SASL/SSL

Generate Postfix Self-Signed Certificate

We need to generate a self-signed SSL certificate to be used with Postfix and Dovecot.

yum -y install openssl cyrus*

[root@geekpeek ~]# mkdir /etc/postfix/ssl [root@geekpeek ~]# cd /etc/postfix/ssl/ [root@geekpeek ssl]# openssl genrsa -out postfix.key 2048 Generating RSA private key, 2048 bit long modulus .....+++ .............+++ e is 65537 (0x10001) [root@geekpeek ssl]# openssl req -new -key postfix.key -out postfix.csr You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]:BD State or Province Name (full name) []: Dhaka Locality Name (eg, city) [Default City]:Dhaka Organization Name (eg, company) [Default Company Ltd]:Worldcm Network. Organizational Unit Name (eg, section) []:worldcm.com Common Name (eg, your name or your server's hostname) []:mail.worldcm.com Email Address []:admin@worldcm.com

Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: world An optional company name []: worldcm [root@geekpeek ssl]# openssl x509 -req -days 3650 -in postfix.csr -signkey postfix.key -out postfix.crtSignature ok subject=/C=BD/L=Dhaka/O=worldcmNetwork/CN=mail.worldcm.net/emailAddress=admin@worldcm.com Getting Private key

Reconfigure Postfix

Add the following lines to the bottom of the “/etc/postfix/main.cf” file:

# SASLsmtpd_sasl_type = dovecot broken_sasl_auth_clients = yes smtpd_sasl_path = private/auth smtpd_sasl_auth_enable = yes smtpd_sasl_security_options = noanonymous

# SSL/TLS

smtpd_use_tls=yes

smtpd_tls_security_level = may smtpd_tls_auth_only = yes smtpd_tls_key_file = /etc/postfix/ssl/postfix.key smtpd_tls_cert_file = /etc/postfix/ssl/postfix.crt smtpd_tls_loglevel = 0 smtpd_tls_received_header = yes smtpd_tls_session_cache_timeout = 3600s tls_random_source = dev:/dev/urandom

Reconfigure Dovecot

vi /etc/dovecot/conf.d/10-ssl.conf

# Uncomment  ssl = yes  # Change to point to SSL cert generated in Step 15  ssl_cert = </etc/postfix/ssl/postfix.crt  ssl_key = </etc/postfix/ssl/postfix.key

Restart Postfix and Dovecot

systemctl start dovecot

systemctl enable dovecot

systemctl restart dovecot.service

Required additional package cyrus-sasl-plain. 

You can install it by 

# yum -y install cyrus*

# yum -y install cyrus-sasl-plain

---------------------------------------------------------------------------

[root@www ~]# cd /etc/pki/tls/certs

[root@www certs]# make server.key

umask 77 ; \

/usr/bin/openssl genrsa -aes128 2048 > server.key

Generating RSA private key, 2048 bit long modulus

...

...

e is 65537 (0x10001)                    

Enter pass phrase:# set passphrase

Verifying - Enter pass phrase:# confirm                                               [ Enter pass phrase for smtpd.key: passwd: 1234 0r domainNmae] 

[root@www certs]# openssl rsa -in server.key -out server.key

Enter pass phrase for server.key:# input passphrase

writing RSA key

[root@www privet]# make server.csr

umask 77 ; \

/usr/bin/openssl req -utf8 -new -key server.key -out server.csr

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----               ---------------

Country Name (2 letter code) [XX]:BD

State or Province Name (full name) []:Dhaka

Locality Name (eg, city) [Default City]:Dhaka

Organization Name (eg, company) [Default Company Ltd]:World Communication Network Ltd.

Organizational Unit Name (eg, section) []:worldcm.net

Common Name (eg, your name or your server's hostname) []:mail.worldcm.net

Email Address []: admin@worldcm.net

Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []:world1234 An optional company name []:worldcm

------------------------------------------------------------------

[root@www certs]#   openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 3650

Signature ok

subject=/C=JP/ST=Hiroshima/L=Hiroshima/O=GTS/OU=Server World/CN=www.srv.world/emailAddress=xxx@srv.world

Getting Private key 

[root@www certs]#  chmod 400 server.*

                                      chmod 666 /var/lib/postfix/smtpd_scache.db

-------------------------------------------------------------------------------------------

# vi /etc/postfix/main.cf

##SASL

smtpd_sasl_auth_enable = yes

smtpd_sasl_type = dovecot

smtpd_sasl_path = private/auth

smtpd_sasl_security_options = noanonymous

broken_sasl_auth_clients = yes

smtpd_sasl_authenticated_header = yes

##SSL

smtpd_use_tls = yes

smtpd_tls_cert_file = /etc/pki/tls/certs/server.crt

smtpd_tls_key_file = /etc/pki/tls/certs/server.key

smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache

# vi /etc/postfix/master.cf

#tlsproxy  unix  -       -       n       -       0       tlsproxy

submission inet n       -       n       -       -       smtpd

   -o syslog_name=postfix/submission

   -o smtpd_tls_security_level=encrypt

   -o smtpd_sasl_auth_enable=yes

#  -o smtpd_reject_unlisted_recipient=no

#  -o smtpd_client_restrictions=$mua_client_restrictions

#  -o smtpd_helo_restrictions=$mua_helo_restrictions

#   -o smtpd_sender_restrictions=$mua_sender_restrictions

#    -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject

#    -o milter_macro_daemon_name=ORIGINATING

smtps     inet  n       -       n       -       -       smtpd

   -o syslog_name=postfix/smtps

   -o smtpd_tls_wrappermode=yes

   -o smtpd_sasl_auth_enable=yes

#  -o smtpd_reject_unlisted_recipient=no

#  -o smtpd_client_restrictions=$mua_client_restrictions

#  -o smtpd_helo_restrictions=$mua_helo_restrictions

#   -o smtpd_sender_restrictions=$mua_sender_restrictions

#    -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject

#    -o milter_macro_daemon_name=ORIGINATING

#628       inet  n       -       n       -       -       qmqpd

------------------------

[root@mail ~]# vi /etc/dovecot/conf.d/10-ssl.conf

# line 8: change

ssl = yes

# line 14,15: specify certificates

ssl_cert = </etc/pki/dovecot/certs/dovecot.pem

ssl_key = </etc/pki/dovecot/private/dovecot.pem

  OR

 ssl_cert = </etc/pki/tls/certs/server.crt

 ssl_key = </etc/pki/tls/certs/server.key

 systemctl enable saslauthd

 systemctl restart saslauthd

 systemctl restart postfix

 systemctl restart dovecot

------------------------------------

Test of saslauthd:

# testsaslauthd -u $user -p $password -s smtp 0: OK "Success."

smtpd.conf:

# vi /etc/sasl2/smtpd.conf pwcheck_method: saslauthd mech_list: plain login

---------------------