I was afraid that this page might at some time disappear, and I'm just kind of backing it up!
Step by Step

1. Install sasl2 and saslauthd, preferably from ports. Make sure your ports tree is current before proceeding:

cd /usr/ports/security/cyrus-sasl2
make all install clean
cd ../cyrus-sasl2-saslauthd
make all install clean

2. Configure sasl2:

cd /usr/local/lib/sasl2
echo "pwcheck_method: saslauthd" > smtpd.conf

3. Disable unused SASL authentication methods. If you skip this step, you will have problems with Microsoft Outlook/Outlook Express clients trying to perform NTLM auth against your server. You can also move any other unused auth methods to the "deactivated" directory if you know of others you do not plan to use or support.

cd /usr/local/lib/sasl2
mkdir deactivated
mv *ntlm* deactivated

4. Download the latest Postfix source and the Postfix TLS patch and unpack them:

cd /tmp
mkdir postfix-work
cd postfix-work
wget http://postfix.energybeam.com/source/official/postfix-2.0.15.tar.gz
wget ftp://ftp.aet.tu-cottbus.de/pub/postfix_tls/pfixtls-0.8.16-2.0.15-0.9.7b.tar.gz
gunzip *
tar xf postfix-2.0.15.tar && tar xf pfixtls-0.8.16-2.0.15-0.9.7b.tar

5. Apply the TLS patch to the Postfix source as described in the README file contained in the pfixtls* package:

patch -p0 < pfixtls-0.8.16-2.0.15-0.9.7b/pfixtls.diff

6. Build Postfix with SSL and SASL support. Your syntax may vary if your libs aren't in the right place or if you're using different versions than I am:

cd postfix-2.0.15
make makefiles CCARGS="-DUSE_SASL_AUTH -I/usr/local/include/sasl \
-DHAS_SSL -I/usr/local/include/openssl" AUXLIBS="-L/usr/local/lib \
-R/usr/local/lib -lsasl2 -lssl -lcrypto"

If you are upgrading from an existing, known-good version of Postfix:

make upgrade

If this is a new install:

make install

7. Verify that the correct libraries have been linked in:

ldd /usr/libexec/postfix/smtpd

You should see the following:

smtpd:
libsasl2.so.2 => /usr/local/lib/libsasl2.so.2 (0x28096000)
libssl.so.3 => /usr/local/lib/libssl.so.3 (0x280aa000)
libcrypto.so.3 => /usr/local/lib/libcrypto.so.3 (0x280db000)
libc.so.5 => /usr/lib/libc.so.5 (0x281df000)

If you see libsasl2, libssl, and libcrypto, congratulations -- the server is ready to support SASL and TLS.

8. Generate an SSL certificate:

mkdir /etc/postfix/ssl
cd /etc/postfix/ssl
openssl req -new -x509 -nodes -out smtpd.pem -keyout smtpd.pem -days 3650
9. Enter the configuration options for Postfix in /etc/postfix/main.cf. Your settings for the two "restrictions" lines may vary, but it is important to note that the sasl inclusion must be the first entry in the list.

# sasl config
broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks

# tls config
smtp_use_tls = yes
smtpd_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.pem
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.pem
smtpd_tls_CAfile = /etc/postfix/ssl/smtpd.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

10. Pray.
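As an added example (not part of the original page), the POSIX shell script below checks a main.cf against what step 9 requires: SASL auth enabled, TLS enabled, and permit_sasl_authenticated as the first entry of both restriction lists. The two sample configs are constructed inline, and the helper names cf_get, first_entry and check_maincf are my own; the script can be pointed at a real /etc/postfix/main.cf instead.

```shell
#!/bin/sh
# Added example, not from the original page: verify the step-9 main.cf
# settings. Sample configs below are constructed so the script runs offline.

# Print the value of a main.cf parameter (text after '='), with comments and
# blank lines ignored; the last assignment wins, as in Postfix itself.
cf_get() {  # usage: cf_get <file> <parameter>
    awk -v key="$2" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        {
            split($0, kv, "=")
            name = kv[1]; sub(/^[[:space:]]+/, "", name); sub(/[[:space:]]+$/, "", name)
            if (name == key) {
                val = substr($0, index($0, "=") + 1)
                sub(/^[[:space:]]+/, "", val); sub(/[[:space:]]+$/, "", val)
                found = val
            }
        }
        END { print found }' "$1"
}

# First comma-separated entry of a restriction list, whitespace trimmed.
first_entry() {  # usage: first_entry "<value>"
    printf '%s\n' "$1" | awk -F',' '{ gsub(/^[[:space:]]+|[[:space:]]+$/, "", $1); print $1 }'
}

# Return 0 when the file meets the step-9 requirements, 1 otherwise, printing
# one line per failed check. Also warn (stderr only, does not affect the
# result) when smtpd_recipient_restrictions has no reject_unauth_destination,
# the entry that stops unauthenticated outside clients from relaying.
check_maincf() {  # usage: check_maincf <file>
    rc=0
    [ "$(cf_get "$1" smtpd_sasl_auth_enable)" = "yes" ] \
        || { echo "smtpd_sasl_auth_enable is not yes"; rc=1; }
    [ "$(cf_get "$1" smtpd_use_tls)" = "yes" ] \
        || { echo "smtpd_use_tls is not yes"; rc=1; }
    for p in smtpd_sender_restrictions smtpd_recipient_restrictions; do
        first=$(first_entry "$(cf_get "$1" "$p")")
        [ "$first" = "permit_sasl_authenticated" ] \
            || { echo "$p: first entry is '$first', expected permit_sasl_authenticated"; rc=1; }
    done
    case ",$(cf_get "$1" smtpd_recipient_restrictions)," in
        *reject_unauth_destination*) ;;
        *) echo "warning: smtpd_recipient_restrictions has no reject_unauth_destination" >&2 ;;
    esac
    return $rc
}

# Constructed sample configs: one with the page's settings, one with the
# restriction order reversed and TLS switched off.
good_cf=$(mktemp); bad_cf=$(mktemp)
trap 'rm -f "$good_cf" "$bad_cf"' EXIT
cat > "$good_cf" <<'EOF'
# sasl config
broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks
# tls config
smtpd_use_tls = yes
EOF
cat > "$bad_cf" <<'EOF'
smtpd_sasl_auth_enable = yes
smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated
smtpd_use_tls = no
EOF

check_maincf "$good_cf" && echo "good config: OK"
check_maincf "$bad_cf" || echo "bad config: failed as expected"
```

Run it as-is to see both outcomes, or replace the constructed files with `check_maincf /etc/postfix/main.cf` on the server. The warning about reject_unauth_destination is deliberately advisory, since the page's own lists do not contain it.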
11. Start the SASL auth daemon:

/usr/local/etc/rc.d/saslauthd.sh start

12. Start your mail server:

postfix start

13. Test to ensure that the server is actually able to accept TLS connections and SASL auth:

telnet localhost 25
EHLO example.com

You should see several lines of text, including these three:

250-STARTTLS
250-AUTH LOGIN PLAIN OTP DIGEST-MD5 CRAM-MD5
250-AUTH=LOGIN LOGIN PLAIN OTP DIGEST-MD5 CRAM-MD5

If you have all three, your server is ready to authenticate via SASL and TLS, and can also negotiate TLS connections with other TLS-aware mail servers.
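To make the step-13 check repeatable, here is an added example (mine, not from the original page) that reads an EHLO response from stdin and reports whether the STARTTLS, AUTH and AUTH= capability lines are all present. The sample response is constructed from the lines the page says to expect; the function name ehlo_check is my own. You can instead feed it a saved copy of what telnet printed.

```shell
#!/bin/sh
# Added example, not from the original page: check an SMTP EHLO response
# for the three capability lines step 13 requires.

# Print STARTTLS=yes|no, AUTH=<mechanisms>|no and AUTH_EQ=<mechanisms>|no,
# and return 0 only when all three capabilities are advertised.
# Handles CRLF line endings from real captures.
ehlo_check() {  # usage: ehlo_check < response
    awk '
        # capability lines look like "250-NAME args", or "250 NAME args" for the last one
        /^250[- ]/ {
            line = substr($0, 5); sub(/\r$/, "", line)
            if (line == "STARTTLS")        starttls = 1
            else if (line ~ /^AUTH=/)      auth_eq = substr(line, 6)
            else if (line ~ /^AUTH /)      auth = substr(line, 6)
        }
        END {
            printf "STARTTLS=%s\n", (starttls ? "yes" : "no")
            printf "AUTH=%s\n", (auth != "" ? auth : "no")
            printf "AUTH_EQ=%s\n", (auth_eq != "" ? auth_eq : "no")
            exit ((starttls && auth != "" && auth_eq != "") ? 0 : 1)
        }'
}

# Constructed EHLO response modelled on the page's expected output.
sample_ehlo='220 mail.example.com ESMTP Postfix
250-mail.example.com
250-PIPELINING
250-SIZE 10240000
250-STARTTLS
250-AUTH LOGIN PLAIN OTP DIGEST-MD5 CRAM-MD5
250-AUTH=LOGIN PLAIN OTP DIGEST-MD5 CRAM-MD5
250 8BITMIME'

printf '%s\n' "$sample_ehlo" | ehlo_check \
    && echo "all three capabilities present" \
    || echo "missing STARTTLS or AUTH capability"
```

Note that with the step-9 settings these AUTH lines are advertised on the plaintext connection as well, so a client configured without SSL will send LOGIN/PLAIN credentials in the clear (which is exactly what the step-14 log line, taken before TLS was enabled in the client, shows). Postfix's smtpd_tls_auth_only = yes makes it advertise AUTH only after STARTTLS has completed.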
14. Fire up a mail client, configure it to use authentication on outbound SMTP, and try sending a message. You should see a log entry similar to the one below each time a user authenticates to send a message. If the entry shows up, that's good: the user is most likely authenticating properly and their message will be relayed. Make sure that Postfix actually relays the message, though, because if main.cf is not configured correctly it will still bounce the message.

Sep 12 11:40:29 hostname postfix/smtpd[79381]: C5FA32855D: client=unknown[x.x.x.x], sasl_method=LOGIN, sasl_username=joeuser

15. Test TLS/SSL. This part is easy. Go back to your mail client and find the checkbox specifying that the connection for outgoing mail should be authenticated *and* use SSL. Enable it, and try sending a message. You should see TLS negotiation banners similar to the following in the same mail log:

Sep 12 12:56:04 hostname postfix/smtpd[79849]: setting up TLS connection from machine.example.com[x.x.x.x]
Sep 12 12:56:04 hostname postfix/smtpd[79849]: TLS connection established from machine.example.com[x.x.x.x]: TLSv1 with cipher RC4-MD5 (128/128 bits)
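The two log excerpts in steps 14 and 15 show the point a defender wants to watch: the same user can authenticate with or without TLS, and only the log tells you which. The added example below (my own, not from the original page) audits a mail log for SASL logins and reports whether each one happened inside a TLS session, tracking TLS state per smtpd process and resetting it on the "connect from" / "disconnect from" lines Postfix writes for every session (those lines are not shown on the page). The sample log is constructed: the joeuser line is the page's, while the other queue IDs, hostnames and 192.0.2.x addresses are made up; the function name audit_sasl_tls is mine.

```shell
#!/bin/sh
# Added example, not from the original page: find SASL logins that were not
# protected by TLS, using the smtpd log lines shown in steps 14 and 15.

# Read a Postfix mail log on stdin. Print one line per SASL login:
#   <queue-id> tls|PLAINTEXT user=<u> method=<m> client=<host[ip]>
# followed by a plaintext_auths=<n> summary. Exit 1 if any login was plaintext,
# so the function can be used as a cron check.
audit_sasl_tls() {  # usage: audit_sasl_tls < /var/log/maillog
    awk '
        # pid of the smtpd process that wrote this line; TLS state is per pid
        match($0, /postfix\/smtpd\[[0-9]+\]/) { pid = substr($0, RSTART + 14, RLENGTH - 15) }
        / connect from /                    { tls[pid] = 0 }  # new session, no TLS yet
        / TLS connection established from / { tls[pid] = 1 }
        / disconnect from /                 { tls[pid] = 0 }  # smtpd is reused for the next client
        /sasl_username=/ {
            qid = $6; sub(/:$/, "", qid)
            user = $0;   sub(/.*sasl_username=/, "", user); sub(/[, ].*/, "", user)
            meth = $0;   sub(/.*sasl_method=/, "", meth);   sub(/[, ].*/, "", meth)
            client = $0; sub(/.*client=/, "", client);      sub(/,.*/, "", client)
            state = tls[pid] ? "tls" : "PLAINTEXT"
            printf "%s %s user=%s method=%s client=%s\n", qid, state, user, meth, client
            if (!tls[pid]) plain++
        }
        END { printf "plaintext_auths=%d\n", plain + 0; exit (plain > 0) }'
}

# Constructed sample log: session 1 is the page's step-14 login (no TLS),
# session 2 is the step-15 TLS login, session 3 reuses the same smtpd
# process after a disconnect and authenticates without TLS again.
sample_log='Sep 12 11:40:01 hostname postfix/smtpd[79381]: connect from unknown[192.0.2.10]
Sep 12 11:40:29 hostname postfix/smtpd[79381]: C5FA32855D: client=unknown[192.0.2.10], sasl_method=LOGIN, sasl_username=joeuser
Sep 12 11:40:30 hostname postfix/smtpd[79381]: disconnect from unknown[192.0.2.10]
Sep 12 12:55:59 hostname postfix/smtpd[79849]: connect from machine.example.com[192.0.2.20]
Sep 12 12:56:04 hostname postfix/smtpd[79849]: setting up TLS connection from machine.example.com[192.0.2.20]
Sep 12 12:56:04 hostname postfix/smtpd[79849]: TLS connection established from machine.example.com[192.0.2.20]: TLSv1 with cipher RC4-MD5 (128/128 bits)
Sep 12 12:56:09 hostname postfix/smtpd[79849]: 1A2B3C4D5E: client=machine.example.com[192.0.2.20], sasl_method=PLAIN, sasl_username=janeuser
Sep 12 12:56:10 hostname postfix/smtpd[79849]: disconnect from machine.example.com[192.0.2.20]
Sep 12 13:01:00 hostname postfix/smtpd[79849]: connect from unknown[192.0.2.30]
Sep 12 13:01:02 hostname postfix/smtpd[79849]: 9F8E7D6C5B: client=unknown[192.0.2.30], sasl_method=LOGIN, sasl_username=joeuser'

printf '%s\n' "$sample_log" | audit_sasl_tls \
    || echo "WARNING: SASL logins seen without TLS"
```

On the server, `audit_sasl_tls < /var/log/maillog` gives the same report for real traffic. Resetting the per-process state on disconnect matters: a long-lived smtpd serves many clients in turn, and without the reset the third session above would be misreported as protected because an earlier client on the same process had negotiated TLS.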
Now the fun part is watching to see which other mail servers can speak TLS. Since your server is TLS-aware, it will attempt to negotiate a TLS session with any mail server that supports it. Surprisingly, I noticed at least ten servers supporting it as they relayed mail to users on my hosts.

If you're unhappy that the certificate you generated is self-signed, you can get your own signed cert from SSL.com, among others. With the self-signed cert, clients will likely display a message indicating that the certificate received is not valid; users can safely dismiss this message and should not see it again. Once you use a signed cert, users will not see an error when connecting to your TLS-aware server.