Securely Relaying Mail
with Postfix
Introduction
Postfix's default action for relaying mail is to allow the local system (localhost) and the local area network to relay mail through it's SMTP server. While this is relatively secure, it does not allow clients to send their mail through the server's SMTP server while off the network.
The simple (unsecure) way to fix this problem, would be to simply allow any network to relay mail through the SMTP server. This my friend, is a spammers dream SMTP server. Open relaying allows anyone to connect to your SMTP server and send an email from any location to any location.
Unfortunately, most Internet Service Providers and uninformed system admin's install Postfix and think the tinkering has ended, which inevitably allows spammers to use their server for bulk mailing of their fake products.
I will attempt to explain to you, in the simplest way possible, of setting up SMTP-AUTH, which will only allow authorized users to send mail through the SMTP server, denying all others. This will end the open relaying issue.
Getting Started
Assuming you already have Postfix installed, we will begin by installing SASL:
We need to edit SASL's configuration file so it can start properly, and set a few other options in it.Code:sudo apt-get install libsasl2-2 sasl2-bin
You should see "START=no" at the top of the file. Change this to "START=yes". Add the following lines after your START variable:Code:sudo vim /etc/default/saslauthd
Set the OPTIONS variable to read:Code:PWDIR="/var/spool/postfix/var/run/saslauthd" PARAMS="-m ${PWDIR}" PIDFILE="${PWDIR}/saslauthd.pid"
In the end, your edits should look as follows:Code:OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"
Now we should reconfigure SASL to change it's root directory and place it in Postfix's chroot:Code:START=yes PWDIR="/var/spool/postfix/var/run/saslauthd" PARAMS="-m ${PWDIR}" PIDFILE="${PWDIR}/saslauthd.pid" OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"
Start SASL:Code:sudo dpkg-statoverride --force --update --add root sasl 755 /var/spool/postfix/var/run/saslauthd
Code:sudo /etc/init.d/saslauthd start
Editing Postfix
Now that you have SASL all setup, let's configure Postfix to use SASL.
(This step may not be required, as I went back and saw that I did not have to do it. Please check this step before continuing.)
If this directory exists, contains a file called "smtpd.conf" and the file contents are:Code:cd /etc/postfix/sasl/
Then you are good to go. Otherwise, please follow these steps:Code:pwcheck_method: saslauthd mech_list: plain login
And put the contents in this file that you see in the previous codeblock.Code:cd /etc/postfix/ sudo mkdir sasl cd sasl/ sudo vim smtpd.conf
Next, we need to add some settings to Postfix's main.cf file by the usage of the postconf command!
Now we will begin generating our SSL keys and certificate. You will be prompted by openssl for details about your domain, state, email, organization name, etc. Here is a little hint as to what you should enter when prompted:Code:sudo -i postconf -e 'smtpd_tls_auth_only = yes' postconf -e 'smtp_use_tls = yes' postconf -e 'smtpd_use_tls = yes' postconf -e 'smtp_tls_note_starttls_offer = yes' postconf -e 'smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key' postconf -e 'smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt' postconf -e 'smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem' postconf -e 'smtpd_tls_loglevel = 1' postconf -e 'smtpd_tls_received_header = yes' postconf -e 'smtpd_tls_session_cache_timeout = 3600s' postconf -e 'tls_random_source = dev:/dev/urandom' mkdir /etc/postfix/ssl cd /etc/postfix/ssl
Start generating those keys!Code:commonName = mycroftserver.homelinux.org stateOrProvinceName = Colorado countryName = US emailAddress = myemail@mysubdomain.domain.com organizationName = Mycroft Server organizationalUnitName = The Private Server of Dr Small
Now we can restart Postfix:Code:openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024 chmod 600 smtpd.key openssl req -new -key smtpd.key -out smtpd.csr openssl x509 -req -days 3650 -in smtpd.csr -signkey smtpd.key -out smtpd.crt openssl rsa -in smtpd.key -out smtpd.key.unencrypted mv -f smtpd.key.unencrypted smtpd.key openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650
Code:/etc/init.d/postfix restart exit
Verifying
Let's check with telnet, to see if everything went as planned:
The server should greet you, similar to this:Code:telnet localhost 25
Now type:Code:Trying 127.0.0.1... Connected to localhost. Escape character is '^]'. 220 mycroftserver.homelinux.org ESMTP Postfix (Ubuntu)
The server should reply. Look for:Code:EHLO localhost<return>
If it is listed there, then everything is working as planned. Now from an email client off the network (or connecting to your WAN IP), setup the SMTP server and use Authentication and encryption. Verify that emails send.Code:250-AUTH PLAIN LOGIN 250-AUTH=PLAIN LOGIN
Now we will try it from a spammers level:
Now we'll see if relaying is actually denied:Code:telnet yourwanip 25
The server should then return:Code:HELO server<return> MAIL FROM: spammer@spamcity.net<return> RCPT TO: user@server1.net<return>
Congratulations, Postfix is now securely setup for relayingCode:554 5.7.1 <user@server1.net>: Relay access denied
PS: If I have made any mistakes anywhere, please correct me and I will fix it.
External Links
Ubuntu Help: Postfix
Open Relay Testing
Adv Reply
Originally Posted by MJN
Bookmarks