{"id":904,"date":"2012-08-02T15:56:02","date_gmt":"2012-08-02T07:56:02","guid":{"rendered":"http:\/\/rmohan.com\/?p=904"},"modified":"2012-08-02T16:00:55","modified_gmt":"2012-08-02T08:00:55","slug":"postfix-smtp-auth-tls-howto","status":"publish","type":"post","link":"https:\/\/mohan.sg\/?p=904","title":{"rendered":"Postfix-SMTP-AUTH-TLS-Howto"},"content":{"rendered":"

Postfix-SMTP-AUTH-TLS-Howto<\/span><\/strong>
\n<\/span><\/p>\n

Version 1.0
\nAuthor: Falko Timme <falko [dot] timme [at] projektfarm [dot] de>
\nLast edited 12\/31\/2003 <\/span><\/p>\n

You can find the latest version of this document at http:\/\/www.howtoforge.com<\/a><\/div>\n

This document describes how to install a mail server based on postfix that is capable of SMTP-AUTH and TLS. It should work (maybe with slight changes concerning paths etc.) on all *nix operating systems. I tested it on Debian Woody and Fedora Core 1 so far.<\/span><\/p>\n

This howto is meant as a practical guide; it does not cover the theoretical backgrounds. They are treated in a lot of other documents in the web.<\/span><\/p>\n

This document comes without warranty of any kind!<\/span><\/p>\n

 <\/p>\n

1 Get the Sources<\/strong><\/span><\/p>\n

We need the following software: openssl, cyrus-sasl2, postfix and the TLS patch for postfix. We will install the software from the \/tmp<\/span><\/em> directory.<\/span><\/p>\n

cd \/tmp<\/em><\/span>
\nwget http:\/\/www.openssl.org\/source\/openssl-0.9.7c.tar.gz<\/span><\/em>
\nwget –passive-ftp ftp:\/\/ftp.andrew.cmu.edu\/pub\/cyrus-mail\/cyrus-sasl-2.1.17.tar.gz<\/span><\/em>
\nwget –passive-ftp ftp:\/\/ftp.aet.tu-cottbus.de\/pub\/postfix_tls\/related\/postfix\/postfix-2.0.16.tar.gz<\/span><\/em>
\nwget –passive-ftp ftp:\/\/ftp.aet.tu-cottbus.de\/pub\/postfix_tls\/pfixtls-0.8.16-2.0.16-0.9.7b.tar.gz<\/span><\/em><\/p>\n

 <\/p>\n

2 Install Openssl<\/strong><\/span><\/p>\n

tar xvfz openssl-0.9.7c.tar.gz
\ncd openssl-0.9.7c
\n.\/config
\nmake
\nmake install<\/em><\/span><\/p>\n

 <\/p>\n

3 Install Cyrus-sasl<\/strong><\/span><\/p>\n

cd \/tmp
\ntar xvfz cyrus-sasl-2.1.17.tar.gz
\ncd cyrus-sasl-2.1.17
\n.\/configure –enable-anon –enable-plain –enable-login –disable-krb4 –with-saslauthd=\/var\/run\/saslauthd –with-pam –with-openssl=\/usr\/local\/ssl –with-plugindir=\/usr\/local\/lib\/sasl2 –enable-cram –enable-digest –enable-otp<\/em><\/span> (1 line!)<\/span>
\nmake
\nmake install<\/span><\/em><\/p>\n

If <\/span>\/usr\/lib\/sasl2<\/span><\/em> exists: <\/span>
\nmv \/usr\/lib\/sasl2 \/usr\/lib\/sasl2_orig<\/span><\/em><\/p>\n

