Goal: Have a working SMTP process that can accept mail from remote MTAs for
locally hosted domains as well as relay mail for SMTP authenticated clients
to the appropriate destinations.
We want to be able to use the same username and password for SMTP AUTH
clients (such as Outlook, Thunderbird or handhelds) as we use for incoming
IMAP.
apt-get install \
libsasl2-2 libsasl2-modules postfix dovecot-common dovecot-imapd dovecot-pop3d
B1. Basic postfix settings for users and maps:
# relayhost =
mynetworks = 127.0.0.0/8
myhostname = esoomllub.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = localhost, hash:/etc/postfix/mydestination
virtual_maps = hash:/etc/postfix/virtual/addresses
The mydestination hash file: /etc/postfix/mydestination will contain a list
of the domains that the system will accept mail locally for.
Edit this file and put each domain or subdomain on a line by itself,
followed by a tab and then the domain again.
Run this command to refresh this database:
cd /etc/postfix; postmap mydestination
The virtual_maps database allows you to map an incoming email address to a
local system account (an entry in /etc/passwd - i.e. a valid user).
Format is email alias, tab, then the local user account. You can also use
this file to redirect or forward emails. In this case the right hand side
would be one or more accounts and/or fully qualified email addresses.
example:
dev@abc.com dbrooks,testman@example.com,kent
This is how you would create a mailing list.
Run this command to refresh this database:
cd /etc/postfix/virtual/; postmap addresses
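As an added example, not part of the original guide, the following Python script reads the two map files in the format described above and models what Postfix does with them: it checks that every mydestination entry repeats its domain on the right-hand side, decides whether a recipient's domain is delivered locally, and expands a virtual_maps entry recursively (a mailing list pointing at another alias), stopping on an alias loop instead of recursing forever. The file contents are constructed samples, and the expansion is a simplified model of Postfix's own lookup: it does not append myorigin to bare local parts, consult any other map, or apply Postfix's own recursion limit.

```python
"""Added example (not from the original guide): a simplified model of the two
Postfix lookup tables described above."""

# Constructed sample of /etc/postfix/mydestination: domain, tab, domain again.
MYDESTINATION_TEXT = (
    "esoomllub.com\tesoomllub.com\n"
    "mail.esoomllub.com\tmail.esoomllub.com\n"
)

# Constructed sample of /etc/postfix/virtual/addresses: address, tab, targets.
# Targets without '@' are local accounts; targets with '@' may be expanded again.
VIRTUAL_TEXT = (
    "dev@abc.com\tdbrooks,testman@example.com,kent\n"
    "support@esoomllub.com\tdev@abc.com\n"
    "# an accidental loop, used below to show the cycle check\n"
    "loop@esoomllub.com\tloop2@esoomllub.com\n"
    "loop2@esoomllub.com\tloop@esoomllub.com\n"
)


def parse_map(text):
    """Parse 'key<whitespace>value' lines as postmap does; blank lines and
    '#' comments are skipped, a line without a value is rejected."""
    table = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected 'key<TAB>value', got {raw!r}")
        key, value = parts
        table[key.lower()] = value.strip()
    return table


def check_mydestination(table):
    """Return keys whose right-hand side does not repeat the domain (a typo
    there would make the lookup result useless)."""
    return [key for key, value in table.items() if value.lower() != key]


def accepts_locally(mydest, recipient):
    """True if the recipient's domain is one this host takes delivery for
    (the guide's 'mydestination = localhost, hash:...' setting)."""
    domain = recipient.rpartition("@")[2].lower()
    return domain == "localhost" or domain in mydest


def expand_virtual(virtual, address, _path=frozenset()):
    """Final delivery targets for address. Local accounts and addresses with
    no map entry are terminal; mapped addresses are expanded recursively.
    A cycle raises ValueError instead of recursing forever."""
    key = address.lower()
    if key in _path:
        raise ValueError(f"virtual alias loop at {address}")
    if key not in virtual:
        return [address]
    targets = []
    for target in virtual[key].split(","):
        target = target.strip()
        if not target:
            continue
        if "@" in target:
            targets.extend(expand_virtual(virtual, target, _path | {key}))
        else:
            targets.append(target)
    return targets


def has_alias_loop(virtual, address):
    """True if expanding address would never terminate."""
    try:
        expand_virtual(virtual, address)
    except ValueError:
        return True
    return False


MYDEST = parse_map(MYDESTINATION_TEXT)
VIRTUAL = parse_map(VIRTUAL_TEXT)

if __name__ == "__main__":
    print("bad mydestination entries:", check_mydestination(MYDEST))
    print("dev@abc.com ->", expand_virtual(VIRTUAL, "dev@abc.com"))
    print("support@esoomllub.com ->", expand_virtual(VIRTUAL, "support@esoomllub.com"))
    print("loop@esoomllub.com loops:", has_alias_loop(VIRTUAL, "loop@esoomllub.com"))
```

Point parse_map at the real files (open("/etc/postfix/mydestination").read()) to check an edited map before running postmap; the loop check is worth running whenever a forwarding entry points at another alias on the same host.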
B2. Tuning - these settings help keep system usage reasonable and make sure
not to abuse remote MTAs. Note that the maximum number of recipients an email
passing through the system can be delivered to is set to 100.
## tweaks to improve delivery to yahoo.com:
default_process_limit = 10
local_destination_concurrency_limit = 2
default_destination_concurrency_limit = 2
initial_destination_concurrency = 2
smtpd_client_connection_count_limit = 10
default_destination_recipient_limit = 100
smtp_pix_workaround_delay_time = 10s
smtp_pix_workaround_threshold_time = 225s
disable_vrfy_command = yes
smtpd_timeout = 180s
smtpd_error_sleep_time = 3s
smtpd_helo_required = yes
# The message_size_limit parameter limits the total size in bytes of
# a message, including envelope information.
message_size_limit = 45000000
SMTP AUTH allows mail clients that have user accounts to login and relay
mail.
C1. In the master dovecot (imap) server we configure a socket in the postfix
chroot dir that the postfix process will be able to use to ask dovecot
whether the SMTP Auth login and password should be accepted.
/etc/dovecot/dovecot.conf
The settings are in the auth default stanza:
auth default {
  # Space separated list of wanted authentication mechanisms:
  #   plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi
  # NOTE: See also disable_plaintext_auth setting.
  mechanisms = plain login
  socket listen {
    client {
      path = /var/spool/postfix/private/auth
      mode = 0660
      user = postfix
      group = postfix
    }
  }
}
C2. Restart dovecot:
/etc/init.d/dovecot stop
/etc/init.d/dovecot start
tail -f /var/log/mail.log
Ensure that there are no errors.
C3. Configure postfix to talk to dovecot. Add these settings to
/etc/postfix/main.cf:
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
/etc/init.d/postfix stop
/etc/init.d/postfix start
tail -f /var/log/mail.log
Ensure that there are no errors.
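Once SMTP AUTH is on, mail.log is where both accepted logins and failed ones land, and a client cycling through passwords shows up as a run of "SASL ... authentication failed" warnings from one address. The following Python script is an added example, not from the original guide, that summarises a log excerpt per client address and flags repeat offenders. The log lines are constructed in the Postfix log format using documentation address ranges, the failure threshold of five is an arbitrary assumption, and the trailer after "authentication failed:" (the same UGFzc3dvcmQ6 that appears in the 535 reply in C5) is decoded to show what it actually contains.

```python
"""Added example (not from the original guide): summarise SMTP AUTH activity
from a Postfix mail.log excerpt and flag clients with repeated failures."""
import base64
import re
from collections import Counter

# Constructed sample in the Postfix log format; addresses are documentation ranges.
SAMPLE_LOG = """\
Jan 10 09:12:01 mail postfix/smtpd[2211]: connect from unknown[203.0.113.5]
Jan 10 09:12:02 mail postfix/smtpd[2211]: warning: unknown[203.0.113.5]: SASL PLAIN authentication failed: UGFzc3dvcmQ6
Jan 10 09:12:03 mail postfix/smtpd[2211]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jan 10 09:12:04 mail postfix/smtpd[2211]: warning: unknown[203.0.113.5]: SASL PLAIN authentication failed: UGFzc3dvcmQ6
Jan 10 09:12:05 mail postfix/smtpd[2211]: warning: unknown[203.0.113.5]: SASL PLAIN authentication failed: UGFzc3dvcmQ6
Jan 10 09:12:06 mail postfix/smtpd[2211]: warning: unknown[203.0.113.5]: SASL PLAIN authentication failed: UGFzc3dvcmQ6
Jan 10 09:13:00 mail postfix/smtpd[2212]: warning: host.example.net[198.51.100.7]: SASL PLAIN authentication failed: UGFzc3dvcmQ6
Jan 10 09:13:20 mail postfix/smtpd[2212]: 7F3A1C38096: client=host.example.net[198.51.100.7], sasl_method=PLAIN, sasl_username=jlarsen
Jan 10 09:14:00 mail postfix/smtpd[2213]: NOQUEUE: reject: RCPT from unknown[192.0.2.9]: 554 5.7.1 <jlarsen@richweb.com>: Relay access denied; from=<someone@example.org> to=<jlarsen@richweb.com> proto=ESMTP helo=<example.org>
"""

HOST = r"(?P<host>[^\s\[]+)\[(?P<ip>[0-9A-Fa-f.:]+)\]"
FAIL_RE = re.compile(r"warning: " + HOST + r": SASL (?P<mech>\S+) authentication failed:\s*(?P<trailer>\S*)")
OK_RE = re.compile(r"client=" + HOST + r", sasl_method=(?P<mech>\S+), sasl_username=(?P<user>\S+)")
REJECT_RE = re.compile(r"NOQUEUE: reject: RCPT from " + HOST + r": (?P<code>\d{3}) (?P<enh>\S+) ")


def summarize(log_text):
    """Count SASL failures and successes per client, and 554 relay rejects."""
    summary = {
        "auth_failures": Counter(),   # ip -> failed AUTH attempts
        "auth_success": Counter(),    # (ip, username) -> accepted logins
        "relay_rejects": Counter(),   # ip -> RCPTs refused with 554
        "trailers": set(),            # distinct SASL trailers seen in failures
    }
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            summary["auth_failures"][m["ip"]] += 1
            summary["trailers"].add(m["trailer"])
            continue
        m = OK_RE.search(line)
        if m:
            summary["auth_success"][(m["ip"], m["user"])] += 1
            continue
        m = REJECT_RE.search(line)
        if m and m["code"] == "554":
            summary["relay_rejects"][m["ip"]] += 1
    return summary


def flag_repeat_failures(summary, threshold=5):
    """Clients at or above the failure threshold (the threshold is an assumption)."""
    return sorted(ip for ip, n in summary["auth_failures"].items() if n >= threshold)


def decode_sasl_trailer(trailer):
    """The trailer is base64 as exchanged on the wire. In this guide's 535 reply
    it decodes to the server's 'Password:' prompt, not to the client's password."""
    return base64.b64decode(trailer).decode("utf-8", errors="replace")


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for ip, n in s["auth_failures"].most_common():
        print(f"{ip}: {n} failed AUTH attempts")
    print("flagged:", flag_repeat_failures(s))
    for t in s["trailers"]:
        print(f"trailer {t!r} decodes to {decode_sasl_trailer(t)!r}")
```

Feed it the real file with summarize(open("/var/log/mail.log").read()); a client that shows up in auth_failures many times and in auth_success for a username it has never used before is the case worth looking at first.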
C4. postfix master.cf process configuration:
Ensure that the smtp and submission service lines are uncommented. They
should look like this:
smtp      inet  n       -       -       -       -       smtpd
submission inet n       -       -       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
You will need to restart postfix again and check for errors after/if
changing this config file.
C5. At this point we can test the configuration using swaks:
This test should fail - since we are NOT an open relay:
swaks -f jlarsen@richweb.com -t jlarsen@richweb.com -s 208.73.137.146
AND we see:
<** 554 5.7.1
which is good.
swaks -f jlarsen@richweb.com -t customseo@esoomllub.com -s 208.73.137.146
And that works since customseo@esoomllub.com is a valid recipient:
<- 250 2.0.0 Ok: queued as F3632C38096
Now we test with SMTP AUTH. jlarsen@richweb.com is NOT a local destination,
so we are asking the server to relay for us, just like a mail client that
is using this server for relay would:
swaks -f customseo@esoomllub.com -t jlarsen@richweb.com -s 208.73.137.146 \
-au jlarsen -ap 99test99 -apt
jlarsen is a valid local user account and 99test99 is its password, so this
works as expected:
<- 250 2.0.0 Ok: queued as F3632C38096
Now we break the password intentionally:
swaks -f customseo@esoomllub.com -t jlarsen@richweb.com -s 208.73.137.146 \
-au jlarsen -ap 99test9XX -apt
<** 535 5.7.8 Error: authentication failed: UGFzc3dvcmQ6
-> AUTH PLAIN \0jlarsen\099test9XX
<** 535 5.7.8 Error: authentication failed: UGFzc3dvcmQ6
*** No authentication type succeeded
And we see that it is blocked due to login failure (correct).
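As an added example, not from the original guide or from Postfix, the following Python model reproduces the four swaks outcomes above from the smtpd_recipient_restrictions list in C3: it walks the restrictions in the configured order for a RCPT TO, and first handles an AUTH PLAIN response the way the server side does. The client address, the credential table and the exact reply texts are constructed for the model (the page only shows the 554 5.7.1, 250 and 535 5.7.8 codes); the one plaintext password in the script exists only so the model runs, since on the real server the check is delegated to Dovecot. The decode step also shows why C4 sets smtpd_tls_security_level=encrypt on the submission port: AUTH PLAIN is base64, not encryption.

```python
"""Added example (not from the original guide or from Postfix): a model of
the RCPT-time relay decision made with the C3 restriction list, with the
AUTH PLAIN check in front of it, reproducing the swaks outcomes in C5."""
import base64
import hmac
import ipaddress

# Values from the guide's main.cf; the restriction order is the one in C3.
MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8")]
MYDESTINATION = {"localhost", "esoomllub.com"}
RECIPIENT_RESTRICTIONS = [
    "permit_sasl_authenticated",
    "permit_mynetworks",
    "reject_unauth_destination",
]
# Constructed credential store for the model only; the real check is done by
# Dovecot against the system account database, never by a table like this.
USERS = {"jlarsen": b"99test99"}


def encode_auth_plain(user, password):
    """What a client sends after 'AUTH PLAIN': base64 of authzid NUL authcid NUL password."""
    return base64.b64encode(b"\x00" + user.encode() + b"\x00" + password.encode()).decode()


def parse_auth_plain(response):
    """Server side of the same step. Base64 is reversible, so without TLS the
    password is visible to anyone on the path (hence security_level=encrypt)."""
    parts = base64.b64decode(response).split(b"\x00")
    if len(parts) != 3:
        raise ValueError("malformed AUTH PLAIN response")
    _authzid, authcid, password = parts
    return authcid.decode(), password


def check_auth(response):
    """Return the authenticated username, or None on failure (constant-time compare)."""
    user, password = parse_auth_plain(response)
    expected = USERS.get(user)
    if expected is None or not hmac.compare_digest(expected, password):
        return None
    return user


def in_mynetworks(client_ip):
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in MYNETWORKS)


def rcpt_decision(client_ip, sasl_user, recipient):
    """Walk smtpd_recipient_restrictions in order; the first PERMIT or REJECT
    wins, and reaching the end of the list permits."""
    domain = recipient.rpartition("@")[2].lower()
    for restriction in RECIPIENT_RESTRICTIONS:
        if restriction == "permit_sasl_authenticated" and sasl_user:
            return "250 2.1.5 Ok"
        if restriction == "permit_mynetworks" and in_mynetworks(client_ip):
            return "250 2.1.5 Ok"
        if restriction == "reject_unauth_destination" and domain not in MYDESTINATION:
            return f"554 5.7.1 <{recipient}>: Relay access denied"
    return "250 2.1.5 Ok"


def session(client_ip, recipient, auth_response=None):
    """AUTH (if offered) then RCPT TO; returns the reply lines a client like swaks sees."""
    replies = []
    sasl_user = None
    if auth_response is not None:
        sasl_user = check_auth(auth_response)
        if sasl_user is None:
            replies.append("535 5.7.8 Error: authentication failed")
            return replies  # swaks stops here: "No authentication type succeeded"
        replies.append("235 2.7.0 Authentication successful")
    replies.append(rcpt_decision(client_ip, sasl_user, recipient))
    return replies


if __name__ == "__main__":
    client = "198.51.100.7"  # constructed address for the testing host
    print(session(client, "jlarsen@richweb.com"))                 # relay attempt -> 554
    print(session(client, "customseo@esoomllub.com"))             # local domain -> 250
    print(session(client, "jlarsen@richweb.com", encode_auth_plain("jlarsen", "99test99")))
    print(session(client, "jlarsen@richweb.com", encode_auth_plain("jlarsen", "99test9XX")))
```

Reordering RECIPIENT_RESTRICTIONS so that reject_unauth_destination comes first makes the authenticated relay case fail too, which is the quickest way to see why the guide puts the permit entries ahead of it.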
C6. We use an open relay checker such as:
just to be sure our server is not open in any way.
Good News!
All tests for an open relay on your mail server failed.
Your mail server does not allow open relay.
D1. Generate a key:
cd /etc/postfix;
openssl rand -out rand_seed 131072
ps aux | md5sum >> rand_seed
wait some time ... a few sec or a minute
ps aux | md5sum >> rand_seed
wait some time ... a few sec or a minute
ps aux | md5sum >> rand_seed
Generate the key:
openssl genrsa -rand rand_seed -out esoomllub.key 2048
rm -f rand_seed*
Generate and Self Sign the cert:
openssl req -new -x509 -nodes -sha1 -days 1460 -key esoomllub.key -out esoomllub.com.crt
Used these parameters in the dialogue:
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Virginia
Locality Name (eg, city) []:Glen Allen
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Richweb, Inc
Organizational Unit Name (eg, section) []:Richweb Hosting
Common Name (eg, YOUR name) []:esoomllub.com
Email Address []:kallen@richweb.com
D2. Edit /etc/postfix/main.cf:
# TLS parameters
smtpd_tls_cert_file=/etc/postfix/esoomllub.com.crt
smtpd_tls_key_file=/etc/postfix/esoomllub.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
D3. Edit /etc/dovecot/dovecot.conf
protocols = imaps pop3s
disable_plaintext_auth = yes
# Disable SSL/TLS support.
ssl_disable = no
# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
# dropping root privileges, so keep the key file unreadable by anyone but
# root.
ssl_cert_file = /etc/postfix/esoomllub.com.crt
ssl_key_file = /etc/postfix/esoomllub.key
ssl_verify_client_cert = no
# How often to regenerate the SSL parameters file. Generation is quite CPU
# intensive operation. The value is in hours, 0 disables regeneration
# entirely.
#ssl_parameters_regenerate = 168
# SSL ciphers to use
ssl_cipher_list = ALL:!LOW
# Show protocol level SSL errors.
#verbose_ssl = no
D4. Restart dovecot and postfix
I suggest testing with Mozilla Thunderbird. If jlarsen is the unix user
account, then the SMTP AUTH and IMAP settings should use jlarsen as the
username.
E1. IMAP Settings:
ServerName: esoomllub.com
Port: 993
User Name: jlarsen
Use Secure connection: SSL
E2. Outgoing SMTP Server Settings:
ServerName: esoomllub.com
Port: 587
User Name: jlarsen
Use Secure connection: TLS
E3. Thunderbird quirks
Don't select "TLS, if available", as you may end up using the connection
unsecured, in which case your password could be stolen.
You can setup pop3s instead of imaps if you prefer. In Thunderbird select
pop3 instead of imap, and use port 995 (pop3s - pop3 over ssl).
The only catch I found was that you need to check SSL, and not TLS, for IMAP
and POP3 in Thunderbird. The TLS negotiation was failing for some reason.
But the logs on the server side showed successful SSL negotiation when SSL
was checked, so it should be very secure (no passwords in clear text), which
is the goal.