<< HOWTO-Index
NEW!
Visit my Linux forums!
 This Howto is also available on HowtoForge! If you have also written tutorials, you can publish them there.
Postfix-SMTP-AUTH-TLS-Howto
Version 1.0
Author: Falko Timme <ft [at] falkotimme [dot] com>
Last edited 12/31/2003
This document describes
how to install a mail server based on postfix that is capable of SMTP-AUTH and
TLS. It should work (maybe with slight changes concerning paths etc.) on all
*nix operating systems. I tested it on Debian Woody and Fedora Core 1 so far.
This howto is meant
as a practical guide; it does not cover the theoretical backgrounds. They are
treated in a lot of other documents in the web.
This document comes
without warranty of any kind!
1 Get the Sources
We need the following
software: openssl, cyrus-sasl2, postfix and the TLS patch for postfix. We will
install the software from the /tmp
directory.
cd /tmp
wget http://www.openssl.org/source/openssl-0.9.7c.tar.gz
wget --passive-ftp ftp://ftp.andrew.cmu.edu/pub/cyrus-mail/cyrus-sasl-2.1.17.tar.gz
wget --passive-ftp ftp://ftp.aet.tu-cottbus.de/pub/postfix_tls/related/postfix/postfix-2.0.16.tar.gz
wget --passive-ftp ftp://ftp.aet.tu-cottbus.de/pub/postfix_tls/pfixtls-0.8.16-2.0.16-0.9.7b.tar.gz
2 Install Openssl
tar xvfz openssl-0.9.7c.tar.gz
cd openssl-0.9.7c
./config
make
make install
3 Install Cyrus-sasl
cd /tmp
tar
xvfz cyrus-sasl-2.1.17.tar.gz
cd cyrus-sasl-2.1.17
./configure --enable-anon --enable-plain --enable-login --disable-krb4 --with-saslauthd=/var/run/saslauthd
--with-pam --with-openssl=/usr/local/ssl --with-plugindir=/usr/local/lib/sasl2
--enable-cram --enable-digest --enable-otp (1
line!)
make
make install
If /usr/lib/sasl2
exists:
mv /usr/lib/sasl2 /usr/lib/sasl2_orig
ln -s /usr/local/lib/sasl2
/usr/lib/sasl2
Create the file
/usr/local/lib/sasl2/smtpd.conf:
# This sets smtpd to authenticate using the saslauthd daemon.
pwcheck_method:saslauthd
# This allows only plain, login, cram-md5 and digest-md5 as the authentication mechanisms.
mech_list: plain login cram-md5 digest-md5
|
4 Install Postfix
cd /tmp
tar xvfz pfixtls-0.8.16-2.0.16-0.9.7b.tar.gz
tar xvfz postfix-2.0.16.tar.gz
cd postfix-2.0.16
useradd postfix
groupadd postdrop
patch -p1 < ../pfixtls-0.8.16-2.0.16-0.9.7b/pfixtls.diff
make makefiles CCARGS="-DHAS_SSL -DUSE_SASL_AUTH -I/usr/local/include/sasl
-I/usr/local/ssl/include" AUXLIBS="-L/usr/local/ssl/lib -L/usr/local/lib
-R/usr/local/lib -lsasl2 -lssl -lcrypto" (1
line!)
make
make install (accept
the default values)
cp /etc/postfix/aliases /etc/
newaliases
Create /etc/init.d/postfix:
