Postfix with TLS and SSL (smtps)
Use a portscanner like „nmap“:
station7:/etc/init.d # nmap localhost | grep smtp
25/tcp   open  smtp
→ smtp is only running at port 25!
TLS
Modify the TLS-settings in /etc/postfix/main.cf
#--- SSL/TLS setting ---#
smtpd_client_restrictions = permit_tls_clientcerts, permit_sasl_authenticated
# continuation lines of a multi-line value must start with whitespace
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    permit_tls_clientcerts,
    reject_unauth_destination,
    check_sender_access hash:/etc/postfix/access,
    check_recipient_access hash:/etc/postfix/access,
    permit
# SASL as SMTP client (smtp_*) and as SMTP server (smtpd_*)
smtp_sasl_auth_enable = yes
smtpd_sasl_local_domain = station7
smtp_sasl_password_maps = ldap:/etc/postfix/sasl-auth.cf
smtp_sasl_mechanism_filter = login, digest-md5
smtp_sasl_security_options = noanonymous
smtpd_sasl_application_name = smtpd
# the parameter is smtpd_sasl_exceptions_networks; "smtpd_sasl_exceptions" is unknown to Postfix and ignored
smtpd_sasl_exceptions_networks = 127.0.0.1/8
smtpd_sasl_security_options = noanonymous
smtpd_tls_received_header = yes
smtpd_tls_ask_ccert = yes
smtpd_tls_session_cache_database = sdbm:/etc/postfix/smtpd_scache
#smtpd_tls_session_cache_database = btree:/etc/postfix/smtpd_cache
#smtp_tls_loglevel = 0
smtp_tls_loglevel = 7
smtp_tls_note_starttls_offer = yes
# smtpd_use_tls / smtp_use_tls are the pre-2.3 names; Postfix 2.3+ uses smtpd_tls_security_level / smtp_tls_security_level
#smtpd_use_tls = no
smtpd_use_tls = yes
smtp_use_tls = no
# "no" also offers AUTH before STARTTLS on port 25; "yes" restricts AUTH to TLS sessions
smtpd_tls_auth_only = no
tls_daemon_random_source = dev:/dev/urandom
#--
smtpd_tls_CAfile = /etc/ssl/certs/ca_cert.pem
smtpd_tls_cert_file = /etc/ssl/certs/station7_cert.pem
smtpd_tls_key_file = /etc/ssl/private/station7_key.pem
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
SSL for smtp - smtps
Modify / append the SSL-settings in /etc/postfix/master.cf:
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtps     inet  n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
After all the above modifications to the Postfix configuration, restart Postfix and watch the output in /var/log/messages carefully!
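The main.cf rules used above (continuation lines must be indented, unknown parameters are silently ignored) are easy to get wrong and easy to check. This added example, not part of the original page, parses a main.cf fragment the way Postfix reads it and flags the settings from this configuration that weaken AUTH or TLS; the sample config is constructed from the page's values.

```python
# Added example, not from the original page: parse the TLS/SASL part of a
# Postfix main.cf the way Postfix reads it (continuation lines start with
# whitespace) and flag settings that leave AUTH or TLS weaker than intended.
import re

# Constructed from the page's main.cf, with continuation lines indented.
SAMPLE_MAIN_CF = """\
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination
smtpd_sasl_exceptions = 127.0.0.1/8
smtp_tls_loglevel = 7
smtpd_use_tls = yes
smtpd_tls_auth_only = no
"""

def parse_main_cf(text):
    """Return {parameter: value}; '#' lines are comments, indented lines
    are appended to the previous parameter (Postfix main.cf rules)."""
    params, key = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        if raw[0].isspace():                       # continuation line
            if key is None:
                raise ValueError("continuation without a parameter: %r" % raw)
            params[key] = (params[key] + " " + raw.strip()).strip()
            continue
        m = re.match(r"^(\w+)\s*=\s*(.*)$", raw)
        if not m:                                  # e.g. an unindented continuation
            raise ValueError("not a 'name = value' line: %r" % raw)
        key, params[key] = m.group(1), m.group(2).strip()
    return params

def audit_tls_auth(params):
    """Return findings for the SASL/TLS parameters discussed above."""
    findings = []
    if params.get("smtpd_tls_auth_only", "no") != "yes":
        findings.append("smtpd_tls_auth_only != yes: AUTH is also offered on "
                        "port 25 before STARTTLS, so passwords can be sent in clear")
    if "smtpd_sasl_exceptions" in params:
        findings.append("smtpd_sasl_exceptions is not a Postfix parameter "
                        "(it is ignored); use smtpd_sasl_exceptions_networks")
    level = params.get("smtp_tls_loglevel", "0")
    if level.isdigit() and int(level) > 4:
        findings.append("smtp_tls_loglevel > 4: documented range is 0-4")
    return findings
```

Run `audit_tls_auth(parse_main_cf(open("/etc/postfix/main.cf").read()))` against the real file; an unindented continuation line raises `ValueError`, which is exactly what Postfix would also reject.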
Testing
smtps
Use a portscanner like „nmap“:
station7:/etc/init.d # nmap localhost | grep smtp
25/tcp   open  smtp
465/tcp  open  smtps
→ smtp is running at port 25, smtps is running at port 465.
smtptest -u root -a root station7.example.com -s
verify error:num=20:unable to get local issuer certificate
verify error:num=21:unable to verify the first certificate
TLS connection established: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
S: 220 station7.example.com ESMTP Example Inc. Mailserver
C: EHLO example.com
S: 250-station7.example.com
S: 250-PIPELINING
S: 250-SIZE 30000000
S: 250-VRFY
S: 250-ETRN
S: 250-AUTH LOGIN PLAIN
S: 250-AUTH=LOGIN PLAIN
S: 250 8BITMIME
C: AUTH LOGIN
S: 334 VXNlcm5hbWU6
Please enter your password:
C: Az==v9vA=bD
S: 334 UGFzc3dvcmQ6
C: dnIyMDB4
S: 235 Authentication successful
Authenticated.
Security strength factor: 256
You can additionally watch the output of ssldump:
ssldump -d -i lo -k /etc/ssl/cyrus/private/station7_key.pem port 465