Postfix: Authentikasi SMTP untuk Client: Difference between revisions

From OnnoCenterWiki
Jump to navigationJump to search
← Older edit
Onnowpurbo (talk | contribs)
69,477 edits
Onnowpurbo (talk | contribs)
69,477 edits
Onnowpurbo (talk | contribs)
69,477 edits
 
(8 intermediate revisions by the same user not shown)
Line 2: Line 2:




12. SMTP Authentication for Mail clients
==Siapkan Dovecot==
Prev Next
12. SMTP Authentication for Mail clients


This chapter deals with Authentication for mail clients that need to relay through your Postfix server. To keep in mind. There are several apps within Postfix that take care of correct mail delivery. In this chapter our focus will be on the smtpd daemon, which receives mail from clients before deciding what to do with it and passing it on to other apps.
Edit agar dovecot siap digunakan sebagai auth server untuk postfix
[Note] Note


You can tell we are dealing with the smtpd, because most of our configuration settings will start with smtpd_.
vim /etc/dovecot/conf.d/10-master.conf
12.1. Enable SASL support


To enable SASL support in Postfix we must configure some settings in the main.cf.
Pastikan


[root@example.com]# vi /etc/postfix/main.cf
## The listener is added under the service auth section ##
service auth {
unix_listener /var/spool/postfix/private/auth {
mode = 0660
        user = postfix
        group = postfix
  } ##end listener
} ## end service auth


You will notice that there is no section in the main.cf that offers preinstalled settings. Therefore we will add a new section on our own.
Definisi diatas akan membuka socket /var/spool/postfix/private/auth dengan permission 0660 untuk Postfix.


We add the following lines:
vim /etc/dovecot/conf.d/10-auth.conf


# SASL SUPPORT FOR CLIENTS
auth_mechanisms = plain login
#
# The following options set parameters needed by Postfix to enable
# Cyrus-SASL support for authentication of mail clients.
#


12.1.1. Enable SMTP AUTH
plain authetication mechanism untuk Postfix


The first thing we need to do is to tell Postfix to enable SMTP AUTH. We do this by adding the following line:
restart Dovecot


smtpd_sasl_auth_enable = yes
service dovecot restart


12.1.2. Security options


There's a really nice, but insecure fallback feature in SMTP AUTH when authenticating. If one mechanism doesn't work it'll try another one. Insecure? The idea is nice, but look how it's done...


It appears that clients try authentication methods in the order as advertised by the server (e.g., PLAIN ANONYMOUS CRAM-MD5) which means that if you disable plaintext passwords, clients will log in anonymously, even when they should be able to use CRAM-MD5. So, if you disable PLAIN logins, disable ANONYMOUS logins too. Postfix treats ANONYMOUS login as no authentication.
==Generate Certificate==


Since we want to use the plaintext mechanism in this HOWTO, but not anonymous we'll simple set:
Buat certificate untuk SSL


smtpd_sasl_security_options = noanonymous
mkdir /etc/postfix/ssl
cd /etc/postfix/ssl/
openssl req -new -nodes -keyout onnocenter.id.key -out onnocenter.id.csr


This will keep Postfix from offering anonymous logins.
akan keluar
12.1.3. Passing the realm


When you use method sasldb Cyrus-SASL needs to know a value from a parameter that's called realm. It's about the same as a domain. In Cyrus-SASL this is used to authenticate users with the same username, but from different domains (e.g. joe@domain.com, joe@example.com).
Generating a 2048 bit RSA private key
......................+++
..................+++
writing new private key to 'onnocenter.id.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:ID
State or Province Name (full name) [Some-State]:DKI   
Locality Name (eg, city) []:Jakarta
Organization Name (eg, company) [Internet Widgits Pty Ltd]:OnnoCenter
Organizational Unit Name (eg, section) []:IT
Common Name (e.g. server FQDN or YOUR name) []:onnocenter.id
Email Address []:onno@onnocenter.id
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:password
An optional company name []:OnnoCenter


Since our users don't pass the realm when they authenticate, but Cyrus-SASL requires it in order to work properly we set a default value in Postfix. Postfix will append this when it hands over data for Cyrus-SASL to authenticate our relay-users.
==Preparing Postfix==


