[TriLUG] Setting up a secure mail server with Postfix (SMTP AUTH), Dovecot, Squirrelmail, etc

Jeremy Portzer jeremyp at pobox.com
Mon Oct 20 18:12:59 EDT 2003


I recently set up a Red Hat Linux 9 mail server in all-secure mode; no
passwords are ever transmitted in cleartext.  This setup uses IMAP,
web mail, and SMTP AUTH to allow access from anywhere.  So far it's been
working pretty well, once I finally figured out my postfix / SASL
problems.

I hope the attached notes are helpful in case anyone is interested in
doing the same, or comparing your configuration to mine.

===============
Setting up a Secure Mail server with Postfix, Dovecot, Squirrelmail,
etc., on Red Hat Linux 9
===============

This document contains notes on how I set up my secure mail server, running on
Red Hat Linux 9.  It assumes intermediate system administration ability, and a
familiarity with Red Hat Linux tools and mail server principles.  It does not
cover DNS or basic postfix configuration.

The technologies covered are:

o  Dovecot for IMAP
o  Postfix as MTA, including SMTP AUTH for secure relaying
o  Squirrelmail for web mail (with Apache+PHP).
o  SSL setup for all of the above for secure authentication

Please send questions or comments to jeremyp -at- pobox -dot- com.

===============

Overall Setup:

* Firewall adjusted for ports 25, 80, 993, and 465 incoming.  (995 for POP3 would
  be an optional addition for secure POP3)
* sendmail RPM removed entirely to use postfix instead.  You may need to
  install postfix first, then remove sendmail, to avoid dependency problems.
* Postfix configured for basic mail server operation; follow another HOWTO for
  this or see Jason Tower's mail server class notes
* I also configured procmail and SpamAssassin but don't detail that here.

===============

Dovecot IMAP:

* Downloaded SRC RPM from rawhide: dovecot-0.99.10-6.src.rpm
* Rebuilt with rpmbuild --rebuild; install binary RPM
* Adjusted /etc/dovecot.conf :
	protocols = imaps imap
	imap_listen = 127.0.0.1
	imaps_listen = *
* This allows imap connections for localhost, required for Squirrelmail, but 
  all else goes through IMAPS only.
* Set up POP3 if desired; see comments in config file

===============

SSL Certificates for Dovecot and Postfix:

* cd to main directory: /usr/share/ssl/certs
* rm smtp.pem dovecot.pem	[these are old versions with wrong info]
* Made new certificates with "make dovecot.pem" and "make smtp.pem"
* Used "mail.example.com" for my CN (Common Name) -- in order to avoid 
  errors, this same name should be used in client configuration
* The makefile prompts you for the info, and then puts both the secret key
  and the certificate in that same file.  That's fine for smtp.pem,
  because I just pointed everything at the file in /etc/postfix/main.cf
* For dovecot, it was expecting a separate .pem file in the
  /usr/share/ssl/private/ directory.  I just copied dovecot.pem over and
  removed the public key portion with a text editor.  I believe that the private
  key portion could be removed from the one in certs/ folder but I'm not sure.
* Made sure all .pem files are mode 0600.
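
As an added example (not part of the original notes), a small Python script that does the same split as the text-editor step above: it copies the certificate block(s) and the private-key block(s) of a combined PEM such as dovecot.pem into separate files that are created mode 0600 from the start. The function names are mine, and the PEM bodies in the sample are constructed placeholders, not real key material.

```python
import os
import re

# Constructed sample: the block bodies are placeholder base64, not real key
# material; the splitter only looks at the BEGIN/END markers.
SAMPLE_COMBINED_PEM = """\
-----BEGIN RSA PRIVATE KEY-----
UExBQ0VIT0xERVIgUFJJVkFURSBLRVkgQk9EWQ==
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
UExBQ0VIT0xERVIgQ0VSVElGSUNBVEUgQk9EWQ==
-----END CERTIFICATE-----
"""

# One PEM block; the backreference makes the END label match the BEGIN label.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\n.*?-----END \1-----\n", re.S)

def split_pem(text):
    """Return (cert_blocks, key_blocks).  Any label ending in 'PRIVATE KEY'
    (RSA, EC or PKCS#8 style) is treated as key material."""
    certs, keys = [], []
    for m in PEM_BLOCK.finditer(text):
        (keys if m.group(1).endswith("PRIVATE KEY") else certs).append(m.group(0))
    return certs, keys

def write_0600(path, blocks):
    """Create path with mode 0600 from the first instant, so there is never a
    moment when the key is group- or world-readable; also fix an existing file."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write("".join(blocks))
    os.chmod(path, 0o600)  # O_CREAT's mode is ignored when the file already exists

def split_pem_file(combined, cert_out, key_out):
    """Write the certificate(s) to cert_out and the key(s) to key_out;
    returns (n_certs, n_keys).  Refuses a file that lacks either part."""
    with open(combined) as f:
        certs, keys = split_pem(f.read())
    if not certs or not keys:
        raise ValueError("%s must contain a certificate and a private key" % combined)
    write_0600(cert_out, certs)
    write_0600(key_out, keys)
    return len(certs), len(keys)
```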

===============

Testing SSL:

* Run at a prompt:  openssl s_client -connect localhost:port
  (port is of course 993 for imaps, 465 for smtps)
* Then you can "speak" direct SMTP or IMAP if it connects successfully. 
  (analogous to "telnet localhost 25" for SMTP, etc.)
* Check /var/log/maillog and /var/log/messages for error reports.

===============

Apache:

* Made sure 'httpd' and 'mod_ssl' packages were installed from updates tree.
* chkconfig httpd on; service httpd restart
* Followed instructions from RHL 9 manual to set up Apache test (self-signed)
  certificate, with no passphrase:
  http://www.redhat.com/docs/manuals/linux/RHL-9-Manual/custom-guide/s1-secureserver-generatingkey.html
  http://www.redhat.com/docs/manuals/linux/RHL-9-Manual/custom-guide/s1-secureserver-selfsigned.html
[see entire chapter for overview of SSL stuff]
* Be sure to give the CN [common name] that you will refer to the server by
  from the web; www.example.com in my case.
* service httpd restart; verify with browser: https://www.example.com/

===============

Squirrelmail:

* Installed squirrelmail from RHL 9 updates tree.
* Changed $domain in /etc/squirrelmail/config.php to example.com
     Otherwise return address doesn't appear correctly in mail sent from SM.
* Changed $default_folder_prefix to ''
     Otherwise you end up with folders like ~user/mail/mail/ which is silly.
* Added this to /etc/httpd/conf.d/squirrelmail.conf :
	<Location /webmail>
	SSLRequireSSL
	</Location>
  (this means that users who go to http://www.example.com/webmail/ without
  using https:// will get denied.  There are fancier ways to do this; I find
  this method simple and just as effective.)
* Updated the upload_max_filesize parameter in /etc/php.ini .  The default is
  2MB which is pretty small for many file attachment users.  If size is
  exceeded, a nasty error message will result in Squirrelmail.
* service httpd restart
* Make sure users know they should update their "real name" in Squirrelmail's
  "Options" area.  I really wish it would pick this up automatically :/

===============

Postfix / SASL / SMTP AUTH:

* Postfix had already been configured for normal mail server operation.  This
  means that mail was being accepted for the domain on port 25, outgoing mail
  works fine, server is not an open relay, etc.
* Goal is to allow relaying only when authenticated, and only allow
  authentication while secured behind SSL
* This turned out to be quite annoying, but I finally figured it all out. The
  Postfix RPMs in RHL 9 don't work right.  I downloaded postfix-2.0.11-5.src.rpm 
  from rawhide and rebuilt with "rpmbuild --rebuild" ; this worked fine
* Much more information on this topic here; don't be fooled by the strange
  URL, this is an excellent HOWTO:
	https://bugzilla.redhat.com/bugzilla/attachment.cgi?id=94312

===============

My Postfix config changes, besides mail server setup:

* updated master.cf to listen on port 465 for SSL with these lines:

smtps     inet  n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes

* created /usr/lib/sasl2/smtpd.conf with the following contents:
	pwcheck_method: saslauthd
* made sure that /usr/lib/sasl/smtpd.conf did not exist (can cause conflicts)
* created /etc/sysconfig/saslauthd with these contents:
	MECH=pam
* service saslauthd start
* created /etc/pam.d/smtp with these contents  (this may already exist)

#%PAM-1.0
auth       required     /lib/security/pam_stack.so service=system-auth
account    required     /lib/security/pam_stack.so service=system-auth

* added these lines to /etc/postfix/main.cf to turn everything on:

#Basic SASL Auth config stuff
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
 
#Enable relaying if authenticated
smtpd_recipient_restrictions =
  permit_tls_clientcerts,permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
#Allow STARTTLS on port 25
smtpd_use_tls = yes
smtpd_tls_auth_only = yes
 
#Location of SSL certs
smtpd_tls_key_file = /usr/share/ssl/certs/smtp.pem
smtpd_tls_cert_file = /usr/share/ssl/certs/smtp.pem

* service postfix restart; check /var/log/maillog and /var/log/messages
* test using openssl as mentioned above, or with a real mail client
* postfix can be put in debug mode by adding "-vv" as options in master.cf
  (for smtp and/or smtps lines)
* saslauthd error messages can be viewed by adding "auth.*" to the
  /var/log/secure section of /etc/syslog.conf ; restart syslog after this change
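
An added example, not part of the original notes: a Python audit that parses a main.cf fragment like the one above (handling the indented continuation line of smtpd_recipient_restrictions) and reports settings that would let AUTH be offered before TLS or turn the server into an open relay. The function names are mine; the sample fragment is constructed from the notes with smtpd_tls_auth_only deliberately set to "no" so the audit has something to report.

```python
import re

# Constructed sample, not a real server's file: the main.cf fragment from the
# notes with smtpd_tls_auth_only weakened on purpose so the audit reports it.
SAMPLE_MAIN_CF = """\
#Basic SASL Auth config stuff
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes

#Enable relaying if authenticated
smtpd_recipient_restrictions =
  permit_tls_clientcerts,permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
#Allow STARTTLS on port 25
smtpd_use_tls = yes
smtpd_tls_auth_only = no
"""

def parse_main_cf(text):
    """Return {parameter: value}; an indented line continues the previous value."""
    params, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t" and current is not None:
            params[current] += " " + line.strip()
            continue
        key, _, value = line.partition("=")
        current = key.strip()
        params[current] = value.strip()
    return params

def audit_smtp_auth(params):
    """Return a list of findings; an empty list means every check passed."""
    def words(name):  # split a comma- or whitespace-separated list value
        return re.split(r"[,\s]+", params.get(name, "").strip())
    checks = [
        (params.get("smtpd_sasl_auth_enable") != "yes",
         "smtpd_sasl_auth_enable != yes: SMTP AUTH is not offered"),
        (params.get("smtpd_use_tls") != "yes",
         "smtpd_use_tls != yes: no STARTTLS on port 25"),
        (params.get("smtpd_tls_auth_only") != "yes",
         "smtpd_tls_auth_only != yes: AUTH may be offered before TLS"),
        ("noanonymous" not in words("smtpd_sasl_security_options"),
         "smtpd_sasl_security_options lacks noanonymous"),
        ("reject_unauth_destination" not in words("smtpd_recipient_restrictions"),
         "smtpd_recipient_restrictions lacks reject_unauth_destination: open relay"),
    ]
    return [msg for failed, msg in checks if failed]
```

Run it against the real /etc/postfix/main.cf by reading the file into parse_main_cf; the open-relay check complements, but does not replace, the external relay test mentioned in the final notes.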

===============

Final Notes:

* Be sure that the following services have been enabled with chkconfig:
	- postfix
	- dovecot
	- httpd
	- saslauthd
* Open relay check:  http://www.abuse.net/relay.html   [don't be a spammer!]
* Obviously much of the above configuration will be different depending on
  what you want, but I hope the above is useful!

Jeremy Portzer, RHCE		jeremyp -at- pobox -dot- com
Last updated: Monday, October 20, 2003

-- 
/---------------------------------------------------------------------\
| Jeremy Portzer        jeremyp at pobox.com      trilug.org/~jeremy     |
| GPG Fingerprint: 712D 77C7 AB2D 2130 989F  E135 6F9F F7BC CC1A 7B92 |
\---------------------------------------------------------------------/