
Jail: Postfix w/SASL2 & TLS

Preface

This guide has been assembled from multiple web sites. It assumes you have already performed the installation of FreeBSD 6 and created a working jail (e.g. with ezjail).

Please be aware that this guide runs straight from start to finish: every step must be completed before anything works properly.

Installation

This installation and configuration is not as simple as the other tip sheets offered here. Please pay close attention and double check everything!

Install the Postfix port adding support for SASL2 and TLS during the config:

mail# cd /usr/ports/mail/postfix
mail# make clean
mail# make config [enable the SASL2 and TLS options]
mail# make install
mail# make clean

Install the saslauthd port:

mail# cd /usr/ports/security/cyrus-sasl2-saslauthd
mail# make clean
mail# make install
mail# make clean

Configuration

The first step of the configuration will be to enable the packages we've just installed and disable sendmail in the /etc/rc.conf:

sendmail_enable="NO"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"

postfix_enable="YES"

saslauthd_enable="YES"
saslauthd_flags="-a getpwent"

Next, disable the standard sendmail daily maintenance routines in /etc/periodic.conf:

daily_clean_hoststat_enable="NO"
daily_status_mail_rejects_enable="NO"
daily_status_include_submit_mailq="NO"
daily_submit_queuerun="NO"

Configure Postfix for our domain (replace kingsquarry.net with your domain) in /usr/local/etc/postfix/main.cf, addressing three different topics at once:

  1. Change the normal Postfix configuration parameters to enable our mail server:

     myhostname = mail.kingsquarry.net
     mydomain = kingsquarry.net
     mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
     #mynetworks_style = host
     mynetworks = 192.168.1.0/24
     relay_domains = $mydestination
     relayhost = 1.2.3.4
     alias_database = hash:/etc/aliases
     home_mailbox = Maildir/

  2. Add the SASL configuration parameters at the bottom of the file (the indented lines continue the value of the parameter above them; Postfix requires that leading whitespace):

     #
     # SASL CONFIG
     #
     enable_sasl_authentication = yes
     broken_sasl_auth_clients = yes
     smtpd_sasl_auth_enable = yes
     smtpd_sasl_security_options = noanonymous
     smtpd_sasl_local_domain =
     smtpd_sender_restrictions =
         permit_sasl_authenticated,
         permit_mynetworks
     smtpd_recipient_restrictions =
         permit_sasl_authenticated,
         permit_mynetworks,
         reject_unauth_destination

  3. Add the TLS configuration parameters at the bottom of the file:

     #
     # TLS config
     #
     smtp_use_tls = yes
     smtpd_use_tls = yes
     smtpd_tls_auth_only = yes
     smtp_tls_note_starttls_offer = yes
     smtpd_tls_key_file = /usr/local/etc/postfix/ssl/smtpd.pem
     smtpd_tls_cert_file = /usr/local/etc/postfix/ssl/smtpd.pem
     smtpd_tls_CAfile = /usr/local/etc/postfix/ssl/smtpd.pem
     smtpd_tls_loglevel = 3
     smtpd_tls_received_header = yes
     smtpd_tls_session_cache_timeout = 3600s
     tls_random_source = dev:/dev/urandom
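The two settings that matter most for safety in the main.cf above are smtpd_tls_auth_only (so PLAIN/LOGIN credentials are only accepted inside TLS) and reject_unauth_destination (so only the two permit rules ahead of it can relay). The following script is an added example, not part of this guide or of Postfix: it parses main.cf with Postfix's continuation-line rule and lints those settings; GUIDE_MAIN_CF is a constructed sample mirroring the SASL section.

```python
# Added example, not part of the original guide: parse a Postfix main.cf the way Postfix does
# (a line starting with whitespace continues the previous value) and lint the SASL/TLS settings.
import re

def parse_main_cf(text):
    """Return {parameter: value}; blank lines and '#' comment lines are skipped."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t":  # continuation of the previous parameter's value
            if current is None:
                raise ValueError("continuation line with no parameter: %r" % raw)
            params[current] = (params[current] + " " + raw.strip()).strip()
            continue
        name, sep, value = raw.partition("=")
        if not sep or not name.strip():  # e.g. an unindented continuation line
            raise ValueError("malformed line: %r" % raw)
        current = name.strip()
        params[current] = value.strip()
    return params

def _tokens(value):  # Postfix list values are comma and/or whitespace separated
    return [t for t in re.split(r"[,\s]+", value) if t]

def check_smtpd_policy(params):
    """Return a list of findings; an empty list means the checks passed."""
    findings = []
    if params.get("smtpd_tls_auth_only") != "yes":
        findings.append("smtpd_tls_auth_only is not yes: PLAIN/LOGIN credentials may cross the wire unencrypted")
    if "noanonymous" not in _tokens(params.get("smtpd_sasl_security_options", "")):
        findings.append("smtpd_sasl_security_options lacks noanonymous")
    recip = _tokens(params.get("smtpd_recipient_restrictions", ""))
    if "reject_unauth_destination" not in recip:
        findings.append("smtpd_recipient_restrictions lacks reject_unauth_destination: open relay")
    else:  # only permit rules for trusted sources may precede the relay check
        loose = [t for t in recip[:recip.index("reject_unauth_destination")] if t.startswith("permit")
                 and t not in ("permit_mynetworks", "permit_sasl_authenticated")]
        if loose:
            findings.append("permit rule(s) before reject_unauth_destination allow relaying: " + ", ".join(loose))
    return findings

# Constructed sample mirroring the guide's SASL section (continuation lines indented, as Postfix requires).
GUIDE_MAIN_CF = """\
smtpd_sasl_security_options = noanonymous
smtpd_recipient_restrictions =
    permit_sasl_authenticated,
    permit_mynetworks,
    reject_unauth_destination
smtpd_tls_auth_only = yes
"""
```

On the real host, feed it the output of postconf -n rather than the raw file so that defaults and master.cf overrides are already resolved.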

SASL2 Configuration

Create a SASL2 configuration file called smtpd.conf in the /usr/local/lib/sasl2 directory with the following contents:

pwcheck_method: saslauthd
mech_list: plain login

TLS Certificate Creation

Create the directory to hold the configuration file and certificates:

mail# mkdir /usr/local/etc/postfix/ssl
mail# chmod 700 /usr/local/etc/postfix/ssl
mail# cd /usr/local/etc/postfix/ssl

Create a configuration file for use with OpenSSL called pftls.conf:

RANDFILE = /usr/local/etc/postfix/ssl/post.rand

[ req ]
default_bits = 1024
encrypt_key = yes
distinguished_name = req_dn
x509_extensions = cert_type
prompt = no

[ req_dn ]
C=US
ST=North Carolina
L=Huntersville
O=KingsQuarry
OU=mail
CN=mail.kingsquarry.net
emailAddress=emailAddress

[ cert_type ]
nsCertType = server

Generate the certificate:

mail# dd if=/dev/urandom of=/usr/local/etc/postfix/ssl/post.rand count=1
mail# /usr/bin/openssl req -new -x509 -days 365 -nodes \
    -config /usr/local/etc/postfix/ssl/pftls.conf -out /usr/local/etc/postfix/ssl/smtpd.pem \
    -keyout /usr/local/etc/postfix/ssl/smtpd.pem
mail# /usr/bin/openssl gendh -rand /usr/local/etc/postfix/ssl/post.rand 512 \
    >>/usr/local/etc/postfix/ssl/smtpd.pem
mail# /usr/bin/openssl x509 -subject -dates -fingerprint -noout -in \
    /usr/local/etc/postfix/ssl/smtpd.pem

Start

Use the following two commands to start Postfix and SASL:

mail# postfix start
mail# /usr/local/etc/rc.d/saslauthd start
