[opensuse] Configure smtp_auth/postfix/dovecot for mobile device relay - quick howto - request for comment
Guys, After recently wading through Postfix/Dovecot/SASL auth & TLS configuration to allow my phone to relay across my server over 3G, I have put together a quick howto that I would like to get comment on. Hopefully, this will also save others from stumbling through the configuration from scratch. Please add your comments and suggestions in-line below to help tighten security and make the howto more useful. This setup allows for normal smtp traffic on port 25 and sasl_authentication on port 587. The configuration is actually simple. The configuration just requires that you configure the postfix allow smtp on port 587 with sasl auth and TLS encryption; configure dovecot to provide authentication via a socket; finally generate a ssl cert and key for TLS to use during authentication (dovecot default cert and key works fine). The only difficulty involved is getting all the pieces in the right places. (which I'm not at all sure I have accomplished, but it works quite well) 1. Postfix Configuration /etc/postfix/master.cf Most distributions provide /etc/postfix/master.cf with the configuration for submission on port 587 present, but commented out. Simply uncommenting the 'submission' line along with its options will enable submission on port 587, however you will need to add additional options to enable SASL authentication and TLS encrypted communication between the client and the server. For example 11.4 provides the master.cf file with the following: #submission inet n - n - - smtpd # -o smtpd_etrn_restrictions=reject # -o smtpd_client_restrictions=permit_sasl_authenticated,reject To enable sasl_auth and TLS, I use the following options in master.cf: submission inet n - n - - smtpd -o smtpd_tls_security_level=encrypt -o smtpd_sasl_auth_enable=yes -o smtpd_client_restrictions=permit_sasl_authenticated,reject -o milter_macro_daemon_name=ORIGINATING After you have completed configuration for submitting mail on port 587, DO NOT FORGET to OPEN PORT 587 on your router. /etc/postfix/main.cf smtpd_client_restrictions = permit_sasl_authenticated, reject_unknown_client smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination smtpd_sasl_auth_enable = yes smtpd_sasl_local_domain = $mydomain smtpd_sasl_type = dovecot smtpd_sasl_path = private/auth smtpd_sasl_security_options = noanonymous smtpd_sasl_tls_security_options = noanonymous broken_sasl_auth_clients = yes smtpd_tls_auth_only = yes smtpd_tls_cert_file = /etc/ssl/certs/dovecot.pem smtpd_tls_key_file = /etc/ssl/private/dovecot.pem smtpd_helo_required = yes smtpd_helo_restrictions = permit_mynetworks, reject_invalid_hostname, reject_non_fqdn_hostname 2. saslauthd configuration saslauthd will require a smtp.conf configuration file defining the authentication behavior. Normally, the default path for the sasl libraries are in /usr/lib/sasl2/. Placing the smtpd.conf file there will allow saslauthd to find it. The needed contents of smtpd.conf are: [nirvana:~/] # cat /usr/lib/sasl2/smtpd.conf pwcheck_method: saslauthd saslauthd_path: /var/run/saslauthd/mux mech_list: plain login log_level: 7 3. Dovecot Configuration This configuration works with dovecot2. In 11.4, the default install is still dovecot 1.2. This will work with simple modification for dovecot 1, but you will need to consult the dovecot wiki for the changes required. All you need to do is tell dovecot the type of authentication to use and the location for the socket. dovecot2 will create the 'auth' socket on restart. /etc/dovecot/dovecot.conf: # 2.0.1: dovecot.conf auth_mechanisms = plain login passdb { driver = pam } userdb { driver = passwd } service auth { unix_listener /var/spool/postfix/private/auth { group = postfix mode = 0660 user = postfix } } ssl_cert = Mail, Contacts, Calendars -> (choose account) -> Account -> Outgoing Mail Server (SMTP) -> Primary Server and set the entries as follows: Server : ON Host Name : your.server.name User Name : your-user-name Password : your-password Use SSL : ON Authenitcation : password Server Port : 587 If your server is setup correctly, then the phone will verify your settings and you are done. If not, then you can troubleshoot by looking at the mail log. Go ahead and display your mail log on your server before sending a test mail. (as root: tailf /var/log/mail) Then to confirm operation, turn off WiFi on your phone and then send a test mail. A successful login will appear in the log as something like: Nov 2 14:50:11 servername dovecot: imap-login: Login: user=<your-usernm>, method=PLAIN, rip=166.205.10.56, lip=192.168.6.17, mpid=11100, TLS Note the TLS connection. If your phone fails to verify the account settings, you will usually get helpful information in the log file about why it didn't. Look for TLS failing to start due to certificate problems or auth mechanisms and then revisit the sections above. All - fill in the suggestions and additions and hopefully this will get turned into a wiki somewhere. Thanks. -- David C. Rankin, J.D.,P.E. -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
On 11/02/2011 06:42 PM, David C. Rankin wrote:
Guys,
After recently wading through Postfix/Dovecot/SASL auth & TLS configuration to allow my phone to relay across my server over 3G, I have put together a quick howto that I would like to get comment on. Hopefully, this will also save others from stumbling through the configuration from scratch. Please add your comments and suggestions in-line below to help tighten security and make the howto more useful.
This setup allows for normal smtp traffic on port 25 and sasl_authentication on port 587.