In our HOWTO we'll simply reuse a value that we've set when we did or first configuration:
Masukan parameter SASL ke config file


smtpd_sasl_local_domain = $myhostname
vim /etc/postfix/main.cf


[Note] Note
#### SASL ####
## specify SASL type ##
smtpd_sasl_type = dovecot


If you plan to use sasldb you might want to add this to your paper that holds the parameters that are specific to your setting.
## path to the SASL socket relative to postfix spool directory i.e. /var/spool/postfix ##
12.1.4. Supporting non-standard mail clients
smtpd_sasl_path = private/auth
## postfix appends the domain name for SASL logins that do not have the domain part ##
smtpd_sasl_local_domain = $myhostname
## SASL default policy ##
smtpd_sasl_security_options = noanonymous
## for legacy application compatibility ##
broken_sasl_auth_clients = yes
## enable SMTP auth ##
smtpd_sasl_auth_enable = yes
## smtp checks ##
## these checks are based on first match, so sequence is important ##
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination


The broken_sasl_auth_clients parameter controls interoperability with SMTP clients that do not recognize that Postfix supports RFC 2554 (AUTH command). Examples of such clients are Microsoft Outlook Express version 4 and Microsoft Exchange version 5.0.
Ringkas-nya


Specify yes to have Postfix also advertise SMTP AUTH in a non-standard way.
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
broken_sasl_auth_clients = yes
...  
smtpd_recipient_restrictions =
    permit_sasl_authenticated,
    permit_mynetworks,
    check_relay_domains


broken_sasl_auth_clients = yes


Now we have configured Postfix to enable SASL support, but one last step is still missing. We must tell Postfix that SASL authenticated clients are allowed to relay. So keep your editor on main.cf open...
12.1.5. Enable relaying for SMTP AUTH users


There are a number of values that we can add to the following parameter. For the moment we stick with a minimum to keep our setup simple and under control.
Masukan SSL/TLS parameter ke config file


Search for relay_domains = and add the following line below:
vim /etc/postfix/main.cf


smtpd_recipient_restrictions =
#### SSL/TLS parameters ####
  permit_sasl_authenticated,
  permit_mynetworks,
## 'encrypt' will enforce SSL. Not recommended for live servers ##
  check_relay_domains
smtpd_tls_security_level = may
#smtpd_tls_security_level = encrypt
smtpd_tls_received_header = yes
smtpd_tls_auth_only = no
## loglevel 3 or 4 can be used during troubleshooting ##
smtpd_tls_loglevel = 1
## path to certificate and key file ##
smtpd_tls_key_file = /etc/postfix/ssl/onnocenter.id.key
smtpd_tls_cert_file = /etc/postfix/ssl/onnocenter.id.crt
smtpd_use_tls=yes
## server will announce STARTTLS ##
smtp_tls_note_starttls_offer = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom


12.1.6. Configuration overview


When you are done with the configurations from above, your should have added the following lines:


# SASL SUPPORT FOR CLIENTS
Ringkas-nya
# The following options set parameters needed by Postfix to enable
# Cyrus-SASL support for authentication of mail clients.
#
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
broken_sasl_auth_clients = yes
...
smtpd_recipient_restrictions =
  permit_sasl_authenticated,
  permit_mynetworks,
  check_relay_domains


If you have entered all of this you save the file. Now we will have to make Postfix reread it's configuration.
12.2. Reload Postfix


You can always stop and start Postfix, but this takes time which you may not have when your online and your have lots of traffic. So we rather have Postfix reread it's configuration by ordering it to reload. Still it will not deliver or receive messages while it reloads, but the downtime will be shorter.
smtpd_tls_security_level = encrypt
smtpd_tls_received_header = yes
smtpd_tls_auth_only = yes
smtpd_tls_loglevel = 1
smtpd_tls_key_file = /etc/postfix/ssl/onnocenter.id.key
smtpd_tls_cert_file = /etc/postfix/ssl/onnocenter.id.crt
smtpd_use_tls=yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom


[root@example.com]# postfix reload
==Restart Postfix==
postfix/postfix-script: refreshing the Postfix mail system


12.3. Check for SMTP AUTH support
service postfix restart


So, now that we've have enabled SASL authentication in the configuration we need to verify that Postfix serves us the new feature. We check from a remote host and telnet to the Postfix server.


