There are times where SELinux just does not want to play nice. For instance, after installing ClamAV I began running into problems where if I did not turn off SELinux while ClamAV was running, then SMTP traffic would fail. To fix this issue we must first look at the messages file under /var/log. Within this file we will see error messages like:
setroubleshoot: SELinux is preventing cleanup (postfix_cleanup_t) "search" to ./clamav (clamd_var_lib_t).

Which tells you to run the command:
sealert -l a1bc9b39-80a2-4f2e-963f-12daf766a8d4

Usually the report is very good and diagnosing and telling you which booleans to activate, however in this instance we have to create our own module.

First: Download and install selinux-policy-devel
Second: Parse through the raw audit messages. We are looking for two things; message type and comm name.
Third: Run the ausearch command and pipe it to audit2allow
For instance: ausearch -m AVC --comm cleanup | audit2allow -M ClamAV

Once the files have been generated then run: semodule -i ClamAV.pp and see if the problem has been resolved. If not, tail the messages log again to see if there is any additional SEAlerts that you should be aware of.

In running my periodic Nessus scans, it picked up a few medium severity vulnerabilities against Dovecot. One was “SSL Anonymous Cipher Suites Supported” and the other, “SSL Weak Cipher Suites Supported.”

Look in the Dovecot config file located in /etc/dovecot.conf under “SSL ciphers to use” and you will see:
ssl_cipher_list = ALL:!LOW:!MEDIUM

To disable these weak ciphers change this to:
ssl_cipher_list = ALL:!LOW:!MEDIUM:!MD5:!SSL2:!EXP-ADH-DES-CBC-SHA:!EXP-EDH-RSA-DES-CBC-SHA:!EXP-DES-CBC-SHA:!EXP-EDH-RSA-DES-CBC-SHA:!EXP-ADH-DES-CBC-SHA:!EXP-DES-CBC-SHA:!ADH-AES256-SHA:!ADH-AES128-SHA:!ADH-DES-CBC3-SHA:!EXP-ADH-DES-CBC-SHA:!EXP-ADH-DES-CBC-SHA:!ADH-DES-CBC3-SHA

Run the Nessus scan again and those two vulnerabilities go away

First we need to create our certificates. To create a certificate authority download the openssl-perl package through Yum:
———————————————————–
yum install openssl-perl
———————————————————–

Then issue the following command to create the CA certificate.
———————————————————–
./CA.pl -newca
———————————————————–

After this process is done we need to create the certificate request and key. Once the certificate request has been generated you then need to have the pem file signed by the CA.
———————————————————–
openssl req -new -days 365 -newkey rsa:2048 -keyout newkey.key -out newreq.pem
openssl ca -out post_signed_cert.pem -infiles newreq.pem
———————————————————–

Create a directory on the Postfix server under the /etc/pki directory called postfix, place these files there, and change the permissions on the files.
———————————————————–
chmod 0400 *
———————————————————–

Add the following lines at the bottom of the main.cf file for Postfix
———————————————————–
#SASL
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_recipient_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
reject_unauth_destination

#HELO Restrictions
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_helo_restrictions =
permit_mynetworks,
reject_non_fqdn_helo_hostname,
reject_invalid_helo_hostname,
permit
———————————————————–

Next uncomment the submission line in the master.cf file.
———————————————————–
smtp inet n - n - - smtpd
submission inet n - n - - smtpd
———————————————————–

We now need to tie it into Dovecot. Go to the auth default section of the configuration file and add/edit the following lines.
———————————————————–
auth default {
mechanisms = plain login
passdb pam {
}
userdb passwd {
}
user = root
socket listen {
client {
path = /var/spool/postfix/private/auth
mode = 0660
user = postfix
group = postfix
}
}
}
———————————————————–

Restart the Postfix and Dovecot services.
———————————————————–
service postfix restart
service dovecot restart
———————————————————–

In order to test to make sure SSL/TLS is working we will need to telnet to the port and run a few commands.
———————————————————–
$ telnet localhost 25
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
220 smtp.example.com ESMTP Postfix
ehlo smtp.example.com
250-smtp.example.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
———————————————————–

What you are looking for is STARTTLS, this will tell you that SSL/TLS is activated. To make sure that the certificates are working correctly type: STARTTLS which should say 220 2.0.0 Ready to start TLS. If it says anything else then there is something wrong and you will need to go back and fix it.

Postfix Install
To create a functional SMTP server, first you need to install Postfix by running
———————————————————–
yum install postfix
———————————————————–

Check to make sure that your hostname also has your fully qualified domain name.
———————————————————–
echo $HOSTNAME
———————————————————–
If it does not have your domain, then you must add it to the configuration file.
———————————————————–
myhostname = smtp.example.com
———————————————————–

You must also make your SMTP server listen on an interface besides the localhost. Uncomment:
———————————————————–
inter_interfaces = localhost
-----------------------------------------------------------