Difference between revisions of "Postfix: Authentikasi SMTP untuk Client"
Latest revision as of 06:18, 8 May 2015
Source: http://postfix.state-of-mind.de/patrick.koetter/smtpauth/smtp_auth_mailclients.html
== Prepare Dovecot ==
Edit the configuration so that Dovecot can serve as the authentication server for Postfix:
 vim /etc/dovecot/conf.d/10-master.conf
Make sure it contains:
 ## The listener is added under the service auth section ##
 service auth {
   unix_listener /var/spool/postfix/private/auth {
     mode = 0660
     user = postfix
     group = postfix
   } ##end listener
 } ## end service auth
The definition above opens the socket /var/spool/postfix/private/auth with permission 0660 for Postfix.
 vim /etc/dovecot/conf.d/10-auth.conf
 auth_mechanisms = plain login
This enables the plain authentication mechanism for Postfix. Restart Dovecot:
 service dovecot restart
== Generate Certificate ==
Create a certificate for SSL:
 mkdir /etc/postfix/ssl
 cd /etc/postfix/ssl/
 openssl req -new -nodes -keyout onnocenter.id.key -out onnocenter.id.csr
The output will be:
 Generating a 2048 bit RSA private key
 ......................+++
 ..................+++
 writing new private key to 'onnocenter.id.key'
 -----
 You are about to be asked to enter information that will be incorporated
 into your certificate request.
 What you are about to enter is what is called a Distinguished Name or a DN.
 There are quite a few fields but you can leave some blank
 For some fields there will be a default value,
 If you enter '.', the field will be left blank.
 -----
 Country Name (2 letter code) [AU]:ID
 State or Province Name (full name) [Some-State]:DKI
 Locality Name (eg, city) []:Jakarta
 Organization Name (eg, company) [Internet Widgits Pty Ltd]:OnnoCenter
 Organizational Unit Name (eg, section) []:IT
 Common Name (e.g. server FQDN or YOUR name) []:onnocenter.id
 Email Address []:onno@onnocenter.id
 
 Please enter the following 'extra' attributes
 to be sent with your certificate request
 A challenge password []:password
 An optional company name []:OnnoCenter
This step produces the private key (onnocenter.id.key) and a certificate signing request (onnocenter.id.csr). The certificate file onnocenter.id.crt referenced in the Postfix configuration below is obtained by having the CSR signed, either by a CA or self-signed for testing.
== Preparing Postfix ==
Add the SASL parameters to the config file:
 vim /etc/postfix/main.cf
 #### SASL ####
 ## specify SASL type ##
 smtpd_sasl_type = dovecot
 
 ## path to the SASL socket relative to postfix spool directory i.e. /var/spool/postfix ##
 smtpd_sasl_path = private/auth
 
 ## postfix appends the domain name for SASL logins that do not have the domain part ##
 smtpd_sasl_local_domain = $myhostname
 
 ## SASL default policy ##
 smtpd_sasl_security_options = noanonymous
 
 ## for legacy application compatibility ##
 broken_sasl_auth_clients = yes
 
 ## enable SMTP auth ##
 smtpd_sasl_auth_enable = yes
 
 ## smtp checks ##
 ## these checks are based on first match, so sequence is important ##
 smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
In summary:
 smtpd_sasl_type = dovecot
 smtpd_sasl_path = private/auth
 smtpd_sasl_auth_enable = yes
 smtpd_sasl_security_options = noanonymous
 smtpd_sasl_local_domain = $myhostname
 broken_sasl_auth_clients = yes
 ...
 smtpd_recipient_restrictions =
     permit_sasl_authenticated,
     permit_mynetworks,
     check_relay_domains
Add the SSL/TLS parameters to the config file:
 vim /etc/postfix/main.cf
 #### SSL/TLS parameters ####
 ## 'encrypt' will enforce SSL. Not recommended for live servers ##
 smtpd_tls_security_level = may
 #smtpd_tls_security_level = encrypt
 
 smtpd_tls_received_header = yes
 smtpd_tls_auth_only = no
 
 ## loglevel 3 or 4 can be used during troubleshooting ##
 smtpd_tls_loglevel = 1
 
 ## path to certificate and key file ##
 smtpd_tls_key_file = /etc/postfix/ssl/onnocenter.id.key
 smtpd_tls_cert_file = /etc/postfix/ssl/onnocenter.id.crt
 smtpd_use_tls=yes
 
 ## server will announce STARTTLS ##
 smtp_tls_note_starttls_offer = yes
 
 smtpd_tls_session_cache_timeout = 3600s
 tls_random_source = dev:/dev/urandom
In summary:
 smtpd_tls_security_level = encrypt
 smtpd_tls_received_header = yes
 smtpd_tls_auth_only = yes
 smtpd_tls_loglevel = 1
 smtpd_tls_key_file = /etc/postfix/ssl/onnocenter.id.key
 smtpd_tls_cert_file = /etc/postfix/ssl/onnocenter.id.crt
 smtpd_use_tls=yes
 smtp_tls_note_starttls_offer = yes
 smtpd_tls_session_cache_timeout = 3600s
 tls_random_source = dev:/dev/urandom
== Restart Postfix ==
 service postfix restart
== Check Relay ==
 $ telnet mail.example.tst 25
 ehlo mail.example.tst
 250- mail.example.tst
 250-PIPELINING
 250-SIZE 10240000
 250-VRFY
 250-ETRN
 250-STARTTLS
 250-AUTH PLAIN LOGIN
 250-AUTH=PLAIN LOGIN
 250-ENHANCEDSTATUSCODES
 250-8BITMIME
 250 DSN
== Check SMTP AUTH Support ==
Run:
 telnet onnocenter.id 25
The output should be:
 Connected to onnocenter.id.
 Escape character is '^]'.
 220 onnocenter.id ESMTP
 ehlo onnocenter.id
 250-onnocenter.id
 250-PIPELINING
 250-SIZE 10240000
 250-VRFY
 250-ETRN
 250-STARTTLS
 250-AUTH PLAIN LOGIN
 250-AUTH=PLAIN LOGIN
 250-ENHANCEDSTATUSCODES
 250-8BITMIME
 250 DSN
Create the password string:
 printf 'username\0username\0password' | mmencode
or:
 perl -MMIME::Base64 -e 'print encode_base64("username\0username\0password");'
For example:
 printf 'test\0test\0testpass' | mmencode
 dGVzdAB0ZXN0AHRlc3RwYXNz
So dGVzdAB0ZXN0AHRlc3RwYXNz is the Base64 encoded string containing the username and password.
Test authentication:
 Connected to localhost.
 Escape character is '^]'.
 220 onnocenter.id ESMTP
 ehlo onnocenter.id
 250-onnocenter.id
 250-PIPELINING
 250-SIZE 10240000
 250-VRFY
 250-ETRN
 250-STARTTLS
 250-AUTH PLAIN LOGIN
 250-AUTH=PLAIN LOGIN
 250-ENHANCEDSTATUSCODES
 250-8BITMIME
 250 DSN
 AUTH PLAIN dGVzdAB0ZXN0AHRlc3RwYXNz
 235 2.7.0 Authentication successful
 quit
 221 2.0.0 Bye
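The AUTH PLAIN argument above is the SASL PLAIN initial response: authorization identity, NUL, authentication identity, NUL, password, Base64 encoded (the page uses the username for both identities). As an added example, not part of the original page, the Python below reproduces what the printf | mmencode pipeline does, decodes such a token back, and parses the EHLO reply captured above (embedded as a constructed sample) to check whether PLAIN/LOGIN are being advertised before STARTTLS, which is what smtpd_tls_auth_only = yes prevents. The function names are my own.

```python
"""Build/decode SASL PLAIN tokens and inspect an EHLO capability list.

Added example (not from the original page). Reproduces
`printf 'test\0test\0testpass' | mmencode` and checks the EHLO reply
for the capabilities the page's test expects.
"""
import base64

# Constructed sample: the EHLO reply shown on the page for onnocenter.id.
EHLO_REPLY = """\
250-onnocenter.id
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN"""


def plain_token(username, password, authzid=None):
    """SASL PLAIN (RFC 4616): authzid NUL authcid NUL passwd, Base64 encoded.
    Defaults authzid to the username, matching the page's printf invocation."""
    if authzid is None:
        authzid = username
    raw = b"\0".join(s.encode("utf-8") for s in (authzid, username, password))
    return base64.b64encode(raw).decode("ascii")


def decode_plain_token(token):
    """Inverse of plain_token: returns (authzid, authcid, password)."""
    parts = base64.b64decode(token, validate=True).split(b"\0")
    if len(parts) != 3:
        raise ValueError("PLAIN token must contain exactly two NUL separators")
    return tuple(p.decode("utf-8") for p in parts)


def parse_ehlo(reply):
    """Return {KEYWORD: [params]} from a multi-line 250 reply; the first line is the hostname."""
    caps = {}
    for line in reply.splitlines()[1:]:
        if not line.startswith("250"):
            raise ValueError("unexpected reply line: " + line)
        body = line[4:]  # strip '250-' or '250 '
        kw, _, params = body.partition(" ")
        if kw.startswith("AUTH="):  # legacy form emitted for broken_sasl_auth_clients = yes
            kw, params = "AUTH", kw[5:] + (" " + params if params else "")
        caps.setdefault(kw.upper(), []).extend(params.split())
    return caps


def auth_exposure(reply, after_starttls=False):
    """Defender-side check: are plaintext mechanisms advertised on an unencrypted session?"""
    caps = parse_ehlo(reply)
    mechs = set(caps.get("AUTH", []))
    issues = []
    if not after_starttls and mechs & {"PLAIN", "LOGIN"}:
        issues.append("PLAIN/LOGIN advertised before STARTTLS (smtpd_tls_auth_only = no)")
    if "STARTTLS" not in caps:
        issues.append("STARTTLS not offered")
    return issues


if __name__ == "__main__":
    tok = plain_token("test", "testpass")
    print("AUTH PLAIN", tok, "->", decode_plain_token(tok))
    print("capabilities:", sorted(parse_ehlo(EHLO_REPLY)))
    print("before STARTTLS:", auth_exposure(EHLO_REPLY) or ["ok"])
    print("after STARTTLS: ", auth_exposure(EHLO_REPLY, after_starttls=True) or ["ok"])
```

The token for test/testpass comes out as dGVzdAB0ZXN0AHRlc3RwYXNz, the same value the page obtains with mmencode. Because the captured EHLO was taken on a plain TCP session, auth_exposure reports that PLAIN/LOGIN are offered before STARTTLS; with the summary configuration (smtpd_tls_auth_only = yes) the AUTH lines only appear in the EHLO reply issued after STARTTLS, and the check passes.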
== References ==
- http://postfix.state-of-mind.de/patrick.koetter/smtpauth/smtp_auth_mailclients.html
- http://xmodulo.com/enable-user-authentication-postfix-smtp-server-sasl.html