Postfix: Authentikasi SMTP untuk Client

From OnnoWiki
Jump to navigation Jump to search

Sumber: http://postfix.state-of-mind.de/patrick.koetter/smtpauth/smtp_auth_mailclients.html


Siapkan Dovecot

Edit agar dovecot siap digunakan sebagai auth server untuk postfix

vim /etc/dovecot/conf.d/10-master.conf

Pastikan

## The listener is added under the service auth section ##
service auth { 
	unix_listener /var/spool/postfix/private/auth {
		mode = 0660
        	user = postfix
        	group = postfix
  	} ##end listener
} ## end service auth

Definisi diatas akan membuka socket /var/spool/postfix/private/auth dengan permission 0660 untuk Postfix.

vim /etc/dovecot/conf.d/10-auth.conf
auth_mechanisms = plain login

plain authetication mechanism untuk Postfix

restart Dovecot

service dovecot restart


Generate Certificate

Buat certificate untuk SSL

mkdir /etc/postfix/ssl
cd /etc/postfix/ssl/
openssl req -new -nodes -keyout onnocenter.id.key -out onnocenter.id.csr

akan keluar

Generating a 2048 bit RSA private key
......................+++
..................+++
writing new private key to 'onnocenter.id.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:ID
State or Province Name (full name) [Some-State]:DKI     
Locality Name (eg, city) []:Jakarta
Organization Name (eg, company) [Internet Widgits Pty Ltd]:OnnoCenter
Organizational Unit Name (eg, section) []:IT
Common Name (e.g. server FQDN or YOUR name) []:onnocenter.id
Email Address []:onno@onnocenter.id 

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:password
An optional company name []:OnnoCenter

Preparing Postfix

Masukan parameter SASL ke config file

vim /etc/postfix/main.cf
#### SASL ####
## specify SASL type ##
smtpd_sasl_type = dovecot
## path to the SASL socket relative to postfix spool directory i.e. /var/spool/postfix ##
smtpd_sasl_path = private/auth

## postfix appends the domain name for SASL logins that do not have the domain part ##
smtpd_sasl_local_domain = $myhostname

## SASL default policy ##
smtpd_sasl_security_options = noanonymous

## for legacy application compatibility ##
broken_sasl_auth_clients = yes

## enable SMTP auth ##
smtpd_sasl_auth_enable = yes

## smtp checks ##
## these checks are based on first match, so sequence is important ##
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination

Ringkas-nya

smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
broken_sasl_auth_clients = yes
... 
smtpd_recipient_restrictions = 
   permit_sasl_authenticated, 
   permit_mynetworks, 
   check_relay_domains


Masukan SSL/TLS parameter ke config file

vim /etc/postfix/main.cf
#### SSL/TLS parameters ####

## 'encrypt' will enforce SSL. Not recommended for live servers ##
smtpd_tls_security_level = may 
#smtpd_tls_security_level = encrypt 

smtpd_tls_received_header = yes 
smtpd_tls_auth_only = no 

## loglevel 3 or 4 can be used during troubleshooting ##
smtpd_tls_loglevel = 1 

## path to certificate and key file ##
smtpd_tls_key_file = /etc/postfix/ssl/onnocenter.id.key
smtpd_tls_cert_file = /etc/postfix/ssl/onnocenter.id.crt
smtpd_use_tls=yes 

## server will announce STARTTLS ##
smtp_tls_note_starttls_offer = yes 

smtpd_tls_session_cache_timeout = 3600s 
tls_random_source = dev:/dev/urandom


Ringkas-nya


smtpd_tls_security_level = encrypt 
smtpd_tls_received_header = yes 
smtpd_tls_auth_only = yes
smtpd_tls_loglevel = 1 
smtpd_tls_key_file = /etc/postfix/ssl/onnocenter.id.key
smtpd_tls_cert_file = /etc/postfix/ssl/onnocenter.id.crt
smtpd_use_tls=yes 
smtp_tls_note_starttls_offer = yes
smtpd_tls_session_cache_timeout = 3600s 
tls_random_source = dev:/dev/urandom

Restart Postfix

service postfix restart


Cek Relay

$ telnet mail.example.tst 25
ehlo  mail.example.tst
250- mail.example.tst
250-PIPELINING 
250-SIZE 10240000 
250-VRFY 
250-ETRN 
250-STARTTLS 
250-AUTH PLAIN LOGIN 
250-AUTH=PLAIN LOGIN 
250-ENHANCEDSTATUSCODES 
250-8BITMIME 
250 DSN 


Cek SMTP AUTH Support

Lakukan

telnet onnocenter.id 25

Harusnya keluar

Connected to onnocenter.id.
Escape character is '^]'.
220 onnocenter.id ESMTP
ehlo onnocenter.id
250-onnocenter.id
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

Buat password

printf 'username\0username\0password' | mmencode

atau

perl -MMIME::Base64 -e 'print encode_base64("username\0username\0password");'

Lakukan seperti

printf 'test\0test\0testpass' | mmencode
dGVzdAB0ZXN0AHRlc3RwYXNz

Maka dGVzdAB0ZXN0AHRlc3RwYXNz adalah Base64 encoded string yang berisi username dan password.

Test authentication

Connected to localhost.
Escape character is '^]'.
220 onnocenter.id ESMTP
ehlo onnocenter.id
250-onnocenter.id
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
AUTH PLAIN dGVzdAB0ZXN0AHRlc3RwYXNz
235 2.7.0 Authentication successful
quit
221 2.0.0 Bye

Referensi