Difference between revisions of "Postfix: Authentikasi SMTP untuk Client"

From OnnoWiki
Jump to navigation Jump to search
 
(6 intermediate revisions by the same user not shown)
Line 2: Line 2:
  
  
 +
==Siapkan Dovecot==
  
How to enable user authentication for a Postfix SMTP server with SASL
+
Edit agar dovecot siap digunakan sebagai auth server untuk postfix
Last updated on January 28, 2014 Authored by Sarmed Rahman 4 Comments
 
  
Every mail server administrator dreads his or her server becoming compromised by spammers. A lot of effort, time and even money is spent on securing mail servers and making sure that the servers do not become open relay.
+
vim /etc/dovecot/conf.d/10-master.conf
  
To combat against spambots in an SMTP server, Postfix in general uses the mynetworks parameter to specify the trusted sender network i.e., LAN. In a typical scenario, the users stationed in the internal LAN are legitimate users, and Postfix will happily accept SMTP requests from them, and forward the emails towards destination. Although this used to be the standard practice in the past, today's users want mobility. Everyone wants to be able to send/receive emails in their phones/tablets/laptops at work, home, on the go, or even from their favorite coffee shop around the corner. For people who are in the fields for critical services, a simple email alert could save a lot of time, effort and money.
+
Pastikan
  
To cope up with the mobility need, Postfix started to support another method of validating users. Simple Authentication and Security Layer (SASL) is a framework that can be used by many connection-oriented Internet protocols for securing data, servers and users. With SASL enabled, Postfix will not accept any incoming SMTP connections without proper authentication. As smart spammer can imitate a legitimate email account, no SMTP from even internal users are accepted without authentication.
+
## The listener is added under the service auth section ##
 +
service auth {
 +
unix_listener /var/spool/postfix/private/auth {
 +
mode = 0660
 +
        user = postfix
 +
        group = postfix
 +
  } ##end listener
 +
} ## end service auth
  
This tutorial will focus on setting up a Postfix SMTP server to use Dovecot SASL for user authentication. As Dovecot provides mechanisms for user authentication, Postfix will simply ask Dovecot to do the work for it. That way, there is no need to re-invent the wheel.
+
Definisi diatas akan membuka socket /var/spool/postfix/private/auth dengan permission 0660 untuk Postfix.
Prerequisites
 
  
    A working mail server running on postfix and dovecot2
+
vim /etc/dovecot/conf.d/10-auth.conf
    SSL/TLS support for the mail server3
 
  
Preparing Dovecot
+
auth_mechanisms = plain login
  
Backing up configuration files prior to modification is always a good idea.
+
plain authetication mechanism untuk Postfix
  
Since Dovecot will be the one doing most of the work, we will start configuration with Dovecot.
+
restart Dovecot
  
First of all, a listener is added to Dovecot. Postfix will use this listener to communicate with Dovecot.
+
service dovecot restart
root@mail:~# vim /etc/dovecot/conf.d/10-master.conf
 
  
## The listener is added under the service auth section ##
 
service auth {
 
unix_listener /var/spool/postfix/private/auth {
 
mode = 0660
 
        user = postfix
 
        group = postfix
 
  } ##end listener
 
} ## end service auth
 
  
The above definition places the socket to be used by Postfix at /var/spool/postfix/private/auth with permission 0660 for Postfix only.
 
root@mail:~# vim /etc/dovecot/conf.d/10-auth.conf
 
  
auth_mechanisms = plain login
+
==Generate Certificate==
  
The above parameter provides the plain login authentication mechanisms for Postfix.
+
Buat certificate untuk SSL
  
Finally, for the changes to take effect, we restart the Dovecot service as follows.
+
mkdir /etc/postfix/ssl
root@mail:~# service dovecot restart
+
cd /etc/postfix/ssl/
 +
openssl req -new -nodes -keyout onnocenter.id.key -out onnocenter.id.csr
  
