Postfix MTA Dovecot IMAP/POP3 Server with SSL for IMAP, POP3, and SMTP Auth

Goal: Have a working SMTP process that can accept mail from remote MTAs for
locally hosted domains as well as relay mail for SMTP authenticated clients
to the appropriate destinations.

We want to be able to use the same username and password for SMTP auth
clients (such as Outlook or Thunderbird or handhelds) as we use for incoming
imap.

A. Install the needed packages:

apt-get install \
libsasl2-2 libsasl2-modules postfix dovecot-common dovecot-imapd dovecot-pop3d

B. Setup /etc/postfix/main.cf

B1. Basic postfix settings for users and maps:

# relayhost = 
mynetworks = 127.0.0.0/8
myhostname = esoomllub.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = localhost, hash:/etc/postfix/mydestination
virtual_maps  = hash:/etc/postfix/virtual/addresses

The mydestination hash file: /etc/postfix/mydestination will contain a list
of the domains that the system will accept mail locally for.

Edit this file and put each domain or subdomain on a line by itself,
followed by a tab and then the domain again.

Run this command to refresh this database:

cd /etc/postfix; postmap mydestination

The virtual_maps database allows you to map an incoming email address to a
local system account (an entry in /etc/passwd - i.e. a valid user).

Format is email alias, tab, then the local user account. You can also use
this file to redirect or forward emails. In this case the right hand side
would be one or more accounts and/or fully qualified email addresses.

example:

dev@abc.com dbrooks,testman@example.com,kent

This is how you would create a mailing list.

Run this command to refresh this database:

cd /etc/postfix/virtual/; postmap addresses
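As an added illustration (not part of the original how-to), here is a small Python model of how an addresses map like the one above expands: each key on the left becomes the comma-separated targets on the right, a target that is itself a key is expanded again, and a self-referencing entry is reported instead of looping forever. The sample map, the recursion cap and the expansion logic are constructed assumptions for this example, a simplified stand-in for Postfix's own virtual alias expansion rather than its code.

```python
import re

# Constructed sample in the format of /etc/postfix/virtual/addresses described
# above: an alias, whitespace, then a comma-separated list of local accounts
# and/or fully qualified addresses. Comments and blank lines are skipped, as
# postmap skips them.
SAMPLE_MAP = """\
# mailing list: two local accounts and one external address
dev@abc.com\tdbrooks,testman@example.com,kent
# kent is forwarded off-site, so the list above ends up there too
kent\tkent@example.org
# a broken entry that points at itself
loop@abc.com\tloop@abc.com
"""

RECURSION_LIMIT = 1000  # depth cap in the spirit of virtual_alias_recursion_limit (assumption)


def parse_virtual_map(text):
    """Return {key: [target, ...]} for a postmap-style text file."""
    table = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s+", line, maxsplit=1)
        if len(parts) != 2:
            raise ValueError(f"entry without a right-hand side: {line!r}")
        key, rhs = parts
        table[key.lower()] = [t.strip() for t in rhs.split(",") if t.strip()]
    return table


def expand(address, table, limit=RECURSION_LIMIT):
    """Expand one recipient to its final delivery targets.

    Simplified model of virtual alias expansion (an assumption, not Postfix
    code): a target that is itself a key in the map is expanded again, any
    other target is final. Raises ValueError on a loop or when the depth cap
    is exceeded, instead of recursing forever."""
    final = []

    def walk(addr, seen, depth):
        key = addr.lower()
        if depth > limit:
            raise ValueError(f"recursion limit exceeded at {addr}")
        if key in seen:
            raise ValueError(f"alias loop at {addr}")
        if key not in table:
            final.append(addr)
            return
        for target in table[key]:
            walk(target, seen | {key}, depth + 1)

    walk(address, frozenset(), 0)
    return final


def audit(table):
    """Expand every key; None marks an entry that loops or recurses too deep."""
    report = {}
    for key in table:
        try:
            report[key] = expand(key, table)
        except ValueError:
            report[key] = None
    return report


if __name__ == "__main__":
    for key, targets in audit(parse_virtual_map(SAMPLE_MAP)).items():
        print(key, "->", targets if targets is not None else "LOOP")
```

Running the audit before postmap is a cheap way to catch a forwarding loop in a hand-edited map; the real expansion also consults the local alias and passwd databases, which this model leaves out.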

B2. Tuning - these settings help keep system usage reasonable and make sure
not to abuse remote MTAs. Note that the maximum number of recipients an email
passing through the system can deliver to is set to 100.

## tweaks to improve delivery to yahoo.com:
default_process_limit = 10
local_destination_concurrency_limit = 2
default_destination_concurrency_limit = 2
initial_destination_concurrency = 2
smtpd_client_connection_count_limit = 10

default_destination_recipient_limit = 100

smtp_pix_workaround_delay_time = 10s
smtp_pix_workaround_threshold_time = 225s

disable_vrfy_command = yes
smtpd_timeout = 180s

smtpd_error_sleep_time = 3s
smtpd_helo_required = yes

# The message_size_limit parameter limits the total size in bytes of
# a message, including envelope information.
message_size_limit = 45000000

C. sasl (smtp auth) configuration

SMTP AUTH allows mail clients that have user accounts to login and relay
mail.

C1. In the master dovecot (imap) server we configure a socket in the postfix
chroot dir that the postfix process will be able to use to ask dovecot
whether the SMTP Auth login and password should be accepted.

/etc/dovecot/dovecot.conf

The settings are in the auth default stanza:

auth default {
  # Space separated list of wanted authentication mechanisms:
  #   plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi
  # NOTE: See also disable_plaintext_auth setting.
  mechanisms = plain login

  socket listen {
    client {
      # Socket inside the Postfix chroot, so smtpd reaches it as private/auth
      path = /var/spool/postfix/private/auth
      mode = 0660
      user = postfix
      group = postfix
    }
  }
}

C2. Restart dovecot:
/etc/init.d/dovecot stop
/etc/init.d/dovecot start

tail -f /var/log/mail.log

Ensure that there are no errors.

C3. Configure postfix to talk to dovecot. Add these settings to
/etc/postfix/main.cf:

smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes

smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination

/etc/init.d/postfix stop
/etc/init.d/postfix start

tail -f /var/log/mail.log

Ensure that there are no errors.

C4. postfix master.cf process configuration:

Ensure that the smtp and submission service lines are uncommented. They should
look like this (the -o override lines must be indented: master.cf treats a line
that starts with whitespace as a continuation of the entry above it):

smtp       inet  n       -       -       -       -       smtpd
submission inet  n       -       -       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING

You will need to restart postfix again and check for errors after/if
changing this config file.
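To see why the order of those restriction lists matters, here is an added Python model (not Postfix code, and not from the original how-to) that walks a restriction list the way smtpd does at RCPT TO: left to right, stopping at the first permit or reject, and permitting if the list runs out. The network, domain list, client address and reply texts are constructed sample values; the submission list mirrors the -o override in master.cf above.

```python
import ipaddress

# Constructed sample values mirroring this how-to's main.cf (assumptions for the example).
MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8")]
MYDESTINATION = {"localhost", "esoomllub.com"}  # what hash:/etc/postfix/mydestination holds

# smtpd_recipient_restrictions from section C3, and the submission override from master.cf.
RECIPIENT_RESTRICTIONS = ["permit_sasl_authenticated", "permit_mynetworks",
                          "reject_unauth_destination"]
SUBMISSION_CLIENT_RESTRICTIONS = ["permit_sasl_authenticated", "reject"]


def evaluate(restrictions, client_ip, recipient, sasl_user=None,
             mynetworks=MYNETWORKS, mydestination=MYDESTINATION):
    """Simplified model of how smtpd walks a restriction list at RCPT TO
    (an assumption for this example, not Postfix's code): each restriction
    either makes a decision or passes to the next one, and an exhausted list
    means permit. Returns (decision, reply); the reply texts are illustrative."""
    ip = ipaddress.ip_address(client_ip)
    domain = recipient.rpartition("@")[2].lower()
    for restriction in restrictions:
        if restriction == "permit_sasl_authenticated":
            if sasl_user:
                return ("permit", "250 Ok (permit_sasl_authenticated)")
        elif restriction == "permit_mynetworks":
            if any(ip in net for net in mynetworks):
                return ("permit", "250 Ok (permit_mynetworks)")
        elif restriction == "reject_unauth_destination":
            # relaying to a domain we are not the destination for
            if domain not in mydestination:
                return ("reject", f"554 5.7.1 <{recipient}>: Relay access denied")
        elif restriction == "reject":
            return ("reject", f"554 5.7.1 <{recipient}>: Access denied")
        else:
            raise ValueError(f"restriction not modelled: {restriction}")
    return ("permit", "250 Ok (end of list)")


if __name__ == "__main__":
    # Constructed client address; the scenarios are the swaks tests of section C5.
    client = "198.51.100.7"
    print(evaluate(RECIPIENT_RESTRICTIONS, client, "jlarsen@richweb.com"))
    print(evaluate(RECIPIENT_RESTRICTIONS, client, "customseo@esoomllub.com"))
    print(evaluate(RECIPIENT_RESTRICTIONS, client, "jlarsen@richweb.com", sasl_user="jlarsen"))
    print(evaluate(SUBMISSION_CLIENT_RESTRICTIONS, client, "customseo@esoomllub.com"))
    # Swapping the order breaks authenticated relay: the reject fires first.
    print(evaluate(["reject_unauth_destination", "permit_sasl_authenticated"],
                   client, "jlarsen@richweb.com", sasl_user="jlarsen"))
```

The last call is the case to keep in mind when editing these lists: an authenticated client relaying to an outside domain is only permitted because permit_sasl_authenticated is consulted before reject_unauth_destination.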

C5. At this point we can test the configuration using swaks:

This test should fail - since we are NOT an open relay:
swaks -f jlarsen@richweb.com -t jlarsen@richweb.com -s 208.73.137.146

AND we see:
<** 554 5.7.1 : Relay access denied

which is good.

swaks -f jlarsen@richweb.com -t customseo@esoomllub.com -s 208.73.137.146

And that works since customseo@esoomllub.com is a valid recipient:
<- 250 2.0.0 Ok: queued as F3632C38096

Now we test with SMTP auth. jlarsen@richweb.com is NOT a local destination,
so we are asking the server to relay for us, just like a mail client that
uses this server for relay would:

swaks -f customseo@esoomllub.com -t jlarsen@richweb.com -s 208.73.137.146 \
-au jlarsen -ap 99test99 -apt

jlarsen is a valid local user account and 99test99 is its password, so this
works as expected:

<- 250 2.0.0 Ok: queued as F3632C38096

Now we break the password intentionally:

swaks -f customseo@esoomllub.com -t jlarsen@richweb.com -s 208.73.137.146 \
-au jlarsen -ap 99test9XX -apt

<** 535 5.7.8 Error: authentication failed: UGFzc3dvcmQ6
-> AUTH PLAIN \0jlarsen\099test9XX
<** 535 5.7.8 Error: authentication failed: UGFzc3dvcmQ6
*** No authentication type succeeded

And we see that it is blocked due to login failure (correct).
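The base64 blobs in that swaks transcript are the SASL PLAIN and LOGIN mechanisms as they appear on the wire. The following added Python example (not from the original page) builds both exchanges from the client and the server side, with a constructed credential table standing in for Dovecot; decoding UGFzc3dvcmQ6 shows it is just the LOGIN mechanism's "Password:" prompt, and decoding the PLAIN response shows why these two mechanisms must only be offered over TLS (section D).

```python
import base64
import hmac

# Constructed credential table standing in for the account Dovecot would check
# (the how-to's test user jlarsen with password 99test99); an assumption for
# this example, not how Dovecot stores or verifies passwords.
USERS = {"jlarsen": "99test99"}

AUTH_OK = "235 2.7.0 Authentication successful"
AUTH_FAILED = "535 5.7.8 Error: authentication failed"


def b64(text):
    return base64.b64encode(text.encode()).decode("ascii")


def unb64(text):
    return base64.b64decode(text).decode()


def check_password(username, password):
    expected = USERS.get(username)
    # constant-time comparison so a wrong password cannot be timed
    return expected is not None and hmac.compare_digest(expected.encode(), password.encode())


def plain_response(username, password, authzid=""):
    """Client side of AUTH PLAIN (RFC 4616): authzid NUL authcid NUL passwd, base64.
    swaks -apt sends exactly this; with an empty authzid the raw form is
    \\0jlarsen\\099test99, which is what the transcript above prints."""
    return b64(f"{authzid}\0{username}\0{password}")


def decode_plain(response):
    """What anyone watching an unencrypted session sees: base64 is encoding, not encryption."""
    authzid, authcid, passwd = unb64(response).split("\0")
    return authzid, authcid, passwd


def server_auth_plain(response):
    """Server side of AUTH PLAIN: decode and verify; returns the SMTP reply."""
    try:
        _, authcid, passwd = decode_plain(response)
    except ValueError:  # bad base64 or wrong number of NUL-separated fields
        return AUTH_FAILED
    return AUTH_OK if check_password(authcid, passwd) else AUTH_FAILED


def login_exchange(username, password):
    """AUTH LOGIN as both sides see it: two 334 challenges whose base64 payloads
    decode to 'Username:' and 'Password:' (UGFzc3dvcmQ6 in the transcript above)."""
    transcript = ["C: AUTH LOGIN", f"S: 334 {b64('Username:')}"]
    user_b64 = b64(username)
    transcript += [f"C: {user_b64}", f"S: 334 {b64('Password:')}"]
    pass_b64 = b64(password)
    transcript.append(f"C: {pass_b64}")
    ok = check_password(unb64(user_b64), unb64(pass_b64))
    transcript.append(f"S: {AUTH_OK if ok else AUTH_FAILED}")
    return transcript


if __name__ == "__main__":
    resp = plain_response("jlarsen", "99test99")
    print("AUTH PLAIN", resp, "->", server_auth_plain(resp))
    print("decoded on the wire:", decode_plain(resp))
    print("\n".join(login_exchange("jlarsen", "99test9XX")))
```

Both mechanisms hand the server the password itself, which is what lets Dovecot check it against the system account; the trade-off is that the only protection for that password in transit is the TLS layer, which is why section D and the submission override in master.cf require encryption before AUTH is accepted.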

C6. We use an open relay checker such as:

http://www.dnsgoodies.com/

just to be sure our server is not open in any way.

Good News!
All tests for an open relay on your mail server failed.
Your mail server does not allow open relay.

D. Using SSL to secure IMAP and SMTP Auth

D1. Generate a key:

cd /etc/postfix;

openssl rand -out rand_seed 131072
ps aux | md5sum >> rand_seed
(wait a few seconds or a minute)
ps aux | md5sum >> rand_seed
(wait a few seconds or a minute)
ps aux | md5sum >> rand_seed

Generate the key, seeding from the file just built:
openssl genrsa -rand rand_seed -out esoomllub.key 2048

rm -f rand_seed*

Generate and Self Sign the cert:
openssl req -new -x509 -nodes -sha1 -days 1460 -key esoomllub.key -out esoomllub.com.crt

Used these parameters in the dialogue:
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Virginia
Locality Name (eg, city) []:Glen Allen
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Richweb, Inc
Organizational Unit Name (eg, section) []:Richweb Hosting
Common Name (eg, YOUR name) []:esoomllub.com
Email Address []:kallen@richweb.com

D2. Edit /etc/postfix/main.cf:

# TLS parameters
smtpd_tls_cert_file=/etc/postfix/esoomllub.com.crt
smtpd_tls_key_file=/etc/postfix/esoomllub.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

D3. Edit /etc/dovecot/dovecot.conf

protocols = imaps pop3s

disable_plaintext_auth = yes
# Disable SSL/TLS support.
ssl_disable = no

# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
# dropping root privileges, so keep the key file unreadable by anyone but
# root.
ssl_cert_file = /etc/postfix/esoomllub.com.crt
ssl_key_file = /etc/postfix/esoomllub.key

ssl_verify_client_cert = no

# How often to regenerate the SSL parameters file. Generation is quite CPU
# intensive operation. The value is in hours, 0 disables regeneration
# entirely.
#ssl_parameters_regenerate = 168

# SSL ciphers to use
ssl_cipher_list = ALL:!LOW

# Show protocol level SSL errors.
#verbose_ssl = no

D4. Restart dovecot and postfix

E. Mail Client Setup

I suggest testing with Mozilla Thunderbird. If jlarsen is the unix/user account, then the smtp
auth and imap settings should use jlarsen as the username.

E1. IMAP Settings:
ServerName: esoomllub.com
Port: 993
User Name: jlarsen
Use Secure connection: SSL

E2. Outgoing SMTP Server Settings:
ServerName: esoomllub.com
Port: 587
User Name: jlarsen
Use Secure connection: TLS

E3. Thunderbird quirks

Don't select "TLS, if available", as you may end up using the connection
unsecured, in which case your password could be stolen.

You can setup pop3s instead of imaps if you prefer. In Thunderbird select
pop3 instead of imap, and use port 995 (pop3s - pop3 over ssl).

The only catch I found was that you need to check SSL, and not TLS, for IMAP
and POP3 in Thunderbird. The TLS negotiation was failing for some reason.
But the logs on the server side showed successful SSL negotiation when SSL
was checked so it should be very secure (no passwords in clear text) which
is the goal.
