Recipe 20.9. Setting Up smtp-auth to Authenticate Users


20.9.1 Problem

You want your users, especially remote users, to have to authenticate themselves to your Postfix server to prevent unauthorized relaying.

20.9.2 Solution

You'll need four things:

  • Cyrus-SASL2

  • OpenSSL

  • Postfix compiled to support Cyrus-SASL

  • A server certificate and keys

See Recipe 20.7 if you have not installed Cyrus-SASL. When SASL is installed and working, the next step is to generate an SSL server certificate. Find and enter the directory that holds the OpenSSL CA scripts, which is /usr/lib/ssl/misc on Debian-based systems (the location varies by distribution):

# cd /usr/lib/ssl/misc
# ls
CA.pl  c_info  c_name  der_chop  CA.sh  c_hash  c_issuer  demoCA

The script that generates the keys is CA.sh; CA.pl is the Perl port of the same script and takes the same options. Choose one and make a backup copy:

# cp CA.sh CA.sh-old

Edit the script, adding the -nodes flag everywhere there is a $REQ line:

-newcert)
    # create a certificate
    $REQ -new -nodes -x509 -keyout newreq.pem -out newreq.pem $DAYS
...
-newreq)
    # create a certificate request
    $REQ -new -nodes -keyout newreq.pem -out newreq.pem $DAYS
    RET=$?
...
else
    echo "Making CA certificate ..."
    $REQ -new -nodes -x509 -keyout ${CATOP}/private/$CAKEY \
       -out ${CATOP}/$CACERT $DAYS

The -nodes ("no DES") flag writes the private key unencrypted, so no pass-phrase is requested when the key is created or used. For the server key this is not merely a convenience: Postfix reads smtpd_tls_key_file at startup and has no way to prompt for a pass-phrase, so an encrypted server key simply fails to load. Compensate with file permissions: the key file must be readable by root only. The CA key in demoCA/private is a different matter, because it is needed only when you sign a certificate; you can leave -nodes out of the -newca branch and type the CA pass-phrase at signing time.

Now generate your new certificate:

# ./CA.sh -newca
# ./CA.sh -newreq
# ./CA.sh -sign

The result, after much output, is newreq.pem (the unencrypted private key together with the certificate request), newcert.pem (the signed server certificate), and demoCA/cacert.pem (the CA certificate). Copy these to /etc/postfix, and make sure newreq.pem ends up readable by root only, since it holds the private key:

# cp newcert.pem /etc/postfix/
# cp newreq.pem /etc/postfix/
# cp demoCA/cacert.pem /etc/postfix/
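The same certificate build as a script, added here as an example and not part of the cookbook recipe: it drives openssl(1) directly instead of editing CA.sh, keeps the server key in its own mode-600 file, adds the subjectAltName that current TLS clients match the host name against, and finishes with the two checks worth running before pointing main.cf at the files. The output directory, the file names, the 825-day lifetime and the extension contents are this example's own choices, as is the cert_key_match helper.

```shell
#!/bin/sh
# Added example; not from the Linux Cookbook recipe. Builds a private CA and a
# Postfix server certificate with openssl(1) directly, so CA.sh need not be
# edited. Directory, file names, lifetimes and extensions are assumptions
# made here, not values from the recipe.
set -eu

# make_postfix_certs DIR HOSTNAME [DAYS]
#   DIR      output directory (/etc/postfix on a real server)
#   HOSTNAME the name mail clients will connect to, e.g. windbag.test.net
make_postfix_certs() {
    dir="$1"; host="$2"; days="${3:-825}"
    mkdir -p "$dir"
    old_umask=$(umask)
    umask 077                       # keys are never world-readable, even briefly

    # 1. Private CA. -nodes leaves its key unencrypted, like the recipe's edit;
    #    the CA key is only needed at signing time, so on a real system keep it
    #    off the mail server or drop -nodes here and type a pass-phrase.
    #    basicConstraints marks it as a CA so that openssl verify accepts it.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$dir/ca.ext"
    openssl req -new -nodes -newkey rsa:2048 -subj "/CN=$host private CA" \
        -keyout "$dir/cakey.pem" -out "$dir/ca.csr"
    openssl x509 -req -in "$dir/ca.csr" -signkey "$dir/cakey.pem" -days 3650 \
        -extfile "$dir/ca.ext" -out "$dir/cacert.pem"

    # 2. Server key and request. The recipe's newreq.pem holds both in one
    #    file; splitting them lets the key alone be mode 600. Postfix cannot
    #    prompt for a pass-phrase, so the server key must be unencrypted.
    openssl req -new -nodes -newkey rsa:2048 -subj "/CN=$host" \
        -keyout "$dir/smtpd.key" -out "$dir/smtpd.csr"

    # 3. Sign it. Current TLS clients match the host name against
    #    subjectAltName rather than the CN, so add it via an extension file.
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$host" \
        > "$dir/san.ext"
    openssl x509 -req -in "$dir/smtpd.csr" -days "$days" \
        -CA "$dir/cacert.pem" -CAkey "$dir/cakey.pem" -CAcreateserial \
        -extfile "$dir/san.ext" -out "$dir/smtpd.pem"

    umask "$old_umask"
    chmod 644 "$dir/cacert.pem" "$dir/smtpd.pem"      # public parts only
    rm -f "$dir/ca.csr" "$dir/ca.ext" "$dir/smtpd.csr" "$dir/san.ext"

    # 4. Checks to run before editing main.cf: chain verifies, key matches cert.
    openssl verify -CAfile "$dir/cacert.pem" "$dir/smtpd.pem" >/dev/null
    cert_key_match "$dir/smtpd.key" "$dir/smtpd.pem"
}

# cert_key_match KEY CERT: true when CERT was issued for KEY (compares the
# public keys); a mismatch is the usual reason Postfix refuses the key pair.
cert_key_match() {
    [ "$(openssl pkey -in "$1" -pubout)" = "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# main.cf lines for the files created above (paths are this example's):
#   smtpd_tls_key_file  = /etc/postfix/smtpd.key
#   smtpd_tls_cert_file = /etc/postfix/smtpd.pem
#   smtpd_tls_CAfile    = /etc/postfix/cacert.pem

if [ $# -eq 2 ]; then
    make_postfix_certs "$1" "$2"      # e.g. sh mkcerts.sh /etc/postfix windbag.test.net
fi
```

The CA is built with a separate request-and-sign step rather than `req -x509` so that the CA:TRUE constraint is set explicitly on every OpenSSL release; without it, openssl verify (and some clients) reject the chain.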

Next, add these lines to /etc/postfix/main.cf. They layer TLS on top of the SASL configuration from Recipe 20.7: smtpd_tls_auth_only = yes makes smtpd withhold the AUTH capability until the client has issued STARTTLS, so passwords are never sent in the clear. smtpd_tls_loglevel = 3 dumps every handshake in hex to the mail log, which is useful while you test but should be lowered to 1 once things work. Postfix 2.3 and later spell smtpd_use_tls = yes as smtpd_tls_security_level = may:

smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/postfix/newreq.pem
smtpd_tls_cert_file = /etc/postfix/newcert.pem
smtpd_tls_CAfile = /etc/postfix/cacert.pem
smtpd_tls_loglevel = 3
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
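The TLS lines above only work toward the recipe's goal, no relaying without authentication, if smtpd is also told to offer SASL AUTH and to let authenticated users relay. The following is an added example, not part of the recipe or of Postfix: it writes the recipe's fragment and a completed one side by side, and a small lint that reads a main.cf and reports what is missing. The parameter names are real Postfix ones (smtpd_relay_restrictions exists from Postfix 2.10; older releases use smtpd_recipient_restrictions, which the lint also accepts); the file paths, the message texts and the cf_get helper are this example's own.

```shell
#!/bin/sh
# Added example, not from the Linux Cookbook: the recipe's main.cf fragment,
# a completed version, and a lint for the settings smtp-auth depends on.
# Parameter names are Postfix's; paths and messages are assumptions made here.
set -eu

# write_recipe_cf FILE: the TLS-only fragment exactly as the recipe gives it.
write_recipe_cf() {
    cat > "$1" <<'EOF'
smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/postfix/newreq.pem
smtpd_tls_cert_file = /etc/postfix/newcert.pem
smtpd_tls_CAfile = /etc/postfix/cacert.pem
smtpd_tls_loglevel = 3
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
EOF
}

# write_hardened_cf FILE: the same, plus the SASL and relay settings that make
# authentication actually required, and a production log level.
write_hardened_cf() {
    cat > "$1" <<'EOF'
# TLS (Postfix 2.3+; older releases use smtpd_use_tls = yes instead)
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/postfix/newreq.pem
smtpd_tls_cert_file = /etc/postfix/newcert.pem
smtpd_tls_CAfile = /etc/postfix/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
# SASL: without this smtpd never offers AUTH, and tls_auth_only changes nothing
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
# Relay policy (Postfix 2.10+; older: smtpd_recipient_restrictions):
# only our own networks and authenticated users may relay
smtpd_relay_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination
EOF
}

# cf_get FILE NAME: value of NAME in main.cf syntax (continuation lines start
# with whitespace; the last assignment wins, as in Postfix). Empty if unset.
cf_get() {
    awk -v key="$2" '
        /^[ \t]/   { if (cur == key) val = val " " $0; next }   # continuation
        /^[ \t]*#/ { next }                                      # comment
        /=/ {
            k = $0; sub(/[ \t]*=.*/, "", k); sub(/^[ \t]+/, "", k)
            v = $0; sub(/^[^=]*=[ \t]*/, "", v)
            cur = k
            if (k == key) val = v
            next
        }
        { cur = "" }
        END { gsub(/[ \t]+/, " ", val); sub(/^ /, "", val); sub(/ $/, "", val); print val }
    ' "$1"
}

# check_smtp_auth FILE: 0 if FILE enforces "AUTH only over TLS, relay only when
# authenticated"; otherwise prints FAIL lines and returns 1.
check_smtp_auth() {
    cf="$1"; rc=0
    tls=$(cf_get "$cf" smtpd_tls_security_level)
    if [ -z "$tls" ] && [ "$(cf_get "$cf" smtpd_use_tls)" = yes ]; then tls=may; fi
    case "$tls" in
        may|encrypt) ;;
        *) echo "FAIL: TLS is off on smtpd (smtpd_tls_security_level)"; rc=1 ;;
    esac
    [ "$(cf_get "$cf" smtpd_tls_auth_only)" = yes ] \
        || { echo "FAIL: AUTH would be offered before STARTTLS (smtpd_tls_auth_only)"; rc=1; }
    [ "$(cf_get "$cf" smtpd_sasl_auth_enable)" = yes ] \
        || { echo "FAIL: smtpd_sasl_auth_enable is not yes, so AUTH is never offered"; rc=1; }
    opts=$(cf_get "$cf" smtpd_sasl_security_options)
    case "${opts:-noplaintext, noanonymous}" in         # Postfix default when unset
        *noanonymous*) ;;
        *) echo "FAIL: smtpd_sasl_security_options lacks noanonymous"; rc=1 ;;
    esac
    restr=$(cf_get "$cf" smtpd_relay_restrictions)
    [ -n "$restr" ] || restr=$(cf_get "$cf" smtpd_recipient_restrictions)
    case "$restr" in
        *permit_sasl_authenticated*) ;;
        *) echo "FAIL: relay policy does not contain permit_sasl_authenticated"; rc=1 ;;
    esac
    case "$restr" in
        *reject_unauth_destination*|*defer_unauth_destination*) ;;
        *) echo "FAIL: relay policy lacks reject_unauth_destination (open relay)"; rc=1 ;;
    esac
    lvl=$(cf_get "$cf" smtpd_tls_loglevel)
    [ "${lvl:-0}" -le 1 ] \
        || echo "WARN: smtpd_tls_loglevel=$lvl dumps handshakes to the mail log; use 1 in production"
    return $rc
}

if [ $# -eq 1 ]; then
    check_smtp_auth "$1"          # e.g. sh auth_lint.sh /etc/postfix/main.cf
fi
```

Against a live system, run the lint on the output of postconf -n rather than on main.cf alone if you suspect settings are inherited from defaults or overridden in master.cf.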

Activate the changes:

# postfix reload

and test the server. Note that the EHLO reply lists STARTTLS but no AUTH line: with smtpd_tls_auth_only = yes, Postfix withholds AUTH until the session is encrypted, so a plain telnet session cannot get past STARTTLS (what follows is the binary TLS handshake). To see the authenticated side, use an openssl s_client session with the -starttls smtp option, repeat EHLO inside TLS and confirm that a 250-AUTH line now appears.

$ telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.localdomain.
Escape character is '^]'.
220 windbag.test.net ESMTP Postfix (Libranet/GNU)
EHLO windbag.test.net
250-windbag.test.net
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-XVERP
250 8BITMIME
STARTTLS
220 Ready to start TLS
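The property the telnet session above demonstrates, AUTH absent before STARTTLS and present after it, can be checked mechanically. The script below is an added example, not from the recipe: it parses EHLO replies and fails if AUTH is ever advertised on the plaintext leg or never advertised on the TLS leg. The three sample transcripts are constructed (the first mirrors the recipe's output), the host name probe.example is invented, and live_probe assumes an nc(1) for the plaintext leg and openssl s_client for the TLS leg.

```shell
#!/bin/sh
# Added example, not from the Linux Cookbook: verify that smtpd offers AUTH
# only after STARTTLS, which is what smtpd_tls_auth_only = yes promises.
# Transcripts are constructed; live_probe assumes nc(1) and openssl(1).
set -eu

# ehlo_offers CAP < transcript: true if the EHLO reply lists capability CAP
# (lines look like "250-AUTH PLAIN LOGIN" or "250 STARTTLS"; CRLF tolerated).
ehlo_offers() {
    tr -d '\r' | grep -Eiq "^250[- ]$1( |$)"
}

# tls_auth_only_ok PLAIN_FILE TLS_FILE: 0 when AUTH is withheld on the
# plaintext EHLO and offered on the EHLO sent inside TLS; 1 with reasons otherwise.
tls_auth_only_ok() {
    rc=0
    ehlo_offers STARTTLS < "$1" \
        || { echo "FAIL: server does not offer STARTTLS"; rc=1; }
    if ehlo_offers AUTH < "$1"; then
        echo "FAIL: AUTH offered on the plaintext connection; set smtpd_tls_auth_only = yes"
        rc=1
    fi
    ehlo_offers AUTH < "$2" \
        || { echo "FAIL: no AUTH after STARTTLS; check smtpd_sasl_auth_enable and SASL"; rc=1; }
    return $rc
}

# live_probe HOST: collect both EHLO replies from a real server and judge them.
# The plaintext leg uses nc; the TLS leg lets s_client do EHLO and STARTTLS,
# then our own EHLO and QUIT travel inside the TLS session (-quiet implies
# -ign_eof, so s_client waits for the server's replies before exiting).
live_probe() {
    host="$1"
    printf 'EHLO probe.example\r\nQUIT\r\n' | nc -w 5 "$host" 25 > plain.txt
    printf 'EHLO probe.example\r\nQUIT\r\n' \
        | openssl s_client -quiet -connect "$host:25" -starttls smtp > tls.txt 2>/dev/null
    tls_auth_only_ok plain.txt tls.txt
}

# Constructed transcripts for offline use.
sample_plain_ehlo() {        # mirrors the recipe's telnet session: no AUTH yet
    printf '%s\r\n' \
        '220 windbag.test.net ESMTP Postfix (Libranet/GNU)' \
        '250-windbag.test.net' '250-PIPELINING' '250-SIZE 10240000' \
        '250-VRFY' '250-ETRN' '250-STARTTLS' '250-XVERP' '250 8BITMIME'
}
sample_tls_ehlo() {          # what the second EHLO returns inside TLS
    printf '%s\r\n' \
        '250-windbag.test.net' '250-PIPELINING' '250-SIZE 10240000' \
        '250-VRFY' '250-ETRN' '250-AUTH PLAIN LOGIN' '250-XVERP' '250 8BITMIME'
}
sample_bad_plain_ehlo() {    # a server running with smtpd_tls_auth_only = no
    printf '%s\r\n' \
        '250-windbag.test.net' '250-STARTTLS' '250-AUTH PLAIN LOGIN' '250 8BITMIME'
}

if [ $# -eq 1 ]; then
    live_probe "$1"           # e.g. sh auth_probe.sh windbag.test.net
fi
```

An interactive equivalent of the TLS leg is to run openssl s_client -starttls smtp -connect host:25 by hand and type EHLO yourself, which is also the way to test the AUTH exchange itself once the capability shows up.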

Now configure your users' mail clients to use STARTTLS on port 25 with password authentication, and you're done. Most mail clients can be configured to store the login and password, so all your users need to do is click the send button.

20.9.3 Discussion

Postfix installations are pretty consistent across the various package formats and Linux distributions, but it's still a good idea to verify all the filepaths in /etc/postfix/main.cf.

20.9.4 See Also

  • /usr/share/doc/postfix/examples/, for descriptions of the main.cf options

  • /usr/share/doc/postfix/examples/sample-auth.cf.gz, for the explanations of the authentication options



    Linux Cookbook
    ISBN: 0596006403
    Year: 2004
    Pages: 434