On 11/02/2011 06:42 PM, David C. Rankin wrote:
Guys,
After recently wading through Postfix/Dovecot/SASL auth & TLS configuration to allow my phone to relay across my server over 3G, I have put together a quick howto that I would like to get comment on. Hopefully, this will also save others from stumbling through the configuration from scratch. Please add your comments and suggestions in-line below to help tighten security and make the howto more useful.
This setup allows for normal SMTP traffic on port 25 and SASL authentication on port 587.
The configuration is actually simple. It just requires that you configure Postfix to allow SMTP on port 587 with SASL auth and TLS encryption; configure Dovecot to provide authentication via a socket; and finally generate an SSL cert and key for TLS to use during authentication (the Dovecot default cert and key work fine). The only difficulty involved is getting all the pieces in the right places (which I'm not at all sure I have accomplished, but it works quite well).
1. Postfix Configuration
<snip>
2. saslauthd configuration
<snip>
3. Dovecot Configuration
<snip>
4. Creating TLS Certificates
OpenSuSE provides a script with the dovecot package that will create the certs for you in a slightly different manner. The script is /usr/share/doc/packages/dovecot/mkcert.sh. Before running it, set your SSL config in /usr/share/doc/packages/dovecot/dovecot-openssl.cnf (otherwise you will be prompted for it). NOTE: the mkcert.sh script will NOT overwrite existing certificates, so if you have already generated your certificates and need to do it again, then either edit the script and comment out all the 'if' statements or delete your current dovecot.pem files from the /etc/ssl/{certs,private} directories. The certificates are automatically placed in /etc/ssl/certs and /etc/ssl/private.
These will work fine for SASL authentication. If you want to generate separate certificates, you can do so manually with the following:

  # passphrase-protected RSA key, then a CSR for it
  openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024
  chmod 600 smtpd.key
  openssl req -new -key smtpd.key -out smtpd.csr
  # self-sign the CSR with the same key (10 years)
  openssl x509 -req -days 3650 -in smtpd.csr -signkey smtpd.key -out smtpd.crt
  # strip the passphrase so the daemon can load the key without prompting
  openssl rsa -in smtpd.key -out smtpd.key.unencrypted
  mv -f smtpd.key.unencrypted smtpd.key
  # a separate self-signed CA cert/key pair
  openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650

Don't forget to move the keys to their final location and adjust the cert and key locations in /etc/postfix/main.cf and /etc/dovecot/dovecot.conf above.
OK, I'm amending the TLS cert creation part of the howto. There is no need to generate the server key, signing request or cert before generating your TLS cert and key. The easiest way to generate the TLS cert and key to use with saslauthd is the exact same way you generate the dovecot cert and key. Simply create a short ssl.cnf file (to avoid having to type the information when prompted) and then issue the following:

  openssl req -new -x509 -nodes -config ./ssl.cnf -out yourCert.pem -keyout yourKey.pem -days 365

An example ./ssl.cnf file is:

  [ req ]
  default_bits = 1024
  encrypt_key = yes
  distinguished_name = req_dn
  x509_extensions = cert_type
  prompt = no

  [ req_dn ]
  # country (2 letter code)
  C=US

  # State or Province Name (full name)
  ST=YourState

  # Locality Name (eg. city)
  L=YourCity

  # Organization (eg. company)
  O=Your Company

  # Organizational Unit Name (eg. section)
  OU=YourOU

  # Common Name (*.example.com is also possible)
  CN=*.yourTLD.com

  # E-mail contact
  emailAddress=postmaster@yourTLD.com

  [ cert_type ]
  nsCertType = server
5. Restarting the servers
<snip>
6. iPhone Configuration
<snip>
-- 
David C. Rankin, J.D., P.E.
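The same one-shot "openssl req -new -x509 -nodes -config" procedure from the amended step 4, as an added example that is not part of David's post, with the parameters a practitioner would use today: a 2048-bit key (1024-bit RSA and SHA-1 signatures are rejected by current clients), SHA-256, and a subjectAltName entry, since modern TLS clients (including iOS mail) match the hostname against the SAN, not a wildcard CN. The hostname mail.example.com, the file names smtpd.key/smtpd.pem and the helper names are assumptions of this example. The key is created under umask 077 so it is never world-readable, even briefly.

```shell
#!/bin/sh
# Added example (not from the original post): self-signed key/cert for
# Postfix submission (port 587) generated in one openssl invocation.
# Assumed: hostname passed as $2, output directory as $1.
set -eu

# Writes an openssl req config to file $1 for hostname $2.
# prompt = no plus [ req_dn ] means openssl never asks interactively;
# [ cert_ext ] is applied because -x509 honours x509_extensions.
write_ssl_cnf() {
  cat > "$1" <<EOF
[ req ]
default_bits       = 2048
default_md         = sha256
encrypt_key        = no
distinguished_name = req_dn
x509_extensions    = cert_ext
prompt             = no

[ req_dn ]
C  = US
ST = YourState
L  = YourCity
O  = Your Company
CN = $2

[ cert_ext ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:$2
EOF
}

# Generates $1/smtpd.key (mode 0600) and $1/smtpd.pem for hostname $2.
make_cert() {
  dir=$1
  host=$2
  umask 077                       # key file is born unreadable by others
  write_ssl_cnf "$dir/ssl.cnf" "$host"
  openssl req -new -x509 -nodes -config "$dir/ssl.cnf" \
      -keyout "$dir/smtpd.key" -out "$dir/smtpd.pem" -days 365 2>/dev/null
  chmod 644 "$dir/smtpd.pem"      # the certificate itself is public
}

# Prints the SAN value of certificate $1, e.g. DNS:mail.example.com,
# so the result can be checked before pointing Postfix at it.
cert_san() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' '
}

# Prints the permission string of file $1, e.g. -rw-------.
key_mode() {
  ls -ld "$1" | cut -c1-10
}

# Usage: sh mkcert-smtpd.sh /etc/postfix/tls mail.example.com
if [ $# -eq 2 ]; then
  make_cert "$1" "$2"
  echo "SAN:  $(cert_san "$1/smtpd.pem")"
  echo "key:  $(key_mode "$1/smtpd.key") $1/smtpd.key"
fi
```

Note that the post's command passes -nodes, which leaves the private key unencrypted regardless of encrypt_key = yes in ssl.cnf; that is what you want for a daemon like Postfix or Dovecot, which cannot answer a passphrase prompt at start-up, so the config above simply says encrypt_key = no and relies on file permissions instead. After generating, point smtpd_tls_cert_file/smtpd_tls_key_file in main.cf at smtpd.pem/smtpd.key.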