Configuring Postfix to use TLS and SMTP AUTH

I finally sat down to set up Postfix to allow people outside my firewall to send mail using my SMTP server. It was a mildly annoying task, but not too troublesome. Here are my notes on how it worked, in case anyone needs a crib sheet.

First of all, my mail server runs Fedora Core 2, and I’m using the default postfix and cyrus-sasl packages that come with FC2.

My motivation for using SMTP AUTH (for authentication) and TLS (for secrecy) was straightforward. I didn’t want to configure an open relay, so some kind of authentication was required. I wanted to use PAM to maintain a single list of user names and passwords for my network. Unfortunately, it’s impossible to configure saslauthd, the daemon that is easiest to hook up to Postfix to manage password authentication, to use anything other than plaintext passwords. I didn’t want passwords or message bodies to be sniffable, hence using TLS.

Red Hat ships a readme file with Postfix on FC2 that describes how to set up SMTP AUTH, but it misses some vital details. It omits any mention of saslauthd‘s inability to handle digest authentication, and it compounds the lapse by saying nothing about TLS. Thus, if you follow Red Hat’s instructions verbatim, you will configure Postfix in a way that is completely insecure. Hooray!

The first thing I did was create a self-signed SSL certificate. To run an SSL-capable server, you must have a certificate. Using a self-signed certificate means that mail clients will moan about the validity of the cert, but on the other hand, you’re not paying some CA for the privilege of 1K of data.

 make C /usr/share/ssl/certs /etc/postfix/server.pem 

I then told saslauthd to use PAM for authentication. This allows my users to use the same passwords for remote logins using ssh, IMAP mail access, and regular logins.

 perl pi.bak e 's,^MECH=.*,MECH=pam,' /etc/sysconfig/saslauthd 

I then enabled saslauthd, as root.

 /sbin/chkconfig saslauthd on /sbin/service saslauthd start 

Finally, I told Postfix to use SMTP AUTH and TLS. I did this as root, by adding the following lines to the end of /etc/postfix/main.cf.

 # Where to find the server certificate we generated earlier. smtpd_tls_cert_file = /etc/postfix/server.pem smtpd_tls_key_file = $smtpd_tls_cert_file # Enable use of TLS. smtpd_use_tls = yes # Reduce the time Postfix will sit idle after a client issues STARTTLS. smtpd_starttls_timeout = 60s # Renegotiate TLS sessions every hour. smtpd_tls_session_cache_timeout = 3600s # Enable SMTP AUTH. smtpd_sasl_auth_enable = yes # Don't allow anonymous logins.  DO NOT add noplaintext here, or # authentication with saslauthd will become impossible. smtpd_sasl_security_options = noanonymous # Some clients send malformed AUTH commands. broken_sasl_auth_clients = yes # Only allow AUTH when a TLS session is active, to reduce the # possibility for password and message body snooping. smtpd_tls_auth_only = yes # Only allow local (implicitly trusted) and authenticated users to # send mail. smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination 

With Postfix’s configuration updated, all I had to do was restart the server, again as root:

 /sbin/service postfix restart 

For me, at least, this configuration worked first time. I was lucky; the only blind alley that I investigated before I arrived at this end point was attempting to use digest authentication. A quick Google search indicated the problem, and it’s been plain sailing since.

Posted in software

Leave a Reply

Your email address will not be published. Required fields are marked *

*

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>