S: 220 mail.example.com ESMTP Postfix
==Cek Relay==
C: EHLO example.com
S: 250-mail.example.com
S: 250-PIPELINING
S: 250-SIZE 10240000
S: 250-VRFY
S: 250-ETRN
S: 250-AUTH PLAIN LOGIN DIGEST-MD5 CRAM-MD5 GSSAPI
S: 250-AUTH=PLAIN LOGIN DIGEST-MD5 CRAM-MD5 GSSAPI
S: 250-XVERP
S: 250 8BITMIME
C: quit
S: 221 Bye


Notice the two new lines?
$ telnet mail.example.tst 25


250-AUTH PLAIN LOGIN DIGEST-MD5 CRAM-MD5 GSSAPI
ehlo  mail.example.tst
250-AUTH=PLAIN LOGIN DIGEST-MD5 CRAM-MD5 GSSAPI
250- mail.example.tst
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN  
250-AUTH=PLAIN LOGIN  
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN


These are the lines that Postfix issues when it offers the use of SMTP AUTH and we can see two things from looking at them:
12.3.1. Fallback feature


First let us remember the insecure fallback feature:


PLAIN LOGIN DIGEST-MD5 CRAM-MD5 GSSAPI is the order of the mechanisms in which a Mail client would try to authenticate to. If SASL issued ANONYMOUS in between LOGIN and DIGEST-MD5 we'd be lost or rather an open relay to every spammer in the world who knew this feature...
==Cek SMTP AUTH Support==
12.3.2. Broken clients


Did you notice that there are two lines that only differ in an extra = in between AUTH and PLAIN. The AUTH=PLAIN statement is the one that broken clients need in order to recognize that they may use SMTP AUTH.
Lakukan
[Note] Note


If you don't see all the mechanisms as pointed out in this HOWTO it means that you didn't install or compile all the SASL mechanisms. Please make sure that you have at least the following as we are going to need them in the HOWTO: PLAIN LOGIN
telnet onnocenter.id 25
12.4. Check if SMTP AUTH works


Before we start and configure a Mail client to relay mail using SMTP AUTH we do one more last check. If we pass this we know were done with server side SMTP AUTH configuration. In this step we will telnet to the server and pass our username and password just to see if we pass the authentication.
Harusnya keluar


Since we use PLAIN as mechanism we will have to pass our credentials plaintext. But hold, the credentials must be Base64 encoded, when we issue them. This can easily be done on our server. The basic command looks like this:
Connected to onnocenter.id.
Escape character is '^]'.
220 onnocenter.id ESMTP
ehlo onnocenter.id
250-onnocenter.id
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN


[root@example.com]# printf 'username\0username\0password' | mmencode
Buat password


If you rather use PERL it looks like this:
printf 'username\0username\0password' | mmencode


[root@example.com]# perl -MMIME::Base64 -e 'print encode_base64("username\0username\0password");'
atau


[Note] Note
perl -MMIME::Base64 -e 'print encode_base64("username\0username\0password");'
 
Note that \0 appears twice in between the values? Make sure you don't forget them.
 
In our HOWTO we need to replace username and password with test and testpass. When we enter our command we get this:
 
[root@base readme]# printf 'test\0test\0testpass' | mmencode
dGVzdAB0ZXN0AHRlc3RwYXNz
 
So dGVzdAB0ZXN0AHRlc3RwYXNz is our Base64 encoded string that contains the username and password. Let's check out if this works. We start as usual and initiate the SMTP AUTH session by telling Postfix that we want to AUTH and also provide the mechanism PLAIN that we want to use in this test.
 
S: 220 mail.example.com ESMTP Postfix (1.1.7)
C: EHLO example.com
S: 250-mail.example.com
S: 250-PIPELINING
S: 250-SIZE 10240000
S: 250-VRFY
S: 250-ETRN
S: 250-AUTH DIGEST-MD5 CRAM-MD5 GSSAPI PLAIN LOGIN
S: 250-AUTH=DIGEST-MD5 CRAM-MD5 GSSAPI PLAIN LOGIN
S: 250-XVERP
S: 250 8BITMIME
C: AUTH PLAIN dGVzdAB0ZXN0AHRlc3RwYXNz
S: 235 Authentication successful
C: QUIT
S: 221 Bye
 
We authenticated successfully. SMTP AUTH on server side is configured and we may now switch to a mail client thats a little more comfortable.
12.5. Configuring the Mail client
 
It's impossible to provide configurations for all mail clients available, so I try this: Developers and sysadmins like to work using the CLI. Regular users like to work with a GUI. In most cases this means MS Windows© and very often it boils down to Outlook. So I will provide an example of an Outlook configuration. If you run a different mail client you'll have to look how this is configured by yourself.
 
