|
|
| Line 2: |
Line 2: |
|
| |
|
|
| |
|
| Every mail server administrator dreads his or her server becoming compromised by spammers. A lot of effort, time and even money is spent on securing mail servers and making sure that the servers do not become open relay.
| | ==Siapkan Dovecot== |
|
| |
|
| To combat against spambots in an SMTP server, Postfix in general uses the mynetworks parameter to specify the trusted sender network i.e., LAN. In a typical scenario, the users stationed in the internal LAN are legitimate users, and Postfix will happily accept SMTP requests from them, and forward the emails towards destination. Although this used to be the standard practice in the past, today's users want mobility. Everyone wants to be able to send/receive emails in their phones/tablets/laptops at work, home, on the go, or even from their favorite coffee shop around the corner. For people who are in the fields for critical services, a simple email alert could save a lot of time, effort and money.
| | Edit agar dovecot siap digunakan sebagai auth server untuk postfix |
|
| |
|
| To cope up with the mobility need, Postfix started to support another method of validating users. Simple Authentication and Security Layer (SASL) is a framework that can be used by many connection-oriented Internet protocols for securing data, servers and users. With SASL enabled, Postfix will not accept any incoming SMTP connections without proper authentication. As smart spammer can imitate a legitimate email account, no SMTP from even internal users are accepted without authentication.
| | vim /etc/dovecot/conf.d/10-master.conf |
| | |
| This tutorial will focus on setting up a Postfix SMTP server to use Dovecot SASL for user authentication. As Dovecot provides mechanisms for user authentication, Postfix will simply ask Dovecot to do the work for it. That way, there is no need to re-invent the wheel.
| |
| Prerequisites
| |
| | |
| A working mail server running on postfix and dovecot2
| |
| SSL/TLS support for the mail server3
| |
|
| |
|
| ==Preparing Dovecot==
| | Pastikan |
| | |
| Backing up configuration files prior to modification is always a good idea.
| |
| | |
| Since Dovecot will be the one doing most of the work, we will start configuration with Dovecot.
| |
| | |
| First of all, a listener is added to Dovecot. Postfix will use this listener to communicate with Dovecot.
| |
| | |
| vim /etc/dovecot/conf.d/10-master.conf
| |
|
| |
|
| ## The listener is added under the service auth section ## | | ## The listener is added under the service auth section ## |
| Line 33: |
Line 19: |
| } ## end service auth | | } ## end service auth |
|
| |
|
| The above definition places the socket to be used by Postfix at /var/spool/postfix/private/auth with permission 0660 for Postfix only.
| | Definisi diatas akan membuka socket /var/spool/postfix/private/auth dengan permission 0660 untuk Postfix. |
|
| |
|
| vim /etc/dovecot/conf.d/10-auth.conf | | vim /etc/dovecot/conf.d/10-auth.conf |
| Line 39: |
Line 25: |
| auth_mechanisms = plain login | | auth_mechanisms = plain login |
|
| |
|
| The above parameter provides the plain login authentication mechanisms for Postfix.
| | plain authetication mechanism untuk Postfix |
|
| |
|
| Finally, for the changes to take effect, we restart the Dovecot service as follows.
| | restart Dovecot |
|
| |
|
| service dovecot restart | | service dovecot restart |
| Line 47: |
Line 33: |
| ==Preparing Postfix== | | ==Preparing Postfix== |
|
| |
|
| Necessary SST/TLS and SASL parameters are added in the configuration file main.cf.
| | Masukan parameter SASL ke config file |
|
| |
|
| vim /etc/postfix/main.cf | | vim /etc/postfix/main.cf |
| Line 86: |
Line 72: |
|
| |
|
|
| |
|
| The official guideline can be consulted for more details on available parameters and their function.
| |
|
| |
|
| SSL/TLS specific parameters are added to the server as well. | | Masukan SSL/TLS parameter ke config file |
|
| |
|
| vim /etc/postfix/main.cf | | vim /etc/postfix/main.cf |
| Line 114: |
Line 99: |
| smtpd_tls_session_cache_timeout = 3600s | | smtpd_tls_session_cache_timeout = 3600s |
| | | |
| Now Postfix is reloaded with updated settings.
| | ==Restart Postfix== |
| | |
|
| |
|
| service postfix restart | | service postfix restart |
|
| |
|
| At this point, Postfix will not allow SMTP connections without authentication.
| |
| Mail User Agent Configuration
| |
|
| |
| Your mail client is configured with mandatory authentication for SMTP as shown below.
| |
|
| |
| Troubleshooting
| |
|
| |
| If SASL is not working correctly, the following troubleshooting may help.
| |
| Enabling Verbose Postfix Logs
| |
|
| |
| To increase the level of output in Postfix log, the "-v" parameter can be added in the following file.
| |
| root@mail:/etc/postfix# vim /etc/postfix/master.cf
| |
|
| |
| smtp inet n - - - - smtpd -v
| |
|
| |
| Now there should be more verbose information the log file at /var/log/mail.log, which can help with the troubleshooting process.
| |
| Telnet to port 25
| |
|
| |
| telnet connection to port 25 should be successful.