Preparing Postfix
+
akan keluar
  
Necessary SST/TLS and SASL parameters are added in the configuration file main.cf.
+
Generating a 2048 bit RSA private key
root@mail:~# vim /etc/postfix/main.cf
+
......................+++
 +
..................+++
 +
writing new private key to 'onnocenter.id.key'
 +
-----
 +
You are about to be asked to enter information that will be incorporated
 +
into your certificate request.
 +
What you are about to enter is what is called a Distinguished Name or a DN.
 +
There are quite a few fields but you can leave some blank
 +
For some fields there will be a default value,
 +
If you enter '.', the field will be left blank.
 +
-----
 +
Country Name (2 letter code) [AU]:ID
 +
State or Province Name (full name) [Some-State]:DKI   
 +
Locality Name (eg, city) []:Jakarta
 +
Organization Name (eg, company) [Internet Widgits Pty Ltd]:OnnoCenter
 +
Organizational Unit Name (eg, section) []:IT
 +
Common Name (e.g. server FQDN or YOUR name) []:onnocenter.id
 +
Email Address []:onno@onnocenter.id
 +
 +
Please enter the following 'extra' attributes
 +
to be sent with your certificate request
 +
A challenge password []:password
 +
An optional company name []:OnnoCenter
  
#### SASL ####
+
==Preparing Postfix==
## specify SASL type ##
 
smtpd_sasl_type = dovecot
 
  
## path to the SASL socket relative to postfix spool directory i.e. /var/spool/postfix ##
+
Masukan parameter SASL ke config file
smtpd_sasl_path = private/auth
 
  
## postfix appends the domain name for SASL logins that do not have the domain part ##
+
vim /etc/postfix/main.cf
smtpd_sasl_local_domain = example.tst
 
  
## SASL default policy ##
+
#### SASL ####
smtpd_sasl_security_options = noanonymous
+
## specify SASL type ##
 +
smtpd_sasl_type = dovecot
  
## for legacy application compatibility ##
+
## path to the SASL socket relative to postfix spool directory i.e. /var/spool/postfix ##
broken_sasl_auth_clients = yes
+
smtpd_sasl_path = private/auth
 
+
## enable SMTP auth ##
+
## postfix appends the domain name for SASL logins that do not have the domain part ##
smtpd_sasl_auth_enable = yes
+
smtpd_sasl_local_domain = $myhostname
 
+
## smtp checks ##
+
## SASL default policy ##
## these checks are based on first match, so sequence is important ##
+
smtpd_sasl_security_options = noanonymous
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
+
 +
## for legacy application compatibility ##
 +
broken_sasl_auth_clients = yes
 +
 +
## enable SMTP auth ##
 +
smtpd_sasl_auth_enable = yes
 +
 +
## smtp checks ##
 +
## these checks are based on first match, so sequence is important ##
 +
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
  
 +
Ringkas-nya
  
 +
smtpd_sasl_type = dovecot
 +
smtpd_sasl_path = private/auth
 
  smtpd_sasl_auth_enable = yes
 
  smtpd_sasl_auth_enable = yes
 
  smtpd_sasl_security_options = noanonymous
 
  smtpd_sasl_security_options = noanonymous
Line 86: Line 112:
  
  
The official guideline can be consulted for more details on available parameters and their function.
 
 
SSL/TLS specific parameters are added to the server as well.
 
root@mail:~# vim /etc/postfix/main.cf
 
  
#### SSL/TLS parameters ####
+
Masukan SSL/TLS parameter ke config file
  
## 'encrypt' will enforce SSL. Not recommended for live servers ##
+
vim /etc/postfix/main.cf
smtpd_tls_security_level = may
 
#smtpd_tls_security_level = encrypt
 
  
smtpd_tls_received_header = yes  
+
#### SSL/TLS parameters ####
smtpd_tls_auth_only = no  
+
 +
## 'encrypt' will enforce SSL. Not recommended for live servers ##
 +
smtpd_tls_security_level = may
 +
#smtpd_tls_security_level = encrypt
 +
 +
smtpd_tls_received_header = yes  
 +
smtpd_tls_auth_only = no  
 +
 +
## loglevel 3 or 4 can be used during troubleshooting ##
 +
smtpd_tls_loglevel = 1
 +
 +
## path to certificate and key file ##
 +
smtpd_tls_key_file = /etc/postfix/ssl/onnocenter.id.key
 +
smtpd_tls_cert_file = /etc/postfix/ssl/onnocenter.id.crt
 +
smtpd_use_tls=yes
 +
 +
## server will announce STARTTLS ##
 +
smtp_tls_note_starttls_offer = yes
 +
 +
smtpd_tls_session_cache_timeout = 3600s
 +
tls_random_source = dev:/dev/urandom
  
