Configure
Run the commands below one by one to create the SSL certificate.
-------------------------------------------------
yum -y install openssl
[root@www ~]# cd /etc/pki/tls/certs
[root@www certs]# make server.key
umask 77 ; \
/usr/bin/openssl genrsa -aes128 2048 > server.key
Generating RSA private key, 2048 bit long modulus
......................................................++++++
.............++++++
e is 65537 (0x10001)
Enter pass phrase:# set passphrase
Verifying - Enter pass phrase:# confirm
# remove the passphrase from the private key so the services can start without prompting;
# the unencrypted key must then be protected by file permissions (see the chmod 400 step below)
[root@www certs]# openssl rsa -in server.key -out server.key
Enter pass phrase for server.key:# input passphrase
writing RSA key
[root@www certs]#
[root@www certs]# make server.csr
umask 77 ; \
/usr/bin/openssl req -utf8 -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:BD
State or Province Name (full name) []:Dhaka
Locality Name (eg, city) [Default City]:Dhaka
Organization Name (eg, company) [Default Company Ltd]:World Communication Network Ltd.
Organizational Unit Name (eg, section) []:worldcm.net
Common Name (eg, your name or your server's hostname) []:mail.worldcm.net
Email Address []: admin@worldcm.net
A challenge password []:# Enter
An optional company name []:# Enter
[root@www certs]#
[root@www certs]# openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 3650
Signature ok
subject=/C=JP/ST=Hiroshima/L=Hiroshima/O=GTS/OU=Server World/CN=www.srv.world/emailAddress=xxx@srv.world Getting Private key
[root@www certs]# chmod 400 server.*    # restrict the key and certificate to owner read-only
----------------------------------------------------------------------
Configure Postfix and Dovecot for SSL.
[root@mail ~]# vi /etc/postfix/main.cf
# add the following to the end
smtpd_use_tls = yes
smtpd_tls_cert_file = /etc/pki/tls/certs/server.crt
smtpd_tls_key_file = /etc/pki/tls/certs/server.key
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
[root@mail ~]# vi /etc/postfix/master.cf
# lines 17-18: uncomment
smtps inet n - n - - smtpd
-o smtpd_tls_wrappermode=yes
[root@mail ~]# vi /etc/dovecot/conf.d/10-ssl.conf
# line 6: uncomment
ssl = yes
# line 12,13: specify certificates
ssl_cert = </etc/pki/tls/certs/server.crt
ssl_key = </etc/pki/tls/certs/server.key
[root@mail ~]# /etc/rc.d/init.d/postfix restart
Shutting down postfix: [ OK ]
Starting postfix: [ OK ]
[root@mail ~]# /etc/rc.d/init.d/dovecot restart
Stopping Dovecot Imap: [ OK ]
Starting Dovecot Imap: [ OK ]
[3] If iptables is running, allow the SMTPS/POP3S/IMAPS ports: SMTPS uses 465/TCP, POP3S uses 995/TCP, IMAPS uses 993/TCP. Adjust the rule positions ("-I INPUT 5" and following) to your own environment.
[root@dlp ~]# iptables -I INPUT 5 -p tcp -m state --state NEW -m tcp --dport 465 -j ACCEPT
[root@dlp ~]# iptables -I INPUT 6 -p tcp -m state --state NEW -m tcp --dport 993 -j ACCEPT
[root@dlp ~]# iptables -I INPUT 7 -p tcp -m state --state NEW -m tcp --dport 995 -j ACCEPT
[ figure 1]
[root@mail ~]# yum -y install cyrus-sasl cyrus-sasl-devel cyrus-sasl-gssapi cyrus-sasl-md5 cyrus-sasl-plain
[root@mail ~]# mkdir /etc/postfix/ssl
[root@mail ~]# cd /etc/postfix/ssl/
[root@mail ssl]# openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024    # NOTE: a 1024-bit RSA key is weak by current standards; the other examples in these notes use 2048
[root@mail ssl]# chmod 600 smtpd.key
[root@mail ssl]# openssl req -new -key smtpd.key -out smtpd.csr [ Enter pass phrase for smtpd.key: e.g. 1234 or the domain name ]
All necessary values for the certificate can be given:
Country Name (2 letter code) [XX]:BD
State or Province Name (full name) []:Dhaka
Locality Name (eg, city) [Default City]:Dhaka
Organization Name (eg, company) [Default Company Ltd]:World Communication Network Ltd.
Organizational Unit Name (eg, section) []:worldcm.net
Common Name (eg, your name or your server's hostname) []:mail.worldcm.net
Email Address []: admin@worldcm.net
A challenge password []:world
An optional company name []: worldcm
[root@mail ssl]# openssl x509 -req -days 365 -in smtpd.csr -signkey smtpd.key -out smtpd.crt
[root@mail ssl]# openssl rsa -in smtpd.key -out smtpd.key.unencrypted
[root@mail ssl]# mv -f smtpd.key.unencrypted smtpd.key
[root@mail ssl]# openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 365
Country Name (2 letter code) [XX]:BD
State or Province Name (full name) []:Dhaka
Locality Name (eg, city) [Default City]:Dhaka
Organization Name (eg, company) [Default Company Ltd]:World Communication Network Ltd.