The configuration is actually simple. The configuration just requires that you configure the postfix allow smtp on port 587 with sasl auth and TLS encryption; configure dovecot to provide authentication via a socket; finally generate a ssl cert and key for TLS to use during authentication (dovecot default cert and key works fine). The only difficulty involved is getting all the pieces in the right places. (which I'm not at all sure I have accomplished, but it works quite well)
1. Postfix Configuration
<snip>
2. saslauthd configuration
<snip>
3. Dovecot Configuration
<snip>
4. Creating TLS Certificates
OpenSuSE provides a script with the dovecot package that will create the certs for you in a slightly different manner. The script is /usr/share/doc/packages/dovecot/mkcert.sh Before running, set your ssl config in /usr/share/doc/packages/dovecot/dovecot-openssl.cnf. (otherwise you will be prompted for it) NOTE: the mkcert.sh script will NOT overwrite existing certificates, so if you have already generated your certificates and need to do it again, then either edit the script and comment out all the 'if' statements or delete your current dovecot.pem files from /etc/ssl/{certs,private} directories. The certificates are automatically placed in /etc/ssl/cert and /etc/ssl/private.
These will work fine for sasl authentication. If you want to generate separate certificates, you can do so manually with the following:
openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024 chmod 600 smtpd.key openssl req -new -key smtpd.key -out smtpd.csr openssl x509 -req -days 3650 -in smtpd.csr -signkey smtpd.key -out smtpd.crt openssl rsa -in smtpd.key -out smtpd.key.unencrypted mv -f smtpd.key.unencrypted smtpd.key openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650
Don't foget to move the keys to their final location and adjust the cert and key locations in /etc/postfix/main.cf and /etc/dovecot/dovecot.conf above.
OK, I'm amending the TLS cert creation part of the howto. There is no need to generate the server key, signing request or cert before generating your TLS cert and key. The easiest way to generate the TLS cert and key to use with saslauthd is the exact same way you generate the dovecot cert and key. Simply create a short ssl.cnf file (to avoid having to type the information when prompted) and then issue the following: openssl req -new -x509 -nodes -config ./ssl.cnf -out yourCert.pem -keyout yourKey.pem -days 365 An example ./ssl.cnf file is: [ req ] default_bits = 1024 encrypt_key = yes distinguished_name = req_dn x509_extensions = cert_type prompt = no [ req_dn ] # country (2 letter code) C=US # State or Province Name (full name) ST=YourState # Locality Name (eg. city) L=YourCity # Organization (eg. company) O=Your Company # Organizational Unit Name (eg. section) OU=YourOU # Common Name (*.example.com is also possible) CN=*.yourTLD.com # E-mail contact emailAddress=postmaster@yourTLD.com [ cert_type ] nsCertType = server
5. Restarting the servers
<snip>
6. iPhone Configuration
<snip> -- David C. Rankin, J.D.,P.E. -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
David C. Rankin wrote:
openssl req -new -x509 -nodes -config ./ssl.cnf -out yourCert.pem -keyout yourKey.pem -days 365
An example ./ssl.cnf file is:
The default is /etc/ssl/openssl.cnf - personally I wouldn't use another file (unless circumstances somehow dictated it).
# Common Name (*.example.com is also possible) CN=*.yourTLD.com
Why not use the actual hostname? -- Per Jessen, Zürich (9.1°C) -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
On 11/08/2011 01:17 AM, Per Jessen wrote:
David C. Rankin wrote:
<snip>
# Common Name (*.example.com is also possible) CN=*.yourTLD.com
Why not use the actual hostname?
It really has to do with CNAME or server aliases in /etc/hosts. Say one box is also known as 'www.yourTLD.com', 'hostname.yourTLD.com', 'ftp.yourTLD.com', 'mail.yourTLD.com', etc... My understanding is the '*.example.com' CN prevents any potential conflict from a cert standpoint when SSL/TLS authentication is invoked from the different servers (ssh, sftp, saslauthd, https, etc...) I've never really gotten a concise "why?" answer, but that is my best guestimate at the legitimate reason why... Anybody else with more info on this, please chime in, I'm curious as well... -- David C. Rankin, J.D.,P.E. -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
David C. Rankin wrote:
On 11/08/2011 01:17 AM, Per Jessen wrote:
David C. Rankin wrote:
<snip>
# Common Name (*.example.com is also possible) CN=*.yourTLD.com
Why not use the actual hostname?
It really has to do with CNAME or server aliases in /etc/hosts. Say one box is also known as 'www.yourTLD.com', 'hostname.yourTLD.com', 'ftp.yourTLD.com', 'mail.yourTLD.com', etc...
Right, that's fine, but the machine really has just one name - which is returned when you do a reverse lookup of the IP. (with apache SNI you can have multiple certificates per IP, but that's a different story).
My understanding is the '*.example.com' CN prevents any potential conflict from a cert standpoint when SSL/TLS authentication is invoked from the different servers (ssh, sftp, saslauthd, https, etc...)
There is no conflict, it's the hostname that counts. For instance, I've got a mailserver that hosts a couple of virtual domains, so it can be reached as mail.example1.com and mail.example2.com. The actual name is "mail.example.com" and that matches the CN (for IMAP and SASL). -- Per Jessen, Zürich (8.2°C) -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
participants (2)
-
David C. Rankin
-
Per Jessen