Difference between revisions of "Postfix: Authentikasi SMTP untuk Client"

From OnnoWiki
Jump to navigation Jump to search
Line 30: Line 30:
  
 
  service dovecot restart
 
  service dovecot restart
 +
 +
 +
 +
==Generate Certificate==
 +
 +
Buat certificate untuk SSL
 +
 +
mkdir /etc/postfix/ssl
 +
cd /etc/postfix/ssl/
 +
openssl req -new -nodes -keyout onnocenter.id.key -out onnocenter.id.csr
 +
 +
akan keluar
 +
 +
Generating a 2048 bit RSA private key
 +
......................+++
 +
..................+++
 +
writing new private key to 'onnocenter.id.key'
 +
-----
 +
You are about to be asked to enter information that will be incorporated
 +
into your certificate request.
 +
What you are about to enter is what is called a Distinguished Name or a DN.
 +
There are quite a few fields but you can leave some blank
 +
For some fields there will be a default value,
 +
If you enter '.', the field will be left blank.
 +
-----
 +
Country Name (2 letter code) [AU]:ID
 +
State or Province Name (full name) [Some-State]:DKI   
 +
Locality Name (eg, city) []:Jakarta
 +
Organization Name (eg, company) [Internet Widgits Pty Ltd]:OnnoCenter
 +
Organizational Unit Name (eg, section) []:IT
 +
Common Name (e.g. server FQDN or YOUR name) []:onnocenter.id
 +
Email Address []:onno@onnocenter.id
 +
 +
Please enter the following 'extra' attributes
 +
to be sent with your certificate request
 +
A challenge password []:password
 +
An optional company name []:OnnoCenter
 +
 +
 +
Open postfix smtp configuration file and append following directive:
 +
 +
smtpd_use_tls = yes
 +
smtpd_tls_auth_only = yes
 +
smtpd_tls_key_file = /etc/postfix/ssl/smtp.theos.in.key
 +
smtpd_tls_cert_file = /etc/postfix/ssl/smtp.theos.in.crt
 +
smtpd_tls_loglevel = 1
 +
 +
smtpd_tls_received_header = yes
 +
smtpd_tls_session_cache_timeout = 3600s
 +
tls_random_source = dev:/dev/urandom
 +
 +
  
 
==Preparing Postfix==
 
==Preparing Postfix==
Line 45: Line 97:
 
   
 
   
 
  ## postfix appends the domain name for SASL logins that do not have the domain part ##
 
  ## postfix appends the domain name for SASL logins that do not have the domain part ##
  smtpd_sasl_local_domain = example.tst
+
  smtpd_sasl_local_domain = $myhostname
 
   
 
   
 
  ## SASL default policy ##
 
  ## SASL default policy ##
Line 60: Line 112:
 
  smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
 
  smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
  
 +
Atau ringkas-nya
  
 +
smtpd_sasl_type = dovecot
 +
smtpd_sasl_path = private/auth
 
  smtpd_sasl_auth_enable = yes
 
  smtpd_sasl_auth_enable = yes
 
  smtpd_sasl_security_options = noanonymous
 
  smtpd_sasl_security_options = noanonymous
Line 90: Line 145:
 
   
 
   
 
  ## path to certificate and key file ##
 
  ## path to certificate and key file ##
  smtpd_tls_cert_file = /etc/ssl/certs/postfixcert.pem
+
  smtpd_tls_key_file = /etc/postfix/ssl/onnocenter.id.key
  smtpd_tls_key_file = /etc/ssl/private/postfixkey.pem
+
  smtpd_tls_cert_file = /etc/postfix/ssl/onnocenter.id.crt
 
  smtpd_use_tls=yes  
 
  smtpd_use_tls=yes  
 
   
 
   
Line 98: Line 153:
 
   
 
   
 
  smtpd_tls_session_cache_timeout = 3600s  
 
  smtpd_tls_session_cache_timeout = 3600s  
 +
tls_random_source = dev:/dev/urandom
 +
 
   
 
   
 
==Restart Postfix==
 
==Restart Postfix==

Revision as of 06:06, 8 May 2015

Sumber: http://postfix.state-of-mind.de/patrick.koetter/smtpauth/smtp_auth_mailclients.html


Siapkan Dovecot

Edit agar dovecot siap digunakan sebagai auth server untuk postfix

vim /etc/dovecot/conf.d/10-master.conf

Pastikan

## The listener is added under the service auth section ##
service auth { 
	unix_listener /var/spool/postfix/private/auth {
		mode = 0660
        	user = postfix
        	group = postfix
  	} ##end listener
} ## end service auth

Definisi diatas akan membuka socket /var/spool/postfix/private/auth dengan permission 0660 untuk Postfix.