ln -s \/usr\/local\/lib\/sasl2 \/usr\/lib\/sasl2<\/span><\/em><\/p>\n

Create the file \/usr\/local\/lib\/sasl2\/smtpd.conf<\/span><\/em>:<\/span><\/p>\n\n\n\n
\n
# This sets smtpd to authenticate using the saslauthd daemon.\r\npwcheck_method:saslauthd\r\n# This allows only plain, login, cram-md5 and digest-md5 as the authentication mechanisms.\r\nmech_list: plain login cram-md5 digest-md5<\/pre>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n
 <\/p>\n
4 Install Postfix<\/span><\/strong><\/p>\n
cd \/tmp
\ntar xvfz pfixtls-0.8.16-2.0.16-0.9.7b.tar.gz
\ntar xvfz postfix-2.0.16.tar.gz
\ncd postfix-2.0.16
\nuseradd postfix
\ngroupadd postdrop
\npatch -p1 < ..\/pfixtls-0.8.16-2.0.16-0.9.7b\/pfixtls.diff
\nmake makefiles CCARGS=”-DHAS_SSL -DUSE_SASL_AUTH -I\/usr\/local\/include\/sasl -I\/usr\/local\/ssl\/include” AUXLIBS=”-L\/usr\/local\/ssl\/lib -L\/usr\/local\/lib -R\/usr\/local\/lib -lsasl2 -lssl -lcrypto” <\/span><\/em>(1 line!)<\/span>
\nmake
\nmake install<\/span><\/em> (accept the default values)<\/span>
\n
\ncp \/etc\/postfix\/aliases \/etc\/
\nnewaliases<\/em><\/span><\/p>\n
Create<\/span> \/etc\/init.d\/postfix<\/span><\/em>:<\/span><\/p>\n\n\n\n
\n
#!\/bin\/bash\r\n#\r\n# postfix        This script controls the postfix daemon.\r\n#\r\n\r\n# description: Postfix MTA\r\n# processname: postfix\r\n\r\ncase \"$1\" in\r\n    start)\r\n        \/usr\/sbin\/postfix start\r\n    ;;\r\n    stop)\r\n        \/usr\/sbin\/postfix stop\r\n    ;;\r\n    reload)\r\n        \/usr\/sbin\/postfix reload\r\n    ;;\r\n    restart)\r\n        $0 stop\r\n        $0 start\r\n    ;;\r\n    *)\r\n    echo \"Usage: $0 {start|stop|reload|restart}\"\r\n    exit 1\r\nesac\r\nexit 0<\/pre>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n
chmod 755 \/etc\/init.d\/postfix<\/span><\/em><\/p>\n
In order to start  postfix<\/em><\/span> at boot time do the following:<\/span><\/p>\n
ln -s \/etc\/init.d\/postfix \/etc\/rc2.d\/S20postfix
\nln -s \/etc\/init.d\/postfix \/etc\/rc3.d\/S20postfix
\nln -s \/etc\/init.d\/postfix \/etc\/rc4.d\/S20postfix
\nln -s \/etc\/init.d\/postfix \/etc\/rc5.d\/S20postfix
\nln -s \/etc\/init.d\/postfix \/etc\/rc0.d\/K20postfix
\nln -s \/etc\/init.d\/postfix \/etc\/rc1.d\/K20postfix
\nln -s \/etc\/init.d\/postfix \/etc\/rc6.d\/K20postfix<\/span><\/em><\/p>\n
Our postfix will run chrooted in \/var\/spool\/postfix<\/span><\/em> so we have to copy a few files:<\/span><\/p>\n
mkdir -p \/var\/spool\/postfix\/etc
\ncd \/etc
\ncp localtime services hosts resolv.conf \/var\/spool\/postfix\/etc\/
\nmkdir -p \/var\/spool\/postfix\/var\/run
\nmv -f \/var\/run\/saslauthd\/ \/var\/spool\/postfix\/var\/run\/
\nchmod 755 \/var\/spool\/postfix\/var\/run\/saslauthd\/
\nln -s \/var\/spool\/postfix\/var\/run\/saslauthd\/ \/var\/run\/saslauthd<\/span><\/em><\/p>\n
Now we have to generate the certificate files needed for TLS:<\/span><\/p>\n
mkdir \/etc\/postfix\/ssl
\ncd \/etc\/postfix\/ssl\/
\n<\/em><\/span><\/p>\n
If<\/span> \/usr\/bin\/openssl<\/em><\/span> exists:<\/span><\/p>\n
mv<\/em><\/span> \/usr\/bin\/openssl<\/em><\/span> \/usr\/bin\/openssl<\/em><\/span>_orig<\/span><\/em><\/span><\/p>\n
ln -s \/usr\/local\/ssl\/bin\/openssl \/usr\/bin\/openssl
\nopenssl genrsa -des3 -rand \/etc\/hosts -out smtpd.key 1024<\/em><\/span><\/p>\n
<- Enter a password for smtpd.key.<\/span><\/span><\/p>\n
chmod 600 smtpd.key
\nopenssl req -new -key smtpd.key -out smtpd.csr<\/em><\/span><\/p>\n
<- Again, enter your password for smtpd.key.
\n<- Enter your Country Name (e.g., “DE”).
\n<- Enter your State or Province Name.
\n<- Enter your City.
\n<- Enter your Organization Name (e.g., the name of your company).
\n<- Enter your Organizational Unit Name (e.g. “IT Department”).