## loglevel 3 or 4 can be used during troubleshooting ##
 
smtpd_tls_loglevel = 1
 
  
## path to certificate and key file ##
 
smtpd_tls_cert_file = /etc/ssl/certs/postfixcert.pem
 
smtpd_tls_key_file = /etc/ssl/private/postfixkey.pem
 
smtpd_use_tls=yes
 
  
## server will announce STARTTLS ##
+
Ringkas-nya
smtp_tls_note_starttls_offer = yes
 
  
smtpd_tls_session_cache_timeout = 3600s
 
  
Now Postfix is reloaded with updated settings.
+
smtpd_tls_security_level = encrypt
root@mail:~# service postfix restart
+
smtpd_tls_received_header = yes
 +
smtpd_tls_auth_only = yes
 +
smtpd_tls_loglevel = 1
 +
smtpd_tls_key_file = /etc/postfix/ssl/onnocenter.id.key
 +
smtpd_tls_cert_file = /etc/postfix/ssl/onnocenter.id.crt
 +
smtpd_use_tls=yes
 +
smtp_tls_note_starttls_offer = yes
 +
smtpd_tls_session_cache_timeout = 3600s
 +
tls_random_source = dev:/dev/urandom
  
At this point, Postfix will not allow SMTP connections without authentication.
+
==Restart Postfix==
Mail User Agent Configuration
 
  
Your mail client is configured with mandatory authentication for SMTP as shown below.
+
service postfix restart
  
Troubleshooting
 
  
If SASL is not working correctly, the following troubleshooting may help.
+
==Cek Relay==
Enabling Verbose Postfix Logs
 
  
To increase the level of output in Postfix log, the "-v" parameter can be added in the following file.
+
$ telnet mail.example.tst 25
root@mail:/etc/postfix# vim /etc/postfix/master.cf
 
  
smtp      inet n      -       -       -       -       smtpd -v
+
  ehlo  mail.example.tst
 +
250- mail.example.tst
 +
250-PIPELINING
 +
250-SIZE 10240000
 +
250-VRFY
 +
250-ETRN
 +
250-STARTTLS
 +
250-AUTH PLAIN LOGIN
 +
250-AUTH=PLAIN LOGIN
 +
250-ENHANCEDSTATUSCODES
 +
250-8BITMIME
 +
250 DSN
  
Now there should be more verbose information the log file at /var/log/mail.log, which can help with the troubleshooting process.
 
Telnet to port 25
 
  
telnet connection to port 25 should be successful.
 
$ telnet mail.example.tst 25
 
  
ehlo  mail.example.tst
+
==Cek SMTP AUTH Support==
250- mail.example.tst
 
250-PIPELINING
 
250-SIZE 10240000
 
250-VRFY
 
250-ETRN
 
250-STARTTLS
 
250-AUTH PLAIN LOGIN
 
250-AUTH=PLAIN LOGIN
 
250-ENHANCEDSTATUSCODES
 
250-8BITMIME
 
250 DSN
 
  
Amongst other features that the SMTP server advertises, the STARTTLS and AUTH features should be available.
+
Lakukan
  
Sending mails using telnet should fail, and no authentication information should be sent to the server.
+
telnet onnocenter.id 25
$ telnet mail.example.tst 25
 
  
ehlo  mail.example.tst
+
Harusnya keluar
mail from:sarmed@example.tst
 
250 2.1.0 Ok
 
rcpt to:sarmed@example.tst
 
554 5.7.1 : Relay access denied
 
  
Tuning parameter – mynetworks
+
Connected to onnocenter.id.
 
