CentOS Linux Server Guide

Postfix Mail System - Step by Step Guide

Part 7: Enhance Postfix Mail Server Security by implementing SMTP Authentication using Dovecot SASL

In Parts 1 to 6 of this series, we elaborated the detailed steps to set up an email system for an organization that requires a complex solution, such as support for multiple domains and virtual users. In the following few chapters, we will share with you how to tighten the security of your Postfix mail system.

 

Before we begin, let us explain why we need SMTP authentication using SASL (Simple Authentication and Security Layer).

 

Q: "What is SASL?"

 

A: SASL is an access control mechanism that authenticates users by their username and password for Postfix mail. It provides additional protection by allowing only legitimate users to relay mail through our mail server.

 

Q: "How does Postfix's default mail security work?"

 

A: By default, Postfix's mail relay control relies only on an IP address ACL. Under /etc/postfix/main.cf there is a $mynetworks parameter that Postfix uses to control mail relay through your mail server. Thus, the value we entered earlier, mynetworks = 192.168.139.0/24, 127.0.0.0/8, tells Postfix to allow only the 192.168.139.0/24 network and localhost to relay and send email using our mail service. No other authentication is performed by Postfix.

Q: "Is it necessary for me to enhance the Postfix mail security, or can I just use the default Postfix security mechanism?"

A: A few years ago, if your mail server only allowed relay for IP addresses on the same network, or only allowed localhost to send email, then it was unlikely that you needed to implement SASL or SMTP AUTH. However, from my experience, implementing SMTP AUTH is the minimal mail security you should do. Why? One of my client's mail servers was sending thousands of emails per minute due to worm infections. Implementing SMTP AUTH will not necessarily solve the issue, but at least those infected PCs (with no mail client installed) will not get past our mail server.

Moreover, if your organization has mobile users, we need a mechanism to authenticate them as trusted users so that they are able to send mail through the mail server.

Configuring SASL in postfix

Since we are already running Dovecot, we use Dovecot's SASL support for Postfix rather than the SASL provided by the Cyrus SASL library.

Step 1: Add SASL for Postfix

To enable Postfix to use SASL, edit /etc/postfix/main.cf. If a key (the word before the = sign) cannot be found in the file, add it at the bottom of the file.

 

#vim /etc/postfix/main.cf

 

Add the following lines to the bottom of the file. Please make sure that the format is parameter = value, and NOT parameter= value.

 
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes

 

Configuring SASL in dovecot


Next, we need to configure the auth default block in the authentication processes section of Dovecot.

 

Warning: Be careful, as this section is heavily commented; make a backup copy, just in case...

 

Step 1: Backup Dovecot config file

 

#cp /etc/dovecot.conf /etc/dovecot.conf.bck.29May2010

 

Step 2: Add SASL Support for Dovecot

 

Next, let us edit the lines in /etc/dovecot.conf

# vim /etc/dovecot.conf

 

Add the following lines inside the auth default block. The line numbers shown are from my config file, where auth default starts at line 758:
758 auth default {
762 mechanisms = plain login

979 socket listen {
990 client {
994 path = /var/spool/postfix/private/auth
995 mode = 0660
996 user = postfix  <--add in this line
997 group = postfix <--add in this line
998 }
999 }
1000 }
 

 

Restart Dovecot and Postfix

Ok, let us restart both services

 
#service dovecot restart

 
#service postfix restart

 

 

Verification of SASL on Dovecot and Postfix

Remember that in the previous chapter we added a separate log for our Dovecot service?

 

Here is our setting in /etc/dovecot.conf

#cat /etc/dovecot.conf | grep log_path

log_path = /var/log/dovecot.log

 

Let us check that the auth-worker is running properly.

# cat /var/log/dovecot.log

dovecot: Apr 08 18:11:43 Info: Dovecot v1.0.7 starting up
dovecot: Apr 08 18:11:44 Info: auth-worker(default): mysql: Connected to localhost (postfix)
 

 

Next, let us check that /var/spool/postfix/private/auth has been created. The example below shows that the auth socket exists: the leading s in the permissions marks it as a Unix socket, and the postfix:postfix ownership with mode 0660 matches what we configured in dovecot.conf.

#ls -l  /var/spool/postfix/private/auth

srw-rw---- 1 postfix postfix 0 Apr 8 18:11 /var/spool/postfix/private/auth
 

 

Finally, let us run a quick test to see if our mail server now accepts SMTP AUTH.

#telnet localhost 25

Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
220 centos.example.local ESMTP Postfix
ehlo server
250-centos.example.local
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH PLAIN
250-AUTH=PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
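As an added check that is not part of the original guide, the following Python code parses a captured EHLO reply like the one above and reports which SASL mechanisms Postfix advertises. It folds the legacy AUTH=PLAIN line, which Postfix announces because of broken_sasl_auth_clients = yes, into the normal AUTH capability, and flags the case where PLAIN or LOGIN is offered without STARTTLS. The sample reply is the guide's own output, embedded as a constructed string.

```python
import re
# Constructed sample: the EHLO reply captured in the telnet session above.
EHLO_REPLY = """\
250-centos.example.local
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH PLAIN
250-AUTH=PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
"""

def parse_ehlo(reply):
    """Return (hostname, caps) from a multi-line 250 reply: '250-' lines
    continue it, '250 ' (space) ends it; caps maps keyword -> parameters."""
    lines = [ln.rstrip("\r") for ln in reply.splitlines() if ln.strip()]
    hostname, caps = None, {}
    for i, ln in enumerate(lines):
        m = re.match(r"^250([ -])(.*)$", ln)
        if not m:
            raise ValueError("not a 250 reply line: %r" % ln)
        sep, text = m.groups()
        if i == 0:
            hostname = text.split()[0]  # first line carries the server name
        else:
            kw, _, params = text.partition(" ")
            # 'AUTH=PLAIN' is the obsolete form Postfix also announces when
            # broken_sasl_auth_clients = yes; fold it into the AUTH keyword.
            if kw.upper().startswith("AUTH="):
                kw, params = "AUTH", (kw[5:] + " " + params).strip()
            caps.setdefault(kw.upper(), set()).update(params.split())
        if sep == " ":
            break  # final line of the reply
    else:
        raise ValueError("reply was not terminated by a '250 ' line")
    return hostname, caps

def sasl_mechanisms(reply):
    """Mechanisms offered via AUTH; empty set when SMTP AUTH is not enabled."""
    return parse_ehlo(reply)[1].get("AUTH", set())

def plaintext_auth_without_tls(reply):
    """True when PLAIN or LOGIN is offered but STARTTLS is not advertised,
    so the base64 credentials would cross the network unencrypted."""
    _, caps = parse_ehlo(reply)
    return bool(caps.get("AUTH", set()) & {"PLAIN", "LOGIN"}) and "STARTTLS" not in caps
```

Run it against the reply captured above and it reports PLAIN as the only mechanism, with no STARTTLS line in the capability list.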

 

 

Testing SASL SMTP AUTH on Postfix

 

Great, let us now proceed with SMTP AUTH using telnet.

 

First, let us encode our username and password into the base64 value that will be used for "auth plain" later.

 

Command Syntax:

perl -MMIME::Base64 -e 'print encode_base64("\000username\@domain.com\000password");'

 

#perl -MMIME::Base64 -e 'print encode_base64("\000alex\@abc.local\000alex");'


AGFsZXhAYWJjLmxvY2FsAGFsZXg=
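The same encoding in Python, as an added example that is not part of the original guide: build_auth_plain() produces the value the Perl one-liner prints (RFC 4616 format: authzid, username and password separated by NUL bytes, then base64), parse_auth_plain() reverses it, which shows that base64 is encoding rather than encryption, and redact_auth_plain() masks the credential in a captured telnet transcript before it is shared. The test values are the guide's own accounts.

```python
import base64

def build_auth_plain(username, password, authzid=""):
    """Return the base64 argument for 'auth plain', i.e. the RFC 4616
    message authzid NUL authcid NUL password (authzid is normally empty).
    This is what the Perl one-liner above produces."""
    for field in (authzid, username, password):
        if "\0" in field:
            raise ValueError("NUL is the field separator; it cannot appear in a field")
    raw = "\0".join((authzid, username, password)).encode("utf-8")
    return base64.b64encode(raw).decode("ascii")

def parse_auth_plain(b64):
    """Decode an 'auth plain' argument back into (authzid, username, password).

    Anyone who can read the session (a capture, a shared transcript) can do
    this: base64 is encoding, not encryption, so PLAIN needs TLS underneath.
    Raises ValueError for invalid base64 or a payload without three fields."""
    try:
        raw = base64.b64decode(b64.strip(), validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("invalid base64: %s" % exc)
    parts = raw.split(b"\0")
    if len(parts) != 3:
        raise ValueError("expected 3 NUL-separated fields, got %d" % len(parts))
    return tuple(p.decode("utf-8") for p in parts)

def redact_auth_plain(line):
    """Mask the credential in a captured 'auth plain <base64>' command line
    so that a session transcript can be shared without leaking the password."""
    parts = line.split(None, 2)
    if len(parts) == 3 and parts[0].lower() == "auth" and parts[1].lower() == "plain":
        return "%s %s %s" % (parts[0], parts[1], "<redacted>")
    return line
```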
 


Test 1:

Let us use alex@abc.local to send an email to yasmin@xyz.local.

 

#telnet localhost 25

Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
220 centos.example.local ESMTP Postfix
ehlo server
250-centos.example.local
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH PLAIN
250-AUTH=PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

mail from:<alex@abc.local>
250 2.1.0 Ok
rcpt to:<yasmin@xyz.local>
250 2.1.5 Ok
auth plain AGFsZXhAYWJjLmxvY2FsAGFsZXg=   <--- encoded password here
235 2.0.0 Authentication successful

data
354 End data with <CR><LF>.<CR><LF>
this is a smtp auth test send from alex to yasmin
.
250 2.0.0 Ok: queued as CC9414A80A2
quit
221 2.0.0 Bye
Connection closed by foreign host.
 

 

 
#cat /home/vmail/xyz.local/yasmin/Maildir/new/1270724227.Vfd00I20063M461898.centos.example.local
 

Return-Path: <alex@abc.local>
X-Original-To: yasmin@xyz.local
Delivered-To: yasmin@xyz.local
Received: from server (centos.example.local [127.0.0.1])
by centos.example.local (Postfix) with ESMTP id CC9414A80A2
for <yasmin@xyz.local>; Thu, 8 Apr 2010 18:44:02 +0800 (MYT)
Message-Id: <20100408104416.CC9414A80A2@centos.example.local>
Date: Thu, 8 Apr 2010 18:44:02 +0800 (MYT)
From: alex@abc.local
To: undisclosed-recipients:;

this is a smtp auth test send from alex to yasmin

 

 

 

 

Test 2:

Great, it works with the abc.local domain. Let us see if it works with multiple domains and users.

 
# telnet localhost 25


Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
220 centos.example.local ESMTP Postfix
mail from:<yasmin@xyz.local>
250 2.1.0 Ok
auth plain AHlhc21pbkB4eXoubG9jYWwAeWFzbWlu
235 2.0.0 Authentication successful
rcpt to:<alex@abc.local>
250 2.1.5 Ok
data
354 End data with <CR><LF>.<CR><LF>
yasmin test from auth
.
250 2.0.0 Ok: queued as 646504A80A2
quit
221 2.0.0 Bye
Connection closed by foreign host.

 

 

Verify the email sent by Yasmin.

#cat /home/vmail/abc.local/alex/Maildir/new/1270724416.Vfd00I20067M617655.centos.example.local


Return-Path: <yasmin@xyz.local>
X-Original-To: alex@abc.local
Delivered-To: alex@abc.local
Received: from centos.example.local (centos.example.local [127.0.0.1])
by centos.example.local (Postfix) with SMTP id 646504A80A2
for <alex@abc.local>; Thu, 8 Apr 2010 18:59:26 +0800 (MYT)
Message-Id: <20100408105952.646504A80A2@centos.example.local>
Date: Thu, 8 Apr 2010 18:59:26 +0800 (MYT)
From: yasmin@xyz.local
To: undisclosed-recipients:;

yasmin test from auth

 

 

 




Copyright 2011 http://www.1a-centosserver.com All Rights Reserved