\n<- Enter the Fully Qualified Domain Name of the system (e.g. “server1.example.com”).
\n<- Enter your Email Address.
\n<\/span><\/p>\n
The following information is optional:<\/span><\/p>\n
<- Enter a challenge password.
\n<- Enter an optional company name.<\/span><\/p>\n
openssl x509 -req -days 3650 -in smtpd.csr -signkey smtpd.key -out smtpd.crt<\/em><\/span><\/p>\n
<- Again, enter your password for smtpd.key.<\/span>
\n<\/em><\/span><\/p>\n
openssl rsa -in smtpd.key -out smtpd.key.unencrypted<\/em><\/span><\/p>\n
<- Again, enter your password for smtpd.key.<\/span>
\n<\/em><\/span><\/p>\n
mv -f smtpd.key.unencrypted smtpd.key
\nopenssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650<\/em><\/span><\/p>\n
<- Again, enter your password for smtpd.key.
\n<- Enter your Country Name (e.g., “DE”).
\n<- Enter your State or Province Name.
\n<- Enter your City.
\n<- Enter your Organization Name (e.g., the name of your company).
\n<- Enter your Organizational Unit Name (e.g. “IT Department”).
\n<- Enter the Fully Qualified Domain Name of the system (e.g. “server1.example.com”).
\n<- Enter your Email Address.<\/span><\/p>\n
Edit \/etc\/postfix\/main.cf<\/span><\/em> in order to enable SMTP-AUTH and TLS:<\/span><\/p>\n
postconf -e ‘mydomain = example.com’
\npostconf -e ‘myhostname = server1.$mydomain’
\npostconf -e ‘smtpd_sasl_local_domain =’
\npostconf -e ‘smtpd_sasl_auth_enable = yes’
\npostconf -e ‘smtpd_sasl_security_options = noanonymous’
\npostconf -e ‘broken_sasl_auth_clients = yes’
\npostconf -e ‘smtpd_recipient_restrictions=permit_sasl_authenticated,permit_mynetworks,check_relay_domains’
\npostconf -e ‘inet_interfaces = all’
\npostconf -e ‘alias_maps = hash:\/etc\/aliases’
\n<\/em><\/span>postconf -e ‘smtpd_tls_auth_only = no’
\npostconf -e ‘smtp_use_tls = yes’
\npostconf -e ‘smtpd_use_tls = yes’
\npostconf -e ‘smtp_tls_note_starttls_offer = yes’
\npostconf -e ‘smtpd_tls_key_file = \/etc\/postfix\/ssl\/smtpd.key’
\npostconf -e ‘smtpd_tls_cert_file = \/etc\/postfix\/ssl\/smtpd.crt’
\npostconf -e ‘smtpd_tls_CAfile = \/etc\/postfix\/ssl\/cacert.pem’
\npostconf -e ‘smtpd_tls_loglevel = 1’
\npostconf -e ‘smtpd_tls_received_header = yes’
\npostconf -e ‘smtpd_tls_session_cache_timeout = 3600s’
\npostconf -e ‘tls_random_source = dev:\/dev\/urandom’<\/span><\/em><\/span><\/p>\n
 <\/p>\n
5 Configure Saslauthd<\/strong><\/span><\/p>\n
Create \/etc\/init.d\/saslauthd<\/span><\/em>:<\/span><\/p>\n\n\n\n
\n
#!\/bin\/sh -e\r\n\r\nNAME=saslauthd\r\nDAEMON=\"\/usr\/sbin\/${NAME}\"\r\nDESC=\"SASL Authentication Daemon\"\r\nDEFAULTS=\/etc\/default\/saslauthd\r\n\r\ntest -f \"${DAEMON}\" || exit 0\r\n\r\n# Source defaults file; edit that file to configure this script.\r\nif [ -e \"${DEFAULTS}\" ]; then\r\n    . \"${DEFAULTS}\"\r\nfi\r\n\r\n# If we're not to start the daemon, simply exit\r\nif [ \"${START}\" != \"yes\" ]; then\r\n    exit 0\r\nfi\r\n\r\n# If we have no mechanisms defined\r\nif [ \"x${MECHANISMS}\" = \"x\" ]; then\r\n    echo \"You need to configure ${DEFAULTS} with mechanisms to be used\"\r\n    exit 0\r\nfi\r\n\r\n# Add our mechanimsms with the necessary flag\r\nfor i in ${MECHANISMS}; do\r\n    PARAMS=\"${PARAMS} -a ${i}\"\r\ndone\r\n\r\n# Consider our options\r\ncase \"${1}\" in\r\n  start)\r\n        echo -n \"Starting ${DESC}: \"\r\n        ln -fs \/var\/spool\/postfix\/var\/run\/${NAME} \/var\/run\/${NAME}\r\n        ${DAEMON} ${PARAMS}\r\n        echo \"${NAME}.\"\r\n        ;;\r\n  stop)\r\n        echo -n \"Stopping ${DESC}: \"\r\n        PROCS=`ps aux | grep -iw '\/usr\/sbin\/saslauthd' | grep -v 'grep' |awk '{print $2}' | tr '\\n' ' '`\r\n        if [ \"x${PROCS}\" != \"x\" ]; then\r\n          kill -15 ${PROCS} &> \/dev\/null\r\n        fi\r\n        echo \"${NAME}.\"\r\n        ;;\r\n  restart|force-reload)\r\n        $0 stop\r\n        sleep 1\r\n        $0 start\r\n        echo \"${NAME}.\"\r\n        ;;\r\n  *)\r\n        echo \"Usage: \/etc\/init.d\/${NAME} {start|stop|restart|force-reload}\" >&2\r\n        exit 1\r\n        ;;\r\nesac\r\n\r\nexit 0<\/pre>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n
