Postfix: SMTP Authentication for Clients (en)
Revision as of 07:19, 4 January 2025 by Onnowpurbo (talk | contribs) (Created page with "==Prepare Dovecot== Edit to configure Dovecot as the authentication server for Postfix: vim /etc/dovecot/conf.d/10-master.conf Ensure the following: ## The listener is a...")
Prepare Dovecot
Edit to configure Dovecot as the authentication server for Postfix:
vim /etc/dovecot/conf.d/10-master.conf
Ensure the following:
## The listener is added under the service auth section ##
service auth {
unix_listener /var/spool/postfix/private/auth {
mode = 0660
user = postfix
group = postfix
} ##end listener
} ## end service auth
The definition above will open the socket /var/spool/postfix/private/auth with permission 0660 for Postfix.
vim /etc/dovecot/conf.d/10-auth.conf
auth_mechanisms = plain login
Plain authentication mechanism for Postfix.
Restart Dovecot:
service dovecot restart
Generate Certificate
Create a certificate for SSL:
mkdir /etc/postfix/ssl cd /etc/postfix/ssl/ openssl req -new -nodes -keyout onnocenter.id.key -out onnocenter.id.csr
You will see:
Generating a 2048 bit RSA private key ......................+++ ..................+++ writing new private key to 'onnocenter.id.key' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:ID State or Province Name (full name) [Some-State]:DKI Locality Name (eg, city) []:Jakarta Organization Name (eg, company) [Internet Widgits Pty Ltd]:OnnoCenter Organizational Unit Name (eg, section) []:IT Common Name (e.g. server FQDN or YOUR name) []:onnocenter.id Email Address []:onno@onnocenter.id Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []:password An optional company name []:OnnoCenter
Preparing Postfix
Insert SASL parameters into the config file:
vim /etc/postfix/main.cf
#### SASL #### ## specify SASL type ## smtpd_sasl_type = dovecot ## path to the SASL socket relative to postfix spool directory i.e. /var/spool/postfix ## smtpd_sasl_path = private/auth ## postfix appends the domain name for SASL logins that do not have the domain part ## smtpd_sasl_local_domain = $myhostname ## SASL default policy ## smtpd_sasl_security_options = noanonymous ## for legacy application compatibility ## broken_sasl_auth_clients = yes ## enable SMTP auth ## smtpd_sasl_auth_enable = yes ## smtp checks ## ## these checks are based on first match, so sequence is important ## smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
Summarized as:
smtpd_sasl_type = dovecot smtpd_sasl_path = private/auth smtpd_sasl_auth_enable = yes smtpd_sasl_security_options = noanonymous smtpd_sasl_local_domain = $myhostname broken_sasl_auth_clients = yes ... smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, check_relay_domains
Insert SSL/TLS parameters into the config file:
vim /etc/postfix/main.cf
#### SSL/TLS parameters #### ## 'encrypt' will enforce SSL. Not recommended for live servers ## smtpd_tls_security_level = may #smtpd_tls_security_level = encrypt smtpd_tls_received_header = yes smtpd_tls_auth_only = no ## loglevel 3 or 4 can be used during troubleshooting ## smtpd_tls_loglevel = 1 ## path to certificate and key file ## smtpd_tls_key_file = /etc/postfix/ssl/onnocenter.id.key smtpd_tls_cert_file = /etc/postfix/ssl/onnocenter.id.crt smtpd_use_tls=yes ## server will announce STARTTLS ## smtp_tls_note_starttls_offer = yes smtpd_tls_session_cache_timeout = 3600s tls_random_source = dev:/dev/urandom
Summarized as:
smtpd_tls_security_level = encrypt smtpd_tls_received_header = yes smtpd_tls_auth_only = yes smtpd_tls_loglevel = 1 smtpd_tls_key_file = /etc/postfix/ssl/onnocenter.id.key smtpd_tls_cert_file = /etc/postfix/ssl/onnocenter.id.crt smtpd_use_tls=yes smtp_tls_note_starttls_offer = yes smtpd_tls_session_cache_timeout = 3600s tls_random_source = dev:/dev/urandom
Restart Postfix
service postfix restart
Check Relay
$ telnet mail.example.tst 25
ehlo mail.example.tst 250-mail.example.tst 250-PIPELINING 250-SIZE 10240000 250-VRFY 250-ETRN 250-STARTTLS 250-AUTH PLAIN LOGIN 250-AUTH=PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250 DSN
Check SMTP AUTH Support
Perform:
telnet onnocenter.id 25
You should see:
Connected to onnocenter.id. Escape character is '^]'. 220 onnocenter.id ESMTP ehlo onnocenter.id 250-onnocenter.id 250-PIPELINING 250-SIZE 10240000 250-VRFY 250-ETRN 250-STARTTLS 250-AUTH PLAIN LOGIN 250-AUTH=PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250 DSN
Generate password:
printf 'username\0username\0password' | mmencode
or
perl -MMIME::Base64 -e 'print encode_base64("username\0username\0password");'
Proceed as:
printf 'test\0test\0testpass' | mmencode dGVzdAB0ZXN0AHRlc3RwYXNz
Then, dGVzdAB0ZXN0AHRlc3RwYXNz is the Base64 encoded string that contains username and password.
Test authentication:
Connected to localhost. Escape character is '^]'. 220 onnocenter.id ESMTP ehlo onnocenter.id 250-onnocenter.id 250-PIPELINING 250-SIZE 10240000 250-VRFY 250-ETRN 250-STARTTLS 250-AUTH PLAIN LOGIN 250-AUTH=PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250 DSN AUTH PLAIN dGVzdAB0ZXN0AHRlc3RwYXNz 235 2.7.0 Authentication successful quit 221 2.0.0 Bye
References
- http://postfix.state-of-mind.de/patrick.koetter/smtpauth/smtp_auth_mailclients.html
- http://xmodulo.com/enable-user-authentication-postfix-smtp-server-sasl.html
- http://postfix.state-of-mind.de/patrick.koetter/smtpauth/smtp_auth_mailclients.html
- http://postfix.state-of-mind.de/patrick.koetter/smtpauth/smtp_auth_mailclients.html