Cheap VPS & Xen Server


Residential Proxy Network - Hourly & Monthly Packages

Postfix-SMTP-AUTH-TLS-Howto


This document describes how to install a mail server based on postfix that is capable of SMTP-AUTH and TLS. It should work (maybe with slight changes concerning paths etc.) on all *nix operating systems. I tested it on Debian Woody and Fedora Core 1 so far.

This howto is meant as a practical guide; it does not cover the theoretical backgrounds. They are treated in a lot of other documents in the web.

This document comes without warranty of any kind!

1 Get the Sources

We need the following software: openssl, cyrus-sasl2, postfix and the TLS patch for postfix. We will install the software from the /tmp directory.

cd /tmp
wget http://www.openssl.org/source/openssl-0.9.7c.tar.gz
wget –passive-ftp ftp://ftp.andrew.cmu.edu/pub/cyrus-mail/cyrus-sasl-2.1.17.tar.gz
wget –passive-ftp ftp://ftp.aet.tu-cottbus.de/pub/postfix_tls/related/postfix/postfix-2.0.16.tar.gz
wget –passive-ftp ftp://ftp.aet.tu-cottbus.de/pub/postfix_tls/pfixtls-0.8.16-2.0.16-0.9.7b.tar.gz
2 Install Openssl

tar xvfz openssl-0.9.7c.tar.gz
cd openssl-0.9.7c
./config
make
make install
3 Install Cyrus-sasl

cd /tmp
tar xvfz cyrus-sasl-2.1.17.tar.gz
cd cyrus-sasl-2.1.17
./configure –enable-anon –enable-plain –enable-login –disable-krb4 –with-saslauthd=/var/run/saslauthd –with-pam –with-openssl=/usr/local/ssl –with-plugindir=/usr/local/lib/sasl2 –enable-cram –enable-digest –enable-otp (1 line!)
make
make install

If /usr/lib/sasl2 exists:
mv /usr/lib/sasl2 /usr/lib/sasl2_orig

ln -s /usr/local/lib/sasl2 /usr/lib/sasl2

Create the file /usr/local/lib/sasl2/smtpd.conf:

# This sets smtpd to authenticate using the saslauthd daemon.
pwcheck_method:saslauthd
# This allows only plain, login, cram-md5 and digest-md5 as the authentication mechanisms.
mech_list: plain login cram-md5 digest-md5
4 Install Postfix

cd /tmp
tar xvfz pfixtls-0.8.16-2.0.16-0.9.7b.tar.gz
tar xvfz postfix-2.0.16.tar.gz
cd postfix-2.0.16
useradd postfix
groupadd postdrop
patch -p1 < ../pfixtls-0.8.16-2.0.16-0.9.7b/pfixtls.diff
make makefiles CCARGS=”-DHAS_SSL -DUSE_SASL_AUTH -I/usr/local/include/sasl -I/usr/local/ssl/include” AUXLIBS=”-L/usr/local/ssl/lib -L/usr/local/lib -R/usr/local/lib -lsasl2 -lssl -lcrypto” (1 line!)
make
make install (accept the default values)

cp /etc/postfix/aliases /etc/
newaliases

Create /etc/init.d/postfix:

#!/bin/bash
#
# postfix This script controls the postfix daemon.
#

# description: Postfix MTA
# processname: postfix

case “$1” in
start)
/usr/sbin/postfix start
;;
stop)
/usr/sbin/postfix stop
;;
reload)
/usr/sbin/postfix reload
;;
restart)
$0 stop
$0 start
;;
*)
echo “Usage: $0 {start|stop|reload|restart}”
exit 1
esac
exit 0
chmod 755 /etc/init.d/postfix

In order to start postfix at boot time do the following:

ln -s /etc/init.d/postfix /etc/rc2.d/S20postfix
ln -s /etc/init.d/postfix /etc/rc3.d/S20postfix
ln -s /etc/init.d/postfix /etc/rc4.d/S20postfix
ln -s /etc/init.d/postfix /etc/rc5.d/S20postfix
ln -s /etc/init.d/postfix /etc/rc0.d/K20postfix
ln -s /etc/init.d/postfix /etc/rc1.d/K20postfix
ln -s /etc/init.d/postfix /etc/rc6.d/K20postfix

Our postfix will run chrooted in /var/spool/postfix so we have to copy a few files:

mkdir -p /var/spool/postfix/etc
cd /etc
cp localtime services hosts resolv.conf /var/spool/postfix/etc/
mkdir -p /var/spool/postfix/var/run
mv -f /var/run/saslauthd/ /var/spool/postfix/var/run/
chmod 755 /var/spool/postfix/var/run/saslauthd/
ln -s /var/spool/postfix/var/run/saslauthd/ /var/run/saslauthd

Now we have to generate the certificate files needed for TLS:

mkdir /etc/postfix/ssl
cd /etc/postfix/ssl/

If /usr/bin/openssl exists:

mv /usr/bin/openssl /usr/bin/openssl_orig

ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl
openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024

<- Enter a password for smtpd.key.

chmod 600 smtpd.key
openssl req -new -key smtpd.key -out smtpd.csr

<- Again, enter your password for smtpd.key.
<- Enter your Country Name (e.g., “DE”).
<- Enter your State or Province Name.
<- Enter your City.
<- Enter your Organization Name (e.g., the name of your company).
<- Enter your Organizational Unit Name (e.g. “IT Department”).
<- Enter the Fully Qualified Domain Name of the system (e.g. “server1.example.com”).
<- Enter your Email Address.