chmod 755 \/etc\/init.d\/saslauthd<\/span><\/em><\/p>\n
In order to start  saslauthd<\/em><\/span> at boot time do the following:<\/span><\/p>\n
ln -s \/etc\/init.d\/saslauthd \/etc\/rc2.d\/S20saslauthd
\nln -s \/etc\/init.d\/saslauthd \/etc\/rc3.d\/S20saslauthd
\nln -s \/etc\/init.d\/saslauthd \/etc\/rc4.d\/S20saslauthd
\nln -s \/etc\/init.d\/saslauthd \/etc\/rc5.d\/S20saslauthd
\nln -s \/etc\/init.d\/saslauthd \/etc\/rc0.d\/K20saslauthd
\nln -s \/etc\/init.d\/saslauthd \/etc\/rc1.d\/K20saslauthd
\nln -s \/etc\/init.d\/saslauthd \/etc\/rc6.d\/K20saslauthd<\/span><\/em><\/p>\n
Then create \/etc\/default\/saslauthd<\/span><\/em>:<\/span><\/p>\n\n\n\n
\n
# This needs to be uncommented before saslauthd will be run automatically\r\nSTART=yes\r\n\r\n# You must specify the authentication mechanisms you wish to use.\r\n# This defaults to \"pam\" for PAM support, but may also include\r\n# \"shadow\" or \"sasldb\"\r\nMECHANISMS=shadow<\/pre>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n
If you find out that saslauthd<\/span><\/em> is located in \/usr\/local\/sbin<\/span><\/em> instead of \/usr\/sbin<\/span><\/em> create a symbolic link:<\/span><\/p>\n
ln -s \/usr\/local\/sbin\/saslauthd \/usr\/sbin\/saslauthd<\/em><\/span><\/p>\n
Then start saslauthd<\/span><\/em> and postfix<\/span><\/em>:<\/span><\/p>\n
\/etc\/init.d\/saslauthd start<\/span><\/em><\/p>\n
\/etc\/init.d\/postfix start<\/em><\/span><\/p>\n
 <\/p>\n
6 Test your Configuration<\/strong><\/span><\/p>\n
To see if SMTP-AUTH and TLS work properly now run the following command:<\/span><\/p>\n
telnet localhost 25<\/span><\/em><\/span><\/p>\n
After you have established the connection to your postfix mail server type<\/span><\/p>\n
ehlo localhost<\/span><\/em><\/span><\/p>\n
If you see the lines<\/span><\/p>\n
250-STARTTLS<\/span><\/em><\/span><\/p>\n
and<\/span><\/p>\n
250-AUTH<\/span><\/em><\/span><\/p>\n
everything is fine.<\/span><\/p>\n
\"\"<\/p>\n
Type<\/span><\/p>\n
quit<\/span><\/em><\/span><\/p>\n
to return to the system’s shell.<\/span>
\nFurther (Debian-specific) information about this topic can be found here: http:\/\/www.projektfarm.com\/en\/support\/debian_setup\/index.html<\/a>.<\/span><\/p>\n
 <\/p>\n
Links<\/strong><\/span><\/p>\n","protected":false},"excerpt":{"rendered":"
Postfix-SMTP-AUTH-TLS-Howto <\/p>\n
Version 1.0 Author: Falko Timme <falko [dot] timme [at] projektfarm [dot] de> Last edited 12\/31\/2003 <\/p>\n
 You can find the latest version of this document at http:\/\/www.howtoforge.com <\/p>\n
This document describes how to install a mail server based on postfix that is capable of SMTP-AUTH and TLS. It should work (maybe with slight changes […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[33],"tags":[],"_links":{"self":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/904"}],"collection":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=904"}],"version-history":[{"count":3,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/904\/revisions"}],"predecessor-version":[{"id":906,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/904\/revisions\/906"}],"wp:attachment":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=904"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=904"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=904"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}