Difference between revisions of "Postfix: Authentikasi SMTP untuk Client"

From OnnoWiki

Revision as of 06:01, 8 May 2015

Source: http://postfix.state-of-mind.de/patrick.koetter/smtpauth/smtp_auth_mailclients.html


Prepare Dovecot

Edit Dovecot so that it can act as the authentication server for Postfix:

vim /etc/dovecot/conf.d/10-master.conf

Make sure it contains

## The listener is added under the service auth section ##
service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    user = postfix
    group = postfix
  } ## end listener
} ## end service auth

The definition above opens the socket /var/spool/postfix/private/auth with permission 0660 for Postfix.

vim /etc/dovecot/conf.d/10-auth.conf
auth_mechanisms = plain login

This enables the plain and login authentication mechanisms for Postfix.

Restart Dovecot

service dovecot restart

Preparing Postfix

Add the SASL parameters to the config file

vim /etc/postfix/main.cf
#### SASL ####
## specify SASL type ##
smtpd_sasl_type = dovecot
## path to the SASL socket relative to postfix spool directory i.e. /var/spool/postfix ##
smtpd_sasl_path = private/auth

## postfix appends the domain name for SASL logins that do not have the domain part ##
smtpd_sasl_local_domain = example.tst

## SASL default policy ##
smtpd_sasl_security_options = noanonymous

## for legacy application compatibility ##
broken_sasl_auth_clients = yes

## enable SMTP auth ##
smtpd_sasl_auth_enable = yes

## smtp checks ##
## these checks are based on first match, so sequence is important ##
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination

The same settings in the older form given in the source HOWTO:

smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
broken_sasl_auth_clients = yes
...
smtpd_recipient_restrictions =
   permit_sasl_authenticated,
   permit_mynetworks,
   check_relay_domains


Add the SSL/TLS parameters to the config file

vim /etc/postfix/main.cf
#### SSL/TLS parameters ####

## 'encrypt' will enforce TLS for every client. Not recommended for live servers ##
smtpd_tls_security_level = may
#smtpd_tls_security_level = encrypt

smtpd_tls_received_header = yes
## 'no' lets clients send AUTH credentials before STARTTLS, i.e. in cleartext ##
smtpd_tls_auth_only = no

## loglevel 3 or 4 can be used during troubleshooting ##
smtpd_tls_loglevel = 1

## path to certificate and key file ##
smtpd_tls_cert_file = /etc/ssl/certs/postfixcert.pem
smtpd_tls_key_file = /etc/ssl/private/postfixkey.pem
smtpd_use_tls = yes

## log when a remote server offers STARTTLS but outgoing mail was sent without it ##
smtp_tls_note_starttls_offer = yes

smtpd_tls_session_cache_timeout = 3600s

Restart Postfix

service postfix restart


Check relay

$ telnet mail.example.tst 25
ehlo mail.example.tst
250-mail.example.tst
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN


Check SMTP AUTH support

Run

telnet onnocenter.id 25

The output should be

Connected to onnocenter.id.
Escape character is '^]'.
220 onnocenter.id ESMTP
ehlo onnocenter.id
250-onnocenter.id
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

Create the password string

printf 'username\0username\0password' | mmencode

or

perl -MMIME::Base64 -e 'print encode_base64("username\0username\0password");'

For example

printf 'test\0test\0testpass' | mmencode
dGVzdAB0ZXN0AHRlc3RwYXNz

So dGVzdAB0ZXN0AHRlc3RwYXNz is the Base64 encoded string that contains the username and password.

Test authentication

Connected to localhost.
Escape character is '^]'.
220 onnocenter.id ESMTP
ehlo onnocenter.id
250-onnocenter.id
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
AUTH PLAIN dGVzdAB0ZXN0AHRlc3RwYXNz
235 2.7.0 Authentication successful
quit
221 2.0.0 Bye
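The EHLO check, the credential encoding and the authentication test above can be automated. This is an added example, not code from the page or from Postfix/Dovecot; it builds the same AUTH PLAIN token as the printf command (authzid NUL authcid NUL password), parses a captured EHLO reply (the sample below is copied from this page's session), and `probe()` optionally connects live to compare what is offered before and after STARTTLS, which is how you see the effect of smtpd_tls_auth_only. Host name and port in `probe()` are whatever you point it at.

```python
import base64
import smtplib
import ssl

# Constructed sample: the EHLO reply shown on this page, one line per capability.
SAMPLE_EHLO = """250-onnocenter.id
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN"""


def auth_plain_token(username, password, authzid=None):
    """AUTH PLAIN argument: authzid NUL authcid NUL password, Base64 encoded.
    The page's printf command repeats the username as authzid, so that is the default."""
    if authzid is None:
        authzid = username
    raw = f"{authzid}\0{username}\0{password}".encode()
    return base64.b64encode(raw).decode()


def parse_ehlo(reply):
    """Return {KEYWORD: [params]} from a multi-line EHLO reply (first line is the hostname)."""
    caps = {}
    for line in reply.splitlines()[1:]:
        text = line[4:]                       # strip the "250-" / "250 " prefix
        if text.startswith("AUTH="):          # old-style line sent for broken clients
            text = "AUTH= " + text[5:]
        words = text.split()
        caps[words[0].upper()] = words[1:]
    return caps


def auth_exposure(caps):
    """Summarise a pre-STARTTLS EHLO reply: which mechanisms are offered, whether the
    AUTH= line (broken_sasl_auth_clients = yes) is present, and whether a client could
    authenticate in cleartext because AUTH is already offered before STARTTLS."""
    mechs = caps.get("AUTH", [])
    return {"mechanisms": mechs,
            "broken_client_line": "AUTH=" in caps,
            "starttls": "STARTTLS" in caps,
            "cleartext_auth_offered": bool(mechs)}


def probe(host, port=25, timeout=10):
    """Live check: ESMTP features before and after STARTTLS. With smtpd_tls_auth_only = no
    (as on this page) 'auth' appears in both; with yes it appears only after STARTTLS.
    A self-signed certificate must be trusted by the context or the handshake fails."""
    with smtplib.SMTP(host, port, timeout=timeout) as s:
        s.ehlo()
        before = dict(s.esmtp_features)
        s.starttls(context=ssl.create_default_context())
        s.ehlo()
        after = dict(s.esmtp_features)
    return before, after
```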

References