Postfix: SMTP Authentication for Clients
Latest revision as of 06:18, 8 May 2015

Source: http://postfix.state-of-mind.de/patrick.koetter/smtpauth/smtp_auth_mailclients.html


Prepare Dovecot

Edit the Dovecot configuration so that Dovecot can serve as the authentication (SASL) server for Postfix:

vim /etc/dovecot/conf.d/10-master.conf

Make sure the auth service contains this listener:

## The listener is added under the service auth section ##
service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    user = postfix
    group = postfix
  } ## end listener
} ## end service auth

This definition opens the socket /var/spool/postfix/private/auth with permission 0660, owned by the postfix user and group, so that only Postfix (and root) can use it. The socket lives inside the Postfix queue directory because a chrooted smtpd can then still reach it by the relative path private/auth.

vim /etc/dovecot/conf.d/10-auth.conf
auth_mechanisms = plain login

This enables the PLAIN and LOGIN authentication mechanisms for Postfix. Both hand the actual password to the server (Base64-encoded, not encrypted), so they are only safe once the SMTP session has been wrapped in TLS; the Postfix TLS settings below take care of that.

Restart Dovecot:

service dovecot restart


Generate Certificate

Create a private key and a certificate signing request (CSR) for the TLS certificate:

mkdir /etc/postfix/ssl
cd /etc/postfix/ssl/
openssl req -new -nodes -keyout onnocenter.id.key -out onnocenter.id.csr

The output will be:

Generating a 2048 bit RSA private key
......................+++
..................+++
writing new private key to 'onnocenter.id.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:ID
State or Province Name (full name) [Some-State]:DKI
Locality Name (eg, city) []:Jakarta
Organization Name (eg, company) [Internet Widgits Pty Ltd]:OnnoCenter
Organizational Unit Name (eg, section) []:IT
Common Name (e.g. server FQDN or YOUR name) []:onnocenter.id
Email Address []:onno@onnocenter.id

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:password
An optional company name []:OnnoCenter

A few points about this step. -nodes writes the private key unencrypted so that Postfix can load it at startup without a passphrase; anyone who can read the file can impersonate the server, so keep it owned by root with mode 0600. The Common Name must be the host name that mail clients connect to (here onnocenter.id), otherwise clients will warn about a certificate mismatch. The "challenge password" is an attribute of the CSR, not a passphrase on the key; it serves no purpose here and can be left blank. Finally, this command produces only a CSR: the certificate file /etc/postfix/ssl/onnocenter.id.crt that the Postfix configuration below refers to still has to be created by having a CA sign the CSR, or by self-signing it for a test installation, before Postfix is restarted.

Preparing Postfix

Add the SASL parameters to the Postfix configuration file:

vim /etc/postfix/main.cf
#### SASL ####
## specify SASL type ##
smtpd_sasl_type = dovecot
## path to the SASL socket relative to the postfix queue directory, i.e. /var/spool/postfix ##
smtpd_sasl_path = private/auth

## postfix appends this domain to SASL login names that do not have a domain part ##
smtpd_sasl_local_domain = $myhostname

## SASL default policy: never offer the ANONYMOUS mechanism ##
smtpd_sasl_security_options = noanonymous

## for legacy client compatibility: also announce the non-standard "AUTH=" form ##
broken_sasl_auth_clients = yes

## enable SMTP auth ##
smtpd_sasl_auth_enable = yes

## smtp checks ##
## these checks are evaluated in order and stop at the first match, so the sequence is important ##
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination

In short:

smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
broken_sasl_auth_clients = yes
...
smtpd_recipient_restrictions =
   permit_sasl_authenticated,
   permit_mynetworks,
   check_relay_domains

noanonymous matters because the mechanism list is what a client chooses from: if ANONYMOUS were offered, anyone could "authenticate" without credentials and the server would be an open relay. The restriction list must end with a reject rule. permit_mynetworks and permit_sasl_authenticated let trusted networks and authenticated users relay, and reject_unauth_destination refuses relaying to everyone else. check_relay_domains in the short form is the old name for that rule and is deprecated in favour of reject_unauth_destination; use the first form.


Add the SSL/TLS parameters to the configuration file:

vim /etc/postfix/main.cf
#### SSL/TLS parameters ####

## 'may' offers STARTTLS but does not require it; 'encrypt' rejects every client that does not use STARTTLS ##
smtpd_tls_security_level = may
#smtpd_tls_security_level = encrypt

smtpd_tls_received_header = yes
## with 'no', AUTH is announced even on unencrypted sessions; see the note below ##
smtpd_tls_auth_only = no

## loglevel 3 or 4 can be used during troubleshooting ##
smtpd_tls_loglevel = 1

## path to certificate and key file ##
smtpd_tls_key_file = /etc/postfix/ssl/onnocenter.id.key
smtpd_tls_cert_file = /etc/postfix/ssl/onnocenter.id.crt
smtpd_use_tls=yes

## client side: log remote servers that offer STARTTLS when this server did not use it ##
smtp_tls_note_starttls_offer = yes

smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

In short:

smtpd_tls_security_level = encrypt
smtpd_tls_received_header = yes
smtpd_tls_auth_only = yes
smtpd_tls_loglevel = 1
smtpd_tls_key_file = /etc/postfix/ssl/onnocenter.id.key
smtpd_tls_cert_file = /etc/postfix/ssl/onnocenter.id.crt
smtpd_use_tls=yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

Which of the two variants to use depends on the port the settings apply to. The combination smtpd_tls_security_level = may with smtpd_tls_auth_only = no makes Postfix announce AUTH PLAIN LOGIN on an unencrypted connection, so a client that does not negotiate STARTTLS first sends its password across the network in a form anyone on the path can decode (Base64 is an encoding, not encryption). smtpd_tls_auth_only = yes closes that hole: AUTH is only announced after STARTTLS has completed. smtpd_tls_security_level = encrypt goes further and refuses every client that does not start TLS. That is the right setting for the submission service that mail clients use, but on port 25 of a public mail exchanger it also rejects other mail servers that cannot do TLS, which is why the first variant leaves it commented out. A common arrangement is therefore may plus smtpd_tls_auth_only = yes in main.cf for port 25, with encrypt overridden on the submission (port 587) service in master.cf. smtpd_use_tls is the older on/off switch and is superseded by smtpd_tls_security_level; keeping both is harmless. smtp_tls_note_starttls_offer (smtp, not smtpd) concerns outgoing mail only: it logs remote servers that offered STARTTLS when this server did not use it, and has no effect on what this server announces.
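The following is an added example written for this page; it is not the page's own code and not part of Postfix. It reads a main.cf the way postconf does for the common cases (key = value, continuation lines that begin with whitespace, # comment lines, one level of $variable expansion) and reports the settings discussed in the two sections above that let passwords cross the network in clear text or leave relaying open. The two configurations embedded in it are constructed: the first is the page's short form, the second a hardened variant. Function names and finding texts are this example's own.

```python
"""Audit a Postfix main.cf for the SMTP AUTH and TLS settings shown above.

Added example, not code from the original page or from Postfix. Both
configurations below are constructed for this example.
"""
import re

# Constructed: the first variant from the page. AUTH is announced on
# unencrypted sessions and the restriction list ends in the deprecated rule.
WEAK_MAIN_CF = """\
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
broken_sasl_auth_clients = yes
smtpd_tls_security_level = may
#smtpd_tls_security_level = encrypt
smtpd_tls_auth_only = no
smtpd_recipient_restrictions =
   permit_sasl_authenticated,
   permit_mynetworks,
   check_relay_domains
"""

# Constructed: hardened variant. AUTH only after STARTTLS, PLAIN/LOGIN only
# inside TLS (the *_tls_* options apply once TLS is up), explicit reject rule.
HARDENED_MAIN_CF = """\
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated,
   reject_unauth_destination
"""


def parse_main_cf(text):
    """Return {parameter: value} for a main.cf text."""
    params, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t" and current is not None:      # continuation line
            params[current] = (params[current] + " " + line.strip()).strip()
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        current = key.strip()
        params[current] = value.strip()
    for key, value in params.items():                      # $name / ${name}
        params[key] = re.sub(r"\$\{?(\w+)\}?",
                             lambda m: params.get(m.group(1), m.group(0)), value)
    return params


def split_list(value):
    """Postfix list values are separated by commas and/or whitespace."""
    return [item for item in re.split(r"[,\s]+", value) if item]


def audit(params):
    """Return a list of findings (an empty list means nothing to report)."""
    get = lambda key, default="": params.get(key, default).lower()
    findings = []
    if get("smtpd_sasl_auth_enable", "no") != "yes":
        return ["smtpd_sasl_auth_enable is not yes: SMTP AUTH is switched off"]
    if "noanonymous" not in split_list(get("smtpd_sasl_security_options",
                                           "noplaintext, noanonymous")):
        findings.append("smtpd_sasl_security_options lacks noanonymous: "
                        "the ANONYMOUS mechanism would be offered")
    level = get("smtpd_tls_security_level", "none")
    if level == "none":
        findings.append("smtpd_tls_security_level is none: no STARTTLS, "
                        "AUTH PLAIN/LOGIN passwords cross the network in clear text")
    elif level != "encrypt" and get("smtpd_tls_auth_only", "no") != "yes":
        findings.append("AUTH is announced on unencrypted sessions: set "
                        "smtpd_tls_auth_only = yes (or security_level = encrypt)")
    rules = split_list(get("smtpd_recipient_restrictions"))
    if "check_relay_domains" in rules:
        findings.append("check_relay_domains is deprecated: "
                        "use reject_unauth_destination")
    rejects = [i for i, r in enumerate(rules)
               if r in ("reject_unauth_destination", "defer_unauth_destination")]
    if not rejects and "check_relay_domains" not in rules:
        findings.append("no reject_unauth_destination in "
                        "smtpd_recipient_restrictions: relaying is open unless "
                        "smtpd_relay_restrictions (Postfix 2.10+) stops it")
    if rejects and "permit_sasl_authenticated" in rules \
            and rules.index("permit_sasl_authenticated") > rejects[0]:
        findings.append("reject_unauth_destination precedes "
                        "permit_sasl_authenticated: authenticated clients "
                        "cannot relay (restrictions stop at the first match)")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_MAIN_CF), ("hardened", HARDENED_MAIN_CF)):
        print(f"[{name}]")
        for finding in audit(parse_main_cf(text)) or ["no findings"]:
            print("  -", finding)
```

Run against a real file with parse_main_cf(open("/etc/postfix/main.cf").read()); the ordering check is the one that catches the mistake the page warns about, a reject rule placed before permit_sasl_authenticated, which silently breaks relaying for every authenticated client.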

Restart Postfix

service postfix restart


Check Relay

Connect to the server's SMTP port and send EHLO. The reply lists the ESMTP extensions the server offers; STARTTLS and the two AUTH lines should be among them:

$ telnet mail.example.tst 25
ehlo mail.example.tst
250-mail.example.tst
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN


Check SMTP AUTH Support

Run:

telnet onnocenter.id 25

The output should be:

Connected to onnocenter.id.
Escape character is '^]'.
220 onnocenter.id ESMTP
ehlo onnocenter.id
250-onnocenter.id
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

The two AUTH lines are what Postfix sends when SMTP AUTH is enabled. The first is the standard form (RFC 4954); the second, with an "=" sign, is the non-standard form that broken_sasl_auth_clients = yes adds for old clients. The mechanism list shows only PLAIN and LOGIN, matching auth_mechanisms in Dovecot. Note that this session is not encrypted and AUTH is already being offered; that is the effect of smtpd_tls_auth_only = no. With smtpd_tls_auth_only = yes these two lines only appear in the EHLO reply sent after STARTTLS.

Build the credential string

PLAIN sends the credentials as a single Base64-encoded string of the form authorization identity, NUL, username, NUL, password (the two \0 in the commands below); the authorization identity is normally the same as the username:

printf 'username\0username\0password' | mmencode

or

perl -MMIME::Base64 -e 'print encode_base64("username\0username\0password");'

mmencode comes from the metamail package; the base64 command from coreutils produces the same output. For example:

printf 'test\0test\0testpass' | mmencode
dGVzdAB0ZXN0AHRlc3RwYXNz

So dGVzdAB0ZXN0AHRlc3RwYXNz is the Base64-encoded string that contains the username and password.

Test authentication

Open a telnet session again, send EHLO, then AUTH PLAIN followed by the encoded string. A 235 reply means Dovecot accepted the credentials:

Connected to localhost.
Escape character is '^]'.
220 onnocenter.id ESMTP
ehlo onnocenter.id
250-onnocenter.id
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
AUTH PLAIN dGVzdAB0ZXN0AHRlc3RwYXNz
235 2.7.0 Authentication successful
quit
221 2.0.0 Bye

This test runs on localhost. When testing from another machine, do it inside a STARTTLS session, because the AUTH PLAIN line above carries the password and the only thing that protects it on the wire is TLS.
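The following is an added example written for this page, not the page's own code. It does in Python what the three telnet sessions above do by hand: build (and decode) the AUTH PLAIN string, parse an EHLO reply, and tell whether AUTH is announced before STARTTLS, which is the check that distinguishes smtpd_tls_auth_only = no from yes. The EHLO text embedded in it is a constructed copy of the reply quoted above; the live check at the bottom uses smtplib against a host and credentials you supply and is not run by the tests. Function names are this example's own.

```python
"""Check an SMTP server's AUTH advertisement and build AUTH PLAIN credentials.

Added example, not code from the original page. The EHLO reply below is a
constructed copy of the one shown in the telnet session on this page.
"""
import base64
import smtplib
import ssl

EHLO_REPLY_FROM_PAGE = """\
250-onnocenter.id
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
"""


def auth_plain_token(username, password, authzid=None):
    """Base64 of  authzid NUL authcid NUL password  (RFC 4616).

    Equivalent to the page's  printf 'test\\0test\\0testpass' | mmencode .
    Most clients send an empty authzid; Postfix/Dovecot accept both forms.
    """
    first = username if authzid is None else authzid
    raw = b"\0".join(s.encode("utf-8") for s in (first, username, password))
    return base64.b64encode(raw).decode("ascii")


def decode_auth_plain(token):
    """Recover (authzid, username, password) from an AUTH PLAIN string.

    Base64 hides nothing from anyone who can see an unencrypted session.
    """
    parts = base64.b64decode(token).split(b"\0")
    if len(parts) != 3:
        raise ValueError("AUTH PLAIN payload must contain exactly two NUL bytes")
    return tuple(p.decode("utf-8") for p in parts)


def parse_ehlo(reply_text):
    """Map each advertised ESMTP keyword to its parameter list.

    The non-standard 'AUTH=' line that broken_sasl_auth_clients = yes adds
    is folded into the AUTH entry.
    """
    caps = {}
    for line in reply_text.splitlines()[1:]:          # first line: hostname
        body = line[4:].strip()                       # drop '250-' / '250 '
        if not body:
            continue
        keyword, _, args = body.partition(" ")
        if keyword.upper().startswith("AUTH="):       # AUTH=PLAIN LOGIN
            args = (keyword[5:] + " " + args).strip()
            keyword = "AUTH"
        keyword = keyword.upper()
        entry = caps.setdefault(keyword, [])
        entry.extend(a for a in args.split() if a not in entry)
    return caps


def auth_offered_in_clear(reply_before_starttls):
    """True when AUTH is announced on a session that has not done STARTTLS,
    i.e. smtpd_tls_auth_only = no (or no TLS at all)."""
    return "AUTH" in parse_ehlo(reply_before_starttls)


def check_live_server(host, port=25, user=None, password=None, tls_context=None):
    """EHLO, note whether AUTH precedes STARTTLS, upgrade, then optionally log in.

    Network code, not exercised by the tests. Pass a context that trusts your
    own CA when the server uses a private or self-signed certificate.
    """
    with smtplib.SMTP(host, port, timeout=15) as smtp:
        smtp.ehlo()
        before = smtp.has_extn("auth")
        smtp.starttls(context=tls_context or ssl.create_default_context())
        smtp.ehlo()
        after = smtp.has_extn("auth")
        if user is not None:
            smtp.login(user, password)     # smtplib sends AUTH PLAIN/LOGIN
        return {"auth_before_starttls": before, "auth_after_starttls": after}


if __name__ == "__main__":
    print(auth_plain_token("test", "testpass"))       # dGVzdAB0ZXN0AHRlc3RwYXNz
    print(decode_auth_plain("dGVzdAB0ZXN0AHRlc3RwYXNz"))
    print(parse_ehlo(EHLO_REPLY_FROM_PAGE)["AUTH"])
    print("AUTH before STARTTLS:", auth_offered_in_clear(EHLO_REPLY_FROM_PAGE))
```

Against the server configured with the page's first variant, check_live_server returns auth_before_starttls True; after switching to smtpd_tls_auth_only = yes it should return False before and True after STARTTLS, which is the state to leave a production server in.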