
Installation and Configuration of Postfix Server on Centos 6.5 Part-2/4 : SASL and TLS/SSL


How to configure SASL and TLS/SSL in Postfix on CentOS 6.5:

SASL provides the mechanism by which the mail server authenticates remote users by username and password before it relays mail for them. Postfix does not implement SASL itself; in this setup it hands the AUTH exchange to Dovecot's authentication service over a UNIX socket, so the same passwords serve SMTP submission and IMAP/POP3.

Install the required packages (the Cyrus SASL packages are only used by Postfix if you later choose smtpd_sasl_type = cyrus; with the Dovecot backend configured below they are not needed, but they do no harm):

# yum install cyrus-sasl cyrus-sasl-devel cyrus-sasl-gssapi cyrus-sasl-md5 cyrus-sasl-plain -y

Configuring SASL in postfix:

# vim /etc/postfix/main.cf   (add the following lines at the bottom of the file)

smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes

:wq! (save & exit)

smtpd_sasl_path is relative to the Postfix queue directory, so private/auth means /var/spool/postfix/private/auth, which is where Dovecot will create its listener below. The order of smtpd_recipient_restrictions matters: clients in mynetworks and authenticated clients may relay anywhere, everyone else may only deliver to the domains this server is responsible for (reject_unauth_destination), and that last rule is what keeps the server from becoming an open relay. noanonymous forbids the ANONYMOUS mechanism; broken_sasl_auth_clients = yes additionally emits the non-standard "AUTH=" line that old Outlook/Outlook Express versions expect.

Configuring SASL in dovecot:

On CentOS 6.5 the Dovecot 2.x configuration lives in /etc/dovecot/dovecot.conf (which includes /etc/dovecot/conf.d/*.conf); /etc/dovecot/conf.d/10-master.conf already contains a commented template of this stanza, but appending it to dovecot.conf works just as well.

# cp /etc/dovecot/dovecot.conf /etc/dovecot/dovecot.conf.ori

# vim /etc/dovecot/dovecot.conf  (add the following lines at the bottom of the file)

service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    user = postfix
    group = postfix
  }
}
:wq! (save & exit)

The socket is created inside the Postfix queue directory so that smtpd can reach it even when it runs chrooted; mode 0660 owned by postfix:postfix means only the Postfix daemons can talk to the authentication service.

# service postfix restart
# service dovecot restart

Verification of SASL on Dovecot and Postfix:

Check that /var/spool/postfix/private/auth has been created:

# ls -l /var/spool/postfix/private/auth
srw-rw---- 1 postfix postfix 0 Nov  8 04:09 /var/spool/postfix/private/auth

Note where Dovecot writes its log, so that authentication failures can be traced later (the default on CentOS is syslog, i.e. /var/log/maillog; here it has been pointed at a dedicated file):

# grep log_path /etc/dovecot/conf.d/10-logging.conf
#log_path = syslog
log_path = /var/log/dovecot.log

# telnet localhost 25
Trying ::1...
Connected to localhost.
Escape character is '^]'.
220 kvit.6987.in ESMTP Postfix
ehlo server
250-kvit.6987.in
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
quit
221 2.0.0 Bye
Connection closed by foreign host.

Postfix now advertises AUTH PLAIN LOGIN, so SASL is wired up. Note that at this point it is offered on a plaintext session: a client that authenticates now sends its password in the clear. The TLS configuration in the next section (smtpd_tls_auth_only = yes) fixes that by withholding AUTH until STARTTLS has been negotiated.

SSL/TLS in postfix:

SASL authenticates remote users who want to send mail through the server by username and password, and the same users retrieve their mail through the IMAP and/or POP3 services provided by Dovecot. The problem is that with the PLAIN and LOGIN mechanisms, and with plain IMAP/POP3 logins, these usernames and passwords cross the Internet in clear text, so anyone on the path can capture them and steal the login. (SASL does offer challenge-response mechanisms such as CRAM-MD5 and DIGEST-MD5 that hide the password itself, but they require the server to store passwords in a recoverable form and leave the mail content unprotected.) The connection therefore needs to be encrypted: SSL (Secure Sockets Layer) and its successor TLS (Transport Layer Security) encrypt the communication between two hosts, in our case the mail server and the remote client.

Generating SSL/TLS certificates:

Create a private CA first, then the server key and a certificate request, and sign the request with the CA. That way the cacert.pem referenced later in main.cf (smtpd_tls_CAfile) and in Dovecot (ssl_ca) really is the issuer of smtpd.crt, and clients only need to trust that one CA certificate. When openssl req asks for the Common Name of the server certificate, answer with the hostname clients will connect to (e.g. mail.example.com). The CA key gets a passphrase; the server key must not have one, because Postfix and Dovecot need to read it unattended:

# mkdir /etc/postfix/ssl
# cd /etc/postfix/ssl/
# umask 077
# openssl req -new -x509 -extensions v3_ca -days 3650 -keyout cakey.pem -out cacert.pem
# openssl genrsa -out smtpd.key 2048
# openssl req -new -key smtpd.key -out smtpd.csr
# openssl x509 -req -days 3650 -in smtpd.csr -CA cacert.pem -CAkey cakey.pem -CAcreateserial -out smtpd.crt
# openssl verify -CAfile cacert.pem smtpd.crt
# chmod 600 smtpd.key cakey.pem

Because the CA is private, mail clients will still warn about an unknown issuer until cacert.pem is imported into their trust store (or the server certificate is replaced by one from a public CA).
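To check the material before Postfix and Dovecot are pointed at it, here is an added verification script (written for this article, not part of the original procedure). It takes the certificate, key, CA file and the server hostname as arguments; the demo at the bottom builds a throwaway CA and server certificate under a temporary directory, using the constructed names "Demo Mail CA" and mail.demo.example, so that it runs stand-alone.

```bash
#!/bin/bash
# Added example (not from the original article): sanity-check TLS material
# before Postfix and Dovecot are pointed at it.  The hostname and the file
# names are arguments; the demo at the bottom builds a throwaway CA and
# server certificate under a temporary directory so the script runs stand-alone.

# check_tls_material <cert> <key> <ca> <hostname>   -> returns 0 only if all checks pass
check_tls_material() {
    local cert=$1 key=$2 ca=$3 host=$4 rc=0 h mode

    # 1. The CA named in smtpd_tls_CAfile / ssl_ca must be the issuer of the
    #    server certificate; a self-signed server cert plus an unrelated CA fails here.
    if openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "ok   : $cert chains to $ca"
    else
        echo "FAIL : $cert is not issued by $ca"; rc=1
    fi

    # 2. Key and certificate must belong together (compare the RSA moduli).
    if [ -n "$(openssl rsa -noout -modulus -in "$key" 2>/dev/null)" ] &&
       [ "$(openssl x509 -noout -modulus -in "$cert" 2>/dev/null)" = \
         "$(openssl rsa -noout -modulus -in "$key" 2>/dev/null)" ]; then
        echo "ok   : private key matches certificate"
    else
        echo "FAIL : $key does not match $cert"; rc=1
    fi

    # 3. Clients verify the name they connect to: the CN or a DNS SAN must equal it.
    h=$(printf '%s' "$host" | sed 's/\./\\./g')      # escape dots for the regex
    if openssl x509 -noout -text -in "$cert" 2>/dev/null |
       grep -Eq "(CN ?= ?|DNS:)$h(\$|[,/ ])"; then
        echo "ok   : certificate names $host"
    else
        echo "FAIL : neither CN nor SAN matches $host (clients will warn or refuse)"; rc=1
    fi

    # 4. Fail early on certificates that expire within 30 days (2592000 s).
    if openssl x509 -noout -checkend 2592000 -in "$cert" >/dev/null 2>&1; then
        echo "ok   : certificate valid for more than 30 days"
    else
        echo "FAIL : certificate expires within 30 days or has expired"; rc=1
    fi

    # 5. The unencrypted private key must not be group- or world-readable.
    mode=$(stat -c %a "$key" 2>/dev/null || stat -f %Lp "$key")
    if [ "$mode" = 600 ] || [ "$mode" = 400 ]; then
        echo "ok   : $key is mode $mode"
    else
        echo "FAIL : $key is mode $mode, expected 600"; rc=1
    fi
    return $rc
}

# make_demo_material <dir>: throwaway CA and server cert (constructed names, demo only).
make_demo_material() {
    local d=$1
    (
        umask 077 && cd "$d" &&
        openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj '/CN=Demo Mail CA' \
            -keyout cakey.pem -out cacert.pem 2>/dev/null &&
        openssl req -newkey rsa:2048 -nodes -subj '/CN=mail.demo.example' \
            -keyout smtpd.key -out smtpd.csr 2>/dev/null &&
        openssl x509 -req -days 365 -in smtpd.csr -CA cacert.pem -CAkey cakey.pem \
            -CAcreateserial -out smtpd.crt 2>/dev/null
    )
}

# Stand-alone demo: one passing run, then a deliberate hostname mismatch.
demo_dir=$(mktemp -d) && make_demo_material "$demo_dir" && {
    check_tls_material "$demo_dir/smtpd.crt" "$demo_dir/smtpd.key" "$demo_dir/cacert.pem" mail.demo.example
    check_tls_material "$demo_dir/smtpd.crt" "$demo_dir/smtpd.key" "$demo_dir/cacert.pem" other.demo.example || :
}
```

For the real files run check_tls_material /etc/postfix/ssl/smtpd.crt /etc/postfix/ssl/smtpd.key /etc/postfix/ssl/cacert.pem mail.example.com (with your own hostname), and run it again after every renewal; a FAIL on the first check is exactly what a self-signed server certificate combined with an unrelated CA file produces.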

The file /etc/sasl2/smtpd.conf (on 64-bit CentOS; /usr/lib/sasl2/smtpd.conf on 32-bit) is only consulted when Postfix uses Cyrus SASL, i.e. smtpd_sasl_type = cyrus. With smtpd_sasl_type = dovecot, as configured above, Postfix talks to Dovecot's auth socket and ignores this file and saslauthd entirely. If you prefer Cyrus SASL instead, set smtpd_sasl_type = cyrus and smtpd_sasl_path = smtpd in main.cf and make the file look like this, which allows PLAIN and LOGIN and checks passwords through saslauthd:

# vim /etc/sasl2/smtpd.conf
pwcheck_method: saslauthd
mech_list: plain login

Configuring SSL/TLS in postfix:

Now that the certificates exist, configure Postfix to use them so that SASL authentication happens inside an encrypted session. Add the following to /etc/postfix/main.cf:
# vim /etc/postfix/main.cf
smtpd_tls_security_level = may
smtp_tls_security_level = may
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_tls_cache
tls_random_exchange_name = /var/lib/postfix/prng_exch
smtpd_tls_auth_only = yes

:wq! (save & exit)

What these settings mean in security terms: smtpd_tls_security_level = may enables opportunistic STARTTLS on port 25, which is the right choice for MTA-to-MTA traffic (forcing encryption on port 25 would bounce mail from the many servers that do not speak TLS; mandatory TLS belongs on the submission ports configured below). smtp_tls_security_level = may does the same for outgoing mail; these two parameters replace the smtp_use_tls/smtpd_use_tls switches that have been obsolete since Postfix 2.3 (CentOS 6.5 ships Postfix 2.6). smtpd_tls_auth_only = yes is the important one: AUTH is neither advertised nor accepted until the session has been upgraded to TLS, so passwords never travel in the clear. smtpd_sender_restrictions as written ends with a permit and therefore restricts nothing; it can be left out or extended with a reject_* rule. tls_random_source and tls_random_exchange_name are the compiled-in defaults and may be omitted. On Postfix 2.6 you can additionally refuse SSLv2 and SSLv3 with smtpd_tls_protocols = !SSLv2, !SSLv3 and smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3.

# service postfix restart
# chkconfig postfix on

(saslauthd is only needed with smtpd_sasl_type = cyrus; in that case also run "service saslauthd start" and "chkconfig saslauthd on".)

How to enable SSL (Port 465) on postfix in centos 6.5:

Uncomment the smtps lines in master.cf. The "-o" continuation lines must start with whitespace, otherwise master.cf cannot be parsed and Postfix refuses to start:
# vim /etc/postfix/master.cf
smtp      inet  n       -       n       -       -       smtpd
#submission inet n       -       n       -       -       smtpd
#  -o smtpd_tls_security_level=encrypt
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
smtps     inet  n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING

smtpd_tls_wrappermode=yes makes port 465 speak TLS from the first byte (no STARTTLS negotiation), and permit_sasl_authenticated,reject means only authenticated clients may even proceed with a session there. The milter line can stay commented unless you run milters.

After this, set port 465 as the outgoing server (SMTP) port in Outlook's advanced settings and choose SSL as the encryption type.

How to enable TLS (Port 587) on postfix in centos 6.5:
Uncomment the submission lines in master.cf (again, the "-o" lines must be indented):
# vim /etc/postfix/master.cf
smtp      inet  n       -       n       -       -       smtpd
submission inet n       -       n       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
#smtps     inet  n       -       n       -       -       smtpd
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING

Here smtpd_tls_security_level=encrypt makes STARTTLS mandatory on 587 (unlike the opportunistic "may" on port 25), so a client cannot even attempt AUTH without TLS. Both services can be enabled at the same time; the two listings only show them one at a time.

After this, set port 587 as the outgoing server (SMTP) port in Outlook's advanced settings and choose TLS as the encryption type.

Don't forget to reload the postfix configuration:
# service postfix reload

Now we can telnet into the server and check that postfix is offering STARTTLS (on port 25 or 587; port 465 speaks TLS from the start, so telnet shows nothing useful there, use openssl s_client -connect localhost:465 instead):

$ telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
220 mail.example.com ESMTP Postfix
EHLO example.com
250-mail.example.com
250-PIPELINING
250-SIZE 20480000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
quit
221 2.0.0 Bye
Connection closed by foreign host.

If everything is working as expected, the server offers STARTTLS and, because we have specified smtpd_tls_auth_only = yes, plain text SASL authentication (the AUTH PLAIN LOGIN and AUTH=PLAIN LOGIN lines seen earlier) is no longer advertised on the unencrypted session. It reappears once the client has issued STARTTLS, which you can see with openssl s_client -connect localhost:25 -starttls smtp followed by an EHLO.
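A more systematic version of that check, added here as an example and not part of the original article: it audits an EHLO reply programmatically (AUTH must be absent before STARTTLS and present after it) and then performs a real SASL PLAIN login inside STARTTLS, never on a plaintext socket. The host names, ports and the alice/secret account in the usage lines are placeholders; the demo at the bottom runs the audit on constructed replies modelled on the two transcripts above.

```bash
#!/bin/bash
# Added example (not from the original article): verify from the outside that
# SMTP credentials can only travel inside TLS.  ehlo_audit judges an EHLO reply
# read from stdin; smtp_auth_test performs a real AUTH PLAIN inside STARTTLS.
# The host, ports and the alice/secret account in the usage lines are placeholders.
#
#   ehlo_capture     mail.example.com 25  | ehlo_audit pre-tls
#   ehlo_capture_tls mail.example.com 587 | ehlo_audit post-tls
#   smtp_auth_test   mail.example.com 587 alice secret

# EHLO reply of a plaintext session (bash /dev/tcp, so no nc/telnet needed).
ehlo_capture() {            # $1 host, $2 port
    exec 3<>"/dev/tcp/$1/$2"
    printf 'EHLO audit.example\r\nQUIT\r\n' >&3
    cat <&3
    exec 3>&-
}

# EHLO reply after STARTTLS: openssl negotiates TLS, then our EHLO goes inside it
# (-crlf turns the LF line ends into CRLF, -quiet keeps reading until the server closes).
ehlo_capture_tls() {        # $1 host, $2 port
    printf 'EHLO audit.example\nQUIT\n' |
        openssl s_client -connect "$1:$2" -starttls smtp -crlf -quiet 2>/dev/null
}

# ehlo_audit pre-tls|post-tls   (EHLO reply on stdin); returns 1 on a finding.
ehlo_audit() {
    local phase=$1 reply auth=no starttls=no
    reply=$(cat)
    # Postfix advertises "250-AUTH PLAIN LOGIN" and, with broken_sasl_auth_clients = yes,
    # also the non-standard "250-AUTH=PLAIN LOGIN"; catch both spellings.
    printf '%s\n' "$reply" | grep -Eqi '^250[ -]AUTH[ =]'  && auth=yes
    printf '%s\n' "$reply" | grep -Eqi '^250[ -]STARTTLS'  && starttls=yes
    case $phase in
    pre-tls)
        if [ "$auth" = yes ]; then
            echo "FAIL: AUTH offered before STARTTLS, passwords would cross the wire in clear (smtpd_tls_auth_only = yes)"; return 1
        fi
        if [ "$starttls" = no ]; then
            echo "FAIL: STARTTLS not offered, clients cannot upgrade this session"; return 1
        fi
        echo "OK: STARTTLS offered, no AUTH in the clear" ;;
    post-tls)
        if [ "$auth" = no ]; then
            echo "FAIL: no AUTH inside TLS, SASL is not wired to Dovecot"; return 1
        fi
        echo "OK: AUTH offered inside TLS only" ;;
    *)  echo "usage: ehlo_audit pre-tls|post-tls" >&2; return 2 ;;
    esac
}

# SASL PLAIN initial response (RFC 4616): base64("\0" user "\0" password).
sasl_plain_b64() {          # $1 user, $2 password
    printf '\000%s\000%s' "$1" "$2" | base64 | tr -d '\n'
}

# auth_verdict: server reply on stdin; 235 is the only success code for AUTH.
auth_verdict() {
    if grep -q '^235 '; then echo "OK: authentication accepted"; return 0; fi
    echo "FAIL: authentication rejected or never reached"; return 1
}

# Live AUTH PLAIN inside STARTTLS; the credential never touches a plaintext socket.
smtp_auth_test() {          # $1 host, $2 port, $3 user, $4 password
    printf 'EHLO audit.example\nAUTH PLAIN %s\nQUIT\n' "$(sasl_plain_b64 "$3" "$4")" |
        openssl s_client -connect "$1:$2" -starttls smtp -crlf -quiet 2>/dev/null |
        auth_verdict
}

# Stand-alone demo on constructed replies (modelled on the two EHLO transcripts above):
demo_before='220 kvit.6987.in ESMTP Postfix
250-kvit.6987.in
250-PIPELINING
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250 DSN'
demo_after='220 mail.example.com ESMTP Postfix
250-mail.example.com
250-PIPELINING
250-STARTTLS
250 DSN'
printf '%s\n' "$demo_before" | ehlo_audit pre-tls || :    # FAIL: AUTH in the clear
printf '%s\n' "$demo_after"  | ehlo_audit pre-tls || :    # OK
```

Run the pre-tls audit against port 25 and 587 and the post-tls audit against 587 after every change to main.cf or master.cf; smtp_auth_test with a real account confirms that the Dovecot socket actually answers, which the EHLO banner alone cannot prove.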

TLS sessions now show up in /var/log/maillog as lines containing "TLS connection established", for example "Anonymous TLS connection established from ..." for a client that presented no certificate of its own.

Configure TLS/SSL in Dovecot:

# vim /etc/dovecot/dovecot.conf

Uncomment the following line:

## Line 20 - uncomment ##
protocols = imap pop3 lmtp

Edit /etc/dovecot/conf.d/10-auth.conf

# vim /etc/dovecot/conf.d/10-auth.conf

And make the changes as shown below:

## line 9 - uncomment ##
disable_plaintext_auth = yes

## line 97 - add "login" ##
auth_mechanisms = plain login

disable_plaintext_auth = yes is the Dovecot counterpart of smtpd_tls_auth_only: until an IMAP/POP3 session has been upgraded with STARTTLS (or arrives on the SSL-wrapped ports 993/995) Dovecot advertises LOGINDISABLED and refuses plaintext logins from non-local addresses, so a misconfigured client cannot leak its password. LOGIN is added to the mechanisms for the same old Outlook versions that need broken_sasl_auth_clients in Postfix.

# vim /etc/dovecot/conf.d/10-ssl.conf

And make the changes as shown below:
## line 6 - uncomment ##
ssl = yes
## and then add the following lines:
ssl_cert = </etc/postfix/ssl/smtpd.crt
ssl_key = </etc/postfix/ssl/smtpd.key
ssl_ca = </etc/postfix/ssl/cacert.pem
ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL

The leading "<" tells Dovecot to read the file contents; Dovecot opens the certificate and key as root before dropping privileges, so the key can stay mode 600 and root-owned. ssl_ca in Dovecot is consulted only for verifying client certificates, so it is harmless but unused here. ALL:!LOW:!SSLv2 alone would still permit export-grade and anonymous (aNULL) cipher suites; the latter let an active attacker sit in the middle without presenting any certificate at all, hence the two extra exclusions.

# service postfix restart

# service dovecot restart
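The equivalent check on the Dovecot side, added as an example and not part of the original article: with disable_plaintext_auth = yes the pre-TLS IMAP greeting must carry STARTTLS and LOGINDISABLED and no AUTH= mechanism. mail.example.com and port 143 in the usage line are placeholders; the greetings in the demo are constructed after Dovecot's pre-login capability format.

```bash
#!/bin/bash
# Added example (not from the original article): confirm that Dovecot refuses
# plaintext logins until TLS is up.  With disable_plaintext_auth = yes the
# pre-TLS IMAP greeting carries STARTTLS and LOGINDISABLED and no AUTH= mechanism.
# mail.example.com and port 143 in the usage line are placeholders.
#
#   imap_capability mail.example.com 143 | imap_audit

# Greeting plus CAPABILITY reply of a plaintext IMAP session (bash /dev/tcp).
imap_capability() {         # $1 host, $2 port
    exec 3<>"/dev/tcp/$1/$2"
    printf 'a1 CAPABILITY\r\na2 LOGOUT\r\n' >&3
    cat <&3
    exec 3>&-
}

# imap_audit: capability text on stdin; returns 1 if a plaintext login path exists.
imap_audit() {
    local caps rc=0
    caps=$(cat)
    if ! printf '%s\n' "$caps" | grep -q 'STARTTLS'; then
        echo "FAIL: STARTTLS not advertised (ssl = yes missing, or cert/key unreadable)"; rc=1
    fi
    if ! printf '%s\n' "$caps" | grep -q 'LOGINDISABLED'; then
        echo "FAIL: LOGIN accepted in the clear (disable_plaintext_auth = no?)"; rc=1
    fi
    if printf '%s\n' "$caps" | grep -Eq 'AUTH=(PLAIN|LOGIN)'; then
        echo "FAIL: AUTH=PLAIN/LOGIN offered before TLS"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: no plaintext authentication path before STARTTLS"
    return "$rc"
}

# Stand-alone demo on constructed greetings (Dovecot's pre-login format):
demo_good='* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS LOGINDISABLED] Dovecot ready.'
demo_bad='* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN AUTH=LOGIN] Dovecot ready.'
printf '%s\n' "$demo_good" | imap_audit || :    # OK
printf '%s\n' "$demo_bad"  | imap_audit || :    # FAIL: AUTH before TLS, LOGINDISABLED missing
```

Connections from localhost count as secure for Dovecot, so run the live check from another machine (or against the server's public address) to see the real pre-TLS greeting.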

CEO, KV IT-Solutions Pvt. Ltd. | 9810028374
Linux Professional and an Industrial Trainer | 20+ years experience in the IT industry
