renessl - ZenProjects/phpSMTPd GitHub Wiki

from disappeared page http://rene.bz/setting-smtp-authentication-over-tls-postfix/ of Rene Cunningham.

Setting up SMTP Authentication over TLS with Postfix

March 12, 2007

SMTP authentication allows a remote email client to authenticate and relay through a Mail Transfer Agent such as Sendmail, Qmail or Microsoft Exchange. It is essential that this is done using encryption (in this case Transport Layer Security (TLS)).

Remote SMTP clients will be authenticated using Cyrus SASL 2. We will be creating a SASL password database which will be used for authentication. We will not be authenticating users based on their unix accounts.

Within this tutorial you will accomplish the following

  • Create a signed SSL certificate using CAcert.org.
  • Authenticate SMTP AUTH users using SASL.
  • Send and receive email via an encrypted tunnel from Postfix with other email servers that support TLS.

Before starting this tutorial, it would be a good idea to backup your /etc/postfix directory just incase you have to revert back.

This tutorial has strong references to Debian, though with a bit of tweaking you should be able to use this tutorial for all Linux distributions.

TLS and Postfix

Create the SSL certificate

CAcert.org offers a free SSL certificate signing. Their goal is to eventually be acknowledge as an Certificate Authority (CA) and be included into mainstream browsers such as Firefox. This tutorial uses CAcert.org as the root CA to sign our SSL request certificate.

Sign up for a free account on CAcert.org. Having an account will allow you to add multiple domains to your CAcert.org account allowing you to generate certificates for these domains. You will have to make sure you can receive email for at least one of the following accounts on your domain; root, hostmaster, postmaster, admin, webmaster or email addresses that can be found on whois data of domain that you provided.

Create your private TLS key and Certificate Request using the openssl command. The Certificate Request will be sent to CAcert.org requesting that it be signed by a CA.

# chown root:postfix /etc/postfix/tls
# chmod u=rwx,go= /etc/postfix/tls
# cd /etc/postfix/tls
# openssl req -nodes -days 180 -newkey rsa:1024 -keyout key.pem -out req.pem
# chown root:postfix /etc/postfix/tls/key.pem
# chmod ug=r,o= /etc/postfix/tls/key.pem
# chown root:postfix /etc/postfix/tls/req.pem
# chmod u=r,go= /etc/postfix/tls/req.pem
# chmod u=rwx,go=rx /etc/postfix/tls

Follow the second and the final step in the following CAcert.org help page which will request a signed certificate.

https://www.cacert.org/help.php?id=6

For the final step is the help page above, you will need to copy and paste the file /etc/postfix/tls/req.pem into the CAcert.org website.

Once CAcert.org generates a signed certificate (which is in the final step found on the URL above) , copy and paste that certificate to the file

/etc/postfix/tls/root.crt

Check if Postfix has TLS enabled

Check what Postfix currently supports. This is done by using the SMTP command, EHLO which displays the mail servers capabilities.

$ telnet mail.terdmonk.com 25
Trying 202.86.52.14...
Connected to mail.terdmonk.com.
Escape character is '^]'.
220 mail.terdmonk.com ESMTP
EHLO terdmonk.com
250-mail.terdmonk.com
250-PIPELINING
250-SIZE 10240000
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

Commands you need to type are in bold.

Substitute terdmonk.com with your own domain name.

If you do not see STARTTLS, such as the output above, your mail server does not support TLS. We will enable it in the step below.

Enable TLS

To enable TLS in Postfix, add the following to the /etc/postfix/main.cf file

# TLS parameters
smtpd_tls_CAfile                        = /etc/ssl/certs/ca-certificates.crt
smtpd_tls_cert_file                     = /etc/postfix/tls/server.crt
smtpd_tls_key_file                      = /etc/postfix/tls/key.pem
smtpd_use_tls                           = yes
smtpd_tls_session_cache_database        = btree:${queue_directory}/smtpd_scache

smtp_tls_CAfile                         = /etc/ssl/certs/ca-certificates.crt
smtp_tls_cert_file                      = /etc/postfix/tls/server.crt
smtp_tls_key_file                       = /etc/postfix/tls/key.pem
smtp_tls_session_cache_database         = btree:${queue_directory}/smtp_scache
smtp_use_tls                            = yes

smtpd_tls_received_header               = yes
smtpd_tls_ask_ccert                     = yes
smtpd_tls_loglevel                      = 1
tls_random_source                       = dev:/dev/urandom
# TLS end

Reload postfix

# postfix reload

And now test what capabilities your SMTP server has.

# telnet mail.terdmonk.com 25
Trying 202.86.52.14...
Connected to mail.terdmonk.com.
Escape character is '^]'.
220 mail.terdmonk.com ESMTP
EHLO terdmonk.com
250-mail.terdmonk.com
250-PIPELINING
250-SIZE 10240000
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

Commands you need to type are in bold.

Substitute terdmonk.com with your own domain name.

SASL and Postfix

Configure SASL

Postfix supports SASL which will be used to authenticate remote SMTP clients. SASL can also be used to authenticate the Postfix SMTP client to a remote SMTP server.