So what do we need to configure in Outlook in order to have the client authenticate itself before it tries to relay a message?
 
Open Extras --> Accounts --> mailaccount and switch to the server tab. Then check the box that reads: My server requires authentication.
 
Outlook Express: Properties for mail.example.com
 
That's all there need to be done. Save the setting and send a test mail.
12.6. Summary
 
Well that should be about everything. If it worked out as it should, you are running a Postfix server that does SMTP AUTH for mail clients. This HOWTO told you how to ensure that only those relay who should, but not how to keep SPAM away from their accounts. So if this is your first Postfix installation and you started with this HOWTO you probably might want to read about Postfix and UCE control next.
[Note] Note
 
Don't forget to set Postfix back to regular logging (edit master.cf) and you might also want to re-add your IP-range(s) to the $mynetworks parameter in main.cf.
 
If you want sasldb support when you SMTP AUTH clients, then you are just a few lines away from learning how to do that. Still you read all of this chapter, didn't you? If not, do it before you switch to sasldb. You won't be able to SMTP AUTH without enabling the Postfix-configuration we discussed in the lines above.


Lakukan seperti


printf 'test\0test\0testpass' | mmencode
dGVzdAB0ZXN0AHRlc3RwYXNz


Maka dGVzdAB0ZXN0AHRlc3RwYXNz adalah Base64 encoded string yang berisi username dan password.


Test authentication


Connected to localhost.
Escape character is '^]'.
220 onnocenter.id ESMTP
ehlo onnocenter.id
250-onnocenter.id
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
AUTH PLAIN dGVzdAB0ZXN0AHRlc3RwYXNz
235 2.7.0 Authentication successful
quit
221 2.0.0 Bye


==Referensi==
==Referensi==
Line 206: Line 245:
* http://postfix.state-of-mind.de/patrick.koetter/smtpauth/smtp_auth_mailclients.html
* http://postfix.state-of-mind.de/patrick.koetter/smtpauth/smtp_auth_mailclients.html
* http://xmodulo.com/enable-user-authentication-postfix-smtp-server-sasl.html
* http://xmodulo.com/enable-user-authentication-postfix-smtp-server-sasl.html
* http://postfix.state-of-mind.de/patrick.koetter/smtpauth/smtp_auth_mailclients.html
* http://postfix.state-of-mind.de/patrick.koetter/smtpauth/smtp_auth_mailclients.html

Latest revision as of 23:18, 7 May 2015

Sumber: http://postfix.state-of-mind.de/patrick.koetter/smtpauth/smtp_auth_mailclients.html


Siapkan Dovecot

Edit agar dovecot siap digunakan sebagai auth server untuk postfix 

vim /etc/dovecot/conf.d/10-master.conf

Pastikan 

## The listener is added under the service auth section ##
service auth { 
	unix_listener /var/spool/postfix/private/auth {
		mode = 0660
        	user = postfix
        	group = postfix
  	} ##end listener
} ## end service auth

Definisi diatas akan membuka socket /var/spool/postfix/private/auth dengan permission 0660 untuk Postfix. 

vim /etc/dovecot/conf.d/10-auth.conf

auth_mechanisms = plain login

plain authetication mechanism untuk Postfix

restart Dovecot 

service dovecot restart


Generate Certificate

Buat certificate untuk SSL 

mkdir /etc/postfix/ssl
cd /etc/postfix/ssl/
openssl req -new -nodes -keyout onnocenter.id.key -out onnocenter.id.csr

akan keluar 

Generating a 2048 bit RSA private key
......................+++
..................+++
writing new private key to 'onnocenter.id.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:ID
State or Province Name (full name) [Some-State]:DKI     
Locality Name (eg, city) []:Jakarta
Organization Name (eg, company) [Internet Widgits Pty Ltd]:OnnoCenter
Organizational Unit Name (eg, section) []:IT
Common Name (e.g. server FQDN or YOUR name) []:onnocenter.id
Email Address []:onno@onnocenter.id 

