
Postfix with TLS and SSL (smtps)

Use a portscanner like "nmap":

station7:/etc/init.d # nmap localhost | grep smtp
25/tcp   open  smtp


→ smtp is listening on port 25 only; no smtps is offered yet!

TLS

Modify the TLS settings in /etc/postfix/main.cf:

#--- SSL/TLS setting ---#
# smtpd_* parameters apply to Postfix as the receiving server, smtp_* to Postfix as a sending client
smtpd_client_restrictions = permit_tls_clientcerts, permit_sasl_authenticated
smtpd_recipient_restrictions =
  permit_mynetworks,
  permit_sasl_authenticated,
  permit_tls_clientcerts,
  reject_unauth_destination,
  check_sender_access hash:/etc/postfix/access,
  check_recipient_access hash:/etc/postfix/access,
  permit
smtp_sasl_auth_enable = yes
smtpd_sasl_local_domain = station7
smtp_sasl_password_maps = ldap:/etc/postfix/sasl-auth.cf
smtp_sasl_mechanism_filter = login, digest-md5
smtp_sasl_security_options = noanonymous
smtpd_sasl_application_name = smtpd
# clients from these networks are not offered AUTH
# (the original line used "smtpd_sasl_exceptions", which is not a Postfix parameter)
smtpd_sasl_exceptions_networks = 127.0.0.1/8
smtpd_sasl_security_options = noanonymous
# permit_tls_clientcerts only matches client certificates whose fingerprints are listed in relay_clientcerts
smtpd_tls_ask_ccert = yes
smtpd_tls_session_cache_database = sdbm:/etc/postfix/smtpd_scache
#smtpd_tls_session_cache_database = btree:/etc/postfix/smtpd_cache
#smtp_tls_loglevel = 0
# documented range is 0..4; anything above 1 is for debugging only
smtp_tls_loglevel = 7
smtp_tls_note_starttls_offer = yes
#smtpd_use_tls = no
smtpd_use_tls = yes
smtp_use_tls = no
# "no" also offers AUTH on unencrypted connections; "yes" requires STARTTLS before AUTH
smtpd_tls_auth_only = no
tls_daemon_random_source = dev:/dev/urandom
#--
smtpd_tls_CAfile = /etc/ssl/certs/ca_cert.pem
smtpd_tls_cert_file = /etc/ssl/certs/station7_cert.pem
smtpd_tls_key_file = /etc/ssl/private/station7_key.pem
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
# tls_random_source supersedes tls_daemon_random_source above
tls_random_source = dev:/dev/urandom



SSL for smtp - smtps

Modify or append the SSL settings in /etc/postfix/master.cf:

# ==========================================================================
# service       type    private unpriv  chroot  wakeup  maxproc command + args
#                       (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtps           inet    n       -       n       -       -       smtpd
    -o smtpd_tls_wrappermode=yes
    -o smtpd_sasl_auth_enable=yes
# a service line must start in column one; an indented line is read as a continuation of the entry above it
tlsmgr          unix    -       -       n       1000?   1       tlsmgr


After all the above modifications to the Postfix configuration, restart Postfix and watch the output in /var/log/messages carefully!
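As an added check (example code, not from the original page): a small Python audit that reads main.cf the way Postfix does, with indented lines continuing the previous parameter (the same rule that makes an indented master.cf line part of the service above it), and flags the settings from this page that weaken the TLS setup. The excerpt it parses is a constructed sample modelled on the main.cf above.

```python
"""Audit TLS/SASL parameters in a Postfix main.cf excerpt. Postfix reads
'name = value'; an indented line continues the previous value (master.cf
uses the same rule, so a service line must start in column one)."""
import re

# Constructed sample modelled on this page's main.cf, not a real server's file.
SAMPLE_MAIN_CF = """\
#--- SSL/TLS setting ---#
smtpd_recipient_restrictions =
  permit_mynetworks,
  permit_sasl_authenticated,
  reject_unauth_destination
smtpd_use_tls = yes
smtp_use_tls = no
smtpd_tls_auth_only = no
smtpd_sasl_security_options= noanonymous
smtp_tls_loglevel= 7
"""

def parse_main_cf(text):
    """Return {parameter: value}, joining continuation lines as Postfix does."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank line or comment
        if raw[0].isspace() and current:
            params[current] = (params[current] + " " + raw.strip()).strip()
            continue  # continuation of the previous parameter's value
        m = re.match(r"^([A-Za-z0-9_]+)\s*=\s*(.*)$", raw)
        if not m:
            raise ValueError("unparseable main.cf line: %r" % raw)
        current = m.group(1)
        params[current] = m.group(2).strip()
    return params

def audit_tls(params):
    """Return (parameter, reason) pairs for settings that weaken the TLS setup."""
    findings = []
    if params.get("smtpd_tls_auth_only", "no") != "yes":
        findings.append(("smtpd_tls_auth_only", "AUTH is also offered before STARTTLS, "
                         "so LOGIN/PLAIN credentials may cross the wire base64-encoded only"))
    if params.get("smtp_use_tls", "no") != "yes":
        findings.append(("smtp_use_tls", "outbound mail is never sent over TLS"))
    level = params.get("smtp_tls_loglevel", "0")
    if level.isdigit() and int(level) > 1:
        findings.append(("smtp_tls_loglevel", "levels above 1 are for debugging only"))
    if not re.search(r"(reject|defer)_unauth_destination",
                     params.get("smtpd_recipient_restrictions", "")):
        findings.append(("smtpd_recipient_restrictions", "no *_unauth_destination: open relay"))
    return findings
```

Run `audit_tls(parse_main_cf(open("/etc/postfix/main.cf").read()))` on a real file to get the same findings for your own configuration.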

Testing

smtps

Use a portscanner like "nmap":

station7:/etc/init.d # nmap localhost | grep smtp
25/tcp   open  smtp
465/tcp  open  smtps


→ smtp is listening on port 25, smtps on port 465.

smtptest -u root -a root station7.example.com -s
verify error:num=20:unable to get local issuer certificate
verify error:num=21:unable to verify the first certificate
TLS connection established: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
S: 220 station7.example.com ESMTP Example Inc. Mailserver
C: EHLO example.com
S: 250-station7.example.com
S: 250-PIPELINING
S: 250-SIZE 30000000
S: 250-VRFY
S: 250-ETRN
S: 250-AUTH LOGIN PLAIN
S: 250-AUTH=LOGIN PLAIN
S: 250 8BITMIME
C: AUTH LOGIN
S: 334 VXNlcm5hbWU6
Please enter your password:
C: Az==v9vA=bD
S: 334 UGFzc3dvcmQ6
C: dnIyMDB4
S: 235 Authentication successful
Authenticated.
Security strength factor: 256


Additionally, you can watch the TLS handshake with ssldump (-i selects the interface, -d shows application data, -k supplies the server key; with a DHE cipher such as the one negotiated above the key alone cannot decrypt the session data, but the handshake is still visible):

ssldump -d -i lo -k /etc/ssl/cyrus/private/station7_key.pem port 465



Last modified: 2017-04-25 14:56