Installing SASL is beyond the scope of this tutorial. If your Linux distribution does not support Cyrus SASL, you can download it from the cyrusimap project github page : https://github.com/cyrusimap/cyrus-sasl and http://www.postfix.org/SASL_README.html.

Cyrus SASL provides the sasl authentication server which is a daemon process that authentication requests on behalf of the SASL library.

If your version of Postfix is configured to run in a chroot environment you will need to configure saslauthd to support this type of environment. This is done by configuring saslauthd to use the Postfix chroot path.

If you are using Debian, you will need to make minor adjustments to allow for saslauthd to use the Postfix chroot directory. Firstly edit the file

/etc/default/saslauthd

Set the authentication mechanism to sasldb

MECHANISMS="sasldb"

And set the OPTIONS variable to

OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"

Then configure the saslauthd to be allowed to use the run time variable directory within the Postfix chroot. Also add the postfix user to the sasl group.

# dpkg-statoverride --add root sasl 710 /var/spool/postfix/var/run/saslauthd
# adduser postfix sasl

Cyrus SASL 2.1.1 uses /etc/sasldb2 as the SASL password file which is maintained by the saslpasswd2 command. Since Postfix runs in a chroot, it does not have access to /etc/sasldb2. To overcome this, move /etc/sasldb2 to the Postfix chroot and allow Postfix to read the file

# mv /etc/sasldb2 /var/spool/postfix/etc/
# chown root:sasl /var/spool/postfix/etc/sasldb2
# ln -sf /var/spool/postfix/etc/sasldb2 /etc/

Configure Postfix to use SASL

Add the following to /etc/postfix/main.cf which will enable SASL authentication.

smtpd_sasl_auth_enable          = yes
broken_sasl_auth_clients        = yes
smtpd_recipient_restrictions    = permit_sasl_authenticated

Once Postfix is configured to use SASL you should see a few more capabilities when connecting to port 25 and running the EHLO command

$ telnet mail.terdmonk.com 25
Trying 202.86.52.14...
Connected to mail.terdmonk.com.
Escape character is '^]'.
220 mail.terdmonk.com ESMTP
EHLO terdmonk.com
250-mail.terdmonk.com
250-PIPELINING
250-SIZE 10240000
250-ETRN
250-STARTTLS
250-AUTH PLAIN DIGEST-MD5 LOGIN NTLM CRAM-MD5
250-AUTH=PLAIN DIGEST-MD5 LOGIN NTLM CRAM-MD5
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

Commands you need to type are in bold.

Substitute terdmonk.com with your own domain name.

The server is now displaying its supported encryption methods such as DIGEST-MD5 and CRAM-MD5.Some email clients such as KMail support these encryption methods and you are able to choose which one to use when your configuring your SMTP account.

Add SASL accounts to allow for SMTP Authentication

To add an account to the SASL password file use saslpasswdb2. Its a good idea to include your SMTP servers domain within the SASL account information as some email clients can provide this information during the SMTP AUTH communication.

# saslpasswd2 -c -u `postconf -h myhostname` exampleuser

Substitute exampleuser for a username you wish to use

To view the list of current usernames within the SASL password file use sasldblistusers2

Testing

Testing SMTP Authentication

You can test whether SMTP Authentication is working properly by connecting to your mail server using telnet and executing raw SMTP commands. Firstly you will need to encode the username and password that was added to the SASL password file in Base64.

The following perl command will be able to do the encoding for you, though you will need the MIME::Base64 perl module.

$ perl -MMIME::Base64 -e 'print encode_base64("\000insert_username_here\000insert_password_here")'

Replace insert_username_here and insert_password_here with the username and password you used when creating the SASL account.

$ telnet mail.terdmonk.com 25
Trying 202.86.52.14...
Connected to mail.terdmonk.com.
Escape character is '^]'.
220 mail.terdmonk.com ESMTP
EHLO terdmonk.com
250-mail.terdmonk.com
250-PIPELINING
250-SIZE 10240000
250-ETRN
250-STARTTLS
250-AUTH PLAIN DIGEST-MD5 LOGIN NTLM CRAM-MD5
250-AUTH=PLAIN DIGEST-MD5 LOGIN NTLM CRAM-MD5
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
AUTH PLAIN AHRlc3QAdGVzdDEyMzQ=
235 2.0.0 Authentication successful
HELO example.com
250 mail.terdmonk.com
MAIL FROM: [email protected]
250 2.1.0 Ok
RCPT TO: [email protected]
250 2.1.5 Ok
DATA
354 End data with .
Subject: testing SASL and SMTP AUTH
testing 123
.
250 2.0.0 Ok: queued as 8EC765C807B
QUIT
221 2.0.0 Bye
Connection closed by foreign host.

Substitute terdmonk.com with your own domain name.

The base64 encoded string AHRlc3QAdGVzdDEyMzQ= is a test SASL account

Testing TLS

To verify Postfix supports TLS, it has to be displaying STARTTLS when you connect to port 25 with telnet and run the EHLO command. We set this up in a previous step.

To verify the SSL certificate is working and Postfix can negotiate the SSL encryption you can use the openssl command.

$ openssl s_client -starttls smtp -crlf -connect mail.terdmonk.com:25

Substitute mail.terdmonk.com with the hostname of your mail server.

Resources

Changelog

2007/03/18

  • Initial release