Postfix: SMTP Authentication for Clients
Revision as of 05:56, 8 May 2015
Source: http://postfix.state-of-mind.de/patrick.koetter/smtpauth/smtp_auth_mailclients.html
Preparing Dovecot
Edit the Dovecot configuration so that Dovecot can act as the SASL authentication server for Postfix:
vim /etc/dovecot/conf.d/10-master.conf
Make sure the auth service contains this listener:
## The listener is added under the service auth section ##
service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    user = postfix
    group = postfix
  }
  ##end listener
}
## end service auth
This definition makes Dovecot create the socket /var/spool/postfix/private/auth with permissions 0660, owned by postfix:postfix. The path lies inside the Postfix queue directory so that smtpd can reach it even when it runs chrooted in /var/spool/postfix, and the mode keeps other local users from talking to the authentication service.
vim /etc/dovecot/conf.d/10-auth.conf
auth_mechanisms = plain login
These are the mechanisms Dovecot will offer to Postfix. Both of them transmit the password in cleartext (Base64 is only an encoding), so they should only be accepted inside a TLS session; on the Postfix side that is controlled by smtpd_tls_auth_only in main.cf.
Restart Dovecot:
service dovecot restart
Preparing Postfix
Add the SASL parameters to the Postfix configuration file:
vim /etc/postfix/main.cf
#### SASL ####
## specify SASL type ##
smtpd_sasl_type = dovecot
## path to the SASL socket relative to postfix spool directory i.e. /var/spool/postfix ##
smtpd_sasl_path = private/auth
## postfix appends the domain name for SASL logins that do not have the domain part ##
smtpd_sasl_local_domain = example.tst
## SASL default policy ##
smtpd_sasl_security_options = noanonymous
## for legacy application compatibility ##
broken_sasl_auth_clients = yes
## enable SMTP auth ##
smtpd_sasl_auth_enable = yes
## smtp checks ##
## these checks are based on first match, so sequence is important ##
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
For comparison, the Koetter HOWTO (written for Cyrus SASL and an older Postfix) shows the same settings as:
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
broken_sasl_auth_clients = yes
...
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, check_relay_domains
Use the first version: check_relay_domains is obsolete and reject_unauth_destination is its replacement. Whichever order you choose, the restriction that rejects relaying must come after the permit_ entries (otherwise authenticated clients are refused) and it must be present (otherwise the server relays for everyone).
Add the SSL/TLS parameters to the configuration file:
vim /etc/postfix/main.cf
#### SSL/TLS parameters ####
## 'may' offers STARTTLS but still accepts cleartext sessions. 'encrypt' makes TLS mandatory; do not use it on the port 25 MX listener (other mail servers must still be able to deliver in the clear), put it on the submission port (587) in master.cf instead ##
smtpd_tls_security_level = may
#smtpd_tls_security_level = encrypt
smtpd_tls_received_header = yes
## 'no' advertises AUTH before STARTTLS, which is what the plaintext telnet checks below rely on. On a real server set this to 'yes' so that PLAIN and LOGIN are only offered inside a TLS session and credentials never cross the wire in the clear ##
smtpd_tls_auth_only = no
## loglevel 3 or 4 can be used during troubleshooting ##
smtpd_tls_loglevel = 1
## path to certificate and key file ##
smtpd_tls_cert_file = /etc/ssl/certs/postfixcert.pem
smtpd_tls_key_file = /etc/ssl/private/postfixkey.pem
## obsolete since Postfix 2.3; smtpd_tls_security_level above is what actually enables STARTTLS ##
smtpd_use_tls=yes
## this is an smtp (client-side) parameter: it only logs when a remote server offered STARTTLS that we did not use. It does not control what our own smtpd announces ##
smtp_tls_note_starttls_offer = yes
smtpd_tls_session_cache_timeout = 3600s
Restart Postfix
service postfix restart
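The SASL and TLS settings above interact in ways that are easy to get wrong: AUTH offered before STARTTLS, an obsolete relay restriction, a client-side parameter mistaken for a server-side one. The following audit script is an added example, not Postfix code and not from the HOWTO or the xmodulo article. It parses a main.cf in Postfix's own syntax (including continuation lines) and reports the weak combinations. The parameter names and their semantics are the real Postfix ones; the finding codes and the three embedded sample configurations (this page's settings, the older HOWTO variant, and a hardened version) are constructed for this example.

```python
"""Added example: audit a Postfix main.cf for the SMTP AUTH pitfalls discussed
above. Not Postfix code and not from the HOWTO; finding codes and the sample
configurations are constructed for this script, parameter names are real."""
import re

# Constructed sample 1: the settings shown on this page (SASL block + TLS block).
PAGE_CF = """
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination
smtpd_tls_security_level = may
smtpd_tls_auth_only = no
smtpd_use_tls = yes
smtp_tls_note_starttls_offer = yes
"""

# Constructed sample 2: the older HOWTO variant with the obsolete restriction.
LEGACY_CF = """
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, check_relay_domains
"""

# Constructed sample 3: what a production submission setup should look like.
HARDENED_CF = """
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
# PLAIN/LOGIN only inside TLS; ANONYMOUS never
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
"""

def parse_main_cf(text):
    """main.cf syntax: 'name = value', '#' comments, and a line that starts
    with whitespace continues the previous parameter's value."""
    params, last = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and last is not None:
            params[last] += " " + raw.strip()
            continue
        name, sep, value = raw.partition("=")
        if not sep:
            continue                      # not a parameter line
        last = name.strip()
        params[last] = value.strip()
    return params

def _words(value):
    return [w for w in re.split(r"[,\s]+", value) if w]

def audit_sasl(params):
    """Return [(code, message), ...] for the SMTP AUTH related weaknesses."""
    findings = []
    if params.get("smtpd_sasl_auth_enable", "no") != "yes":
        return findings                   # SMTP AUTH is off, nothing to audit
    sec = _words(params.get("smtpd_sasl_security_options", "noanonymous"))
    if "noanonymous" not in sec:
        findings.append(("anonymous-auth", "ANONYMOUS would satisfy "
                         "permit_sasl_authenticated: add noanonymous"))
    level = params.get("smtpd_tls_security_level")
    if level is None:                     # pre-2.3 style: smtpd_use_tls decides
        level = "may" if params.get("smtpd_use_tls") == "yes" else "none"
    auth_only = params.get("smtpd_tls_auth_only", "no") == "yes"
    if level == "none":
        findings.append(("no-tls", "no TLS: every AUTH exchange is in the clear"))
    elif level != "encrypt" and not auth_only and "noplaintext" not in sec:
        findings.append(("cleartext-auth", "AUTH PLAIN/LOGIN is advertised before "
                         "STARTTLS; set smtpd_tls_auth_only = yes"))
    rcpt = _words(params.get("smtpd_recipient_restrictions", ""))
    if "check_relay_domains" in rcpt:
        findings.append(("check_relay_domains", "obsolete; use reject_unauth_destination"))
    if "smtpd_use_tls" in params:
        findings.append(("obsolete-smtpd_use_tls", "superseded by smtpd_tls_security_level"))
    if "smtp_tls_note_starttls_offer" in params:
        findings.append(("client-param", "smtp_tls_note_starttls_offer is an smtp (client) "
                         "setting; it does not make smtpd announce STARTTLS"))
    return findings

def audit_text(text):
    return audit_sasl(parse_main_cf(text))

if __name__ == "__main__":
    for name, cf in (("page", PAGE_CF), ("legacy", LEGACY_CF), ("hardened", HARDENED_CF)):
        print(name, [code for code, _ in audit_text(cf)])
```

Running it on a live system is a matter of `audit_text(open("/etc/postfix/main.cf").read())`; the script only reads the file, so it can run as an unprivileged user. It deliberately does not expand $variables or consult master.cf, so a submission listener that overrides smtpd_tls_auth_only with -o options must be checked by hand.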
Check the Relay
$ telnet mail.example.tst 25
ehlo mail.example.tst
250-mail.example.tst
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
Check for SMTP AUTH support (HOWTO section 12.3)
Now that we have enabled SASL authentication in the configuration we need to verify that Postfix actually offers the new feature. We check from a remote host and telnet to the Postfix server.
S: 220 mail.example.com ESMTP Postfix
C: EHLO example.com
S: 250-mail.example.com
S: 250-PIPELINING
S: 250-SIZE 10240000
S: 250-VRFY
S: 250-ETRN
S: 250-AUTH PLAIN LOGIN DIGEST-MD5 CRAM-MD5 GSSAPI
S: 250-AUTH=PLAIN LOGIN DIGEST-MD5 CRAM-MD5 GSSAPI
S: 250-XVERP
S: 250 8BITMIME
C: quit
S: 221 Bye
Notice the two new lines?
250-AUTH PLAIN LOGIN DIGEST-MD5 CRAM-MD5 GSSAPI
250-AUTH=PLAIN LOGIN DIGEST-MD5 CRAM-MD5 GSSAPI
These are the lines Postfix issues when it offers SMTP AUTH, and they tell us two things.
12.3.1. Fallback feature
First, remember the insecure fallback problem: PLAIN LOGIN DIGEST-MD5 CRAM-MD5 GSSAPI is the list of mechanisms a mail client may choose from (the server does not dictate the order; a client normally picks the strongest mechanism it supports). If SASL advertised ANONYMOUS in that list, any client could "authenticate" without credentials, permit_sasl_authenticated would match, and the server would be an open relay for every spammer who knew about it. That is exactly what smtpd_sasl_security_options = noanonymous prevents.
12.3.2. Broken clients
Did you notice that the two lines differ only in an extra = between AUTH and PLAIN? The AUTH=PLAIN form is the one that broken clients (Outlook Express 4 and Exchange 5.0 are the classic examples) need in order to recognise that they may use SMTP AUTH; broken_sasl_auth_clients = yes makes Postfix emit it.
Note: if you don't see all the mechanisms listed in this HOWTO it means that not all SASL mechanisms were installed or compiled. Make sure you have at least PLAIN and LOGIN, since the rest of the HOWTO needs them (with the Dovecot setup above, exactly those two are offered).
12.4. Check if SMTP AUTH works
Before we configure a mail client to relay mail using SMTP AUTH we do one last check. If we pass it we know we're done with the server-side SMTP AUTH configuration. In this step we telnet to the server and pass our username and password just to see whether authentication succeeds.
Since we use PLAIN as the mechanism we have to pass our credentials in plaintext; they are merely Base64 encoded on the wire, which is encoding, not encryption. Run this test on the server itself or from a trusted network rather than across the Internet, or use a client that does STARTTLS first. The encoding can easily be done on our server. The basic command looks like this:
[root@example.com]# printf 'username\0username\0password' | mmencode
If you'd rather use Perl, it looks like this:
[root@example.com]# perl -MMIME::Base64 -e 'print encode_base64("username\0username\0password");'
Note: \0 appears twice, separating the three fields (authorization identity, authentication identity, password). Make sure you don't forget either of them.
In our HOWTO we replace username and password with test and testpass. When we enter the command we get this:
[root@base readme]# printf 'test\0test\0testpass' | mmencode
dGVzdAB0ZXN0AHRlc3RwYXNz
So dGVzdAB0ZXN0AHRlc3RwYXNz is our Base64 encoded string containing the username and password. Let's check whether it works. We start as usual and initiate the SMTP AUTH session by telling Postfix that we want to AUTH, naming PLAIN as the mechanism and passing the encoded credentials as the initial response on the same line.
S: 220 mail.example.com ESMTP Postfix (1.1.7)
C: EHLO example.com
S: 250-mail.example.com
S: 250-PIPELINING
S: 250-SIZE 10240000
S: 250-VRFY
S: 250-ETRN
S: 250-AUTH DIGEST-MD5 CRAM-MD5 GSSAPI PLAIN LOGIN
S: 250-AUTH=DIGEST-MD5 CRAM-MD5 GSSAPI PLAIN LOGIN
S: 250-XVERP
S: 250 8BITMIME
C: AUTH PLAIN dGVzdAB0ZXN0AHRlc3RwYXNz
S: 235 Authentication successful
C: QUIT
S: 221 Bye
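The two checks above (reading the EHLO advertisement, then building and sending the AUTH PLAIN token) are worth automating, not least because mmencode comes from the old metamail package and is often absent on current systems. The script below is an added example, not part of the HOWTO and not Postfix or Dovecot code. It builds and decodes the RFC 4616 PLAIN token with its two NUL separators, parses EHLO replies in both the standard AUTH and the legacy AUTH= form, warns about the two failure modes discussed above (ANONYMOUS advertised, PLAIN/LOGIN offered before STARTTLS), and performs the live test through STARTTLS with Python's standard smtplib. The sample EHLO lines are copied from this page; the host and port for the live check are assumptions the caller supplies.

```python
"""Added example (not from the HOWTO, not Postfix code): build and check the
AUTH PLAIN token, read what EHLO advertises, and run the live test over
STARTTLS instead of cleartext telnet. The sample EHLO transcripts are
copied from this page; the hostname in the live check is an assumption."""
import base64
import smtplib
import ssl

def auth_plain_token(username, password, authzid=None):
    """RFC 4616 PLAIN: authzid NUL authcid NUL passwd, then base64.
    The HOWTO repeats the username as authzid; authzid=None does the same."""
    authzid = username if authzid is None else authzid
    raw = b"\0".join(s.encode("utf-8") for s in (authzid, username, password))
    return base64.b64encode(raw).decode("ascii")

def decode_auth_plain_token(token):
    """Inverse of auth_plain_token; fails if the two NULs are not there."""
    parts = base64.b64decode(token, validate=True).split(b"\0")
    if len(parts) != 3:
        raise ValueError("PLAIN needs exactly two NUL separators, got %d" % (len(parts) - 1))
    return tuple(p.decode("utf-8") for p in parts)

def parse_ehlo(lines):
    """Collect STARTTLS and the AUTH mechanisms from EHLO reply lines. Accepts
    the 'S: ' transcript prefix and both 'AUTH x' and the legacy 'AUTH=x' form
    that broken_sasl_auth_clients = yes adds."""
    mechs, starttls = [], False
    for line in lines:
        line = line.strip()
        if line.startswith("S:"):
            line = line[2:].strip()
        if not line.startswith("250"):
            continue
        body = line[4:].strip()              # after '250-' or '250 '
        if body.upper() == "STARTTLS":
            starttls = True
        elif body.upper().startswith(("AUTH ", "AUTH=")):
            for m in body[5:].split():
                if m.upper() not in mechs:
                    mechs.append(m.upper())
    return {"starttls": starttls, "mechanisms": mechs}

def assess_ehlo(ehlo, tls_active=False):
    """Warnings to act on before sending credentials to this server."""
    warnings = []
    if "ANONYMOUS" in ehlo["mechanisms"]:
        warnings.append("ANONYMOUS offered: anyone passes permit_sasl_authenticated; "
                        "set smtpd_sasl_security_options = noanonymous")
    if not tls_active and {"PLAIN", "LOGIN"} & set(ehlo["mechanisms"]):
        warnings.append("PLAIN/LOGIN offered before STARTTLS: base64 is not encryption; "
                        "set smtpd_tls_auth_only = yes")
    return warnings

def check_smtp_auth(host, username, password, port=587, timeout=10):
    """The telnet test from the HOWTO, done over TLS: EHLO, STARTTLS, EHLO,
    AUTH PLAIN with an initial response. Returns (ok, detail). Needs a real
    server; host and port are assumptions supplied by whoever runs this."""
    with smtplib.SMTP(host, port, timeout=timeout) as s:
        s.ehlo()
        if not s.has_extn("starttls"):
            return False, "no STARTTLS offered; refusing to send PLAIN in the clear"
        s.starttls(context=ssl.create_default_context())
        s.ehlo()                             # the feature list may change after TLS
        mechs = s.esmtp_features.get("auth", "").split()
        if "PLAIN" not in mechs:
            return False, "PLAIN not offered after STARTTLS: %r" % mechs
        s.user, s.password = username, password
        try:
            code, msg = s.auth("PLAIN", s.auth_plain)
        except smtplib.SMTPAuthenticationError as e:
            return False, "%s %r" % (e.smtp_code, e.smtp_error)
        return code == 235, "%s %s" % (code, msg.decode("ascii", "replace"))

# EHLO replies as shown on this page: the Dovecot setup (with STARTTLS) and
# the HOWTO transcript (five mechanisms, no STARTTLS).
EHLO_DOVECOT = ["250-mail.example.tst", "250-PIPELINING", "250-STARTTLS",
                "250-AUTH PLAIN LOGIN", "250-AUTH=PLAIN LOGIN", "250 DSN"]
EHLO_HOWTO = ["S: 250-mail.example.com", "S: 250-VRFY",
              "S: 250-AUTH PLAIN LOGIN DIGEST-MD5 CRAM-MD5 GSSAPI",
              "S: 250-AUTH=PLAIN LOGIN DIGEST-MD5 CRAM-MD5 GSSAPI", "S: 250 8BITMIME"]

if __name__ == "__main__":
    print(auth_plain_token("test", "testpass"))          # dGVzdAB0ZXN0AHRlc3RwYXNz
    for reply in (EHLO_DOVECOT, EHLO_HOWTO):
        parsed = parse_ehlo(reply)
        print(parsed, assess_ehlo(parsed))
```

check_smtp_auth("mail.example.tst", "test", "testpass") reproduces the HOWTO's session but only sends the token after STARTTLS, and refuses outright when the server does not offer it; with the page's smtpd_tls_auth_only = no it still succeeds, and after switching that to yes the plaintext telnet test stops working while this one keeps passing, which is the behaviour you want.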
References
- http://postfix.state-of-mind.de/patrick.koetter/smtpauth/smtp_auth_mailclients.html
- http://xmodulo.com/enable-user-authentication-postfix-smtp-server-sasl.html