+
Escape character is '^]'.
Earlier in the tutorial, the Postfix server was configured to allow SMTP connections originated in the trusted network i.e., mynetworks, as shown in /etc/postfix/main.cf.
+
220 onnocenter.id ESMTP
 
+
ehlo onnocenter.id
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
+
250-onnocenter.id
 
+
250-PIPELINING
To make sure that mails originating from mynetworks do not pass through unauthenticated, /etc/postfix/main.cf can be modified as follows.
+
250-SIZE 10240000
 
+
250-VRFY
smtpd_recipient_restrictions = permit_sasl_authenticated, reject_unauth_destination
+
250-ETRN
 
+
250-STARTTLS
Based on the requirements, permit_mynetworks can be allowed or denied later on.
+
250-AUTH PLAIN LOGIN
 
+
250-AUTH=PLAIN LOGIN
To sum up, SASL can provide additional security to a mail server by enforcing mandatory authentication to users for SMTP requests. As users may use a mail server from anywhere, SASL can meet with the security requirements that do not conflict with the mobility of users.
+
250-ENHANCEDSTATUSCODES
 
+
250-8BITMIME
Hope this helps.
+
250 DSN
  
 +
Buat password
  
 +
printf 'username\0username\0password' | mmencode
  
 +
atau
  
 +
perl -MMIME::Base64 -e 'print encode_base64("username\0username\0password");'
  
 +
Lakukan seperti
  
 +
printf 'test\0test\0testpass' | mmencode
 +
dGVzdAB0ZXN0AHRlc3RwYXNz
  
 +
Maka dGVzdAB0ZXN0AHRlc3RwYXNz adalah Base64 encoded string yang berisi username dan password.
  
 +
Test authentication
  
 +
Connected to localhost.
 +
Escape character is '^]'.
 +
220 onnocenter.id ESMTP
 +
ehlo onnocenter.id
 +
250-onnocenter.id
 +
250-PIPELINING
 +
250-SIZE 10240000
 +
250-VRFY
 +
250-ETRN
 +
250-STARTTLS
 +
250-AUTH PLAIN LOGIN
 +
250-AUTH=PLAIN LOGIN
 +
250-ENHANCEDSTATUSCODES
 +
250-8BITMIME
 +
250 DSN
 +
AUTH PLAIN dGVzdAB0ZXN0AHRlc3RwYXNz
 +
235 2.7.0 Authentication successful
 +
quit
 +
221 2.0.0 Bye
  
 
==Referensi==
 
==Referensi==
Line 190: Line 245:
 
* http://postfix.state-of-mind.de/patrick.koetter/smtpauth/smtp_auth_mailclients.html
 
* http://postfix.state-of-mind.de/patrick.koetter/smtpauth/smtp_auth_mailclients.html
 
* http://xmodulo.com/enable-user-authentication-postfix-smtp-server-sasl.html
 
* http://xmodulo.com/enable-user-authentication-postfix-smtp-server-sasl.html
 +
* http://postfix.state-of-mind.de/patrick.koetter/smtpauth/smtp_auth_mailclients.html
 
* http://postfix.state-of-mind.de/patrick.koetter/smtpauth/smtp_auth_mailclients.html
 
* http://postfix.state-of-mind.de/patrick.koetter/smtpauth/smtp_auth_mailclients.html

Latest revision as of 06:18, 8 May 2015

Sumber: http://postfix.state-of-mind.de/patrick.koetter/smtpauth/smtp_auth_mailclients.html


Siapkan Dovecot

Edit agar dovecot siap digunakan sebagai auth server untuk postfix

vim /etc/dovecot/conf.d/10-master.conf

Pastikan

## The listener is added under the service auth section ##
service auth { 
	unix_listener /var/spool/postfix/private/auth {
		mode = 0660
        	user = postfix
        	group = postfix
  	} ##end listener
} ## end service auth

Definisi diatas akan membuka socket /var/spool/postfix/private/auth dengan permission 0660 untuk Postfix.

vim /etc/dovecot/conf.d/10-auth.conf
auth_mechanisms = plain login

plain authetication mechanism untuk Postfix

restart Dovecot

service dovecot restart


Generate Certificate

Buat certificate untuk SSL

mkdir /etc/postfix/ssl
cd /etc/postfix/ssl/
openssl req -new -nodes -keyout onnocenter.id.key -out onnocenter.id.csr

akan keluar

Generating a 2048 bit RSA private key
......................+++
..................+++
writing new private key to 'onnocenter.id.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:ID
State or Province Name (full name) [Some-State]:DKI     
Locality Name (eg, city) []:Jakarta
Organization Name (eg, company) [Internet Widgits Pty Ltd]:OnnoCenter
Organizational Unit Name (eg, section) []:IT
Common Name (e.g. server FQDN or YOUR name) []:onnocenter.id
Email Address []:onno@onnocenter.id 

