Tag Archives: SASL

Securing Postfix

cd /etc/postfix

vi main.cf

 

####### smtp auth
smtpd_tls_auth_only = no
smtp_use_tls = yes
smtpd_sasl_auth_enable =   yes
smtpd_sasl_type = cyrus
local_recipient_maps =
smtpd_use_tls = yes
smtp_tls_note_starttls_offer   = yes
smtpd_tls_key_file =   /etc/postfix/ssl/smtpd.key
smtpd_tls_cert_file =   /etc/postfix/ssl/smtpd.crt
smtpd_tls_CAfile =   /etc/postfix/ssl/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header   = yes
smtpd_tls_session_cache_timeout   = 3600s
tls_random_source =   dev:/dev/urandom
########

 

Then:

vi master.cf

 

Paste under smtp:

smtps   inet n   –   n   – – smtpd
-o smtpd_sasl_auth_enable=yes
-o smtpd_reject_unlisted_sender=yes
-o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
-o broken_sasl_auth_clients=yes

 

Check the smtpd.conf file and amend it:

locate smtpd.conf

vi /usr/lib/sasl2/smtpd.conf

 

Delete the contents of the file and paste into it:

pwcheck_method: saslauthd
mech_list: plain login

To check the SASL available mechanisms run:

saslauthd -V

Set SASL authentication to start at system boot:

chkconfig –levels 235 saslauthd on

Set up the encryption keys:

mkdir /etc/postfix/ssl

cd ssl/

openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024

chmod 600 smtpd.key

openssl req -new -key smtpd.key -out smtpd.csr

openssl x509 -req -days 3650 -in smtpd.csr -signkey smtpd.key -out smtpd.crt

openssl rsa -in smtpd.key -out smtpd.key.unencrypted

mv -f smtpd.key.unencrypted smtpd.key

openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650

Set up the client certificate for importing into Internet Explorer (for Outlook) / Thunderbird (this will suppress warnings about using a self signed certificate):

openssl pkcs12 -export -in smtpd.crt -inkey smtpd.key -out OutlookSMTP.p12

Reload the config:

postfix reload

if your mail server is behind a firewall (Assuming the LAN address of your server is 192.168.0.99), add these rules on your firewall:

 

iptables -A FORWARD -i   extif -p tcp –dport 465 -d 192.168.0.99 -o intif -j ACCEPT

iptables -A FORWARD -o   extif -p tcp –sport 465 -s 192.168.0.99 -i intif -j ACCEPT

iptables -t nat -A PREROUTING -i extif -p tcp -d extip2 –dport 465 -j dnat –to 192.168.0.99:465

Testing

Check if the port is listening:

netstat -ntpl | grep master

tcp 0 0 127.0.0.1:10025  0.0.0.0:*   LISTEN   8366/master

tcp 0 0 0.0.0.0:465   0.0.0.0:*   LISTEN   8366/master

tcp 0 0 0.0.0.0:25    0.0.0.0:*   LISTEN 8366/master

Test if TLS and AUTH is working:

telnet localhost 465

[root@ls1 postfix]# telnet localhost 465

Trying 127.0.0.1…

Connected to localhost.localdomain (127.0.0.1).

Escape character is ‘^]’.

220 yourserver ESMTP Postfix

ehlo me

250-yourserver

250-PIPELINING

250-SIZE 10240000

250-VRFY

250-ETRN

250-STARTTLS

250-AUTH LOGIN PLAIN

250-AUTH=LOGIN PLAIN

250 8BITMIME

^]

telnet> quit

Connection closed.

[root@ls1 postfix]#

To test further create an account and attain the Base64 Mime password with mmencode or the following perl script:

#!/usr/bin/perl
use strict;
use MIME::Base64;
if ( $#ARGV !=1) {
die “Usage: encode_sasl_plain.pl <username> <password>n”;
}
print encode_base64(“$ARGV[0]?$ARGV[0]?$ARGV[1]”);
exit 0;

 

Generate the Mime password:

encode_sasl_plain.pl <username> <password>

Y2FtZXJvbnMAY2FtZXJvbnMAdGVzdGluZzA4

telnet localhost 465

Trying 127.0.0.1…

Connected to localhost.localdomain (127.0.0.1).

Escape character is ‘^]’.

220 yourserver ESMTP Postfix

ehlo me

250-yourserver

250-PIPELINING

250-SIZE 10240000

250-VRFY

250-ETRN

250-STARTTLS

250-AUTH PLAIN LOGIN

250-AUTH=PLAIN LOGIN

250-ENHANCEDSTATUSCODES

250-8BITMIME

250 DSN

AUTH PLAIN Y2FtZXJvbnMAY2FtZXJvbnMAdGVzdGluZzA4

235 2.0.0 Authentication successful

**If the authentication is not successful, you may have to change the MECH value in /etc/sysconfig/saslauthd and /etc/init.d/saslauthd.

Possible values are listed with the command

saslauthd -V

and restart saslauthd:

/etc/init.d/saslauthd restart

Test the connection from outside:

telnet yourserver 465

cameron@cs:~$ telnet yourserver 465

Trying your-ip…

Connected to yourserver.

Escape character is ‘^]’.

220 yourserver ESMTP Postfix

ehlo me

250-yourserver

250-PIPELINING

250-SIZE 10240000

250-VRFY

250-ETRN

250-STARTTLS

250-AUTH PLAIN LOGIN

250-AUTH=PLAIN LOGIN

250-ENHANCEDSTATUSCODES

250-8BITMIME

250 DSN

AUTH PLAIN Y2FtZXJvbnMAY2FtZXJvbnMAdGVzdGluZzA4

235 2.0.0 Authentication successful

Tagged , , , , , ,