How To Configure Authentication and Encryption for Mailrise SMTP Gateway

Dec 4, 2023 · 6 mins read

In the video below, we show how to configure authentication and encryption for the mailrise SMTP gateway


Mailrise is a very useful SMTP gateway for small networks, home networks and also labs

But even in networks like this, we shouldn’t get complacent and allow just anybody access to computers or allow unencrypted traffic either, especially when it contains sensitive information

Now mailrise does support authentication, so you can restrict access to it, and it also supports TLS, so you can encrypt the traffic

And in this video we show you how to configure mailrise to support authentication and TLS to improve security

Useful links:
https://github.com/YoRyan/mailrise

Assumptions:
Because this video is specifically about configuring user authentication and TLS for mailrise, I’m going to make some assumptions

Firstly, you’ve already installed mailrise or at least know how to do that

If not then I do have another video which shows how to install mailrise in a Docker container

Secondly, that you have a private key and a TLS certificate available for mailrise, or you at least know how to create them

The reason is that this varies a lot depending on which certificate authority you use, and I can’t cover all possibilities

However, I do have a video available that shows how to create a certificate authority using OpenSSL and how to create certificates for servers if that’s of interest to you

Lastly, if you’re using your own certificate authority, I have to assume you know how to configure your servers to trust the certificates it signs

This is going to vary a lot depending on the application you use to send emails or maybe even the operating system

As an example though, I’ll be showing how to update the root certificate store on a Linux server

Configure Mailrise:
Mailrise does support user authentication but it uses plain text for the exchange

Not surprisingly, the expectation is that TLS will be configured, as you wouldn’t want user credentials being exchanged in unencrypted traffic

To set up TLS we need a private key and a certificate that clients will trust

How you get those depends on what certificate authority you use

In my case, I’m using OpenSSL as a root CA so I’ve created the files using that and uploaded them to the Docker server

ls certs

NOTE: Although access to private keys should normally be restricted, the container will not start unless the key file is readable by others (the process inside the container runs as a different user and otherwise can’t read the file)

My root CA has limited access to anything so I just created the files using nano and copied and pasted the contents

Because this is a container, I need to make these files available to that container, so the first thing we’ll do is to copy these to the mailrise folder where I store the config file

cp certs/mailrise.* mailrise/

And in order for mailrise to then use these, I have to update the Docker Compose file

nano docker-compose.yml

mailrise:
    volumes:
      - ./mailrise/mailrise.crt:/etc/ssl/mailrise.crt
      - ./mailrise/mailrise.key:/etc/ssl/mailrise.key

Now save and exit

Files like these are typically found in the /etc/ssl folder, which is why we’re using that folder in the mapping

The next thing to do is to update mailrise itself

nano mailrise/mailrise.conf
tls:
  mode: starttls
  certfile: /etc/ssl/mailrise.crt
  keyfile: /etc/ssl/mailrise.key

smtp:
  auth:
    basic:
      myemail: mypass1234

Now save and exit

What we’ve done is enable STARTTLS and tell mailrise where to find the certificate and private key; from the container’s perspective these are in the /etc/ssl folder, which we’ve mapped to the files in our mailrise folder

We’ve then enabled basic authentication and defined the user account and password to login with

Now I would suggest using better credentials than this, but this is just a demo

Now we need to restart the container for the changes to take effect and I’ve found it’s best to stop it then start it

docker container stop mailrise
docker compose up -d

To confirm the configuration didn’t contain errors and that the container is running, we can use this command

docker ps -a

As long as the container is not constantly restarting, mailrise should be working and support authentication and encryption

Trust Private Root CA in Linux:
In order to trust a certificate, an application needs to trust the root CA that signed it

Now if you’re using a certificate provided by a public certificate authority then feel free to skip this section

But if you have your own root CA and you’re using an application in Linux for instance that relies on the root certificate store to trust certificates, then you’ll need to update it

First we’ll create a new folder

sudo mkdir /usr/share/ca-certificates/extra

Next we’ll update the config file with details of our root certificate, in my case it’s called root-ca.crt

sudo nano /etc/ca-certificates.conf

extra/root-ca.crt

Now save and exit

Now upload your root certificate to /usr/share/ca-certificates/extra

In my case I just create the file and copy and paste the contents

sudo nano /usr/share/ca-certificates/extra/root-ca.crt

Finally update the root store

sudo update-ca-certificates

Going forward, the operating system and any application that uses the root certificate store should trust certificates signed by our root CA

Testing:
Now I do expect you’ll test that this is all working by using whatever application you want to send emails from

But I’m going to do a basic test from the Linux command line

First I’ll create a file which is the email message we want to send

cat <<EOF >email.txt
From: "testserver" <testserver@homelab.lan>
To: "admin" <admin@homelab.lan>
Subject: Email Test

This is a test message
EOF

Technically the To: line is irrelevant for me as this will become a Slack alert

But I’ve included it in case you want to test this using curl yourself and are using a different alerting service

Next, we’ll use curl to send this email message because the computer I’m using doesn’t have an email client configured

curl --url 'smtp://mailrise.homelab.lan:8025' --ssl-reqd --mail-from 'testserver@homelab.lan' --mail-rcpt 'slack@mailrise.xyz' --upload-file email.txt --user 'myemail:mypass1234'

We define the server to connect to and use the smtp protocol because we’re using STARTTLS

NOTE: Although we want the message to be encrypted, we won’t be using smtps to do this

We then set a parameter to require TLS and provide the sender and recipient email addresses

I’m using slack@mailrise.xyz as the destination because I want this to go to Slack and I haven’t configured any domains in mailrise

We then tell curl to upload our text file and we provide the user credentials to login with

Assuming you get an alert after you hit return, you now have a more secure installation of mailrise that requires authentication and uses encryption
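As an added check that is not part of the original post or the mailrise project, the script below does from Python what the curl command above does, and additionally confirms that the gateway only advertises AUTH after the TLS upgrade and that its certificate chains to your private root CA. The hostname, port, CA file path and credentials are the ones used in this walkthrough and are assumptions for your own lab.

```python
import smtplib
import ssl
from email.message import EmailMessage

# Constructed defaults matching the walkthrough above; adjust for your own lab.
HOST, PORT = "mailrise.homelab.lan", 8025
CAFILE = "/usr/share/ca-certificates/extra/root-ca.crt"   # your private root CA
USER, PASSWORD = "myemail", "mypass1234"


def assess_ehlo(before_tls, after_tls):
    """Policy check over the lowercase EHLO extension names seen before and
    after STARTTLS. Returns a list of findings; an empty list means the
    gateway only accepts credentials inside the TLS session."""
    findings = []
    if "starttls" not in before_tls:
        findings.append("STARTTLS not offered: traffic would stay in clear text")
    if "auth" in before_tls:
        findings.append("AUTH advertised before TLS: a client could send credentials unencrypted")
    elif "auth" not in after_tls:
        findings.append("AUTH not advertised after TLS: authentication is not enabled")
    return findings


def probe(host=HOST, port=PORT, cafile=CAFILE, user=USER, password=PASSWORD,
          send_test_mail=False):
    """Connect, upgrade with STARTTLS (verifying the certificate against the
    private root CA), assess the EHLO responses and log in. Returns the findings."""
    ctx = ssl.create_default_context(cafile=cafile)   # chain + hostname verification on
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        smtp.ehlo()
        before = set(smtp.esmtp_features)   # smtplib stores extension names lowercase
        if "starttls" not in before:
            return assess_ehlo(before, set())
        smtp.starttls(context=ctx)          # raises SSLCertVerificationError if untrusted
        smtp.ehlo()                         # extensions must be re-read after the upgrade
        after = set(smtp.esmtp_features)
        findings = assess_ehlo(before, after)
        if not findings:
            smtp.login(user, password)      # SMTPAuthenticationError on bad credentials
            if send_test_mail:
                msg = EmailMessage()
                msg["From"] = "testserver@homelab.lan"
                msg["To"] = "slack@mailrise.xyz"    # unconfigured-domain target, as in the text
                msg["Subject"] = "Email Test"
                msg.set_content("This is a test message")
                smtp.send_message(msg)
        return findings


if __name__ == "__main__":
    for line in probe() or ["OK: STARTTLS enforced, certificate trusted, login accepted"]:
        print(line)
```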
