Securely Relaying Mail
with Postfix
Introduction
Postfix's default action for relaying mail is to allow the local system (localhost) and the local area network to relay mail through it's SMTP server. While this is relatively secure, it does not allow clients to send their mail through the server's SMTP server while off the network.
The simple (unsecure) way to fix this problem, would be to simply allow any network to relay mail through the SMTP server. This my friend, is a spammers dream SMTP server. Open relaying allows anyone to connect to your SMTP server and send an email from any location to any location.
Unfortunately, most Internet Service Providers and uninformed system admin's install Postfix and think the tinkering has ended, which inevitably allows spammers to use their server for bulk mailing of their fake products.
I will attempt to explain to you, in the simplest way possible, of setting up SMTP-AUTH, which will only allow authorized users to send mail through the SMTP server, denying all others. This will end the open relaying issue.
Getting Started
Assuming you already have Postfix installed, we will begin by installing SASL:
Code:
sudo apt-get install libsasl2-2 sasl2-bin
We need to edit SASL's configuration file so it can start properly, and set a few other options in it.
Code:
sudo vim /etc/default/saslauthd
You should see "START=no" at the top of the file. Change this to "START=yes". Add the following lines after your START variable:
Code:
PWDIR="/var/spool/postfix/var/run/saslauthd"
PARAMS="-m ${PWDIR}"
PIDFILE="${PWDIR}/saslauthd.pid"
Set the OPTIONS variable to read:
Code:
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"
In the end, your edits should look as follows:
Code:
START=yes
PWDIR="/var/spool/postfix/var/run/saslauthd"
PARAMS="-m ${PWDIR}"
PIDFILE="${PWDIR}/saslauthd.pid"
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"
Now we should reconfigure SASL to change it's root directory and place it in Postfix's chroot:
Code:
sudo dpkg-statoverride --force --update --add root sasl 755 /var/spool/postfix/var/run/saslauthd
Start SASL:
Code:
sudo /etc/init.d/saslauthd start
Editing Postfix
Now that you have SASL all setup, let's configure Postfix to use SASL.
(This step may not be required, as I went back and saw that I did not have to do it. Please check this step before continuing.)
Code:
cd /etc/postfix/sasl/
If this directory exists, contains a file called "smtpd.conf" and the file contents are:
Code:
pwcheck_method: saslauthd
mech_list: plain login
Then you are good to go. Otherwise, please follow these steps:
Code:
cd /etc/postfix/
sudo mkdir sasl
cd sasl/
sudo vim smtpd.conf
And put the contents in this file that you see in the previous codeblock.
Next, we need to add some settings to Postfix's main.cf file by the usage of the postconf command!
Code:
sudo -i
postconf -e 'smtpd_tls_auth_only = yes'
postconf -e 'smtp_use_tls = yes'
postconf -e 'smtpd_use_tls = yes'
postconf -e 'smtp_tls_note_starttls_offer = yes'
postconf -e 'smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key'
postconf -e 'smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt'
postconf -e 'smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem'
postconf -e 'smtpd_tls_loglevel = 1'
postconf -e 'smtpd_tls_received_header = yes'
postconf -e 'smtpd_tls_session_cache_timeout = 3600s'
postconf -e 'tls_random_source = dev:/dev/urandom'
mkdir /etc/postfix/ssl
cd /etc/postfix/ssl
Now we will begin generating our SSL keys and certificate. You will be prompted by openssl for details about your domain, state, email, organization name, etc. Here is a little hint as to what you should enter when prompted:
Code:
commonName = mycroftserver.homelinux.org
stateOrProvinceName = Colorado
countryName = US
emailAddress = myemail@mysubdomain.domain.com
organizationName = Mycroft Server
organizationalUnitName = The Private Server of Dr Small
Start generating those keys!
Code:
openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024
chmod 600 smtpd.key
openssl req -new -key smtpd.key -out smtpd.csr
openssl x509 -req -days 3650 -in smtpd.csr -signkey smtpd.key -out smtpd.crt
openssl rsa -in smtpd.key -out smtpd.key.unencrypted
mv -f smtpd.key.unencrypted smtpd.key
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650
Now we can restart Postfix:
Code:
/etc/init.d/postfix restart
exit
Verifying
Let's check with telnet, to see if everything went as planned:
Code:
telnet localhost 25
The server should greet you, similar to this:
Code:
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 mycroftserver.homelinux.org ESMTP Postfix (Ubuntu)
Now type:
Code:
EHLO localhost<return>
The server should reply. Look for:
Code:
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
If it is listed there, then everything is working as planned. Now from an email client off the network (or connecting to your WAN IP), setup the SMTP server and use Authentication and encryption. Verify that emails send.
Now we will try it from a spammers level:
Code:
telnet yourwanip 25
Now we'll see if relaying is actually denied:
Code:
HELO server<return>
MAIL FROM: spammer@spamcity.net<return>
RCPT TO: user@server1.net<return>
The server should then return:
Code:
554 5.7.1 <user@server1.net>: Relay access denied
Congratulations, Postfix is now securely setup for relaying
PS: If I have made any mistakes anywhere, please correct me and I will fix it.
External Links
Ubuntu Help: Postfix
Open Relay Testing
Bookmarks