The following information is optional:

<- Enter a challenge password.
<- Enter an optional company name.

openssl x509 -req -days 3650 -in smtpd.csr -signkey smtpd.key -out smtpd.crt

<- Again, enter your password for smtpd.key.

openssl rsa -in smtpd.key -out smtpd.key.unencrypted

<- Again, enter your password for smtpd.key.

mv -f smtpd.key.unencrypted smtpd.key
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650

<- Again, enter your password for smtpd.key.
<- Enter your Country Name (e.g., “DE”).
<- Enter your State or Province Name.
<- Enter your City.
<- Enter your Organization Name (e.g., the name of your company).
<- Enter your Organizational Unit Name (e.g. “IT Department”).
<- Enter the Fully Qualified Domain Name of the system (e.g. “server1.example.com”).
<- Enter your Email Address.

Edit /etc/postfix/main.cf in order to enable SMTP-AUTH and TLS:

postconf -e ‘mydomain = example.com’
postconf -e ‘myhostname = server1.$mydomain’
postconf -e ‘smtpd_sasl_local_domain =’
postconf -e ‘smtpd_sasl_auth_enable = yes’
postconf -e ‘smtpd_sasl_security_options = noanonymous’
postconf -e ‘broken_sasl_auth_clients = yes’
postconf -e ‘smtpd_recipient_restrictions=permit_sasl_authenticated,permit_mynetworks,check_relay_domains’
postconf -e ‘inet_interfaces = all’
postconf -e ‘alias_maps = hash:/etc/aliases’
postconf -e ‘smtpd_tls_auth_only = no’
postconf -e ‘smtp_use_tls = yes’
postconf -e ‘smtpd_use_tls = yes’
postconf -e ‘smtp_tls_note_starttls_offer = yes’
postconf -e ‘smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key’
postconf -e ‘smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt’
postconf -e ‘smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem’
postconf -e ‘smtpd_tls_loglevel = 1’
postconf -e ‘smtpd_tls_received_header = yes’
postconf -e ‘smtpd_tls_session_cache_timeout = 3600s’
postconf -e ‘tls_random_source = dev:/dev/urandom’
5 Configure Saslauthd

Create /etc/init.d/saslauthd:

#!/bin/sh -e

NAME=saslauthd
DAEMON=”/usr/sbin/${NAME}”
DESC=”SASL Authentication Daemon”
DEFAULTS=/etc/default/saslauthd

test -f “${DAEMON}” || exit 0

# Source defaults file; edit that file to configure this script.
if [ -e “${DEFAULTS}” ]; then
. “${DEFAULTS}”
fi

# If we’re not to start the daemon, simply exit
if [ “${START}” != “yes” ]; then
exit 0
fi

# If we have no mechanisms defined
if [ “x${MECHANISMS}” = “x” ]; then
echo “You need to configure ${DEFAULTS} with mechanisms to be used”
exit 0
fi

# Add our mechanimsms with the necessary flag
for i in ${MECHANISMS}; do
PARAMS=”${PARAMS} -a ${i}”
done

# Consider our options
case “${1}” in
start)
echo -n “Starting ${DESC}: ”
ln -fs /var/spool/postfix/var/run/${NAME} /var/run/${NAME}
${DAEMON} ${PARAMS}
echo “${NAME}.”
;;
stop)
echo -n “Stopping ${DESC}: ”
PROCS=`ps aux | grep -iw ‘/usr/sbin/saslauthd’ | grep -v ‘grep’ |awk ‘{print $2}’ | tr ‘\n’ ‘ ‘`
if [ “x${PROCS}” != “x” ]; then
kill -15 ${PROCS} &> /dev/null
fi
echo “${NAME}.”
;;
restart|force-reload)
$0 stop
sleep 1
$0 start
echo “${NAME}.”
;;
*)
echo “Usage: /etc/init.d/${NAME} {start|stop|restart|force-reload}” >&2
exit 1
;;
esac

exit 0
chmod 755 /etc/init.d/saslauthd

In order to start saslauthd at boot time do the following:

ln -s /etc/init.d/saslauthd /etc/rc2.d/S20saslauthd
ln -s /etc/init.d/saslauthd /etc/rc3.d/S20saslauthd
ln -s /etc/init.d/saslauthd /etc/rc4.d/S20saslauthd
ln -s /etc/init.d/saslauthd /etc/rc5.d/S20saslauthd
ln -s /etc/init.d/saslauthd /etc/rc0.d/K20saslauthd
ln -s /etc/init.d/saslauthd /etc/rc1.d/K20saslauthd
ln -s /etc/init.d/saslauthd /etc/rc6.d/K20saslauthd

Then create /etc/default/saslauthd:

# This needs to be uncommented before saslauthd will be run automatically
START=yes

# You must specify the authentication mechanisms you wish to use.
# This defaults to “pam” for PAM support, but may also include
# “shadow” or “sasldb”
MECHANISMS=shadow

If you find out that saslauthd is located in /usr/local/sbin instead of /usr/sbin create a symbolic link:

ln -s /usr/local/sbin/saslauthd /usr/sbin/saslauthd

Then start saslauthd and postfix:

/etc/init.d/saslauthd start

/etc/init.d/postfix start
6 Test your Configuration

To see if SMTP-AUTH and TLS work properly now run the following command:

telnet localhost 25

After you have established the connection to your postfix mail server type

ehlo localhost

If you see the lines

250-STARTTLS

and

250-AUTH

everything is fine.

telnet_25

Type

quit

to return to the system’s shell.

Comments

comments