SASL/SSL
Generate Postfix Self-Signed Certificate
We need to generate a self-signed SSL certificate to be used with Postfix and Dovecot.
yum -y install openssl cyrus*
[root@geekpeek ~]# mkdir /etc/postfix/ssl
[root@geekpeek ~]# cd /etc/postfix/ssl/
[root@geekpeek ssl]# openssl genrsa -out postfix.key 2048
Generating RSA private key, 2048 bit long modulus
.....+++
.............+++
e is 65537 (0x10001)
[root@geekpeek ssl]# openssl req -new -key postfix.key -out postfix.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:BD
State or Province Name (full name) []: Dhaka
Locality Name (eg, city) [Default City]:Dhaka
Organization Name (eg, company) [Default Company Ltd]:Worldcm Network.
Organizational Unit Name (eg, section) []:worldcm.com
Common Name (eg, your name or your server's hostname) []:mail.worldcm.com
Email Address []:admin@worldcm.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: world
An optional company name []: worldcm
[root@geekpeek ssl]# openssl x509 -req -days 3650 -in postfix.csr -signkey postfix.key -out postfix.crt
Signature ok
subject=/C=BD/L=Dhaka/O=worldcmNetwork/CN=mail.worldcm.net/emailAddress=admin@worldcm.com
Getting Private key
Reconfigure Postfix
Add the following lines to the bottom of the “/etc/postfix/main.cf” file:
# SASL
smtpd_sasl_type = dovecot
broken_sasl_auth_clients = yes
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
# SSL/TLS
smtpd_use_tls=yes
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/postfix/ssl/postfix.key
smtpd_tls_cert_file = /etc/postfix/ssl/postfix.crt
smtpd_tls_loglevel = 0
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
systemctl start postfix
systemctl enable postfix
systemctl restart postfix.service
We also need to edit the “/etc/postfix/master.cf” file and uncomment the following lines:
# vi /etc/postfix/master.cf
submission inet n - n - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
-o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
Xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
#tlsproxy unix - - n - 0 tlsproxy
submission inet n - n - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_reject_unlisted_recipient=no
-o smtpd_client_restrictions=$mua_client_restrictions
-o smtpd_helo_restrictions=$mua_helo_restrictions
-o smtpd_sender_restrictions=$mua_sender_restrictions
-o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
smtps inet n - n - - smtpd
-o syslog_name=postfix/smtps
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_reject_unlisted_recipient=no
-o smtpd_client_restrictions=$mua_client_restrictions
-o smtpd_helo_restrictions=$mua_helo_restrictions
-o smtpd_sender_restrictions=$mua_sender_restrictions
-o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
#628 inet n - n - - qmqpd
Restart Postfix
Reconfigure Dovecot
vi /etc/dovecot/conf.d/10-ssl.conf
# Uncomment
ssl = yes
# Change to point to the SSL cert generated in Step 15
ssl_cert = </etc/postfix/ssl/postfix.crt
ssl_key = </etc/postfix/ssl/postfix.key
Restart Postfix and Dovecot
systemctl start dovecot
systemctl enable dovecot
systemctl restart dovecot.service
The additional package cyrus-sasl-plain is required.
You can install it with:
# yum -y install cyrus*
# yum -y install cyrus-sasl-plain
---------------------------------------------------------------------------
[root@www ~]# cd /etc/pki/tls/certs
[root@www certs]# make server.key
umask 77 ; \
/usr/bin/openssl genrsa -aes128 2048 > server.key
Generating RSA private key, 2048 bit long modulus
...
...
e is 65537 (0x10001)
Enter pass phrase:# set passphrase
Verifying - Enter pass phrase:# confirm [ Enter pass phrase for smtpd.key: passwd: 1234 or domain name ]
[root@www certs]# openssl rsa -in server.key -out server.key
Enter pass phrase for server.key:# input passphrase
writing RSA key
[root@www privet]# make server.csr
umask 77 ; \
/usr/bin/openssl req -utf8 -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
----- ---------------
Country Name (2 letter code) [XX]:BD
State or Province Name (full name) []:Dhaka
Locality Name (eg, city) [Default City]:Dhaka
Organization Name (eg, company) [Default Company Ltd]:World Communication Network Ltd.
Organizational Unit Name (eg, section) []:worldcm.net
Common Name (eg, your name or your server's hostname) []:mail.worldcm.net
Email Address []: admin@worldcm.net
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:world1234
An optional company name []:worldcm
------------------------------------------------------------------
[root@www certs]# openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 3650
Signature ok
subject=/C=JP/ST=Hiroshima/L=Hiroshima/O=GTS/OU=Server World/CN=www.srv.world/emailAddress=xxx@srv.world
Getting Private key
[root@www certs]# chmod 400 server.*
chmod 666 /var/lib/postfix/smtpd_scache.db
-------------------------------------------------------------------------------------------
# vi /etc/postfix/main.cf
##SASL
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sasl_authenticated_header = yes
##SSL
smtpd_use_tls = yes
smtpd_tls_cert_file = /etc/pki/tls/certs/server.crt
smtpd_tls_key_file = /etc/pki/tls/certs/server.key
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
# vi /etc/postfix/master.cf
#tlsproxy unix - - n - 0 tlsproxy
submission inet n - n - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
smtps inet n - n - - smtpd
-o syslog_name=postfix/smtps
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
#628 inet n - n - - qmqpd
------------------------
[root@mail ~]# vi /etc/dovecot/conf.d/10-ssl.conf
# line 8: change
ssl = yes
# line 14,15: specify certificates
ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
ssl_key = </etc/pki/dovecot/private/dovecot.pem
OR
ssl_cert = </etc/pki/tls/certs/server.crt
ssl_key = </etc/pki/tls/certs/server.key
systemctl enable saslauthd
systemctl restart saslauthd
systemctl restart postfix
systemctl restart dovecot
------------------------------------
Test of saslauthd:
# testsaslauthd -u $user -p $password -s smtp
0: OK "Success."
smtpd.conf:
# vi /etc/sasl2/smtpd.conf
pwcheck_method: saslauthd
mech_list: plain login
---------------------