and non-secure) authentication available for clients? I need to inform customers about this, but only some of them know how to change account settings.
Thanks a lot for your help.
Are you actually using Sendmail there, or are you using the default Postfix?
If you’re using Postfix and Dovecot, it’s actually quite simple to set them up for SSL from within Virtualmin.
You can do that by first enabling SSL for a Virtual Server, and then go into Server Configuration -> Manage SSL Certificates, and there, click the “Copy to Dovecot” and “Copy to Postfix” buttons.
I’m running Sendmail there…
Can no one suggest something about Sendmail?
Sendmail is also well supported by Virtualmin (Jamie still uses Sendmail on his servers, I think, or did for many years). You may be able to just turn SSL on in the Sendmail module in Webmin. Try it, and ask specific questions when you can’t make it work!
As for certificates, for mail clients you really need one that validates properly, if the server is used by a lot of people; self-signed certificates make some mail applications fail without offering an option to accept the self-signed certificate.
You can use Let’s Encrypt to get a free certificate, which is supported in the most recent Virtualmin version, but for now this is only easy on very new distributions (the Let’s Encrypt ACME client has an absurdly long and recent dependency list, making it almost impossible to get running on anything older than the latest distros). We’re working on supporting less demanding ACME clients that will run nicely on older distributions, but it’ll be a week or two, most likely, as Jamie is busy with a lot of other stuff lately.
Dovecot is the POP/IMAP server, and it is configured to enable IMAPS and POP3S by default during the installation of Virtualmin, but can also be turned on after the fact. There are docs on SSL in Dovecot here: http://doxfer.webmin.com/Webmin/Dovecot_IMAP/POP3_Server#SSL_Configuration
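A check for the transition period raised in the question, when secure and non-secure logins are both still enabled: the script below reads an SMTP EHLO reply and a POP3 CAPA reply and reports whether TLS is offered and whether password logins are still accepted in cleartext. It is an added example, not part of the thread or of Virtualmin; the function names are hypothetical and the sample replies are constructed.

```python
# Constructed sample replies (not captured from any real server).
SMTP_EHLO = """250-mail.example.com Hello client.example.net, pleased to meet you
250-PIPELINING
250-AUTH LOGIN PLAIN
250-STARTTLS
250 HELP"""
POP3_CAPA = "+OK\nTOP\nUIDL\nSTLS\nUSER\nSASL PLAIN\n."
CLEARTEXT_MECHS = {"PLAIN", "LOGIN"}  # password is readable on the wire without TLS

def _caps(lines):
    caps = {}
    for text in lines:
        words = text.replace("=", " ").upper().split()  # also accepts old "AUTH=LOGIN"
        if words:
            caps.setdefault(words[0], set()).update(words[1:])
    return caps

def parse_ehlo(reply):
    """Map EHLO keyword -> parameters from a multi-line 250 reply (RFC 5321)."""
    body = reply.strip().splitlines()[1:]  # line 0 is the greeting, not a capability
    return _caps(l[4:] for l in body if l[:3] == "250")

def parse_capa(reply):
    """Map POP3 CAPA keyword -> parameters (RFC 2449); '.' ends the list."""
    body = reply.strip().splitlines()[1:]  # line 0 is the +OK status line
    return _caps(l for l in body if l.strip() != ".")

def audit_smtp(caps):
    """Findings for capabilities seen on the plaintext SMTP session."""
    findings = []
    if "STARTTLS" not in caps:
        findings.append("smtp: STARTTLS not offered")
    weak = caps.get("AUTH", set()) & CLEARTEXT_MECHS
    if weak:
        findings.append("smtp: cleartext AUTH offered before STARTTLS: " + ",".join(sorted(weak)))
    return findings

def audit_pop3(caps):
    """Findings for capabilities seen on the plaintext POP3 session."""
    findings = []
    if "STLS" not in caps:
        findings.append("pop3: STLS not offered")
    if "USER" in caps or caps.get("SASL", set()) & CLEARTEXT_MECHS:
        findings.append("pop3: cleartext login offered before STLS")
    return findings

if __name__ == "__main__":
    for finding in audit_smtp(parse_ehlo(SMTP_EHLO)) + audit_pop3(parse_capa(POP3_CAPA)):
        print(finding)
```

Paste in the replies your own server gives to EHLO and CAPA on the unencrypted ports; an empty result means TLS is offered and no password mechanism is advertised before it.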