Archive for November, 2009

Postfix and SSL

First we need to create our certificates. To create a certificate authority, install the openssl-perl package (which provides the CA.pl script) with yum:
———————————————————–
yum install openssl-perl
———————————————————–

Then run CA.pl to create the CA certificate (on RHEL/CentOS the script is installed as /etc/pki/tls/misc/CA.pl; the command below assumes you are in that directory):
———————————————————–
./CA.pl -newca
———————————————————–

Once the CA exists, create the server key and certificate request, then have the request (newreq.pem) signed by the CA:
———————————————————–
openssl req -new -days 365 -newkey rsa:2048 -keyout newkey.key -out newreq.pem
openssl ca -out post_signed_cert.pem -infiles newreq.pem

———————————————————–

On the Postfix server, create a directory called postfix under /etc/pki, with a private subdirectory for the key and a certs subdirectory for the signed certificate (these are the paths main.cf uses below; note that main.cf refers to the key as postkey.key, so rename the newkey.key generated above to match). Then restrict the permissions on the files:
———————————————————–
chmod 0400 *
———————————————————–

Add the following lines at the bottom of the Postfix main.cf file (the continuation lines of a multi-line value must start with whitespace):
———————————————————–
#SASL
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination

#TLS
smtpd_tls_key_file = /etc/pki/postfix/private/postkey.key
smtpd_tls_cert_file = /etc/pki/postfix/certs/post_signed_cert.pem
smtpd_tls_loglevel = 1
smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_session_cache_database = btree:/var/spool/postfix/smtpd_tls_cache
tls_random_source = dev:/dev/urandom
smtpd_tls_auth_only = yes
smtpd_tls_security_level = may

#HELO Restrictions
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_helo_restrictions =
    permit_mynetworks,
    reject_non_fqdn_helo_hostname,
    reject_invalid_helo_hostname,
    permit

———————————————————–

Next uncomment the submission line in the master.cf file.
———————————————————–
smtp inet n - n - - smtpd
submission inet n - n - - smtpd

———————————————————–

We now need to tie it into Dovecot. Go to the auth default section of the Dovecot configuration file and add or edit the following lines so that Dovecot offers the authentication socket Postfix was pointed at above (private/auth under the Postfix queue directory):
———————————————————–
auth default {
    mechanisms = plain login
    passdb pam {
    }
    userdb passwd {
    }
    user = root
    socket listen {
        client {
            path = /var/spool/postfix/private/auth
            mode = 0660
            user = postfix
            group = postfix
        }
    }
}

———————————————————–

Restart the Postfix and Dovecot services.
———————————————————–
service postfix restart
service dovecot restart

———————————————————–

To check that SSL/TLS is working, telnet to port 25 and issue an EHLO:
———————————————————–
$ telnet localhost 25
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
220 smtp.example.com ESMTP Postfix
ehlo smtp.example.com
250-smtp.example.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

———————————————————–

What you are looking for is the STARTTLS line: it tells you that SSL/TLS is enabled. To check that the certificates are working correctly, type STARTTLS; the server should answer 220 2.0.0 Ready to start TLS. If it says anything else, something is wrong and you will need to go back and fix it.
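The telnet session only shows that STARTTLS is advertised; it does not prove that the certificate chain is valid. The script below is an added example (not part of the original post) that automates both checks: one function parses an EHLO response such as the one pasted above, and another runs the TLS handshake with openssl s_client and verifies the server certificate against the CA. The CA file path is an assumption: CA.pl -newca writes demoCA/cacert.pem by default, so point CA_FILE at wherever you copied it.

```shell
#!/bin/sh
# Added example, not part of the original post: automate the STARTTLS check.
# CA_FILE is an assumption; CA.pl -newca writes demoCA/cacert.pem by default.
CA_FILE=${CA_FILE:-/etc/pki/postfix/certs/cacert.pem}

# ehlo_offers_starttls: read an EHLO response (e.g. pasted from the telnet
# session) on stdin; succeed when a "250-STARTTLS" or "250 STARTTLS" line is
# present. Works with CRLF line endings as well.
ehlo_offers_starttls() {
    grep -q '^250[- ]STARTTLS'
}

# starttls_verdict: read `openssl s_client -starttls smtp` output on stdin,
# print the certificate subject and the verify result, and succeed only when
# the chain verified against the CA ("Verify return code: 0 (ok)").
starttls_verdict() {
    transcript=$(cat)
    subject=$(printf '%s\n' "$transcript" | sed -n 's/^subject=//p' | head -n 1)
    verify=$(printf '%s\n' "$transcript" | sed -n 's/^Verify return code: //p' | head -n 1)
    echo "subject: ${subject:-<no certificate seen>}"
    echo "verify:  ${verify:-<no verify line, STARTTLS probably failed>}"
    [ "$verify" = "0 (ok)" ]
}

# verify_starttls HOST PORT: negotiate TLS with the SMTP listener (25, or the
# submission port 587 enabled in master.cf) and judge the result. The pipeline
# status is that of starttls_verdict, so it can be used in an if or with ||.
verify_starttls() {
    openssl s_client -connect "$1:$2" -starttls smtp -CAfile "$CA_FILE" \
        </dev/null 2>&1 | starttls_verdict
}

# Usage against a live server (not run here):
#   verify_starttls smtp.example.com 587
```

Because main.cf sets smtpd_tls_auth_only = yes, the plaintext EHLO above does not list AUTH at all; it is only advertised after STARTTLS succeeds, which is exactly what you want, since PLAIN and LOGIN would otherwise send passwords in the clear.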

Postfix and ClamAV with RHEL/CentOS

Postfix Install
To create a functional SMTP server, first you need to install Postfix by running
———————————————————–
yum install postfix
———————————————————–

Check that your hostname is a fully qualified domain name:
———————————————————–
echo $HOSTNAME
———————————————————–
If it does not include your domain, set it explicitly in main.cf:
———————————————————–
myhostname = smtp.example.com
———————————————————–

You must also make your SMTP server listen on interfaces other than localhost. Change:
———————————————————–
inet_interfaces = localhost
-----------------------------------------------------------

To:
-----------------------------------------------------------
inet_interfaces = all
-----------------------------------------------------------

Now edit the configuration to allow trusted networks to relay emails. In most situations uncommenting:
-----------------------------------------------------------
mynetworks_style = subnet
-----------------------------------------------------------
should be sufficient. However, if you are allowing a larger network or dealing with multiple networks, list the trusted networks manually:
-----------------------------------------------------------
mynetworks = 127.0.0.0/8, 192.168.1.0/24
-----------------------------------------------------------

ClamAV
Download and install clamav, clamav-db, clamd, clamav-milter from http://packages.sw.be/clamav/

Edit the clamav-milter init script so that Postfix can connect to the milter socket: add the following lines to the start, stop, and restart case statements.
-----------------------------------------------------------
chmod 0775 /var/clamav/clmilter.socket
chown clamav.postfix /var/clamav/clmilter.socket

-----------------------------------------------------------

If these permissions are not set, Postfix will not be able to communicate with the ClamAV milter, and the mail log will show:
-----------------------------------------------------------
warning: connect to Milter service unix:/var/clamav/clmilter.socket: Permission denied
-----------------------------------------------------------

Now add:
-----------------------------------------------------------
smtpd_milters = unix:/var/clamav/clmilter.socket
non_smtpd_milters = unix:/var/clamav/clmilter.socket

-----------------------------------------------------------
to the bottom of main.cf and restart the Postfix service.
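The socket ownership and mode set in the init script are easy to lose (the milter recreates the socket on every restart), and the only symptom is the warning quoted above. The script below is an added example, not part of the original post: one function checks that the socket exists with the expected owner, group and group read+write bits, and another counts the Permission denied warnings in a mail log read from stdin. It uses GNU stat -c as found on RHEL/CentOS; the socket path and users are the ones from this post.

```shell
#!/bin/sh
# Added example, not part of the original post: verify the clamav-milter socket
# permissions that the init script is supposed to set, and scan the mail log
# for the warning Postfix logs when they are wrong.

# check_milter_socket SOCKET OWNER GROUP
# Succeeds when SOCKET exists, is owned by OWNER:GROUP and gives the group
# read+write (Postfix connects as a member of GROUP, so g+rw is what matters).
check_milter_socket() {
    sock=$1 owner=$2 group=$3
    if [ ! -e "$sock" ]; then
        echo "FAIL: $sock does not exist (is clamav-milter running?)"
        return 1
    fi
    # stat -c is GNU/busybox syntax (RHEL/CentOS); fields: owner group mode.
    set -- $(stat -c '%U %G %a' "$sock")
    cur_owner=$1 cur_group=$2 mode=$(printf '%04d' "$3")
    if [ "$cur_owner" != "$owner" ] || [ "$cur_group" != "$group" ]; then
        echo "FAIL: $sock is owned by $cur_owner:$cur_group, expected $owner:$group"
        return 1
    fi
    # Third digit of the zero-padded mode is the group permission.
    group_bits=$(printf '%s' "$mode" | cut -c3)
    case "$group_bits" in
        6|7) ;;   # rw- or rwx for the group
        *)
            echo "FAIL: mode $mode does not give group $group read+write"
            return 1 ;;
    esac
    echo "OK: $sock is $cur_owner:$cur_group, mode $mode"
    return 0
}

# milter_permission_errors: read the mail log on stdin and print how many
# milter connection attempts failed with "Permission denied".
milter_permission_errors() {
    grep -c 'connect to Milter service .*: Permission denied' || true
}

# Usage on the server (paths and users from this post; not run here):
#   check_milter_socket /var/clamav/clmilter.socket clamav postfix
#   milter_permission_errors < /var/log/maillog
```

A non-zero count after the init script has been patched usually means the milter was restarted by hand (or by freshclam's notification) without going through the init script, so the chmod/chown never ran.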

Finally, add freshclam to cron so the virus database is updated automatically, and everything should be set.