#!/bin/bash
#
# postfix This script controls the postfix daemon.
#
# description: Postfix MTA
# processname: postfix
case "$1" in
start)
/usr/sbin/postfix start
;;
stop)
/usr/sbin/postfix stop
;;
reload)
/usr/sbin/postfix reload
;;
restart)
$0 stop
$0 start
;;
*)
echo "Usage: $0 {start|stop|reload|restart}"
exit 1
esac
exit 0
|
chmod 755 /etc/init.d/postfix
In order to start
postfix at boot time
do the following:
ln -s /etc/init.d/postfix
/etc/rc2.d/S20postfix
ln -s /etc/init.d/postfix /etc/rc3.d/S20postfix
ln -s /etc/init.d/postfix /etc/rc4.d/S20postfix
ln -s /etc/init.d/postfix /etc/rc5.d/S20postfix
ln -s /etc/init.d/postfix /etc/rc0.d/K20postfix
ln -s /etc/init.d/postfix /etc/rc1.d/K20postfix
ln -s /etc/init.d/postfix /etc/rc6.d/K20postfix
Our postfix will
run chrooted in /var/spool/postfix
so we have to copy a few files:
mkdir -p /var/spool/postfix/etc
cd /etc
cp localtime services hosts resolv.conf /var/spool/postfix/etc/
mkdir -p /var/spool/postfix/var/run
mv -f /var/run/saslauthd/ /var/spool/postfix/var/run/
chmod 755 /var/spool/postfix/var/run/saslauthd/
ln -s /var/spool/postfix/var/run/saslauthd/ /var/run/saslauthd
Now we have to
generate the certificate files needed for TLS:
mkdir /etc/postfix/ssl
cd /etc/postfix/ssl/
If /usr/bin/openssl
exists:
mv /usr/bin/openssl
/usr/bin/openssl_orig
ln -s /usr/local/ssl/bin/openssl
/usr/bin/openssl
openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024
<-
Enter a password for smtpd.key.
chmod 600 smtpd.key
openssl req -new -key smtpd.key -out smtpd.csr
<- Again, enter
your password for smtpd.key.
<- Enter your Country Name (e.g., "DE").
<- Enter your State or Province Name.
<- Enter your City.
<- Enter your Organization Name (e.g., the name of your company).
<- Enter your Organizational Unit Name (e.g. "IT Department").
<- Enter the Fully Qualified Domain Name of the system (e.g. "server1.example.com").
<- Enter your Email Address.
The following information
is optional:
<- Enter a challenge
password.
<- Enter an optional company name.
openssl x509 -req -days
3650 -in smtpd.csr -signkey smtpd.key -out smtpd.crt
<- Again, enter
your password for smtpd.key.
openssl rsa -in smtpd.key
-out smtpd.key.unencrypted
<- Again, enter
your password for smtpd.key.
mv -f smtpd.key.unencrypted
smtpd.key
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days
3650
<- Again, enter
your password for smtpd.key.
<- Enter your Country Name (e.g., "DE").
<- Enter your State or Province Name.
<- Enter your City.
<- Enter your Organization Name (e.g., the name of your company).
<- Enter your Organizational Unit Name (e.g. "IT Department").
<- Enter the Fully Qualified Domain Name of the system (e.g. "server1.example.com").
<- Enter your Email Address.
Edit /etc/postfix/main.cf
in order to enable SMTP-AUTH and TLS:
postconf -e 'mydomain = example.com'
postconf -e 'myhostname = server1.$mydomain'
postconf -e 'smtpd_sasl_local_domain ='
postconf -e 'smtpd_sasl_auth_enable = yes'
postconf -e 'smtpd_sasl_security_options = noanonymous'
postconf -e 'broken_sasl_auth_clients = yes'
postconf -e 'smtpd_recipient_restrictions=permit_sasl_authenticated,permit_mynetworks,check_relay_domains'
postconf -e 'inet_interfaces = all'
postconf -e 'alias_maps = hash:/etc/aliases'
postconf
-e 'smtpd_tls_auth_only = no'
postconf -e 'smtp_use_tls = yes'
postconf -e 'smtpd_use_tls = yes'
postconf -e 'smtp_tls_note_starttls_offer = yes'
postconf -e 'smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key'
postconf -e 'smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt'
postconf -e 'smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem'
postconf -e 'smtpd_tls_loglevel = 1'
postconf -e 'smtpd_tls_received_header = yes'
postconf -e 'smtpd_tls_session_cache_timeout = 3600s'
postconf -e 'tls_random_source = dev:/dev/urandom'
5 Configure
Saslauthd
Create /etc/init.d/saslauthd:
#!/bin/sh -e
NAME=saslauthd
DAEMON="/usr/sbin/${NAME}"
DESC="SASL Authentication Daemon"