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:password
An optional company name []:OnnoCenter

Preparing Postfix

Masukan parameter SASL ke config file

vim /etc/postfix/main.cf
#### SASL ####
## specify SASL type ##
smtpd_sasl_type = dovecot
## path to the SASL socket relative to postfix spool directory i.e. /var/spool/postfix ##
smtpd_sasl_path = private/auth

## postfix appends the domain name for SASL logins that do not have the domain part ##
smtpd_sasl_local_domain = $myhostname

## SASL default policy ##
smtpd_sasl_security_options = noanonymous

## for legacy application compatibility ##
broken_sasl_auth_clients = yes

## enable SMTP auth ##
smtpd_sasl_auth_enable = yes

## smtp checks ##
## these checks are based on first match, so sequence is important ##
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination

Ringkas-nya

smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
broken_sasl_auth_clients = yes
... 
smtpd_recipient_restrictions = 
   permit_sasl_authenticated, 
   permit_mynetworks, 
   check_relay_domains


Masukan SSL/TLS parameter ke config file

vim /etc/postfix/main.cf
#### SSL/TLS parameters ####

## 'encrypt' will enforce SSL. Not recommended for live servers ##
smtpd_tls_security_level = may 
#smtpd_tls_security_level = encrypt 

smtpd_tls_received_header = yes 
smtpd_tls_auth_only = no 

## loglevel 3 or 4 can be used during troubleshooting ##
smtpd_tls_loglevel = 1 

## path to certificate and key file ##
smtpd_tls_key_file = /etc/postfix/ssl/onnocenter.id.key
smtpd_tls_cert_file = /etc/postfix/ssl/onnocenter.id.crt
smtpd_use_tls=yes 

## server will announce STARTTLS ##
smtp_tls_note_starttls_offer = yes 

smtpd_tls_session_cache_timeout = 3600s 
tls_random_source = dev:/dev/urandom


Ringkas-nya


smtpd_tls_security_level = encrypt 
smtpd_tls_received_header = yes 
smtpd_tls_auth_only = yes
smtpd_tls_loglevel = 1 
smtpd_tls_key_file = /etc/postfix/ssl/onnocenter.id.key
smtpd_tls_cert_file = /etc/postfix/ssl/onnocenter.id.crt
smtpd_use_tls=yes 
smtp_tls_note_starttls_offer = yes
smtpd_tls_session_cache_timeout = 3600s 
tls_random_source = dev:/dev/urandom

Restart Postfix

service postfix restart


Cek Relay

$ telnet mail.example.tst 25
ehlo  mail.example.tst
250- mail.example.tst
250-PIPELINING 
250-SIZE 10240000 
250-VRFY 
250-ETRN 
250-STARTTLS 
250-AUTH PLAIN LOGIN 
250-AUTH=PLAIN LOGIN 
250-ENHANCEDSTATUSCODES 
250-8BITMIME 
250 DSN 


Cek SMTP AUTH Support

Lakukan

telnet onnocenter.id 25

Harusnya keluar

Connected to onnocenter.id.
Escape character is '^]'.
220 onnocenter.id ESMTP
ehlo onnocenter.id
250-onnocenter.id
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

Buat password

printf 'username\0username\0password' | mmencode

atau

perl -MMIME::Base64 -e 'print encode_base64("username\0username\0password");'

Lakukan seperti

printf 'test\0test\0testpass' | mmencode
dGVzdAB0ZXN0AHRlc3RwYXNz

Maka dGVzdAB0ZXN0AHRlc3RwYXNz adalah Base64 encoded string yang berisi username dan password.

Test authentication

Connected to localhost.
Escape character is '^]'.
220 onnocenter.id ESMTP
ehlo onnocenter.id
250-onnocenter.id
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
AUTH PLAIN dGVzdAB0ZXN0AHRlc3RwYXNz
235 2.7.0 Authentication successful
quit
221 2.0.0 Bye

Referensi