| |
| $ telnet mail.example.tst 25
| |
|
| |
| ehlo mail.example.tst
| |
| 250- mail.example.tst
| |
| 250-PIPELINING
| |
| 250-SIZE 10240000
| |
| 250-VRFY
| |
| 250-ETRN
| |
| 250-STARTTLS
| |
| 250-AUTH PLAIN LOGIN
| |
| 250-AUTH=PLAIN LOGIN
| |
| 250-ENHANCEDSTATUSCODES
| |
| 250-8BITMIME
| |
| 250 DSN
| |
|
| |
| Amongst other features that the SMTP server advertises, the STARTTLS and AUTH features should be available.
| |
|
| |
| Sending mails using telnet should fail, and no authentication information should be sent to the server.
| |
| $ telnet mail.example.tst 25
| |
|
| |
| ehlo mail.example.tst
| |
| mail from:sarmed@example.tst
| |
| 250 2.1.0 Ok
| |
| rcpt to:sarmed@example.tst
| |
| 554 5.7.1 : Relay access denied
| |
|
| |
| Tuning parameter – mynetworks
| |
|
| |
| Earlier in the tutorial, the Postfix server was configured to allow SMTP connections originated in the trusted network i.e., mynetworks, as shown in /etc/postfix/main.cf.
| |
|
| |
| smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
| |
|
| |
| To make sure that mails originating from mynetworks do not pass through unauthenticated, /etc/postfix/main.cf can be modified as follows.
| |
|
| |
| smtpd_recipient_restrictions = permit_sasl_authenticated, reject_unauth_destination
| |
|
| |
|
| Based on the requirements, permit_mynetworks can be allowed or denied later on.
| | ==Cek Relay== |
|
| |
|
| To sum up, SASL can provide additional security to a mail server by enforcing mandatory authentication to users for SMTP requests. As users may use a mail server from anywhere, SASL can meet with the security requirements that do not conflict with the mobility of users.
| | $ telnet mail.example.tst 25 |
|
| |
|
| Hope this helps.
| | ehlo mail.example.tst |
| | 250- mail.example.tst |
| | 250-PIPELINING |
| | 250-SIZE 10240000 |
| | 250-VRFY |
| | 250-ETRN |
| | 250-STARTTLS |
| | 250-AUTH PLAIN LOGIN |
| | 250-AUTH=PLAIN LOGIN |
| | 250-ENHANCEDSTATUSCODES |
| | 250-8BITMIME |
| | 250 DSN |
|
| |
|
|
| |
|
Sumber: http://postfix.state-of-mind.de/patrick.koetter/smtpauth/smtp_auth_mailclients.html
Siapkan Dovecot
Edit agar dovecot siap digunakan sebagai auth server untuk postfix
vim /etc/dovecot/conf.d/10-master.conf
Pastikan
## The listener is added under the service auth section ##
service auth {
unix_listener /var/spool/postfix/private/auth {
mode = 0660
user = postfix
group = postfix
} ##end listener
} ## end service auth
Definisi diatas akan membuka socket /var/spool/postfix/private/auth dengan permission 0660 untuk Postfix.
vim /etc/dovecot/conf.d/10-auth.conf
auth_mechanisms = plain login
plain authetication mechanism untuk Postfix
restart Dovecot
service dovecot restart
Preparing Postfix
Masukan parameter SASL ke config file
vim /etc/postfix/main.cf
#### SASL ####
## specify SASL type ##
smtpd_sasl_type = dovecot
## path to the SASL socket relative to postfix spool directory i.e. /var/spool/postfix ##
smtpd_sasl_path = private/auth
## postfix appends the domain name for SASL logins that do not have the domain part ##
smtpd_sasl_local_domain = example.tst
## SASL default policy ##
smtpd_sasl_security_options = noanonymous
## for legacy application compatibility ##
broken_sasl_auth_clients = yes
## enable SMTP auth ##
smtpd_sasl_auth_enable = yes
## smtp checks ##
## these checks are based on first match, so sequence is important ##
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
broken_sasl_auth_clients = yes
...
smtpd_recipient_restrictions =
permit_sasl_authenticated,
permit_mynetworks,
check_relay_domains
Masukan SSL/TLS parameter ke config file
vim /etc/postfix/main.cf
#### SSL/TLS parameters ####
## 'encrypt' will enforce SSL. Not recommended for live servers ##
smtpd_tls_security_level = may
#smtpd_tls_security_level = encrypt
smtpd_tls_received_header = yes
smtpd_tls_auth_only = no
## loglevel 3 or 4 can be used during troubleshooting ##
smtpd_tls_loglevel = 1
## path to certificate and key file ##
smtpd_tls_cert_file = /etc/ssl/certs/postfixcert.pem
smtpd_tls_key_file = /etc/ssl/private/postfixkey.pem
smtpd_use_tls=yes
## server will announce STARTTLS ##
smtp_tls_note_starttls_offer = yes
smtpd_tls_session_cache_timeout = 3600s
Restart Postfix
service postfix restart
Cek Relay
$ telnet mail.example.tst 25
ehlo mail.example.tst
250- mail.example.tst
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
Referensi