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:password
An optional company name []:OnnoCenter

Preparing Postfix

Masukan parameter SASL ke config file 

vim /etc/postfix/main.cf

#### SASL ####
## specify SASL type ##
smtpd_sasl_type = dovecot

## path to the SASL socket relative to postfix spool directory i.e. /var/spool/postfix ##
smtpd_sasl_path = private/auth

## postfix appends the domain name for SASL logins that do not have the domain part ##
smtpd_sasl_local_domain = $myhostname

## SASL default policy ##
smtpd_sasl_security_options = noanonymous

## for legacy application compatibility ##
broken_sasl_auth_clients = yes

## enable SMTP auth ##
smtpd_sasl_auth_enable = yes

## smtp checks ##
## these checks are based on first match, so sequence is important ##
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination

Ringkas-nya 

smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
broken_sasl_auth_clients = yes
... 
smtpd_recipient_restrictions = 
   permit_sasl_authenticated, 
   permit_mynetworks, 
   check_relay_domains


Masukan SSL/TLS parameter ke config file 

vim /etc/postfix/main.cf

#### SSL/TLS parameters ####

## 'encrypt' will enforce SSL. Not recommended for live servers ##
smtpd_tls_security_level = may 
#smtpd_tls_security_level = encrypt 

smtpd_tls_received_header = yes 
smtpd_tls_auth_only = no 

## loglevel 3 or 4 can be used during troubleshooting ##
smtpd_tls_loglevel = 1 

## path to certificate and key file ##
smtpd_tls_key_file = /etc/postfix/ssl/onnocenter.id.key
smtpd_tls_cert_file = /etc/postfix/ssl/onnocenter.id.crt
smtpd_use_tls=yes 

## server will announce STARTTLS ##
smtp_tls_note_starttls_offer = yes 

smtpd_tls_session_cache_timeout = 3600s 
tls_random_source = dev:/dev/urandom


Ringkas-nya 


smtpd_tls_security_level = encrypt 
smtpd_tls_received_header = yes 
smtpd_tls_auth_only = yes
smtpd_tls_loglevel = 1 
smtpd_tls_key_file = /etc/postfix/ssl/onnocenter.id.key
smtpd_tls_cert_file = /etc/postfix/ssl/onnocenter.id.crt
smtpd_use_tls=yes 
smtp_tls_note_starttls_offer = yes
smtpd_tls_session_cache_timeout = 3600s 
tls_random_source = dev:/dev/urandom

Restart Postfix

service postfix restart


Cek Relay

$ telnet mail.example.tst 25

ehlo  mail.example.tst
250- mail.example.tst
250-PIPELINING 
250-SIZE 10240000 
250-VRFY 
250-ETRN 
250-STARTTLS 
250-AUTH PLAIN LOGIN 
250-AUTH=PLAIN LOGIN 
250-ENHANCEDSTATUSCODES 
250-8BITMIME 
250 DSN


Cek SMTP AUTH Support

Lakukan 

telnet onnocenter.id 25

Harusnya keluar 

Connected to onnocenter.id.
Escape character is '^]'.
220 onnocenter.id ESMTP
ehlo onnocenter.id
250-onnocenter.id
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

Buat password 

printf 'username\0username\0password' | mmencode

atau 

perl -MMIME::Base64 -e 'print encode_base64("username\0username\0password");'

Lakukan seperti 

printf 'test\0test\0testpass' | mmencode
dGVzdAB0ZXN0AHRlc3RwYXNz

Maka dGVzdAB0ZXN0AHRlc3RwYXNz adalah Base64 encoded string yang berisi username dan password.

Test authentication 

Connected to localhost.
Escape character is '^]'.
220 onnocenter.id ESMTP
ehlo onnocenter.id
250-onnocenter.id
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
AUTH PLAIN dGVzdAB0ZXN0AHRlc3RwYXNz
235 2.7.0 Authentication successful
quit
221 2.0.0 Bye

Referensi

Retrieved from "https://lms.onnocenter.or.id/wiki/index.php?title=Postfix:_Authentikasi_SMTP_untuk_Client&oldid=43010"