vim /etc/dovecot/conf.d/10-auth.conf
auth_mechanisms = plain login

plain authetication mechanism untuk Postfix

restart Dovecot

service dovecot restart


Generate Certificate

Buat certificate untuk SSL

mkdir /etc/postfix/ssl
cd /etc/postfix/ssl/
openssl req -new -nodes -keyout onnocenter.id.key -out onnocenter.id.csr

akan keluar

Generating a 2048 bit RSA private key
......................+++
..................+++
writing new private key to 'onnocenter.id.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:ID
State or Province Name (full name) [Some-State]:DKI     
Locality Name (eg, city) []:Jakarta
Organization Name (eg, company) [Internet Widgits Pty Ltd]:OnnoCenter
Organizational Unit Name (eg, section) []:IT
Common Name (e.g. server FQDN or YOUR name) []:onnocenter.id
Email Address []:onno@onnocenter.id 

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:password
An optional company name []:OnnoCenter

Open postfix smtp configuration file and append following directive:

smtpd_use_tls = yes smtpd_tls_auth_only = yes smtpd_tls_key_file = /etc/postfix/ssl/smtp.theos.in.key smtpd_tls_cert_file = /etc/postfix/ssl/smtp.theos.in.crt smtpd_tls_loglevel = 1

smtpd_tls_received_header = yes smtpd_tls_session_cache_timeout = 3600s tls_random_source = dev:/dev/urandom


Preparing Postfix

Masukan parameter SASL ke config file

vim /etc/postfix/main.cf
#### SASL ####
## specify SASL type ##
smtpd_sasl_type = dovecot
## path to the SASL socket relative to postfix spool directory i.e. /var/spool/postfix ##
smtpd_sasl_path = private/auth

## postfix appends the domain name for SASL logins that do not have the domain part ##
smtpd_sasl_local_domain = $myhostname

## SASL default policy ##
smtpd_sasl_security_options = noanonymous

## for legacy application compatibility ##
broken_sasl_auth_clients = yes

## enable SMTP auth ##
smtpd_sasl_auth_enable = yes

## smtp checks ##
## these checks are based on first match, so sequence is important ##
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination

Atau ringkas-nya

smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
broken_sasl_auth_clients = yes
... 
smtpd_recipient_restrictions = 
   permit_sasl_authenticated, 
   permit_mynetworks, 
   check_relay_domains


Masukan SSL/TLS parameter ke config file

vim /etc/postfix/main.cf
#### SSL/TLS parameters ####

## 'encrypt' will enforce SSL. Not recommended for live servers ##
smtpd_tls_security_level = may 
#smtpd_tls_security_level = encrypt 

smtpd_tls_received_header = yes 
smtpd_tls_auth_only = no 

## loglevel 3 or 4 can be used during troubleshooting ##
smtpd_tls_loglevel = 1 

## path to certificate and key file ##
smtpd_tls_key_file = /etc/postfix/ssl/onnocenter.id.key
smtpd_tls_cert_file = /etc/postfix/ssl/onnocenter.id.crt
smtpd_use_tls=yes 

## server will announce STARTTLS ##
smtp_tls_note_starttls_offer = yes 

smtpd_tls_session_cache_timeout = 3600s 
tls_random_source = dev:/dev/urandom


Restart Postfix

service postfix restart


Cek Relay

$ telnet mail.example.tst 25
ehlo  mail.example.tst
250- mail.example.tst
250-PIPELINING 
250-SIZE 10240000 
250-VRFY 
250-ETRN 
250-STARTTLS 
250-AUTH PLAIN LOGIN 
250-AUTH=PLAIN LOGIN 
250-ENHANCEDSTATUSCODES 
250-8BITMIME 
250 DSN 


Cek SMTP AUTH Support

Lakukan

telnet onnocenter.id 25

Harusnya keluar

Connected to onnocenter.id.
Escape character is '^]'.
220 onnocenter.id ESMTP
ehlo onnocenter.id
250-onnocenter.id
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

Buat password

printf 'username\0username\0password' | mmencode

atau

perl -MMIME::Base64 -e 'print encode_base64("username\0username\0password");'

Lakukan seperti

printf 'test\0test\0testpass' | mmencode
dGVzdAB0ZXN0AHRlc3RwYXNz

Maka dGVzdAB0ZXN0AHRlc3RwYXNz adalah Base64 encoded string yang berisi username dan password.

Test authentication

Connected to localhost.
Escape character is '^]'.
220 onnocenter.id ESMTP
ehlo onnocenter.id
250-onnocenter.id
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
AUTH PLAIN dGVzdAB0ZXN0AHRlc3RwYXNz
235 2.7.0 Authentication successful
quit
221 2.0.0 Bye

Referensi