Mail Server for Roundcube

SERVER WITH EXIM

Before proceeding, some system parameters must be adjusted:

#> apt-get remove sendmail

#> echo "pruebas.mayaguaray.cenditel.gob.ve" > /etc/mailname

#> echo "172.22.9.49 pruebas.mayaguaray.cenditel.gob.ve" >> /etc/hosts

  1. Install the following software:

#> apt-get install exim4 exim4-config exim4-daemon-heavy dovecot-imapd dovecot-psql

  1. Add the following Dovecot connection parameters to "/etc/exim4/conf.d/auth/30_exim4-config_examples":

#############################

## Dovecot authentication #####

#############################

dovecot_login:

driver = dovecot

public_name = LOGIN

server_socket = /var/run/dovecot/auth-client

server_set_id = $auth1

dovecot_plain:

driver = dovecot

public_name = PLAIN

server_socket = /var/run/dovecot/auth-client

server_set_id = $auth1

  1. Reconfigure exim4:

#> dpkg-reconfigure exim4-config

Configuration dialog boxes:

  • Configure an Internet site:
    Internet site; mail is sent and received directly using SMTP

  • Mail system name:
    pruebas.mayaguaray.cenditel.gob.ve

  • IP addresses on which to receive incoming SMTP connections:
    172.22.9.49

  • Other destinations for which mail is accepted:
    pruebas.mayaguaray.cenditel.gob.ve;pruebas-mail.mayaguaray.cenditel.gob.ve;localhost

  • Domains for which mail is relayed:
    <Blank>

  • Machines for which to relay mail:
    <Blank>
    Note: 172.22.9.0/24 (allows only the machines on that network to send mail from any user to any destination, preventing an open relay)

  • Limit the number of DNS queries (dial-on-demand)?
    <No>

  • Delivery mechanism for local mail:
    Maildir format in the home directory.

  • Split the configuration into small files?
    <Yes>

  1. Create the file 30_exim4-config_dovecot at "/etc/exim4/conf.d/transport/30_exim4-config_dovecot" with the following lines:

### transport/30_exim4-config_dovecot

#################################

dovecot_delivery:

driver = appendfile

maildir_format = true

directory = /var/spool/mail/$domain/$local_part

#directory = /var/vmail/%u

create_directory = true

directory_mode = 0770

mode_fail_narrower = false

message_prefix =

message_suffix =

delivery_date_add

envelope_to_add

return_path_add

user = mail

group = mail

mode = 0660

  1. Exim connection to LDAP: create the file "/etc/exim4/conf.d/main/04_exim4-config_ldap" with the following lines:

# Configuration for LDAP email aliases

ldap_default_servers = correosur-ldap.cenditel.gob.ve

LDAPUSER = cn=admin,dc=correosur,dc=cenditel

LDAPPASS = 1234567890

LDAPSEARCHBASE = dc=correosur,dc=cenditel

  1. Exim connection to LDAP: create the file "/etc/exim4/conf.d/router/450_exim4-config_ldap_aliases" with the following lines:

### router/450_exim4-config_ldap_aliases

### LDAP connection

ldap_aliases:

debug_print = "R: ldap_aliases LDAP lookup for $local_part@$domain"

driver = redirect

domains = +local_domains

condition = ${lookup ldap {user=LDAPUSER pass=LDAPPASS ldap:///LDAPSEARCHBASE?mail?sub?(otherMailbox=*${quote_ldap:$local_part@$domain}*)}}

data = ${lookup ldap {user=LDAPUSER pass=LDAPPASS ldap:///LDAPSEARCHBASE}}

  1. Verify the routing of e-mail addresses:

#> exim4 -bt <email address or alias>

#> exim4 -bt admin

Result

R: system_aliases for admin@pruebas.mayaguaray.cenditel.gob.ve

R: ldap_aliases LDAP lookup for admin@pruebas.mayaguaray.cenditel.gob.ve

R: userforward for admin@pruebas.mayaguaray.cenditel.gob.ve

R: procmail for admin@pruebas.mayaguaray.cenditel.gob.ve

R: maildrop for admin@pruebas.mayaguaray.cenditel.gob.ve

R: lowuid_aliases for admin@pruebas.mayaguaray.cenditel.gob.ve (UID 1007)

R: local_user for admin@pruebas.mayaguaray.cenditel.gob.ve

admin@pruebas.mayaguaray.cenditel.gob.ve

router = local_user, transport = maildir_home

  1. DNS blacklist (DNSBL)

    1. Edit the file /etc/exim4/conf.d/main/02_exim4-config_options and add at the end of the file:

CHECK_RCPT_IP_DNSBLS = zen.spamhaus.org : bl.spamcop.net : cbl.abuseat.org : sbl-xbl.spamhaus.org : psbl.surriel.com : b.barracudacentral.org : dul.dnsbl.sorbs.net : spamsources.fabel.dk

    1. Edit the file /etc/exim4/conf.d/acl/30_exim4-config_check_rcpt and change:

warn

dnslists = CHECK_RCPT_IP_DNSBLS

add_header = X-Warning: $sender_host_address is listed at $dnslist_domain ($dnslist_value: $dnslist_text)

log_message = $sender_host_address is listed at $dnslist_domain ($dnslist_value: $dnslist_text)

.endif

to:

drop

dnslists = CHECK_RCPT_IP_DNSBLS

add_header = X-Warning: $sender_host_address is listed at $dnslist_domain ($dnslist_value: $dnslist_text)

log_message = $sender_host_address is listed at $dnslist_domain ($dnslist_value: $dnslist_text)

.endif

  1. Authentication with TLS

    1. Edit /etc/exim4/conf.d/main/03_exim4-config_tlsoptions and add the following lines at the beginning of the file,

MAIN_TLS_ENABLE = 1

tls_on_connect_ports = 465
    1. Generate a security certificate, for example,

#> /usr/share/doc/exim4-base/examples/exim-gencert

Result:

Country Code (2 letters) [US]:VE

State or Province Name (full name) []:MERIDA

Locality Name (eg, city) []:MERIDA

Organization Name (eg, company; recommended) []:CENDITEL

Organizational Unit Name (eg, section) []:CENDITEL

Server name (eg. ssl.domain.tld; required!!!) []:pruebas-mail.mayaguaray.cenditel.gob.ve

Email Address []:lcolina@cenditel.gob.ve

[*] Done generating self signed certificates for exim!

Refer to the documentation and example configuration files

over at /usr/share/doc/exim4-base/ for an idea on how to enable TLS

support in your mail transfer agent.

The files exim.crt and exim.key are saved in /etc/exim4. The certificate is valid for three years. To change the validity period, edit /usr/share/doc/exim4-base/examples/exim-gencert and modify the DAYS variable, for example, DAYS=3652 (ten years). Then generate the certificate again.

    1. Update the Exim configuration and restart exim:

#> update-exim4.conf

#> systemctl restart exim4


    1. Edit /etc/default/exim4 and change,

SMTPLISTENEROPTIONS='-oX 465:25 -oP /var/run/exim4/exim.pid'
    1. Test STARTTLS:

#> telnet pruebas.mayaguaray.cenditel.gob.ve 25

Result:

Trying 172.22.9.49...

Connected to pruebas.mayaguaray.cenditel.gob.ve.

Escape character is '^]'.

220 cenditel09-0030.cenditel ESMTP Exim 4.84_2 Wed, 03 Aug 2016 12:15:45 -0400

EHLO pruebas.mayaguaray.cenditel.gob.ve

250-cenditel09-0030.cenditel Hello pruebas.mayaguaray.cenditel.gob.ve [172.22.9.49]

250-SIZE 52428800

250-8BITMIME

250-PIPELINING

250-AUTH LOGIN PLAIN

250-STARTTLS

250 HELP

STARTTLS

220 TLS go ahead

#> swaks -a -ssl -p 25 -q AUTH -s pruebas.mayaguaray.cenditel.gob.ve -au admin1

Result:

=== Trying pruebas.mayaguaray.cenditel.gob.ve:25...

=== Connected to pruebas.mayaguaray.cenditel.gob.ve.

<- 220 cenditel09-0030.cenditel ESMTP Exim 4.84_2 Mon, 08 Aug 2016 12:37:18 -0400

-> EHLO cenditel09-0030.cenditel

<- 250-cenditel09-0030.cenditel Hello pruebas.mayaguaray.cenditel.gob.ve [172.22.9.49]

<- 250-SIZE 52428800

<- 250-8BITMIME

<- 250-PIPELINING

<- 250-AUTH LOGIN PLAIN

<- 250-STARTTLS

<- 250 HELP

-> AUTH LOGIN

<- 334 VXNlcm5hbWU6

-> YWRtaW4x

<- 334 UGFzc3dvcmQ6

-> YWRtaW4x

<- 235 Authentication succeeded

-> QUIT

<- 221 cenditel09-0030.cenditel closing connection

=== Connection closed with remote host.

    1. TLS authentication test:

#> swaks -a -tls -q AUTH -s pruebas.mayaguaray.cenditel.gob.ve -au admin1

Result:
=== Trying pruebas.mayaguaray.cenditel.gob.ve:25...
=== Connected to pruebas.mayaguaray.cenditel.gob.ve.
<-  220 cenditel09-0030.cenditel ESMTP Exim 4.84_2 Wed, 03 Aug 2016 12:20:39 -0400
 -> EHLO cenditel09-0030.cenditel
<-  250-cenditel09-0030.cenditel Hello pruebas.mayaguaray.cenditel.gob.ve [172.22.9.49]
<-  250-SIZE 52428800
<-  250-8BITMIME
<-  250-PIPELINING
<-  250-AUTH LOGIN PLAIN
<-  250-STARTTLS
<-  250 HELP
 -> STARTTLS
<-  220 TLS go ahead
=== TLS started with cipher TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256
=== TLS no local certificate set
=== TLS peer DN="/C=VE/ST=MERIDA/L=MERIDA/O=CENDITEL/OU=CENDITEL/CN=pruebas-mail.mayaguaray.cenditel.gob.ve/emailAddress=lcolina@cenditel.gob.ve"
 ~> EHLO cenditel09-0030.cenditel
<~  250-cenditel09-0030.cenditel Hello pruebas.mayaguaray.cenditel.gob.ve [172.22.9.49]
<~  250-SIZE 52428800
<~  250-8BITMIME
<~  250-PIPELINING
<~  250-AUTH LOGIN PLAIN
<~  250 HELP
 ~> AUTH LOGIN
<~  334 VXNlcm5hbWU6
 ~> YWRtaW4x
<~  334 UGFzc3dvcmQ6
 ~> YWRtaW4x
<~  235 Authentication succeeded
 ~> QUIT
<~  221 cenditel09-0030.cenditel closing connection
=== Connection closed with remote host.

#> openssl s_client -connect pruebas.mayaguaray.cenditel.gob.ve:25 -starttls smtp -verify 5 -CAfile /etc/exim4/exim.crt

Result:
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 13F9EF33D3F39DD72EF42A51DB3E6615722B4CB5F494B781189E1EFB1EECFCC8
    Session-ID-ctx: 
    Master-Key: 88DF82AC74E852E8B84B4C17CE64A9BD8ACB6E39A52BA127126B0092C70F9FE3F7DEB1D9B876CDF96D50698ADFF04083
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1470240806
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
250 HELP
  1. Installing spamassassin:

    1. Install the spamassassin and spamc packages,

#> apt-get install spamassassin spamc dovecot-antispam dovecot-sieve

    1. Edit /etc/default/spamassassin and set the ENABLED variable to,

ENABLED=0
    1. Also set the CRON variable to,

CRON=1

    1. Install the sa-exim package,

#> apt-get install sa-exim

    1. Edit /etc/exim4/sa-exim.conf and comment out the line,

#SAEximRunCond: 0

    1. Update the Exim configuration,

#> update-exim4.conf

    1. Restart exim4,

#> systemctl restart exim4

    1. Enable spamassassin

#> systemctl enable spamassassin.service

    1. Start spamassassin

#> systemctl start spamassassin.service

    1. If necessary, modify /etc/exim4/exim4.conf.template to

# For spam scanning, there is a similar option that defines the interface to
# SpamAssassin. You do not need to set this if you are using the default, which
# is shown in this commented example. As for virus scanning, you must also
# modify the acl_check_data access control list to enable spam scanning.

# spamd_address = 127.0.0.1 783
    1. Modify /etc/exim4/conf.d/acl/acl_check_data in the spam headers section:

### acl/40_exim4-config_check_data
#################################

# This ACL is used after the contents of a message have been received. This
# is the ACL in which you can test a message's headers or body, and in
# particular, this is where you can invoke external virus or spam scanners.

acl_check_data:
...
...
...
# See the exim docs and the exim wiki for more suitable examples.
#
# warn
#   spam = Debian-exim:true
#   add_header = X-Spam_score: $spam_score\n\
#             X-Spam_score_int: $spam_score_int\n\
#             X-Spam_bar: $spam_bar\n\
#             X-Spam_report: $spam_report

# put headers in all messages (no matter if spam or not)
 warn  spam = nobody:true
     add_header = X-Spam-Score: $spam_score ($spam_bar)
     add_header = X-Spam-Report: $spam_report

# add second subject line with *SPAM* marker when message
# is over threshold
  warn  spam = nobody
      add_header = Subject: ***SPAM (score:$spam_score)*** $h_Subject:
  deny
    message = This message scored $spam_score spam points.
    spam = nobody
    condition = ${if >{$spam_score_int}{76}{1}{0}}
    1. Spam test:

#> telnet pruebas.mayaguaray.cenditel.gob.ve 25

Result:

Trying 172.22.9.49...

Connected to pruebas.mayaguaray.cenditel.gob.ve.

Escape character is '^]'.

220 cenditel09-0030.cenditel ESMTP Exim 4.84_2 Tue, 02 Aug 2016 12:24:25 -0400

ehlo pruebas.mayaguaray.cenditel.gob.ve

250-cenditel09-0030.cenditel Hello pruebas.mayaguaray.cenditel.gob.ve [172.22.9.49]

250-SIZE 52428800

250-8BITMIME

250-PIPELINING

250-AUTH LOGIN PLAIN

250-STARTTLS

250 HELP

MAIL FROM: <admin1@pruebas.mayaguaray.cenditel.gob.ve>

250 OK

RCPT TO: <admin1@pruebas.mayaguaray.cenditel.gob.ve>

250 Accepted

DATA

354 Enter message, ending with "." on a line by itself

Subject: test

XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X

.

550 This message scored 999.0 spam points.

Note: An error may occur with sa-update because of the domain name, which was in hexadecimal; it must be corrected in /etc/resolv.conf and the service started. Likewise, sa-compile does not get fully installed due to lack of memory, so keep an eye on it in order to compile all of spamassassin.

    1. Configuration of procmail and dovecot. Delivery will be the first attempt, and then the default will be the backup. Then, after spam filtering, deliver the mail, for example,

DELIVER="/usr/lib/dovecot/deliver -d $LOGNAME"

LOGFILE="/var/log/procmail.log"

DEFAULT="$HOME/Maildir/"

MAILDIR="$HOME/Maildir/"

# deliver spam to spam folder

:0 w

* ^X-Spam-Status: Yes

| $DELIVER -m $MAILDIR/.Spam

# deliver to INBOX and stop

:0 w

| $DELIVER
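
Added example (not part of the original guide): the first swaks run in the TLS step above completes AUTH LOGIN with `->`/`<-` markers, that is, with the base64-encoded credentials sent before any TLS handshake. The script below classifies a swaks transcript by where AUTH was advertised and used; the function names are hypothetical and the sample transcripts are constructed by abridging the two shown above.

```shell
#!/bin/sh
# Added example, not part of the original guide: classify swaks transcripts.
# swaks marks cleartext traffic with "->" / "<-" and traffic inside TLS with
# "~>" / "<~". Function names are hypothetical.

# Reads a swaks transcript on stdin and prints one finding per line:
#   ADVERTISED_CLEARTEXT  server listed AUTH in an EHLO reply sent without TLS
#   AUTH_CLEARTEXT        client issued AUTH without TLS (password exposed)
#   AUTH_TLS              client issued AUTH inside the TLS session
audit_swaks_transcript() {
    awk '
        { sub(/^[ \t]+/, "") }              # swaks indents client lines
        /^<-[ \t]+250[- ]AUTH( |$)/ { adv = 1 }
        /^->[ \t]+AUTH /            { clear = 1 }
        /^~>[ \t]+AUTH /            { tls = 1 }
        END {
            if (adv)   print "ADVERTISED_CLEARTEXT"
            if (clear) print "AUTH_CLEARTEXT"
            if (tls)   print "AUTH_TLS"
        }'
}

# Exit status 0 only when neither the AUTH offer nor the AUTH exchange
# crossed the wire in cleartext.
transcript_is_safe() {
    ! audit_swaks_transcript | grep -q 'CLEARTEXT'
}

# Constructed sample: abridged from the port 25 run without TLS.
sample_port25_no_tls() {
    cat <<'EOF'
<-  220 cenditel09-0030.cenditel ESMTP Exim 4.84_2
 -> EHLO cenditel09-0030.cenditel
<-  250-AUTH LOGIN PLAIN
<-  250-STARTTLS
<-  250 HELP
 -> AUTH LOGIN
<-  334 VXNlcm5hbWU6
EOF
}

# Constructed sample: abridged from the STARTTLS run.
sample_starttls() {
    cat <<'EOF'
 -> EHLO cenditel09-0030.cenditel
<-  250-AUTH LOGIN PLAIN
<-  250-STARTTLS
<-  250 HELP
 -> STARTTLS
<-  220 TLS go ahead
 ~> EHLO cenditel09-0030.cenditel
<~  250-AUTH LOGIN PLAIN
<~  250 HELP
 ~> AUTH LOGIN
<~  235 Authentication succeeded
EOF
}

for s in sample_port25_no_tls sample_starttls; do
    printf '%s: %s\n' "$s" "$($s | audit_swaks_transcript | tr '\n' ' ')"
done
```

Both samples report ADVERTISED_CLEARTEXT, because the server lists AUTH in the EHLO reply that precedes STARTTLS. Exim's `server_advertise_condition` authenticator option controls whether AUTH is offered on a connection, so it is the place to require TLS before the offer.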

IMAP/POP3 SERVER

  1. Install the following packages:

#> apt-get install dovecot-imapd dovecot-psql dovecot-ldap

  1. Create a symbolic link

#> ln -s /etc/dovecot/dovecot-ldap.conf.ext /etc/dovecot/dovecot-ldap-userdb.conf.ext

  1. Add the following configuration to the file /etc/dovecot/dovecot-ldap.conf.ext for the connection to the LDAP service:

hosts = correosur-ldap.cenditel.gob.ve

dn = cn=admin,dc=correosur,dc=cenditel

dnpass = 1234567890

debug_level = -1

auth_bind = no

auth_bind_userdn = cn=%u,ou=usuarios,dc=correosur,dc=cenditel

ldap_version = 3

base = ou=usuarios,dc=correosur,dc=cenditel

user_attrs = uid=uid,gidNumber=uid

user_filter = (uid=%u)

pass_attrs = uid=%u,userPassword=password

pass_filter = (uid=%u)

default_pass_scheme = SSHA

  1. Change the following line in /etc/dovecot/dovecot-dict-auth.conf.ext

default_pass_scheme = SSHA

  1. Modify the file /etc/dovecot/10-mail.conf:

mail_location = maildir:/home/%u/Maildir

  1. Modify the file /etc/dovecot/10-master.conf:

service auth {

# auth_socket_path points to this userdb socket by default. It's typically

# used by dovecot-lda, doveadm, possibly imap process, etc. Users that have

# full permissions to this socket are able to get a list of all usernames and

# get the results of everyone's userdb lookups.

#

# The default 0666 mode allows anyone to connect to the socket, but the

# userdb lookups will succeed only if the userdb returns an "uid" field that

# matches the caller process's UID. Also if caller's uid or gid matches the

# socket's uid or gid the lookup succeeds. Anything else causes a failure.

#

# To give the caller full permissions to lookup all users, set the mode to

# something else than 0666 and Dovecot lets the kernel enforce the

# permissions (e.g. 0777 allows everyone full permissions).

unix_listener auth-userdb {

#mode = 0666

#user =

#group =

}

# THIS WAS ADDED

############

# used by exim #

# ##########

unix_listener auth-client {

mode = 0660

user = Debian-exim

}

}

  1. Modify the file /etc/dovecot/auth-ldap.conf.ext:

passdb {

driver = ldap

# Path for LDAP configuration file, see example-config/dovecot-ldap.conf.ext

args = /etc/dovecot/dovecot-ldap.conf.ext

}

# "prefetch" user database means that the passdb already provided the

# needed information and there's no need to do a separate userdb lookup.

# <doc/wiki/UserDatabase.Prefetch.txt>

#userdb {

# driver = prefetch

#}

userdb {

driver = ldap

args = /etc/dovecot/dovecot-ldap-userdb.conf.ext

# Default fields can be used to specify defaults that LDAP may override

# default_fields = home=/home/virtual/%u

#default_fields = home=/var/vmail/%u uid=vmail gid=vmail

}

# If you don't have any user-specific settings, you can avoid the userdb LDAP

# lookup by using userdb static instead of userdb ldap, for example:

# <doc/wiki/UserDatabase.Static.txt>

#userdb {

#driver = static

#args = uid=vmail gid=vmail home=/var/vmail/%u

#}

  1. In the file /etc/dovecot/10-auth.conf, enable and disable the following parameters:

# Disable LOGIN command and all other plaintext authentications unless

# SSL/TLS is used (LOGINDISABLED capability). Note that if the remote IP

# matches the local IP (ie. you're connecting from the same computer), the

# connection is considered secure and plaintext authentication is allowed.

# See also ssl=required setting.

disable_plaintext_auth = yes

.

.

.

!include auth-ldap.conf.ext

#!include auth-passwdfile.conf.ext

Note: If #!include auth-passwdfile.conf.ext is not disabled, a file named /etc/dovecot/users must be created with the users' data:

eparedes:{PLAIN}password:1001:8::/home/eparedes::userdb_mail=maildir:~/Maildir:allow_nets=192.168.0.0/24

  1. Enabling SSL/TLS support in dovecot

    1. Convert the certificates that were created for Exim4 to .pem format:

#> cat exim.key exim.crt > dovecot.pem

or

#> cat exim.key > dovecot.pem

#> mkdir /etc/dovecot/certs/

#> cp dovecot.pem /etc/dovecot/certs/

#> openssl x509 -in exim.crt -out localhost.pem

#> cp dovecot.pem /etc/dovecot/private/

    1. Edit the file /etc/dovecot/conf.d/10-ssl.conf:

#> vim /etc/dovecot/conf.d/10-ssl.conf

# SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>
ssl = yes

# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
# dropping root privileges, so keep the key file unreadable by anyone but
# root. Included doc/mkcert.sh can be used to easily generate self-signed
# certificate, just make sure to update the domains in dovecot-openssl.cnf
ssl_cert = </etc/dovecot/certs/dovecot.pem
ssl_key = </etc/dovecot/private/dovecot.pem
    1. Restart the dovecot service:

#> systemctl restart dovecot

    1. Connection tests:

#> openssl s_client -connect 127.0.0.1:993

Result

CONNECTED(00000003)

depth=0 C = VE, ST = MERIDA, L = MERIDA, O = CENDITEL, OU = CENDITEL, CN = pruebas-mail.mayaguaray.cenditel.gob.ve, emailAddress = lcolina@cenditel.gob.ve

verify error:num=18:self signed certificate

verify return:1

depth=0 C = VE, ST = MERIDA, L = MERIDA, O = CENDITEL, OU = CENDITEL, CN = pruebas-mail.mayaguaray.cenditel.gob.ve, emailAddress = lcolina@cenditel.gob.ve

verify return:1

Certificate chain

0 s:/C=VE/ST=MERIDA/L=MERIDA/O=CENDITEL/OU=CENDITEL/CN=pruebas-mail.mayaguaray.cenditel.gob.ve/emailAddress=lcolina@cenditel.gob.ve

i:/C=VE/ST=MERIDA/L=MERIDA/O=CENDITEL/OU=CENDITEL/CN=pruebas-mail.mayaguaray.cenditel.gob.ve/emailAddress=lcolina@cenditel.gob.ve

Server certificate

subject=/C=VE/ST=MERIDA/L=MERIDA/O=CENDITEL/OU=CENDITEL/CN=pruebas-mail.mayaguaray.cenditel.gob.ve/emailAddress=lcolina@cenditel.gob.ve

issuer=/C=VE/ST=MERIDA/L=MERIDA/O=CENDITEL/OU=CENDITEL/CN=pruebas-mail.mayaguaray.cenditel.gob.ve/emailAddress=lcolina@cenditel.gob.ve

No client certificate CA names sent

SSL handshake has read 1683 bytes and written 447 bytes

New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384

Server public key is 2048 bit

Secure Renegotiation IS supported

Compression: NONE

Expansion: NONE

SSL-Session:

Protocol : TLSv1.2

Cipher : ECDHE-RSA-AES256-GCM-SHA384

Session-ID: 8B429608BB34F82DB07FD2F212F19B2E49D0A33301F70DCE7DB1D8F74699667B

Session-ID-ctx:

Master-Key: AF9E5F373158F07E8808F60249B49C3B4E8F147ADF7850621DB08180179CB10F1B15BA04A17448D105940EE93E0D6311

Key-Arg : None

PSK identity: None

PSK identity hint: None

SRP username: None

TLS session ticket lifetime hint: 300 (seconds)

Start Time: 1471446585

Timeout : 300 (sec)

Verify return code: 18 (self signed certificate)

* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=LOGIN AUTH=PLAIN] Dovecot ready.

#> openssl s_client -crlf -connect 127.0.0.1:143 -starttls imap

Result

CONNECTED(00000003)

depth=0 C = VE, ST = MERIDA, L = MERIDA, O = CENDITEL, OU = CENDITEL, CN = pruebas-mail.mayaguaray.cenditel.gob.ve, emailAddress = lcolina@cenditel.gob.ve

verify error:num=18:self signed certificate

verify return:1

depth=0 C = VE, ST = MERIDA, L = MERIDA, O = CENDITEL, OU = CENDITEL, CN = pruebas-mail.mayaguaray.cenditel.gob.ve, emailAddress = lcolina@cenditel.gob.ve

verify return:1

Certificate chain

0 s:/C=VE/ST=MERIDA/L=MERIDA/O=CENDITEL/OU=CENDITEL/CN=pruebas-mail.mayaguaray.cenditel.gob.ve/emailAddress=lcolina@cenditel.gob.ve

i:/C=VE/ST=MERIDA/L=MERIDA/O=CENDITEL/OU=CENDITEL/CN=pruebas-mail.mayaguaray.cenditel.gob.ve/emailAddress=lcolina@cenditel.gob.ve

Server certificate

subject=/C=VE/ST=MERIDA/L=MERIDA/O=CENDITEL/OU=CENDITEL/CN=pruebas-mail.mayaguaray.cenditel.gob.ve/emailAddress=lcolina@cenditel.gob.ve

issuer=/C=VE/ST=MERIDA/L=MERIDA/O=CENDITEL/OU=CENDITEL/CN=pruebas-mail.mayaguaray.cenditel.gob.ve/emailAddress=lcolina@cenditel.gob.ve

No client certificate CA names sent

SSL handshake has read 2014 bytes and written 473 bytes

New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384

Server public key is 2048 bit

Secure Renegotiation IS supported

Compression: NONE

Expansion: NONE

SSL-Session:

Protocol : TLSv1.2

Cipher : ECDHE-RSA-AES256-GCM-SHA384

Session-ID: EC371C8536CDF78A39CB3826F4AC40F78CB285B9E26A4802C3DD99D4A01E1EDC

Session-ID-ctx:

Master-Key: A8D93F559DD5302F7E00A44BBDCCE2B409E1B9754D60F6F15F05C929543B0771BFFD04A8CE52F013B8972E0E6674774D

Key-Arg : None

PSK identity: None

PSK identity hint: None

SRP username: None

TLS session ticket lifetime hint: 300 (seconds)

Start Time: 1471447063

Timeout : 300 (sec)

Verify return code: 18 (self signed certificate)

. OK Pre-login capabilities listed, post-login capabilities have more.
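
Added example (not part of the original guide): the conversion step above concatenates exim.key into dovecot.pem and copies that file into /etc/dovecot/certs/, while the 10-ssl.conf comment asks for the key file to stay unreadable by anyone but root. The script below reports PEM files that contain a private key and are readable by group or others; the function names are hypothetical, and the demo tree uses placeholder PEM bodies with assumed modes (644 under certs/, 600 under private/).

```shell
#!/bin/sh
# Added example, not part of the original guide. Function names are hypothetical.

# Classify one PEM file:
#   no-key          contains no private key
#   key-restricted  private key, not readable by group or others
#   key-exposed     private key readable by group or others
pem_key_exposure() {
    f=$1
    if ! grep -q -e '-----BEGIN [A-Z ]*PRIVATE KEY-----' "$f"; then
        echo "no-key"
    elif [ -n "$(find "$f" -prune \( -perm -040 -o -perm -004 \) -print)" ]; then
        echo "key-exposed"
    else
        echo "key-restricted"
    fi
}

# Walk a directory tree and print every *.pem file that exposes a private key.
audit_pem_tree() {
    find "$1" -type f -name '*.pem' | sort | while IFS= read -r pem; do
        [ "$(pem_key_exposure "$pem")" = "key-exposed" ] && echo "$pem"
    done
    return 0
}

# Constructed demo tree mirroring the layout the steps above create.
# PEM bodies are placeholders, not real key material; modes are assumptions.
build_demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/certs" "$root/private"
    key='-----BEGIN PRIVATE KEY-----
PLACEHOLDER
-----END PRIVATE KEY-----'
    crt='-----BEGIN CERTIFICATE-----
PLACEHOLDER
-----END CERTIFICATE-----'
    # certs/dovecot.pem: result of "cat exim.key exim.crt > dovecot.pem"
    printf '%s\n%s\n' "$key" "$crt" > "$root/certs/dovecot.pem"
    # certs/localhost.pem: certificate only, as written by "openssl x509"
    printf '%s\n' "$crt" > "$root/certs/localhost.pem"
    printf '%s\n%s\n' "$key" "$crt" > "$root/private/dovecot.pem"
    chmod 644 "$root/certs/dovecot.pem" "$root/certs/localhost.pem"
    chmod 600 "$root/private/dovecot.pem"
    echo "$root"
}

demo=$(build_demo_tree)
audit_pem_tree "$demo"      # lists only certs/dovecot.pem
rm -rf "$demo"
```

On a real host the same check is `audit_pem_tree /etc/dovecot`.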