Organizational Unit Name (eg, section) []:worldcm.net
Common Name (eg, your name or your server's hostname) []:mail.worldcm.net
Email Address []: admin@worldcm.net
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX--------OR----------XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Enable TLS Encryption for Postfix
[root@mail ~]#mkdir /etc/ssl/private/ [ figure 2]
[root@mail ~]# cd /etc/ssl/
[root@mail ssl]#chmod 777 private    # NOTE: 777 makes the private-key directory world-readable and world-writable; tighten the directory and key files afterwards (compare the chmod 400/600 steps above)
# openssl req -new -x509 -days 365 -nodes -out /etc/ssl/certs/postfixcert.pem -keyout /etc/ssl/private/postfixkey.pem
[ Enter pass phrase for smtpd.key: e.g. 1234 or the domain name ] (with -nodes the key is written without passphrase protection, so protect it with file permissions)
Country Name (2 letter code) [XX]:BD
State or Province Name (full name) []:Dhaka
Locality Name (eg, city) [Default City]:Dhaka
Organization Name (eg, company) [Default Company Ltd]:World Communication Network Ltd.
Organizational Unit Name (eg, section) []:worldcm.net
Common Name (eg, your name or your server's hostname) []:mail.worldcm.net
Email Address []: admin@worldcm.net
Enable SSL Encryption for Dovecot
[root@mail ~]#mkdir /etc/ssl/private/
[root@mail ~]# cd /etc/ssl/
[root@mail ssl]#chmod 777 private    # NOTE: 777 makes the private-key directory world-readable and world-writable; tighten the directory and key files afterwards (compare the chmod 400/600 steps above)
[root@mail ssl]#openssl req -new -x509 -days 365 -nodes -out /etc/ssl/certs/dovecotcert.pem -keyout /etc/ssl/private/dovecotkey.pem
All necessary values for the certificate can be given:
------------------------------------------------------ [ Enter pass phrase for smtpd.key: e.g. 1234 or the domain name ] (with -nodes the key is written without passphrase protection, so protect it with file permissions)
Country Name (2 letter code) [XX]:BD
State or Province Name (full name) []:Dhaka
Locality Name (eg, city) [Default City]:Dhaka
Organization Name (eg, company) [Default Company Ltd]:World Communication Network Ltd.
Organizational Unit Name (eg, section) []:worldcm.net
Common Name (eg, your name or your server's hostname) []:mail.worldcm.net
Email Address []: admin@worldcm.net
root@mail:~# vim /etc/dovecot/conf.d/10-ssl.conf
6 ssl = yes
12 ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
13 ssl_key = </etc/pki/dovecot/private/dovecot.pem
---------OR-----------------
ssl_cert = </etc/ssl/certs/dovecotcert.pem
ssl_key = </etc/ssl/private/dovecotkey.pem
Finally, dovecot is restarted to enable SSL with the new certificate.
root@mail:~# service dovecot restart
-----------------------------------------------
main.cf
root@mail:~# vim /etc/postfix/main.cf
--- ----------OR-----------------
##SSL/TLS [ figure 2]
### STARTTLS is enabled
smtpd_tls_security_level = may
smtpd_tls_received_header = yes
smtpd_tls_auth_only = yes
### loglevel 3 should be used while troubleshooting ###
smtpd_tls_loglevel = 1
### path to certificate and key file
smtpd_tls_cert_file =/etc/ssl/certs/postfixcert.pem
smtpd_tls_key_file =/etc/ssl/private/postfixkey.pem
smtpd_use_tls=yes
----------------------------------------------------
master.cf
root@mail:~# vim /etc/postfix/master.cf
##SASL (note: the smtpd_sasl_* / smtpd_tls_* parameters below are main.cf settings; the master.cf service entries begin at line 18 further down)
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sasl_authenticated_header = yes
##SSL/TLS [ figure 1]
smtpd_tls_auth_only = no    # NOTE: 'no' lets clients send SASL credentials over an unencrypted connection; the other main.cf examples in these notes set this to yes
smtp_use_tls = yes
smtpd_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
#SMTPD CLIENT RESTRICTIONS
smtpd_client_restrictions = permit_mynetworks check_client_access hash:/etc/postfix/access reject_unauth_pipelining permit_inet_interfaces
18 submission inet n - n - - smtpd
19 -o syslog_name=postfix/submission
20 -o smtpd_tls_security_level=encrypt
21 -o smtpd_sasl_auth_enable=yes
22 # -o smtpd_reject_unlisted_recipient=no
23 # -o smtpd_client_restrictions=$mua_client_restrictions
24 # -o smtpd_helo_restrictions=$mua_helo_restrictions
25 # -o smtpd_sender_restrictions=$mua_sender_restrictions
26 # -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
27# -o milter_macro_daemon_name=ORIGINATING
28 # -o broken_sasl_auth_clients=yes
29
30 smtps inet n - n - - smtpd
31 -o syslog_name=postfix/smtps
32 -o smtpd_tls_wrappermode=yes
33 -o smtpd_sasl_auth_enable=yes
34# -o smtpd_reject_unlisted_recipient=no
35 # -o smtpd_client_restrictions=$mua_client_restrictions
36 # -o smtpd_helo_restrictions=$mua_helo_restrictions
37 # -o smtpd_sender_restrictions=$mua_sender_restrictions
38 # -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
39# -o milter_macro_daemon_name=ORIGINATING
40 # -o broken_sasl_auth_clients=yes
41
#######################################################################################################################
TLS
Basic Postfix authentification over SSL (SASL + TLS)
As you might know, Postfix is really a big software that can deal with very complex situations - Mortals like me (software developers are mortals, sysadmin are not) only have to handle simple scenarios, involving few email accounts. So, basically my needs are to restrict email submission to users authenticated over a secure connection.
