Postfix SMTP Authentication

cd /etc/postfix

vi main.cf

Paste under mynetworks:

####### smtp auth

smtpd_tls_auth_only = no

smtp_use_tls = yes

smtpd_sasl_auth_enable = yes

smtpd_sasl_type = cyrus

local_recipient_maps =

smtpd_use_tls = yes

smtp_tls_note_starttls_offer = yes

smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key

smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt

smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem

smtpd_tls_loglevel = 1

smtpd_tls_received_header = yes

smtpd_tls_session_cache_timeout = 3600s

tls_random_source = dev:/dev/urandom

########

Then:

vi master.cf

Paste under smtp:

smtps inet n - n - - smtpd

# -o smtpd_etrn_restrictions=reject

# -o smtpd_sasl_type=dovecot

# -o smtpd_sasl_path=private/auth

# -o smtpd_enforce_tls=yes

-o smtpd_sasl_auth_enable=yes

-o smtpd_reject_unlisted_sender=yes

-o smtpd_recipient_restrictions=permit_sasl_authenticated,reject

-o broken_sasl_auth_clients=yes

Check the smtpd.conf file and amend it:

locate smtpd.conf

vi /usr/lib/sasl2/smtpd.conf

Delete the contents of the file and paste into it:

pwcheck_method: saslauthd

mech_list: plain login

To check the SASL available mechanisms run:

saslauthd -V

Set SASL authentication to start at system boot:

chkconfig --levels 235 saslauthd on

Set up the encryption keys:

mkdir /etc/postfix/ssl

cd ssl/

openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024

chmod 600 smtpd.key

openssl req -new -key smtpd.key -out smtpd.csr

openssl x509 -req -days 3650 -in smtpd.csr -signkey smtpd.key -out smtpd.crt

openssl rsa -in smtpd.key -out smtpd.key.unencrypted

mv -f smtpd.key.unencrypted smtpd.key

openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650

Set up the client certificate for importing into Internet Explorer:

openssl pkcs12 -export -in smtpd.crt -inkey smtpd.key -out OutlookSMTP.p12

cp OutlookSMTP.p12 /shares/data/profiles/pcb/Desktop/

Reload the config:

Postfix reload

Finally insert a relevant iptables rule to access from outside:

$IPTABLES -A INPUT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP --destination-port 465 -j ACCEPT

Or if behind a firewall:

$IPTABLES -A FORWARD -i $EXTIF -p tcp --dport 465 -d 10.10.1.4 -o $INTIF -j ACCEPT

$IPTABLES -A FORWARD -o $EXTIF -p tcp --sport 465 -s 10.10.1.4 -i $INTIF -j ACCEPT

$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp -d $EXTIP2 --dport 465 -j DNAT --to 10.10.1.4:465

Done!

Testing

Check the port is listening:

netstat -ntpl | grep master

tcp 0 0 127.0.0.1:10025 0.0.0.0:* LISTEN 8366/master

tcp 0 0 0.0.0.0:465 0.0.0.0:* LISTEN 8366/master

tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 8366/master

Test TLS and AUTH is working:

[root@ls1 postfix]# telnet localhost 465

Trying 127.0.0.1...

Connected to localhost.localdomain (127.0.0.1).

Escape character is '^]'.

220 ls1.genderlinks.org.za ESMTP Postfix

ehlo me

250-ls1.genderlinks.org.za

250-PIPELINING

250-SIZE 10240000

250-VRFY

250-ETRN

250-STARTTLS

250-AUTH LOGIN PLAIN

250-AUTH=LOGIN PLAIN

250 8BITMIME

telnet> quit

Connection closed.

[root@ls1 postfix]#

To test further create an account and attain the Base64 Mime password with mmencode or the

following perl script:

[root@zuzimpilo ~]# cat /shares/pcb-scripts/encode_sasl_plain.pl

#!/usr/bin/perl

use strict;

use MIME::Base64;

if ( $#ARGV !=1) {

die "Usage: encode_sasl_plain.pl \n";

}

print encode_base64("$ARGV[0]\0$ARGV[0]\0$ARGV[1]");

exit 0;

[root@zuzimpilo ~]# /shares/pcb-scripts/encode_sasl_plain.pl

Y2FtZXJvbnMAY2FtZXJvbnMAdGVzdGluZzA4

[root@zuzimpilo ~]#

[root@zuzimpilo ~]# telnet localhost 465

Trying 127.0.0.1...

Connected to localhost.localdomain (127.0.0.1).

Escape character is '^]'.

220 zuzimpilo ESMTP Postfix

ehlo me

250-zuzimpilo

250-PIPELINING

250-SIZE 10240000

250-VRFY

250-ETRN

250-STARTTLS

250-AUTH PLAIN LOGIN

250-AUTH=PLAIN LOGIN

250-ENHANCEDSTATUSCODES

250-8BITMIME

250 DSN

AUTH PLAIN Y2FtZXJvbnMAY2FtZXJvbnMAdGVzdGluZzA4

235 2.0.0 Authentication successful

**If the authentication is not successful, you may have to change the MECH value in /etc/sysconfig/saslauthd and /etc/init.d/saslauthd.

Possible values are listed with the command saslauthd -V and restart saslauthd.

Test the connection from outside:

cameron@cs:~$ telnet mail.civicus.org 465

Trying 196.36.126.18...

Connected to mail.civicus.org.

Escape character is '^]'.

220 mail1.civicus.org ESMTP Postfix

ehlo me

250-mail1.civicus.org

250-PIPELINING

250-SIZE 10240000

250-VRFY

250-ETRN

250-STARTTLS

250-AUTH PLAIN LOGIN

250-AUTH=PLAIN LOGIN

250-ENHANCEDSTATUSCODES

250-8BITMIME

250 DSN

AUTH PLAIN Y2FtZXJvbnMAY2FtZXJvbnMAdGVzdGluZzA4

235 2.0.0 Authentication successful

To test further, set up an account in Evolution / Thunderbird / Outlook and test the SMTP with the

username and password you set up earlier.

Profit!

Page updated

Google Sites

Report abuse