How To Configure Authentication and Encryption for Mailrise SMTP Gateway
In the video below, we show how to configure authentication and encryption for the mailrise SMTP gateway
Mailrise is a very useful SMTP gateway for small networks, home networks and also labs
But even in networks like this, we shouldn’t get complacent and allow just anybody access to computers or allow unencrypted traffic either, especially when it contains sensitive information
Now mailrise does support authentication, so you can restrict access to it, and it also supports TLS, so you can encrypt the traffic
And in this video we show you how to configure mailrise to support authentication and TLS to improve security
Useful links:
https://github.com/YoRyan/mailrise
Assumptions:
Because this video is specifically about configuring user authentication and TLS for mailrise, I’m going to make some assumptions
Firstly, you’ve already installed mailrise or at least know how to do that
If not then I do have another video which shows how to install mailrise in a Docker container
Secondly, that you have a private key and a TLS certificate available for mailrise, or you at least know how to create them
The reason being is this varies a lot depending on which certificate authority you use and I can’t cover all possibilities
However, I do have a video available that shows how to create a certificate authority using OpenSSL and how to create certificates for servers if that’s of interest to you
Lastly, if you’re using your own certificate authority, I have to assume you know how to configure your servers to trust the certificates it signs
This is going to vary a lot depending on the application you use to send emails or maybe even the operating system
As an example though, I’ll be showing how to update the root certificate store on a Linux server
Configure Mailrise:
Mailrise does support user authentication, but the credential exchange itself is in plain text
Not surprisingly, the expectation is that TLS will be configured, as you wouldn’t want user credentials being exchanged in unencrypted traffic
To setup TLS we need a private key and a certificate that clients will trust
How you get those depends on what certificate authority you use
In my case, I’m using OpenSSL as a root CA so I’ve created the files using that and uploaded them to the Docker server
ls certs
NOTE: Although access to private keys should be restricted, the container will not start unless "others" have read access to the key file, because the process inside the container can’t read it otherwise
My root CA has limited access to anything so I just created the files using nano and copied and pasted the contents
Because this is a container, I need to make these files available to that container, so the first thing we’ll do is to copy these to the mailrise folder where I store the config file
cp certs/mailrise.* mailrise/
And in order for mailrise to then use these, I have to update the Docker Compose file
nano docker-compose.yml
mailrise:
  volumes:
    - ./mailrise/mailrise.crt:/etc/ssl/mailrise.crt
    - ./mailrise/mailrise.key:/etc/ssl/mailrise.key
Now save and exit
Files like these are typically found in the /etc/ssl folder, which is why we’re using that folder in the mapping
The next thing to do is to update mailrise itself
nano mailrise/mailrise.conf
tls:
  mode: starttls
  certfile: /etc/ssl/mailrise.crt
  keyfile: /etc/ssl/mailrise.key
smtp:
  auth:
    basic:
      myemail: mypass1234
Now save and exit
What we’ve done is enable STARTTLS and tell mailrise where to find the certificate and private key; from the container’s perspective these are in the /etc/ssl folder, which we’ve mapped to our mailrise folder
We’ve then enabled basic authentication and defined the user account and password to login with
Now I would suggest using better credentials than this, but this is just a demo
Now we need to restart the container for the changes to take effect and I’ve found it’s best to stop it then start it
docker container stop mailrise
docker compose up -d
To confirm the configuration didn’t contain errors and that the container is running, we can use this command
docker ps -a
As long as the container is not constantly restarting, mailrise should be working and supporting authentication and encryption
Trust Private Root CA in Linux:
In order to trust a certificate, an application needs to trust the root CA that signed it
Now if you’re using a certificate provided by a Public certificate authority then feel free to skip this section
But if you have your own root CA and you’re using an application in Linux for instance that relies on the root certificate store to trust certificates, then you’ll need to update it
First we’ll create a new folder
sudo mkdir /usr/share/ca-certificates/extra
Next we’ll update the config file with the details of our root certificate; in my case it’s called root-ca.crt
sudo nano /etc/ca-certificates.conf
extra/root-ca.crt
Now save and exit
Now upload your root certificate to /usr/share/ca-certificates/extra
In my case I just create the file and copy and paste the contents
sudo nano /usr/share/ca-certificates/extra/root-ca.crt
Finally update the root store
sudo update-ca-certificates
Going forward, the operating system and any application that uses the root certificate store should trust certificates signed by our root CA
Testing:
Now I do expect you’ll test this is all working by using whatever application you want to send emails from
But I’m going to do a basic test from the Linux command line
First I’ll create a file which is the email message we want to send
cat <<EOF >email.txt
From: "testserver" <testserver@homelab.lan>
To: "admin" <admin@homelab.lan>
Subject: Email Test

This is a test message
EOF
Technically the To: line is irrelevant for me as this will become a Slack alert
But I’ve included it in case you want to test this using curl yourself and are using a different alerting service
Next, we’ll use curl to send this email message because the computer I’m using doesn’t have an email client configured
curl --url 'smtp://mailrise.homelab.lan:8025' --ssl-reqd --mail-from 'testserver@homelab.lan' --mail-rcpt 'slack@mailrise.xyz' --upload-file email.txt --user 'myemail:mypass1234'
We define the server to connect to and use the smtp:// scheme because we’re using STARTTLS
NOTE: Although we want the message to be encrypted, we won’t be using the smtps:// scheme (implicit TLS) to do this; with --ssl-reqd, curl upgrades the plain smtp connection using STARTTLS and aborts if that fails
We then set a parameter to require TLS and provide the sender and recipient email addresses
As I want this to go to Slack and I haven’t configured any domains in mailrise, that’s why I’m using slack@mailrise.xyz as the destination
We then tell curl to upload our text file and we provide the user credentials to login with
Assuming you get an alert after you hit return, you now have a more secure installation of mailrise that requires authentication and uses encryption