Difference between revisions of "Postfix: Authentikasi SMTP untuk Client dengan DOVECOT"

(New page: Sumber: http://wiki2.dovecot.org/HowTo/PostfixAndDovecotSASL Cek apakah postfix mendukung dovecot postconf -a Edit konfigurasi dovecot, conf.d/10-master.conf excerpt service auth { ...)
 
Line 6: Line 6:
 
  postconf -a
 
  postconf -a
  
Edit konfigurasi dovecot, conf.d/10-master.conf excerpt
+
==Edit konfigurasi dovecot==
 +
 
 +
  vi /etc/dovecot/conf.d/10-master.conf
 +
 
 +
Pastikan
 +
 
  
 
  service auth {
 
  service auth {
...
+
  ...
 
   unix_listener /var/spool/postfix/private/auth {
 
   unix_listener /var/spool/postfix/private/auth {
    mode = 0660
+
      mode = 0660
    # Assuming the default Postfix user and group
+
      user = postfix
    user = postfix
+
      group = postfix
    group = postfix      
+
   } ##end listener
   }
 
 
   ...
 
   ...
 
  }
 
  }
  
Edit Dovecot 10-auth.conf, pastikan
+
Edit
 +
 
 +
vi /etc/dovecot/conf.d/10-auth.conf
 +
 
 +
Pastikan
  
 
  auth_mechanisms = plain login
 
  auth_mechanisms = plain login
  
Edit Postfix main.cf
 
  
 +
Edit
 +
 +
vi /etc/dovecot/conf.d/10-ssl.conf
 +
 +
Pastikan
 +
 +
ssl = yes
 +
 +
 +
 +
==Edit Postfix==
 +
 +
Edit
 +
 +
vi /etc/postfix/main.cf
 +
 +
 +
Pastikan
 +
 +
# TLS parameters
 +
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
 +
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
 +
smtpd_use_tls=yes
 +
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
 +
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
 +
 +
smtpd_tls_auth_only = no
 +
smtpd_tls_loglevel = 1
 +
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
 +
smtp_tls_security_level = may
 +
smtpd_tls_security_level = may
 +
smtp_tls_note_starttls_offer = yes
 +
smtpd_tls_loglevel = 1
 +
smtpd_tls_received_header = yes
 +
 
  smtpd_sasl_type = dovecot
 
  smtpd_sasl_type = dovecot
 
  smtpd_sasl_path = private/auth
 
  smtpd_sasl_path = private/auth
 +
smtpd_sasl_local_domain =
 +
smtpd_sasl_security_options = noanonymous
 +
broken_sasl_auth_clients = yes
 
  smtpd_sasl_auth_enable = yes
 
  smtpd_sasl_auth_enable = yes
  smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
+
 +
  smtpd_relay_restrictions = permit_mynetworks,
 +
        permit_sasl_authenticated,
 +
        reject_unauth_destination
  
Using SASL with Postfix submission port
 
  
When Dovecot is used as the authentication backend for Postfix it is good practice to use a dedicated submission port for the MUAs (TCP 587). Not only can you specify individual parameters in master.cf overriding the global ones but you will not run into internet mail rejection while the Dovecot Auth Mechanism is unavailable. In this example Postfix is configured to accept TLS encrypted sessions only, along with several other sanity checks:
+
Edit
  
    Verification of alias ownership via Login Maps
+
vi /etc/postfix/master.cf
    Domainname and recipient plausibility
 
  
Edit master.cf
+
Pastikan
  
  submission inet n - n - - smtpd
+
  submission inet n       -       -       -       -      smtpd
 +
  -o syslog_name=postfix/submission
 
   -o smtpd_tls_security_level=encrypt
 
   -o smtpd_tls_security_level=encrypt
 
   -o smtpd_sasl_auth_enable=yes
 
   -o smtpd_sasl_auth_enable=yes
   -o smtpd_sasl_type=dovecot
+
   -o smtpd_reject_unlisted_recipient=no
  -o smtpd_sasl_path=private/auth
+
-o smtpd_client_restrictions=$mua_client_restrictions
  -o smtpd_sasl_security_options=noanonymous
+
-o smtpd_helo_restrictions=$mua_helo_restrictions
  -o smtpd_sasl_local_domain=$myhostname
+
-o smtpd_sender_restrictions=$mua_sender_restrictions
   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
+
#  -o smtpd_recipient_restrictions=
   -o smtpd_sender_login_maps=hash:/etc/postfix/virtual
+
   -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
   -o smtpd_sender_restrictions=reject_sender_login_mismatch
+
   -o milter_macro_daemon_name=ORIGINATING
   -o smtpd_recipient_restrictions=reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject
+
smtps    inet  n      -      -      -      -      smtpd
 +
  -o syslog_name=postfix/smtps
 +
  -o smtpd_tls_wrappermode=yes
 +
  -o smtpd_sasl_auth_enable=yes
 +
   -o smtpd_reject_unlisted_recipient=no
 +
#  -o smtpd_client_restrictions=$mua_client_restrictions
 +
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
 +
-o smtpd_sender_restrictions=$mua_sender_restrictions
 +
#  -o smtpd_recipient_restrictions=
 +
   -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
 +
  -o milter_macro_daemon_name=ORIGINATING
 +
 
 +
==Pastikan semua mail berjalan==
 +
 
 +
Telnet, ketik
 +
 
 +
telnet localhost 25
 +
ehlo test
 +
 
 +
Akan keluar
 +
 
 +
250-onnocenter.or.id
 +
250-PIPELINING
 +
250-SIZE 10240000
 +
250-VRFY
 +
250-ETRN
 +
'''250-STARTTLS'''
 +
'''250-AUTH PLAIN LOGIN'''
 +
'''250-AUTH=PLAIN LOGIN'''
 +
250-ENHANCEDSTATUSCODES
 +
250-8BITMIME
 +
250 DSN
 +
 
 +
 
 +
pastikan ada
 +
 
 +
* STARTTLS
 +
* AUTH
 +
 
 +
 
 +
 
 +
 
 +
Ketik
 +
 
 +
netstat -nl4
 +
 
 +
Active Internet connections (only servers)
 +
Proto Recv-Q Send-Q Local Address          Foreign Address        State     
 +
tcp        0      0 0.0.0.0:25              0.0.0.0:*              LISTEN   
 +
tcp        0      0 127.0.0.1:953          0.0.0.0:*              LISTEN   
 +
tcp        0      0 0.0.0.0:993            0.0.0.0:*              LISTEN   
 +
tcp        0      0 0.0.0.0:995            0.0.0.0:*              LISTEN   
 +
tcp        0      0 0.0.0.0:587            0.0.0.0:*              LISTEN   
 +
tcp        0      0 0.0.0.0:110            0.0.0.0:*              LISTEN   
 +
tcp        0      0 0.0.0.0:143            0.0.0.0:*              LISTEN   
 +
tcp        0      0 0.0.0.0:465            0.0.0.0:*              LISTEN   
 +
 
 +
 
 +
 
 +
 
 +
 
 +
==Setup di Mail Android==
 +
 
 +
Set SMTP
 +
 
 +
* login require
 +
* START/TLS
 +
* port 465
  
Dovecot authentication via TCP
 
  
If Postfix and Dovecot are running on separate servers, you can also authenticate via TCP. For Dovecot set up an inet_listener:
 
  
service auth {
 
  inet_listener {
 
    port = 12345
 
  }
 
}
 
  
And configure Postfix to use it:
 
  
smtpd_sasl_path = inet:dovecot.example.com:12345
 
smtpd_sasl_type = dovecot
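Review bot: The new master.cf submission entry leaves `-o smtpd_sender_restrictions=...` commented out (the smtps entry appears to do the same) and the old `-o smtpd_sender_login_maps=hash:/etc/postfix/virtual` / `-o smtpd_sender_restrictions=reject_sender_login_mismatch` pair is gone, so nothing ties an authenticated login to the envelope sender it may use; restoring `-o smtpd_sender_restrictions=reject_sender_login_mismatch` together with a sender login map on both entries would close that. The new main.cf also sets `smtpd_tls_auth_only = no` while `smtpd_tls_security_level = may`, and the EHLO transcript on port 25 accordingly advertises `250-AUTH PLAIN LOGIN` next to `250-STARTTLS`, which lets a client send its password before any encryption is negotiated; `smtpd_tls_auth_only = yes` keeps AUTH behind STARTTLS on port 25 without affecting the submission (587, `encrypt`) and smtps (465, `smtpd_tls_wrappermode=yes`) entries. The "Setup di Mail Android" section pairs START/TLS with port 465, but 465 here is wrapper-mode (implicit TLS) and STARTTLS is what port 587 offers, so one of the two values in that list should change. The `ssl-cert-snakeoil.*` paths point to a self-signed placeholder pair that mail clients cannot validate, which is worth a sentence in the text.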
 
  
  

Revision as of 08:33, 30 March 2016

Sumber: http://wiki2.dovecot.org/HowTo/PostfixAndDovecotSASL


Cek apakah postfix mendukung dovecot

postconf -a

Edit konfigurasi dovecot

 vi /etc/dovecot/conf.d/10-master.conf

Pastikan


# Dovecot SASL listener for Postfix. The socket is created inside Postfix's
# queue directory (/var/spool/postfix) so that main.cf can reference it with
# the relative path smtpd_sasl_path = private/auth (see the Postfix section).
service auth {
  ...
  unix_listener /var/spool/postfix/private/auth {
      # owner and group only (rw-rw----): other local users cannot talk to
      # the authentication socket
      mode = 0660
      # Assuming the default Postfix user and group; the smtpd process that
      # connects to the socket runs under these credentials
      user = postfix
      group = postfix
  } ##end listener
  ...
}

Edit

vi /etc/dovecot/conf.d/10-auth.conf

Pastikan

# plain and login both transmit the password itself, so they are only safe
# inside a TLS session; on the Postfix side that protection depends on
# smtpd_tls_security_level / smtpd_tls_auth_only in main.cf.
auth_mechanisms = plain login


Edit

vi /etc/dovecot/conf.d/10-ssl.conf 

Pastikan

# TLS for Dovecot's own IMAP/POP3 listeners (ports 993/995 in the netstat
# output further down). This does not affect the Postfix SMTP listeners,
# which are configured separately in main.cf / master.cf. The certificate
# and key settings of 10-ssl.conf are not shown on this page.
ssl = yes


Edit Postfix

Edit

vi /etc/postfix/main.cf


Pastikan

# TLS parameters
# ssl-cert-snakeoil.* is presumably the distribution's self-signed placeholder
# pair; mail clients cannot validate it, so replace both files with a
# CA-issued certificate before pointing real users at this server.
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
# older spelling of the same switch as smtpd_tls_security_level below;
# harmless but redundant on current Postfix
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# NOTE(review): with TLS optional ("may") on port 25, 'no' lets AUTH be
# announced and accepted before STARTTLS, so a client can send its password
# unencrypted -- the EHLO transcript below lists AUTH next to STARTTLS.
# 'yes' would hide AUTH until the session is encrypted; the submission and
# smtps entries in master.cf are not affected either way.
smtpd_tls_auth_only = no
# duplicated a few lines further down; Postfix keeps the last occurrence
smtpd_tls_loglevel = 1
# relay policy for port 25: SASL-authenticated clients and mynetworks may
# relay anywhere, everyone else only to destinations this server accepts
# mail for
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
# outbound: use STARTTLS when the remote server offers it, plaintext otherwise
smtp_tls_security_level = may
# inbound port 25: offer STARTTLS but do not require it (submission in
# master.cf overrides this with encrypt)
smtpd_tls_security_level = may
# log remote servers that offered STARTTLS when we did not use it
smtp_tls_note_starttls_offer = yes
smtpd_tls_loglevel = 1
# record protocol/cipher details in the Received: header
smtpd_tls_received_header = yes

# hand SASL to Dovecot over the unix socket defined in 10-master.conf;
# the path is relative to the Postfix queue directory
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
# empty: no realm is appended to login names (assumption -- confirm against
# the Dovecot user database)
smtpd_sasl_local_domain =
# refuse mechanisms that allow anonymous logins
smtpd_sasl_security_options = noanonymous
# also announce the obsolete "AUTH=" form for old clients; this is the
# 250-AUTH=PLAIN LOGIN line in the EHLO transcript below
broken_sasl_auth_clients = yes
# enables AUTH on port 25 as well; submission/smtps re-enable it per listener
smtpd_sasl_auth_enable = yes

# same relay policy as smtpd_recipient_restrictions above, written over
# continuation lines (leading whitespace continues the value)
smtpd_relay_restrictions = permit_mynetworks,
        permit_sasl_authenticated,
        reject_unauth_destination


Edit

vi /etc/postfix/master.cf 

Pastikan

# Submission service (TCP 587) for authenticated mail clients. Each -o line
# overrides the corresponding main.cf setting for this listener only.
submission inet n       -       -       -       -       smtpd
  -o syslog_name=postfix/submission
# encrypt: STARTTLS is mandatory before AUTH or MAIL on this port
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
# NOTE(review): with the sender restrictions above commented out, nothing
# binds an authenticated login to the envelope sender it may use
# (reject_sender_login_mismatch plus a sender login map would do that).
# only authenticated clients may relay; everything else is rejected
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
# smtps (TCP 465): wrapper mode, i.e. the connection is TLS from the first
# byte and there is no STARTTLS step -- clients must be set to "SSL/TLS",
# not STARTTLS, for this port. The sender-restriction note above applies
# here as well.
smtps     inet  n       -       -       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING

Pastikan semua mail berjalan

Telnet, ketik

telnet localhost 25
ehlo test

Akan keluar

250-onnocenter.or.id
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN


pastikan ada

  • STARTTLS
  • AUTH



Ketik

netstat -nl4
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN     
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:993             0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:995             0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:587             0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:110             0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:143             0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:465             0.0.0.0:*               LISTEN     



Setup di Mail Android

Set SMTP

  • login require
  • START/TLS
  • port 465





Referensi