Installation and Configuration of Postfix Server on Centos 6.5 Part-2/4 : SASL and TLS/SSL

How To Configure SASL and TLS/SSL in Postfix on CentOS 6.5:

SASL provides a mechanism to authenticate, by username and password, remote users who wish to send mail through the mail server.

Install required packages:

# yum install cyrus-sasl cyrus-sasl-devel cyrus-sasl-gssapi cyrus-sasl-md5 cyrus-sasl-plain -y

Configuring SASL in postfix:

[root@kvit ~]# vim /etc/postfix/main.cf   (Add the following lines to the bottom of the file)

smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes

:wq! (save&exit)

Configuring SASL in dovecot:

[root@kvit ~]# cp /etc/dovecot.conf /etc/dovecot.conf.ori

[root@kvit ~]# vim /etc/dovecot.conf  (Add the following lines at the bottom of the file)

service auth {
    unix_listener /var/spool/postfix/private/auth {
        group = postfix
        mode = 0660
        user = postfix
    }
}

:wq! (save&exit)

[root@kvit ~]# service postfix restart
[root@kvit ~]# service dovecot restart

Verification of SASL on Dovecot and Postfix:

Let us check whether the socket /var/spool/postfix/private/auth has been created:

[root@kvit ~]# ls -l /var/spool/postfix/private/auth
srw-rw---- 1 postfix postfix 0 Nov  8 04:09 /var/spool/postfix/private/auth

[root@kvit ~]# cat /etc/dovecot/conf.d/10-logging.conf | grep log_path
#log_path = syslog
log_path = /var/log/dovecot.log

[root@kvit ~]# telnet localhost 25
Trying ::1...
Connected to localhost.
Escape character is '^]'.
220 kvit.6987.in ESMTP Postfix
ehlo server
250-kvit.6987.in
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
quit
221 2.0.0 Bye
Connection closed by foreign host.

SSL/TLS in postfix:

SASL provides a mechanism to authenticate, by username and password, remote users who wish to send mail through the mail server. Remote users retrieve mail through the IMAP and/or POP3 services provided by Dovecot. The problem with these mechanisms is that they send usernames and passwords in plain text across the Internet (SASL does support encrypted authentication methods such as DIGEST-MD5). This poses a security risk, since anyone who can intercept the traffic can steal the login details, so we need to encrypt the connection. SSL (Secure Sockets Layer), and more recently TLS (Transport Layer Security), offer a mechanism to encrypt communications between two hosts, in our case our mail server and our remote client.

Generating SSL/TLS certificates:

[root@pc1 ~]# mkdir /etc/postfix/ssl
[root@pc1 ~]# cd /etc/postfix/ssl/
[root@pc1 ~]# openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 2048
[root@pc1 ~]# chmod 600 smtpd.key
[root@pc1 ~]# openssl req -new -key smtpd.key -out smtpd.csr
[root@pc1 ~]# openssl x509 -req -days 3650 -in smtpd.csr -signkey smtpd.key -out smtpd.crt
[root@pc1 ~]# openssl rsa -in smtpd.key -out smtpd.key.unencrypted
[root@pc1 ~]# mv -f smtpd.key.unencrypted smtpd.key
[root@pc1 ~]# openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650

Edit /etc/sasl2/smtpd.conf so that Postfix allows PLAIN and LOGIN logins.
On 64-bit CentOS you must edit the file /etc/sasl2/smtpd.conf. It should look like this:

[root@pc1]# vim /etc/sasl2/smtpd.conf
pwcheck_method: saslauthd
mech_list: plain login

Configuring SSL/TLS in postfix:

Now that we have generated our certificates, we can configure Postfix to use them to encrypt SASL authentication sessions. We need to add the following to /etc/postfix/main.cf:

[root@pc1 ~]# vim /etc/postfix/main.cf
smtpd_tls_security_level = may
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtp_use_tls = yes
smtpd_use_tls = yes
smtpd_tls_loglevel = 1
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_tls_cache
tls_random_exchange_name = /var/lib/postfix/prng_exch
smtpd_tls_auth_only = yes

:wq! (save & exit)

[root@pc1 ~]# service saslauthd start
[root@pc1 ~]# chkconfig saslauthd on
[root@pc1 ~]# service postfix restart
[root@pc1 ~]# chkconfig postfix on

How to enable SSL (Port 465) on Postfix in CentOS 6.5:

Uncomment the smtps service lines in master.cf so that the section reads as follows:

[root@pc1 ~]# vim /etc/postfix/master.cf
smtp      inet  n       -       n       -       -       smtpd
#submission inet n      -       n       -       -       smtpd
#  -o smtpd_tls_security_level=encrypt
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
smtps     inet  n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING

After this, in the advanced settings of the Outlook account, set the outgoing server (SMTP) port to 465 and the encryption type to SSL.

How to enable TLS (Port 587) on Postfix in CentOS 6.5:

Uncomment the submission service lines in master.cf so that the section reads as follows:

[root@pc1 ~]# vim /etc/postfix/master.cf
smtp      inet  n       -       n       -       -       smtpd
submission inet n       -       n       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
#smtps     inet  n      -       n       -       -       smtpd
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING

After this, in the advanced settings of the Outlook account, set the outgoing server (SMTP) port to 587 and the encryption type to TLS.

Don't forget to reload the Postfix configuration:

# service postfix reload

Now we can telnet into the server and check whether Postfix is offering TLS or SSL:

$ telnet localhost 25   (or 587 for TLS, or 465 for SSL)
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
220 mail.example.com ESMTP Postfix
EHLO example.com
250-mail.example.com
250-PIPELINING
250-SIZE 20480000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
quit
221 2.0.0 Bye
Connection closed by foreign host.

If everything is working as expected, you should see the server offering STARTTLS and, because we have specified 'smtpd_tls_auth_only = yes', plaintext SASL authentication (AUTH PLAIN LOGIN and AUTH=PLAIN LOGIN) is no longer offered on the unencrypted connection.
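To turn the check above into something repeatable, here is an added Python script (not code from the original post) that parses EHLO replies and, against a live server, confirms that AUTH is withheld until STARTTLS; the sample replies are constructed from the telnet transcripts on this page, and the host and port are assumptions.

```python
"""Check that Postfix advertises SASL AUTH only inside TLS (smtpd_tls_auth_only).
Added example, not code from the original post; host/port are assumptions."""
import smtplib

# Sample replies constructed from the telnet transcripts on this page.
PLAINTEXT_REPLY = [
    "250-mail.example.com", "250-PIPELINING", "250-SIZE 20480000",
    "250-VRFY", "250-ETRN", "250-STARTTLS", "250-ENHANCEDSTATUSCODES",
    "250-8BITMIME", "250 DSN",
]
# After STARTTLS the server stops offering STARTTLS and adds the AUTH lines.
TLS_REPLY = (PLAINTEXT_REPLY[:5] + ["250-AUTH PLAIN LOGIN", "250-AUTH=PLAIN LOGIN"]
             + PLAINTEXT_REPLY[6:])


def parse_ehlo(reply_lines):
    """Return {'starttls': bool, 'auth': [mechanisms]} for one EHLO reply."""
    result = {"starttls": False, "auth": []}
    for line in reply_lines:
        line = line.strip()
        if not line.startswith("250"):
            continue                   # greeting or other noise
        keyword = line[4:].strip()     # drop the "250-" / "250 " prefix
        if keyword == "STARTTLS":
            result["starttls"] = True
        # "AUTH PLAIN LOGIN" and the legacy "AUTH=PLAIN LOGIN" both list mechanisms.
        elif keyword.startswith(("AUTH ", "AUTH=")):
            for mech in keyword[5:].split():
                mech = mech.lstrip("=")
                if mech and mech not in result["auth"]:
                    result["auth"].append(mech)
    return result


def auth_only_under_tls(plain_reply, tls_reply):
    """True when AUTH is withheld before STARTTLS and offered after it."""
    before, after = parse_ehlo(plain_reply), parse_ehlo(tls_reply)
    return before["starttls"] and not before["auth"] and bool(after["auth"])


def live_ehlo(host="localhost", port=25, timeout=10):
    """Collect EHLO keywords before and after STARTTLS from a running server."""
    def keywords(conn):
        return [f"250-{k.upper()} {v}".rstrip() for k, v in conn.esmtp_features.items()]
    with smtplib.SMTP(host, port, timeout=timeout) as conn:
        conn.ehlo()
        before = keywords(conn)
        conn.starttls()                # self-signed certificate is not verified here
        conn.ehlo()
        return before, keywords(conn)
```

Port 465 is TLS-wrapped rather than STARTTLS, so a plain telnet shows no banner there; check it with smtplib.SMTP_SSL (or openssl s_client -connect) instead.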

Now you will notice TLS connections in the logs:

[Screenshot of TLS connection entries in the mail log]

Configure TLS/SSL in Dovecot:

# vim /etc/dovecot/dovecot.conf

Uncomment the following line:

## Line 20 - uncomment ##
protocols = imap pop3 lmtp

Edit /etc/dovecot/conf.d/10-auth.conf

# vim /etc/dovecot/conf.d/10-auth.conf

And make the changes as shown below:

## Line 9 - uncomment ##
disable_plaintext_auth = yes

## Line 97 - add the word "login" ##
auth_mechanisms = plain login

# vim /etc/dovecot/conf.d/10-ssl.conf

And make the changes as shown below:

## Line 6 - uncomment ##
ssl = yes

## and then add the following lines:
ssl_cert = </etc/postfix/ssl/smtpd.crt
ssl_key = </etc/postfix/ssl/smtpd.key
ssl_ca = </etc/postfix/ssl/cacert.pem
ssl_cipher_list = ALL:!LOW:!SSLv2

# service postfix restart
# service dovecot restart
