Mailinglist Archive: opensuse (1690 mails)

Re: [opensuse] Configure smtp_auth/postfix/dovecot for mobile device relay - quick howto - request for comment
On 11/02/2011 06:42 PM, David C. Rankin wrote:
Guys,

After recently wading through Postfix/Dovecot/SASL auth & TLS configuration to
allow my phone to relay across my server over 3G, I have put together a quick
howto that I would like to get comment on. Hopefully, this will also save others
from stumbling through the configuration from scratch. Please add your comments
and suggestions in-line below to help tighten security and make the howto more
useful.

This setup allows for normal smtp traffic on port 25 and sasl_authentication on
port 587.

The configuration is actually simple. The configuration just requires that you
configure the postfix allow smtp on port 587 with sasl auth and TLS encryption;
configure dovecot to provide authentication via a socket; finally generate a ssl
cert and key for TLS to use during authentication (dovecot default cert and key
works fine). The only difficulty involved is getting all the pieces in the right
places. (which I'm not at all sure I have accomplished, but it works quite well)


1. Postfix Configuration

<snip>

2. saslauthd configuration

<snip>

3. Dovecot Configuration

<snip>

4. Creating TLS Certificates

OpenSuSE provides a script with the dovecot package that will create the certs
for you in a slightly different manner. The script is
/usr/share/doc/packages/dovecot/mkcert.sh. Before running, set your ssl config in
/usr/share/doc/packages/dovecot/dovecot-openssl.cnf (otherwise you will be
prompted for it). NOTE: the mkcert.sh script will NOT overwrite existing
certificates, so if you have already generated your certificates and need to do
it again, then either edit the script and comment out all the 'if' statements or
delete your current dovecot.pem files from /etc/ssl/{certs,private} directories.
The certificates are automatically placed in /etc/ssl/cert and /etc/ssl/private.

These will work fine for sasl authentication. If you want to generate separate
certificates, you can do so manually with the following:

# 1024-bit RSA key, DES3-encrypted (you will be asked for a passphrase)
openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024
chmod 600 smtpd.key
# certificate signing request for that key
openssl req -new -key smtpd.key -out smtpd.csr
# self-sign the request for 10 years
openssl x509 -req -days 3650 -in smtpd.csr -signkey smtpd.key -out smtpd.crt
# strip the passphrase so the daemons can load the key unattended
openssl rsa -in smtpd.key -out smtpd.key.unencrypted
mv -f smtpd.key.unencrypted smtpd.key
# separate self-signed CA certificate and key
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650

Don't forget to move the keys to their final location and adjust the cert and key
locations in /etc/postfix/main.cf and /etc/dovecot/dovecot.conf above.


OK, I'm amending the TLS cert creation part of the howto. There is no need to generate the server key, signing request or cert before generating your TLS cert and key. The easiest way to generate the TLS cert and key to use with saslauthd is the exact same way you generate the dovecot cert and key. Simply create a short ssl.cnf file (to avoid having to type the information when prompted) and then issue the following:

openssl req -new -x509 -nodes -config ./ssl.cnf -out yourCert.pem -keyout yourKey.pem -days 365

An example ./ssl.cnf file is:

[ req ]
default_bits = 1024
encrypt_key = yes
distinguished_name = req_dn
x509_extensions = cert_type
prompt = no

[ req_dn ]
# country (2 letter code)
C=US

# State or Province Name (full name)
ST=YourState

# Locality Name (eg. city)
L=YourCity

# Organization (eg. company)
O=Your Company

# Organizational Unit Name (eg. section)
OU=YourOU

# Common Name (*.example.com is also possible)
CN=*.yourTLD.com

# E-mail contact
emailAddress=postmaster@xxxxxxxxxxx

[ cert_type ]
nsCertType = server
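The one-command generation above, followed by the checks worth running on the resulting pair before restarting postfix and dovecot, as an added shell example that is not part of David's mail. It assumes openssl is in PATH; the file names and the sample distinguished name are constructed.

```shell
#!/bin/sh
# Added example (not from the original mail): generate the TLS cert/key the way
# the howto does, then verify the pair before pointing postfix/dovecot at it.
# Assumes: openssl in PATH; file names and the sample DN below are constructed.
set -e

# Write a constructed ssl.cnf equivalent to the one in the howto.
# encrypt_key is left out because -nodes on the command line overrides it anyway.
write_cnf() {
    cat > "$1" <<'EOF'
[ req ]
default_bits = 2048
distinguished_name = req_dn
x509_extensions = cert_type
prompt = no

[ req_dn ]
C=US
ST=YourState
L=YourCity
O=Your Company
OU=YourOU
CN=mail.example.com
emailAddress=postmaster@example.com

[ cert_type ]
nsCertType = server
EOF
}

# Self-signed cert plus unencrypted key (-nodes), exactly as in the howto.
make_cert() {
    cnf=$1; cert=$2; key=$3; days=$4
    openssl req -new -x509 -nodes -config "$cnf" -out "$cert" -keyout "$key" -days "$days" 2>/dev/null
    chmod 600 "$key"
}

# Checks before restarting the daemons:
#  1. the key carries no passphrase (postfix/dovecot must load it unattended)
#  2. the public key inside the cert matches the private key
#  3. the subject CN is the one that was configured
verify_pair() {
    cert=$1; key=$2; want_cn=$3
    grep -q 'ENCRYPTED' "$key" && { echo "key is passphrase-protected" >&2; return 1; }
    c=$(openssl x509 -noout -pubkey -in "$cert" | openssl dgst -sha256)
    k=$(openssl pkey -pubout -in "$key" 2>/dev/null | openssl dgst -sha256)
    [ "$c" = "$k" ] || { echo "cert/key mismatch" >&2; return 1; }
    openssl x509 -noout -subject -in "$cert" | grep -q "CN *= *$want_cn" || return 1
    return 0
}
```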



5. Restarting the servers

<snip>

6. iPhone Configuration

<snip>


--
David C. Rankin, J.D.,P.E.