Postfix can use many underlying authentication systems. I just needed the SMTP sender accounts to be in sync with the Unix accounts (same user/pass).
The procedure below has been tested with Postfix 2.2.x under CentOS.
1) Postfix conf
Edit /etc/postfix/main.cf and add these new directives :
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_application_name = smtpd
Search for the smtpd_recipient_restrictions directive and add permit_sasl_authenticated. It should look like:
smtpd_recipient_restrictions = permit_mynetworks,
permit_sasl_authenticated,
reject_non_fqdn_sender,
reject_non_fqdn_recipient,
reject_unauth_destination
reject_unauth_pipelining,
reject_invalid_hostname
2) SASL conf
Check that you have the cyrus-sasl rpms available on your system - if not, yum install cyrus-sasl, yum install cyrus-sasl-plain
Create if needed and edit /usr/lib/sasl2/smtp.conf :
pwcheck_method: saslauthd
mech_list: PLAIN LOGIN
3) TLS security
We might stop here and jump to step 4, but we don't: this solution is totally insecure because the authentication data is sent over the network without being encrypted.
The added security of using SSL to encrypt the transfers is worth another little effort.
Edit main.cf again and add :
smtpd_tls_auth_only = yes
smtpd_tls_req_ccert = yes    # NOTE: requires the connecting client to present a trusted client certificate once TLS is mandatory; most MUAs do not, so verify this is intended before enabling
smtp_use_tls = yes
smtpd_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_key_file = /etc/postfix/tls/privkey.pem
smtpd_tls_cert_file = /etc/postfix/tls/cert.pem
smtpd_tls_CAfile = /etc/postfix/tls/cert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
Then, we need to generate the SSL certificate and private key:
cd /etc/postfix
mkdir tls
cd tls
openssl req -new -x509 -nodes -out cert.pem -days 3650
chmod 600 *
4) Final step
service postfix reload
Configure your MUA (Mail User Agent, e.g. Thunderbird) accordingly (user/pass).
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Generate Postfix Self-Signed Certificate
We need to generate a self-signed SSL certificate to be used with Postfix and Dovecot.
[root@geekpeek ~]# mkdir /etc/postfix/ssl
[root@geekpeek ~]# cd /etc/postfix/ssl/
[root@geekpeek ssl]# openssl genrsa -out postfix.key 2048
Generating RSA private key, 2048 bit long modulus
.....+++
.............+++
e is 65537 (0x10001)
[root@geekpeek ssl]# openssl req -new -key postfix.key -out postfix.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:BD
State or Province Name (full name) []: Dhaka
Locality Name (eg, city) [Default City]:Dhaka
Organization Name (eg, company) [Default Company Ltd]:Worldcm Network.
Organizational Unit Name (eg, section) []:worldcm.com
Common Name (eg, your name or your server's hostname) []:mail.worldcm.com
Email Address []:admin@worldcm.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@geekpeek ssl]# openssl x509 -req -days 3650 -in postfix.csr -signkey postfix.key -out postfix.crt
Signature ok
subject=/C=BD/L=Dhaka/O=worldcmNetwork/CN=mail.worldcm.net/emailAddress=admin@worldcm.com
Getting Private key
Reconfigure Postfix
Add the following lines to the bottom of the “/etc/postfix/main.cf” file:
# SSL/TLS
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/postfix/ssl/postfix.key
smtpd_tls_cert_file = /etc/postfix/ssl/postfix.crt
smtpd_tls_loglevel = 0
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
# SASL
smtpd_sasl_type = dovecot
broken_sasl_auth_clients = yes
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
Also we need to edit “/etc/postfix/master.cf” file and uncomment the following lines:
/etc/postfix/master.cf
submission inet n - n - - smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
smtps inet n - n - - smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
Reconfigure Dovecot
/etc/dovecot/conf.d/10-ssl.conf
# Uncomment
ssl = yes
# Change to point to the SSL cert generated in Step 15
ssl_cert = </etc/postfix/ssl/postfix.crt
ssl_key = </etc/postfix/ssl/postfix.key
Restart Postfix and Dovecot
# /etc/init.d/postfix restart
# /etc/init.d/dovecot restart