# Edit the main Postfix configuration (run as root).
cd /etc/postfix
vi main.cf
Paste under mynetworks:
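####### smtp auth
# Offer AUTH only inside a TLS session. The mechanisms configured in
# smtpd.conf (plain, login) send the password unencrypted, and port 25
# listens on all interfaces, so "no" let clients authenticate in cleartext.
smtpd_tls_auth_only = yes
# Opportunistic TLS for outgoing (smtp) and incoming (smtpd) sessions.
# NOTE(review): these are the pre-2.3 parameter names; on Postfix >= 2.3
# prefer smtp_tls_security_level = may / smtpd_tls_security_level = may.
smtp_use_tls = yes
smtpd_use_tls = yes
# Log when a remote server offers STARTTLS but we do not use it.
smtp_tls_note_starttls_offer = yes
smtpd_sasl_auth_enable = yes
# Must match the SASL library configured via smtpd.conf (pwcheck_method).
smtpd_sasl_type = cyrus
# WARNING: an empty local_recipient_maps turns off rejection of unknown local
# recipients, so smtpd accepts mail for nonexistent users and bounces it later
# (backscatter). Keep the Postfix default unless local delivery is validated
# elsewhere (e.g. by a content filter) -- TODO confirm why it was cleared.
local_recipient_maps =
# Server key and certificate (key must be root-only, chmod 600) plus the
# local CA bundle presented to clients.
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
# 1 = one-line handshake summary per session; higher levels are for debugging.
smtpd_tls_loglevel = 1
# Record protocol/cipher of the incoming TLS session in the Received: header.
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
########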
Then:
vi master.cf
Paste under smtp:
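# SMTPS (implicit TLS) service on TCP 465.
# Continuation lines must begin with whitespace; a "-o" line at column 0 is
# parsed as a new service entry and breaks master.cf.
smtps inet n - n - - smtpd
# Wrapper mode: the connection is TLS from the first byte. Without it port
# 465 serves plaintext SMTP (a bare telnet to 465 gets the 220 banner and a
# STARTTLS/AUTH list) and the AUTH PLAIN/LOGIN below sends passwords in clear.
  -o smtpd_tls_wrappermode=yes
#  -o smtpd_etrn_restrictions=reject
#  -o smtpd_sasl_type=dovecot
#  -o smtpd_sasl_path=private/auth
#  -o smtpd_enforce_tls=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_reject_unlisted_sender=yes
# Only authenticated clients may relay through this port; everything else
# is rejected.
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
# Also advertise the obsolete "AUTH=" form (seen as "250-AUTH=LOGIN PLAIN"
# in the EHLO reply) for old clients that need it.
  -o broken_sasl_auth_clients=yes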
Check the smtpd.conf file and amend it:
# Find the Cyrus SASL config for the "smtpd" application. The path below is
# one possible location; on other layouts it may be /usr/lib64/sasl2/ or
# /etc/sasl2/ -- use whatever locate reports.
locate smtpd.conf
vi /usr/lib/sasl2/smtpd.conf
Delete the contents of the file and paste into it:
# Cyrus SASL settings for the Postfix "smtpd" application.
# Only the plaintext mechanisms are offered: saslauthd verifies plaintext
# passwords only, and both PLAIN and LOGIN put the password on the wire
# unencrypted, so they must be used solely under TLS (smtpd_tls_auth_only
# or wrapper mode).
mech_list: plain login
# Hand password checks to the saslauthd daemon; its backend (pam, shadow, ...)
# is selected by MECH in /etc/sysconfig/saslauthd.
pwcheck_method: saslauthd
To list the password-check backends (MECH values) this saslauthd build supports, run:
saslauthd -V
Set SASL authentication to start at system boot:
chkconfig --levels 235 saslauthd on
Set up the encryption keys:
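# Generate the server key, a self-signed server certificate and a local CA.
# Run as root; all private keys must end up mode 600.
mkdir -p /etc/postfix/ssl
# Use an absolute path: the original "cd ssl/" only worked because an
# earlier step had changed into /etc/postfix.
cd /etc/postfix/ssl || exit 1
# 2048-bit key: 1024-bit RSA is below current minimums. No -des3 passphrase:
# the original stripped it again immediately (Postfix needs an unencrypted
# key at startup), so generate it unencrypted and lock the file down at once.
# No "-rand /etc/hosts": a world-readable static file adds no entropy;
# openssl seeds from the OS RNG on its own.
openssl genrsa -out smtpd.key 2048
chmod 600 smtpd.key
openssl req -new -key smtpd.key -out smtpd.csr
# Self-signed server cert; -sha256 because older openssl defaults to SHA-1.
openssl x509 -req -sha256 -days 3650 -in smtpd.csr -signkey smtpd.key -out smtpd.crt
# Local CA. NOTE(review): smtpd.crt above is signed with its own key, not with
# cakey.pem, so cacert.pem (smtpd_tls_CAfile) does not chain to the served
# certificate. If clients are meant to trust the CA, sign the CSR with
# "-CA cacert.pem -CAkey cakey.pem -CAcreateserial" instead of -signkey.
openssl req -new -x509 -sha256 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650
chmod 600 cakey.pem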
Export the server certificate (certificate only, never the private key) so it can be imported into the Windows / Internet Explorer certificate store that Outlook uses:
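# Bundle ONLY the server certificate for clients to trust. The original passed
# "-inkey smtpd.key", which put the server's private key into the .p12 and then
# copied it onto a user's desktop share; the key must never leave the server
# (whoever holds it can impersonate the mail server and decrypt its sessions).
# -nokeys produces a certificate-only PKCS#12 that still imports into the
# Windows certificate store. openssl prompts for an export password.
openssl pkcs12 -export -nokeys -in smtpd.crt -out OutlookSMTP.p12
cp OutlookSMTP.p12 /shares/data/profiles/pcb/Desktop/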
Reload the config:
Postfix reload
Finally, add an iptables rule so that port 465 is reachable from outside (only do this once wrapper-mode TLS is confirmed on 465, otherwise cleartext logins are exposed to the Internet):
$IPTABLES -A INPUT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP --destination-port 465 -j ACCEPT
Or if behind a firewall:
# Mail server sits behind this firewall: forward SMTPS (TCP 465) to it.
# $IPTABLES, $EXTIF, $INTIF and $EXTIP2 come from the surrounding firewall
# script (not shown here). NOTE(review): the INPUT rule above uses $EXTIP
# while this DNAT uses $EXTIP2 -- confirm that is the intended public address.
mailhost=10.10.1.4
# external -> internal: connections to the mail host
$IPTABLES -A FORWARD -p tcp -i "$EXTIF" -o "$INTIF" -d "$mailhost" --dport 465 -j ACCEPT
# internal -> external: replies from the mail host
$IPTABLES -A FORWARD -p tcp -i "$INTIF" -o "$EXTIF" -s "$mailhost" --sport 465 -j ACCEPT
# rewrite the destination of packets arriving at the public address
$IPTABLES -t nat -A PREROUTING -p tcp -i "$EXTIF" -d "$EXTIP2" --dport 465 -j DNAT --to-destination "$mailhost:465"
Done!
Testing
Check the port is listening:
netstat -ntpl | grep master
tcp 0 0 127.0.0.1:10025 0.0.0.0:* LISTEN 8366/master
tcp 0 0 0.0.0.0:465 0.0.0.0:* LISTEN 8366/master
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 8366/master
Test that TLS and AUTH are working. With `smtpd_tls_wrappermode=yes` on the smtps service, a plain `telnet localhost 465` must NOT print a banner; use `openssl s_client -connect localhost:465` to see the EHLO reply instead. If telnet does get the 220 banner and an AUTH list, as in the transcript below, port 465 is serving cleartext SMTP and the wrapper-mode option is missing:
[root@ls1 postfix]# telnet localhost 465
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
220 ls1.genderlinks.org.za ESMTP Postfix
ehlo me
250-ls1.genderlinks.org.za
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250 8BITMIME
^]
telnet> quit
Connection closed.
[root@ls1 postfix]#
To test further, create an account and produce the Base64 AUTH PLAIN token with mmencode or the
following Perl script. The token is the credential itself (base64 is an encoding, not encryption), so send it only inside a TLS session and never paste a real one into documentation:
[root@zuzimpilo ~]# cat /shares/pcb-scripts/encode_sasl_plain.pl
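#!/usr/bin/perl
# Build the base64 token for an SMTP "AUTH PLAIN" exchange (RFC 4616):
#   base64( authzid NUL authcid NUL password )
# The same username is used as authorization and authentication identity.
#
# Usage: encode_sasl_plain.pl <username> [<password>]
# If the password is omitted it is read from standard input, so that it does
# not show up in the process list or the shell history.
#
# The printed token IS the credential (base64 is reversible); only ever send
# it over a TLS-protected connection.
use strict;
use warnings;
use MIME::Base64;

if ( @ARGV < 1 || @ARGV > 2 ) {
    # The original usage line listed no arguments (probably lost to markup).
    die "Usage: encode_sasl_plain.pl <username> [<password>]\n";
}
my ( $user, $pass ) = @ARGV;

if ( !defined $pass ) {
    my $tty = -t STDIN;
    if ($tty) {
        print STDERR "Password: ";
        system( 'stty', '-echo' );    # best effort: hide the typed password
    }
    $pass = <STDIN>;
    if ($tty) {
        system( 'stty', 'echo' );
        print STDERR "\n";
    }
    die "no password read from stdin\n" unless defined $pass;
    chomp $pass;
}

# encode_base64 appends a trailing newline, which is what we want on stdout.
print encode_base64("$user\0$user\0$pass");
exit 0;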
[root@zuzimpilo ~]# /shares/pcb-scripts/encode_sasl_plain.pl
Y2FtZXJvbnMAY2FtZXJvbnMAdGVzdGluZzA4
[root@zuzimpilo ~]#
[root@zuzimpilo ~]# telnet localhost 465
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
220 zuzimpilo ESMTP Postfix
ehlo me
250-zuzimpilo
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
AUTH PLAIN Y2FtZXJvbnMAY2FtZXJvbnMAdGVzdGluZzA4
235 2.0.0 Authentication successful
**If authentication fails, you may need to change the MECH value in /etc/sysconfig/saslauthd (and, if it is hard-coded there, in /etc/init.d/saslauthd) to the backend that holds your accounts (for example pam or shadow).
The backends your build supports are listed by `saslauthd -V`; restart saslauthd after changing MECH.
Test the connection from outside. Use `openssl s_client -connect mail.civicus.org:465` rather than telnet: the transcript below sends the AUTH PLAIN token in cleartext across the Internet, which is exactly what wrapper-mode TLS on 465 is meant to prevent:
cameron@cs:~$ telnet mail.civicus.org 465
Trying 196.36.126.18...
Connected to mail.civicus.org.
Escape character is '^]'.
220 mail1.civicus.org ESMTP Postfix
ehlo me
250-mail1.civicus.org
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
AUTH PLAIN Y2FtZXJvbnMAY2FtZXJvbnMAdGVzdGluZzA4
235 2.0.0 Authentication successful
To test further, set up an account in Evolution / Thunderbird / Outlook and test the SMTP with the
username and password you set up earlier.
Profit!