April 09, 2004

Postfix-SMTP-AUTH-TLS-Howto

http://www.projektfarm.com/en/support/howto/postfix_smtp_auth_tls.html
Most documents do not mention that TLS requires a patch; this article is written in good detail.

Below are the consolidated steps.

Get the files (some URLs in the original article are no longer valid)
wget http://www.openssl.org/source/openssl-0.9.7c.tar.gz
wget ftp://ftp.andrew.cmu.edu/pub/cyrus-mail/cyrus-sasl-2.1.18.tar.gz
wget ftp://ftp.aet.tu-cottbus.de/pub/postfix_tls/related/postfix/postfix-2.0.18.tar.gz
wget ftp://ftp.aet.tu-cottbus.de/pub/postfix_tls/pfixtls-0.8.16-2.0.18-0.9.7c.tar.gz

Extract the files
tar zxf openssl-0.9.7c.tar.gz
tar zxf cyrus-sasl-2.1.18.tar.gz
tar zxf postfix-2.0.18.tar.gz
tar zxf pfixtls-0.8.16-2.0.18-0.9.7c.tar.gz

Build openssl
cd openssl-0.9.7c
./config
make
make install

Build cyrus-sasl-2
cd ../cyrus-sasl-2.1.18
./configure --enable-anon --enable-plain --enable-login --with-saslauthd=/var/run/saslauthd --with-pam --with-openssl=/usr/local/ssl --with-plugindir=/usr/local/lib/sasl2 --enable-cram --enable-digest
make
make install

[ -d /usr/lib/sasl2 ] && mv /usr/lib/sasl2 /usr/lib/sasl2_orig
ln -s /usr/local/lib/sasl2 /usr/lib/sasl2
printf "pwcheck_method:saslauthd\nmech_list: plain login digest-md5\n" > /usr/local/lib/sasl2/smtpd.conf

Build postfix (with the TLS patch)
cd ../postfix-2.0.18
useradd postfix
groupadd postdrop
patch -p1 < ../pfixtls-0.8.16-2.0.18-0.9.7c/pfixtls.diff
make makefiles CCARGS="-DHAS_SSL -DUSE_SASL_AUTH -I/usr/local/include/sasl -I/usr/local/ssl/include" AUXLIBS="-L/usr/local/ssl/lib -L/usr/local/lib -R/usr/local/lib -lsasl2 -lssl -lcrypto"
make
make install
cp /etc/postfix/aliases /etc/
newaliases
mkdir -p /var/spool/postfix/etc
cd /etc
cp localtime services hosts resolv.conf /var/spool/postfix/etc
mkdir -p /var/spool/postfix/var/run/saslauthd
chmod 755 /var/spool/postfix/var/run/saslauthd
ln -s /var/spool/postfix/var/run/saslauthd /var/run/saslauthd

Generate the certificate files for TLS
cd /etc/postfix
openssl req -new -x509 -nodes -out smtpd.pem -keyout smtpd.pem -days 3650

Edit /etc/postfix/main.cf and add the following
# SASL
smtpd_sasl_auth_enable=yes
smtpd_recipient_restrictions=permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
smtpd_sasl_security_options=noanonymous
broken_sasl_auth_clients=yes
# TLS
smtp_use_tls = yes
smtpd_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_key_file = /etc/postfix/smtpd.pem
smtpd_tls_cert_file = /etc/postfix/smtpd.pem
smtpd_tls_CAfile = /etc/postfix/smtpd.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

Start postfix and saslauthd
postfix start
saslauthd -a shadow

Test
telnet localhost 25

220 pank.idv.tw ESMTP Postfix
ehlo 0
250-pank.idv.tw
250-PIPELINING
250-SIZE 10485760
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH LOGIN PLAIN DIGEST-MD5
250-AUTH=LOGIN PLAIN DIGEST-MD5
250-XVERP
250 8BITMIME

That looks normal; now test authentication with user name pank and password test.
Get the encoded string: printf 'pank\0pank\0test' | mmencode
This gives cGFuawBwYW5rAHRlc3Q=
(When testing this way, a password beginning with a digit 0-7 fails authentication; the reason is unknown.
In fact, such a password works fine with SMTP AUTH itself.)
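The following is an added example, not code from the howto or from the original article: a small sh script that builds the string sent after "auth plain" in the session below, using base64 from coreutils instead of mmencode. It passes the three fields as printf arguments instead of writing them into the format string, which is what breaks the one-liner above for a password beginning with a digit 0-7: printf reads \0 followed by octal digits as an octal escape, so the password bytes are mangled before encoding. It also decodes the result so the two NUL separators can be checked. Function names are this example's own.

```shell
#!/bin/sh
# Added example (not part of the howto): build and inspect the SASL PLAIN
# initial response sent after "AUTH PLAIN" (RFC 4616 layout:
# authzid NUL authcid NUL passwd, base64-encoded). Uses base64 from
# coreutils instead of mmencode; function names are this example's own.

# Encode the three fields. The NUL separators are in the printf FORMAT and
# the values are ARGUMENTS, so a password such as "1234" is copied byte for
# byte instead of being read as the octal escape \0123 plus "4".
sasl_plain_encode() {
    printf '%s\0%s\0%s' "$1" "$2" "$3" | base64 | tr -d '\n'
}

# Decode a response and show each NUL as "|" so the three fields are visible.
sasl_plain_show() {
    printf '%s' "$1" | base64 -d | tr '\0' '|'
}

# Count the NUL separators in a response; a well-formed one has exactly 2.
sasl_plain_nul_count() {
    printf '%s' "$1" | base64 -d | tr -cd '\0' | wc -c | tr -d ' '
}

main() {
    # Constructed credentials from the test above (user pank, password test)
    # plus a password that starts with an octal digit.
    for pw in test 1234; do
        resp=$(sasl_plain_encode pank pank "$pw")
        echo "AUTH PLAIN $resp  -> $(sasl_plain_show "$resp") (NULs: $(sasl_plain_nul_count "$resp"))"
    done
    # Same password through a fixed format string, as in the one-liner above:
    # printf turns \0123 into "S", so the server sees the fields "pank", "pankS4".
    naive=$(printf 'pank\0pank\01234' | base64 | tr -d '\n')
    echo "naive: $naive  -> $(sasl_plain_show "$naive") (NULs: $(sasl_plain_nul_count "$naive"))"
}

main "$@"
```

The first line of output reproduces the cGFuawBwYW5rAHRlc3Q= string used in the session below; the last line shows only one NUL, which is why the server rejects it.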

telnet localhost 25

220 pank.idv.tw ESMTP Postfix
ehlo 0
250-pank.idv.tw
250-PIPELINING
250-SIZE 10485760
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH LOGIN PLAIN DIGEST-MD5
250-AUTH=LOGIN PLAIN DIGEST-MD5
250-XVERP
250 8BITMIME
auth plain cGFuawBwYW5rAHRlc3Q=
235 Authentication successful

It is working normally.

If it fails, check the log to find the reason.

ref. Postfix/TLS - A TLS extension for POSTFIX

Posted by pank at April 9, 2004 02:52 PM