Guide to Postfix with SMTP-AUTH and TLS

19 03 2007

This document describes how to install a mail server based on Postfix with SMTP-AUTH and TLS.
It is an adaptation of an English-language document.

- Getting the sources
We need the following software: openssl, cyrus-sasl2, postfix and the TLS patch for postfix.
Note that the releases below date from 2003 and have been unsupported for a long time; the pfixtls patch only exists because the Postfix 2.0 series had no TLS support of its own, something Postfix 2.2 and later have built in. On a live system use current releases or your distribution's packages; the steps that follow describe the build as it was done for these versions.
We will install the software from the /tmp directory.
cd /tmp
wget http://www.openssl.org/source/openssl-0.9.7c.tar.gz
wget --passive-ftp ftp://ftp.andrew.cmu.edu/pub/cyrus-mail/cyrus-sasl-2.1.17.tar.gz
wget --passive-ftp ftp://ftp.aet.tu-cottbus.de/pub/postfix_tls/related/postfix/postfix-2.0.16.tar.gz
wget --passive-ftp ftp://ftp.aet.tu-cottbus.de/pub/postfix_tls/pfixtls-0.8.16-2.0.16-0.9.7b.tar.gz

- Install OpenSSL
The default ./config prefix installs under /usr/local/ssl, which is what the paths in the following steps assume.
tar xvfz openssl-0.9.7c.tar.gz
cd openssl-0.9.7c
./config
make
make install

- Install Cyrus-SASL
cd /tmp
tar xvfz cyrus-sasl-2.1.17.tar.gz
cd cyrus-sasl-2.1.17
./configure --enable-anon --enable-plain --enable-login --disable-krb4 --with-saslauthd=/var/run/saslauthd --with-pam --with-openssl=/usr/local/ssl --with-plugindir=/usr/local/lib/sasl2 --enable-cram --enable-digest --enable-otp (all on one line)
make
make install

If /usr/lib/sasl2 exists:
mv /usr/lib/sasl2 /usr/lib/sasl2_orig
ln -s /usr/local/lib/sasl2 /usr/lib/sasl2

Create the file /usr/local/lib/sasl2/smtpd.conf:
# This sets smtpd to authenticate using the saslauthd daemon.
pwcheck_method:saslauthd
# This allows only plain, login, cram-md5 and digest-md5 as the authentication mechanisms.
mech_list: plain login cram-md5 digest-md5

One caveat: saslauthd can only verify a password it receives in the clear, so with pwcheck_method:saslauthd only PLAIN and LOGIN actually work. CRAM-MD5 and DIGEST-MD5 will be advertised, but every attempt to use them fails, because those challenge-response mechanisms need the shared secret on the server side, which only an auxprop backend such as sasldb can supply. If you stay with saslauthd, keep mech_list to plain login and make sure they are only offered inside TLS (see the note on smtpd_tls_auth_only further down).

- Install Postfix
cd /tmp
tar xvfz pfixtls-0.8.16-2.0.16-0.9.7b.tar.gz
tar xvfz postfix-2.0.16.tar.gz
cd postfix-2.0.16
useradd postfix
groupadd postdrop
patch -p1 < ../pfixtls-0.8.16-2.0.16-0.9.7b/pfixtls.diff
(patch reads the diff from standard input, so the redirection is required; check that every hunk applies before building)
make makefiles CCARGS="-DHAS_SSL -DUSE_SASL_AUTH -I/usr/local/include/sasl -I/usr/local/ssl/include" AUXLIBS="-L/usr/local/ssl/lib -L/usr/local/lib -R/usr/local/lib -lsasl2 -lssl -lcrypto" (all on one line)
make
make install (accept the default values)
cp /etc/postfix/aliases /etc/
newaliases

Now we have to create /etc/init.d/postfix:
#!/bin/bash
#
# postfix      This script controls the postfix daemon.
#
# description: Postfix MTA
# processname: postfix
case "$1" in
  start)
    /usr/sbin/postfix start
    ;;
  stop)
    /usr/sbin/postfix stop
    ;;
  reload)
    /usr/sbin/postfix reload
    ;;
  restart)
    $0 stop
    $0 start
    ;;
  *)
    echo "Usage: $0 {start|stop|reload|restart}"
    exit 1
esac
exit 0

Now we make the script executable:
chmod 755 /etc/init.d/postfix
To start Postfix at boot we run the following commands:
ln -s /etc/init.d/postfix /etc/rc2.d/S20postfix
ln -s /etc/init.d/postfix /etc/rc3.d/S20postfix
ln -s /etc/init.d/postfix /etc/rc4.d/S20postfix
ln -s /etc/init.d/postfix /etc/rc5.d/S20postfix
ln -s /etc/init.d/postfix /etc/rc0.d/K20postfix
ln -s /etc/init.d/postfix /etc/rc1.d/K20postfix
ln -s /etc/init.d/postfix /etc/rc6.d/K20postfix

Our Postfix will run chrooted in /var/spool/postfix, so saslauthd's socket has to live inside the chroot or smtpd will not be able to reach it. Now we have to copy a few files:
mkdir -p /var/spool/postfix/etc
cd /etc
cp localtime services hosts resolv.conf /var/spool/postfix/etc/
mkdir -p /var/spool/postfix/var/run
mv -f /var/run/saslauthd/ /var/spool/postfix/var/run/
chmod 755 /var/spool/postfix/var/run/saslauthd/
ln -s /var/spool/postfix/var/run/saslauthd/ /var/run/saslauthd

If /var/run/saslauthd does not exist yet (saslauthd has never been started), create /var/spool/postfix/var/run/saslauthd instead of moving it, then apply the chmod and the symlink as above. Remember to refresh the copied files inside the chroot whenever resolv.conf or hosts change on the host.

Now we generate the certificate files required by TLS:
mkdir /etc/postfix/ssl
cd /etc/postfix/ssl/

If /usr/bin/openssl exists:
mv /usr/bin/openssl /usr/bin/openssl_orig
ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl
openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024

- Enter a passphrase for smtpd.key
chmod 600 smtpd.key
openssl req -new -key smtpd.key -out smtpd.csr

- Enter the smtpd.key passphrase again, then answer the prompts; the Common Name must be the host name clients connect to (server1.example.com in the configuration below)
openssl x509 -req -days 3650 -in smtpd.csr -signkey smtpd.key -out smtpd.crt
- Enter the smtpd.key passphrase again
openssl rsa -in smtpd.key -out smtpd.key.unencrypted
- Enter the smtpd.key passphrase again
mv -f smtpd.key.unencrypted smtpd.key
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650

Three things in this recipe deserve a second look. A 1024-bit RSA key was already marginal in 2007 and is not acceptable now; use 2048 bits or more. The -rand /etc/hosts option adds nothing useful: on Linux OpenSSL seeds from /dev/urandom anyway, and a world-readable file contributes no secrecy. Finally, smtpd.crt is self-signed with its own key (-signkey), while cacert.pem is a separate CA created at the very end that has never signed anything, so the smtpd_tls_CAfile setting below points at a CA that is unrelated to the certificate Postfix serves, and clients that import cacert.pem still cannot validate smtpd.crt. For a chain that actually verifies, sign the CSR with the CA key instead of self-signing it. The encrypt-then-decrypt detour is also unnecessary: Postfix must read the key without a passphrase at startup, so creating it unencrypted in the first place (protected by the chmod 600) ends in the same state.
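As an added example (not part of the original page), here is the key and certificate procedure done so that the chain actually links: a private CA, an unencrypted 2048-bit server key, a CSR signed by that CA with the host name in subjectAltName, and an openssl verify at the end. It assumes a POSIX sh and openssl(1) on the PATH; the output directory, the FQDN server1.example.com and the CA name "Example Mail CA" are arguments chosen for illustration.

```shell
#!/bin/sh
# Added example, not from the original page: generate the TLS material for
# Postfix so that smtpd.crt is really signed by cacert.pem.
# Assumptions: openssl(1) on PATH; output dir, server FQDN and CA name are
# passed as arguments (the names in the usage line are illustrative).

gen_mail_certs() {   # $1 = output dir, $2 = mail server FQDN, $3 = CA display name
    dir=$1; fqdn=$2; ca_name=$3
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 2; }
    mkdir -p "$dir" || return 1

    # 1. Private CA, self-signed, valid 10 years. Its private key is only
    #    needed for signing; Postfix itself never reads cakey.pem.
    openssl req -new -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=$ca_name" -keyout "$dir/cakey.pem" -out "$dir/cacert.pem" || return 1

    # 2. Server key and CSR. The key is created unencrypted: Postfix has to
    #    load it without a passphrase at startup, so encrypting it and then
    #    stripping the passphrase again (as the recipe above does) gains nothing.
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=$fqdn" -keyout "$dir/smtpd.key" -out "$dir/smtpd.csr" || return 1

    # 3. Sign the CSR with the CA. Clients match the host name against
    #    subjectAltName, not CN, so the FQDN goes into the extension file.
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$fqdn" > "$dir/ext.cnf"
    openssl x509 -req -days 825 -in "$dir/smtpd.csr" \
        -CA "$dir/cacert.pem" -CAkey "$dir/cakey.pem" -CAcreateserial \
        -extfile "$dir/ext.cnf" -out "$dir/smtpd.crt" || return 1

    chmod 600 "$dir/cakey.pem" "$dir/smtpd.key"
    rm -f "$dir/smtpd.csr" "$dir/ext.cnf"

    # 4. Prove that the chain links. This is the check the original recipe
    #    never does; it fails for a self-signed smtpd.crt plus an unrelated CA.
    openssl verify -CAfile "$dir/cacert.pem" "$dir/smtpd.crt"
}

# Stand-alone use: sh gen_mail_certs.sh /etc/postfix/ssl server1.example.com "Example Mail CA"
if [ "$#" -eq 3 ]; then
    gen_mail_certs "$1" "$2" "$3"
fi
```

The resulting smtpd.key, smtpd.crt and cacert.pem match the three smtpd_tls_* paths in main.cf below, and a client that imports cacert.pem can now validate the server. Once signing is done, keep cakey.pem off the mail server; Postfix never needs it.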

Edit /etc/postfix/main.cf to enable SMTP-AUTH and TLS:
postconf -e 'mydomain = example.com'
postconf -e 'myhostname = server1.$mydomain'
postconf -e 'smtpd_sasl_local_domain ='
postconf -e 'smtpd_sasl_auth_enable = yes'
postconf -e 'smtpd_sasl_security_options = noanonymous'
postconf -e 'broken_sasl_auth_clients = yes'
postconf -e 'smtpd_recipient_restrictions=permit_sasl_authenticated,permit_mynetworks,check_relay_domains'
postconf -e 'inet_interfaces = all'
postconf -e 'alias_maps = hash:/etc/aliases'
postconf -e 'smtpd_tls_auth_only = no'
postconf -e 'smtp_use_tls = yes'
postconf -e 'smtpd_use_tls = yes'
postconf -e 'smtp_tls_note_starttls_offer = yes'
postconf -e 'smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key'
postconf -e 'smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt'
postconf -e 'smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem'
postconf -e 'smtpd_tls_loglevel = 1'
postconf -e 'smtpd_tls_received_header = yes'
postconf -e 'smtpd_tls_session_cache_timeout = 3600s'
postconf -e 'tls_random_source = dev:/dev/urandom'

Change the parameters to suit your environment, of course. A few of these settings need comment.

smtpd_recipient_restrictions decides who may relay. permit_sasl_authenticated and permit_mynetworks come first, and the list must end with a rule that rejects everything else, otherwise the server is an open relay. check_relay_domains was already listed as obsolete in the Postfix 2.0 documentation; reject_unauth_destination is its replacement, means the same thing here, and is the spelling current Postfix documents.

smtpd_tls_auth_only = no lets clients authenticate before STARTTLS, so PLAIN and LOGIN credentials cross the network in the clear. Set it to yes unless you really have to support clients that cannot do STARTTLS. In Postfix 2.2 and later the finer-grained alternative is smtpd_sasl_security_options = noanonymous, noplaintext together with smtpd_sasl_tls_security_options = noanonymous, so plaintext mechanisms are offered only inside TLS.

smtpd_sasl_local_domain is deliberately empty so that user names are not qualified with a domain, matching what saslauthd checks against /etc/shadow. broken_sasl_auth_clients = yes additionally advertises the non-standard AUTH=PLAIN LOGIN line for old Outlook Express clients.

smtp_use_tls and smtpd_use_tls are the pfixtls-era parameter names. From Postfix 2.3 on the equivalent is smtpd_tls_security_level = may and smtp_tls_security_level = may; the old names are still accepted only for compatibility.

- Configuring saslauthd
Create /etc/init.d/saslauthd:
#!/bin/sh -e
NAME=saslauthd
DAEMON="/usr/sbin/${NAME}"
DESC="SASL Authentication Daemon"
DEFAULTS=/etc/default/saslauthd
test -f "${DAEMON}" || exit 0
# Source defaults file; edit that file to configure this script.
if [ -e "${DEFAULTS}" ]; then
  . "${DEFAULTS}"
fi
# If we're not to start the daemon, simply exit
if [ "${START}" != "yes" ]; then
  exit 0
fi
# If we have no mechanisms defined
if [ "x${MECHANISMS}" = "x" ]; then
  echo "You need to configure ${DEFAULTS} with mechanisms to be used"
  exit 0
fi
# Add our mechanisms with the necessary flag
for i in ${MECHANISMS}; do
  PARAMS="${PARAMS} -a ${i}"
done
# Consider our options
case "${1}" in
  start)
    echo -n "Starting ${DESC}: "
    # -n: if /var/run/saslauthd already is a symlink to the chroot directory,
    # ln would otherwise follow it and create a dangling link inside that directory.
    ln -fns /var/spool/postfix/var/run/${NAME} /var/run/${NAME}
    ${DAEMON} ${PARAMS}
    echo "${NAME}."
    ;;
  stop)
    echo -n "Stopping ${DESC}: "
    PROCS=`ps aux | grep -iw '/usr/sbin/saslauthd' | grep -v 'grep' | awk '{print $2}' | tr '\n' ' '`
    if [ "x${PROCS}" != "x" ]; then
      # "&>" is a bash-only redirection; under /bin/sh it would background the kill.
      kill -15 ${PROCS} > /dev/null 2>&1
    fi
    echo "${NAME}."
    ;;
  restart|force-reload)
    $0 stop
    sleep 1
    $0 start
    echo "${NAME}."
    ;;
  *)
    echo "Usage: /etc/init.d/${NAME} {start|stop|restart|force-reload}" >&2
    exit 1
    ;;
esac
exit 0

Now we make the script executable:
chmod 755 /etc/init.d/saslauthd
To start saslauthd at boot we run the following commands:
ln -s /etc/init.d/saslauthd /etc/rc2.d/S20saslauthd
ln -s /etc/init.d/saslauthd /etc/rc3.d/S20saslauthd
ln -s /etc/init.d/saslauthd /etc/rc4.d/S20saslauthd
ln -s /etc/init.d/saslauthd /etc/rc5.d/S20saslauthd
ln -s /etc/init.d/saslauthd /etc/rc0.d/K20saslauthd
ln -s /etc/init.d/saslauthd /etc/rc1.d/K20saslauthd
ln -s /etc/init.d/saslauthd /etc/rc6.d/K20saslauthd

Then we create /etc/default/saslauthd:
# This needs to be uncommented before saslauthd will be run automatically
START=yes
#
# You must specify the authentication mechanisms you wish to use.
# This defaults to "pam" for PAM support, but may also include
# "shadow" or "sasldb"
MECHANISMS=shadow

With MECHANISMS=shadow, saslauthd checks the password against /etc/shadow, so every mail user needs a local system account with a password, and saslauthd has to run as root to read that file (it does when started from the script above).

If saslauthd is installed under /usr/local/sbin rather than /usr/sbin, create a symbolic link:
ln -s /usr/local/sbin/saslauthd /usr/sbin/saslauthd
Then start saslauthd and Postfix:
/etc/init.d/saslauthd start
/etc/init.d/postfix start

- Testing the configuration

To see whether SMTP-AUTH and TLS work correctly we run the following commands:
telnet localhost 25
Once the connection to our Postfix mail server is established, type:
ehlo localhost
If these lines appear:
250-STARTTLS
and
250-AUTH
everything is configured correctly. Then type
quit
to return to the shell.

Two refinements. First, with smtpd_tls_auth_only = yes (the recommended setting) the AUTH line is only shown after STARTTLS, which telnet cannot do; use openssl s_client -connect localhost:25 -starttls smtp instead and type ehlo localhost inside the encrypted session. Second, a connection from localhost always matches permit_mynetworks, so this test says nothing about relaying: from an outside address, check that a RCPT TO for a foreign domain is answered with "Relay access denied" unless you authenticate first. cyrus-sasl also ships testsaslauthd, which checks a user name and password against the running saslauthd socket independently of Postfix and is the quickest way to tell a SASL problem from a Postfix one.
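The telnet check only shows that the extensions are listed; it cannot tell you whether AUTH is offered before STARTTLS (the cleartext-credentials case) or only after it. The following script, added here and not part of the original page, reads an EHLO response and judges it for each phase, builds the base64 token for a manual AUTH PLAIN test, and, given host and port, runs both phases against a live server. It assumes a POSIX sh, nc(1) for the cleartext EHLO and openssl(1) s_client for the EHLO inside TLS; the client name check.example is made up.

```shell
#!/bin/sh
# Added example, not from the original page: classify what an SMTP server
# advertises in its EHLO response, before and after STARTTLS.
# Assumptions: POSIX sh; nc(1) and openssl(1) only for the live checks;
# the client name "check.example" is constructed.

CR=$(printf '\r')

# Read an EHLO response on stdin; print "starttls=yes|no auth=yes|no".
# Both "250-AUTH PLAIN LOGIN" and the broken_sasl_auth_clients form
# "250-AUTH=PLAIN LOGIN" count as AUTH being offered.
ehlo_caps() {
    starttls=no
    auth=no
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%"$CR"}
        case "$line" in
            250-STARTTLS*|"250 STARTTLS"*) starttls=yes ;;
            250-AUTH*|"250 AUTH"*)         auth=yes ;;
        esac
    done
    printf 'starttls=%s auth=%s\n' "$starttls" "$auth"
}

# Judge one phase of the session. $1 is "cleartext" (the first EHLO) or
# "tls" (the EHLO repeated inside the tunnel); the response comes on stdin.
# Returns 0 when the phase looks right, 1 otherwise, and says why on stdout.
check_ehlo_phase() {
    caps=$(ehlo_caps)
    case "$1:$caps" in
        "cleartext:starttls=yes auth=no")
            echo "cleartext: OK, STARTTLS offered and AUTH withheld"; return 0 ;;
        cleartext:starttls=no*)
            echo "cleartext: FAIL, no STARTTLS (check smtpd_use_tls and the certificate paths)"; return 1 ;;
        cleartext:*auth=yes)
            echo "cleartext: FAIL, AUTH offered before STARTTLS, credentials would cross the wire in the clear (set smtpd_tls_auth_only = yes)"; return 1 ;;
        tls:*auth=yes)
            echo "tls: OK, AUTH offered inside TLS"; return 0 ;;
        *)
            echo "$1: FAIL, AUTH not offered inside TLS (check saslauthd and smtpd.conf)"; return 1 ;;
    esac
}

# Base64 token for a manual "AUTH PLAIN" test: NUL user NUL password.
auth_plain_token() {
    printf '\0%s\0%s' "$1" "$2" | base64 | tr -d '\n'
}

# Live checks. nc(1) gives the cleartext EHLO; s_client performs STARTTLS
# itself, so the EHLO we pipe in is answered inside the tunnel.
cleartext_phase_live() {   # $1 = host, $2 = port
    printf 'EHLO check.example\r\nQUIT\r\n' | nc -w 5 "$1" "$2" | check_ehlo_phase cleartext
}
tls_phase_live() {         # $1 = host, $2 = port
    printf 'EHLO check.example\r\nQUIT\r\n' |
        openssl s_client -connect "$1:$2" -starttls smtp -ign_eof 2>/dev/null |
        check_ehlo_phase tls
}

# Stand-alone use: sh check_smtp_auth.sh server1.example.com 25
if [ "$#" -eq 2 ]; then
    cleartext_phase_live "$1" "$2"
    tls_phase_live "$1" "$2"
fi
```

With the page's setting smtpd_tls_auth_only = no the cleartext phase fails on purpose: that failure is exactly the cleartext credential exposure the setting allows. Flip it to yes and both phases pass. The token from auth_plain_token is what you paste after AUTH PLAIN inside an s_client session; never send it over the unencrypted telnet session.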

Manuel Diamanti