DEFAULTS=/etc/default/saslauthd
test -f "${DAEMON}" || exit 0
# Source defaults file; edit that file to configure this script.
if [ -e "${DEFAULTS}" ]; then
. "${DEFAULTS}"
fi
# If we're not to start the daemon, simply exit
if [ "${START}" != "yes" ]; then
exit 0
fi
# If we have no mechanisms defined
if [ "x${MECHANISMS}" = "x" ]; then
echo "You need to configure ${DEFAULTS} with mechanisms to be used"
exit 0
fi
# Add our mechanimsms with the necessary flag
for i in ${MECHANISMS}; do
PARAMS="${PARAMS} -a ${i}"
done
# Consider our options
case "${1}" in
start)
echo -n "Starting ${DESC}: "
ln -fs /var/spool/postfix/var/run/${NAME} /var/run/${NAME}
${DAEMON} ${PARAMS}
echo "${NAME}."
;;
stop)
echo -n "Stopping ${DESC}: "
PROCS=`ps aux | grep -iw '/usr/sbin/saslauthd' | grep -v 'grep' |awk '{print $2}' | tr '\n' ' '`
if [ "x${PROCS}" != "x" ]; then
kill -15 ${PROCS} &> /dev/null
fi
echo "${NAME}."
;;
restart|force-reload)
$0 stop
sleep 1
$0 start
echo "${NAME}."
;;
*)
echo "Usage: /etc/init.d/${NAME} {start|stop|restart|force-reload}" >&2
exit 1
;;
esac
exit 0
|
chmod 755 /etc/init.d/saslauthd
In order to start
saslauthd at boot time
do the following:
ln -s /etc/init.d/saslauthd
/etc/rc2.d/S20saslauthd
ln -s /etc/init.d/saslauthd /etc/rc3.d/S20saslauthd
ln -s /etc/init.d/saslauthd /etc/rc4.d/S20saslauthd
ln -s /etc/init.d/saslauthd /etc/rc5.d/S20saslauthd
ln -s /etc/init.d/saslauthd /etc/rc0.d/K20saslauthd
ln -s /etc/init.d/saslauthd /etc/rc1.d/K20saslauthd
ln -s /etc/init.d/saslauthd /etc/rc6.d/K20saslauthd
Then create /etc/default/saslauthd:
# This needs to be uncommented before saslauthd will be run automatically
START=yes
# You must specify the authentication mechanisms you wish to use.
# This defaults to "pam" for PAM support, but may also include
# "shadow" or "sasldb"
MECHANISMS=shadow
|
If you find out
that saslauthd is located
in /usr/local/sbin instead
of /usr/sbin create a
symbolic link:
ln -s /usr/local/sbin/saslauthd
/usr/sbin/saslauthd
Then start saslauthd
and postfix:
/etc/init.d/saslauthd start
/etc/init.d/postfix start
6 Test your
Configuration
To see if SMTP-AUTH
and TLS work properly now run the following command:
telnet
localhost 25
After you have
established the connection to your postfix mail server type
ehlo
localhost
If you see the
lines
250-STARTTLS
and
250-AUTH
everything is fine.

Type
quit
to return to the
system's shell.
Further (Debian-specific)
information about this topic can be found here: http://www.projektfarm.com/en/support/debian_setup/index.html.
Links
Postfix MTA: http://www.postfix.org/
OpenSSL: http://www.openssl.org/
Cyrus-SASL: http://asg.web.cmu.edu/sasl/
Postfix/TLS: http://www.aet.tu-cottbus.de/personen/jaenicke/postfix_tls/
NEW!
Visit my Linux forums!
 This Howto is also available on HowtoForge! If you have also written tutorials, you can publish them there.
<< HOWTO-Index
|