JP Vossen on 22 Mar 2009 13:17:19 -0700

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Re: [PLUG] Need help with Postfix config [auth/encrypted STMP = solved]

JP Vossen wrote:
> My Covad/Speakeasy went down Monday and isn't back yet, so I've moved my 
> server to a colo, but I'm a little stuck getting some parts working. 
> Basically, since it was on a LAN DMZ before, I need to lock it down a bit.
> Port 25 was always wide open to the world, so I have Postfix locked down 
> pretty well for relaying & spam.  Which is the problem.  Now my clients 
> can't use that server to send outgoing (which I want to do).
> I have worked around the problem for now (since you are reading this) by 
> adding my FiOS IPA to my Postfix 'mynetworks' in /etc/postfix/, 
> but that's not an ideal solution for various reasons.  Also, I got 
> IMAP/SSL working on 993, but have nothing for SMTP yet.  What I *think* 
> I want to do is leave 25/TCP alone (for incoming mail from Internet 
> servers) and run SMTP/SSL on 465/TCP, and authenticate users on that 
> port via PAM for outgoing mail.
> Can anyone a) suggest something better or b) provide Postfix config clues?
> BTW I have enough points in CACert to get my SSL certs from there, which 
> I did for the IMAP/SSL and can do for the SMTP/SSL as well.

First, thanks to Malcolm Harwood for some pointers a while ago.

I finally got around to looking at this, and encrypted SMTP turned out 
to be a *lot* easier than it looked.  You wouldn't know that from 
reading Google, but most of the existing HOWTOs are getting very old.

Encrypted IMAP was a tedious pain due to the complexities of SSL/TLS.  I 
was able to re-use my CACert IMAP certificate for SMTP also, which 
helped a bit.  I will freely admit that SSL/TLS/Whatever else 
certificate and management of same confuses the ^&(@# out of me, so 
there may well be a better way than what I did.

As far as I can tell from the before and after Wireshark captures, this 
works to encrypt both outgoing (SMTP) and incoming (IMAP) mail between 
my Thunderbird client and my mail server.  It does NOT force 
authentication or encryption on SMTP, so regular mail still works (and 
your client can leak if not configured right).  But relaying should not 
work unless authenticated and authentication should not work unless 
encrypted.  Since it still uses port 25 it doesn't get you around ISP 
issues like using 587 (or 465) would.  That's not an issue for me so I 
kept it simple.

One unexpected issue was the extent of TLS debugging cruft that started 
showing up in my logs (as always, thank you 'logcheck').  Turns out 
smtpd_tls_loglevel should be set to 1 or 0, not 3 as in the examples I 
was using (see  Of course 
I'd already written the regexps needed to filter it out of logcheck 
before I noticed that...  Sigh.

This is what I did...

OS: Debian Lenny
Goal: as above, except I ended up still using port 25 instead of adding 
SMTP/SSL on 465/TCP.

Encrypted IMAP
(Done 2008-12-17,18; so I may have forgotten something)
(Using as the certificate authority)

# Adapted from
* aptitude install ca-certificates
* openssl req -new
     # Answer questions, then type a temporary password 2 times, enter 
SERVER as "your" name and your email address
* Paste CSR into CACert Server certificates box, and get a PEM back
* openssl rsa -in privkey.pem -out
     # Enter temp password
* vi
     # Paste in PEM at bottom
* openssl gendh >>
* openssl verify
* rm -f privkey.pem
* cp /etc/courier/imapd.pem
* /etc/init.d/courier-imap-ssl restart
* Turn off non-SSL IMAP
	* vi /etc/courier/imapd
	* /etc/init.d/courier-imap restart

Encrypted SMTP
(Using as the certificate authority)

# Adapted from _Linux Cookbook_, pages 374-377
# Already there: aptitude install libsasl2-2 libsasl2-modules
* aptitude install sasl2-bin
* vi /etc/default/saslauthd
* /etc/init.d/saslauthd restart
* vi /etc/postfix/
     # sasl/auth stuff (2009-03-21)
     smtpd_sasl2_auth_enable = yes
     smtpd_sasl_security_options = noanonymous
     broken_sasl_auth_clients = yes
     #smtpd_sasl_local_domain = $mydomain
     # TSL/auth stuff (2009-03-21)
     #smtp_use_tls = yes
     smtpd_use_tls = yes
     smtpd_tls_auth_only = yes
     #smtp_tls_note_starttls_offer = yes
     #smtpd_tls_key_file = /etc/postfix/ssl/smtpd.pem
     smtpd_tls_key_file = /etc/courier/imapd.pem
     #smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.pem
     smtpd_tls_cert_file = /etc/courier/imapd.pem
     #smtpd_tls_CAfile = /etc/postfix/ssl/smtpd.pem
     smtpd_tls_CAfile = /etc/ssl/certs/
     smtpd_tls_loglevel = 1
     smtpd_tls_received_header = yes
     smtpd_tls_session_cache_timeout = 3600s
     tls_random_source = dev:/dev/urandom
     smtpd_recipient_restrictions =
* postfix reload
* Configure the clients

Logcheck (example, not needed)
**NOT** needed if you set smtpd_tls_loglevel to 1 or 0 as you should.

* Update Logcheck: vi /etc/logcheck/ignore.d.server/JP_ignore
     # SMTP/TLS (2009-03-21)
     ^\w{3} [ :0-9]{11} \w+ postfix/smtpd\[[0-9]+\]: SSL_accept:
     ^\w{3} [ :0-9]{11} \w+ postfix/smtpd\[[0-9]+\]: write to
     ^\w{3} [ :0-9]{11} \w+ postfix/smtpd\[[0-9]+\]: read from
     ^\w{3} [ :0-9]{11} \w+ postfix/smtpd\[[0-9]+\]: [a-f0-9]{4} - 
     ^\w{3} [ :0-9]{11} \w+ postfix/smtpd\[[0-9]+\]: [a-f0-9]{4} [a-f0-9 
     ^\w{3} [ :0-9]{11} \w+ postfix/smtpd\[[0-9]+\]: .*: TLS cipher list

JP Vossen, CISSP            |:::======|
My Account, My Opinions     |=========|
"Microsoft Tax" = the additional hardware & yearly fees for the add-on
software required to protect Windows from its own poorly designed and
implemented self, while the overhead incidentally flattens Moore's Law.
Philadelphia Linux Users Group         --
Announcements -
General Discussion  --