Postfix con SMTP-AUTH y TLS
Para instalar Postfix con SMTP-AUTH y TLS seguimos los siguientes pasos:
apt-get install postfix libsasl2-2 sasl2-bin libsasl2-modules procmail
Deberás contestar a las siguientes preguntas:
General type of mail configuration: <— Sitio de Internet
Nombre del sistema de correo: <— ushuaia.patagonia.es
Y ejecuta:
dpkg-reconfigure postfix
Y de nuevo, se te harán algunas preguntas:
Tipo genérico de configuración de correo: <— Sitio de Internet
System mail name: <— ushuaia.patagonia.es
Recipiente de correo para el superusuario y «postmaster»: <— [en blanco]
Otros destinos para los cuales aceptar correo (en blanco para ninguno): <— ushuaia, patagonia.es, ushuaia.patagonia.es, localhost.patagonia.es, localhost.localdomain, localhost
Forzar actualizaciones síncronas en la cola de correo? <— No
Redes locales: <— 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128, 192.168.1.0/24
Usar procmail para la entrega local? <— Yes
Límite de tamaño de buzón de correo (en bytes):: <— 0
Caracter de extensión de direcciones locales: <— +
Protocolos de Internet a usar: <— todos
A continuación hacemos lo siguiente:
postconf -e 'smtpd_sasl_local_domain ='
postconf -e 'smtpd_sasl_auth_enable = yes'
postconf -e 'smtpd_sasl_security_options = noanonymous'
postconf -e 'broken_sasl_auth_clients = yes'
postconf -e 'smtpd_sasl_authenticated_header = yes'
postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination'
postconf -e 'inet_interfaces = all'
echo 'pwcheck_method: saslauthd' >> /etc/postfix/sasl/smtpd.conf
echo 'mech_list: plain login' >> /etc/postfix/sasl/smtpd.conf
Seguidamente, creamos los certificados para el TLS:
mkdir /etc/postfix/ssl
cd /etc/postfix/ssl/
openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024
chmod 600 smtpd.key
openssl req -new -key smtpd.key -out smtpd.csr
openssl x509 -req -days 3650 -in smtpd.csr -signkey smtpd.key -out smtpd.crt
openssl rsa -in smtpd.key -out smtpd.key.unencrypted
mv -f smtpd.key.unencrypted smtpd.key
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650
A continuación, configuramos Postfix para TLS:
postconf -e 'myhostname = ushuaia.patagonia.es'
postconf -e 'smtpd_tls_auth_only = no'
postconf -e 'smtp_use_tls = yes'
postconf -e 'smtpd_use_tls = yes'
postconf -e 'smtp_tls_note_starttls_offer = yes'
postconf -e 'smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key'
postconf -e 'smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt'
postconf -e 'smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem'
postconf -e 'smtpd_tls_loglevel = 1'
postconf -e 'smtpd_tls_received_header = yes'
postconf -e 'smtpd_tls_session_cache_timeout = 3600s'
postconf -e 'tls_random_source = dev:/dev/urandom'
El fichero /etc/postfix/main.cf debería parecerse a este:
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
readme_directory = no
# TLS parameters
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.
myhostname = ushuaia.patagonia.es
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = ushuaia, patagonia.es, ushuaia.patagonia.es, localhost.patagonia
.es, , localhost, localhost.localdomain
relayhost = [smtp.gmail.com]:587
smtp_connection_cache_destinations=smtp.gmail.com
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128,192.168.1.0/24
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps=hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options=noanonymous
smtp_tls_CAfile = /etc/postfix/cacert.pem
smtp_use_tls=yes
broken_sasl_auth_clients = yes
smtpd_sasl_authenticated_header = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,rejec
t_unauth_destination
ushuaia = ushuaia.patagonia.es
smtpd_tls_auth_only = no
smtp_tls_note_starttls_offer = yes
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
La autenticación será hecha por saslauthd. Tenemos que cambiar unas pocas cosas para hacerla funcionar correctamente. Debido a que Postfix se ejecuta como chroot en /var/spool/postfix, tenemos que hacer lo siguiente:
mkdir -p /var/spool/postfix/var/run/saslauthd
Ahora tenemos que editar /etc/default/saslauthd para activar saslauthd. Pon START a yes y cambia la linea OPTIONS="-c -m /var/run/saslauthd" a // OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd -r"//:
El fichero /etc/default/saslauthd debería tener lo siguiente:
# Settings for saslauthd daemon
# Please read /usr/share/doc/sasl2-bin/README.Debian for details.
#
# Should saslauthd run automatically on startup? (default: no)
START=yes
# Description of this saslauthd instance. Recommended.
# (suggestion: SASL Authentication Daemon)
DESC="SASL Authentication Daemon"
# Short name of this saslauthd instance. Strongly recommended.
# (suggestion: saslauthd)
NAME="saslauthd"
# Which authentication mechanisms should saslauthd use? (default: pam)
#
# Available options in this Debian package:
# getpwent -- use the getpwent() library function
# kerberos5 -- use Kerberos 5
# pam -- use PAM
# rimap -- use a remote IMAP server
# shadow -- use the local shadow password file
# sasldb -- use the local sasldb database file
# ldap -- use LDAP (configuration is in /etc/saslauthd.conf)
#
# Only one option may be used at a time. See the saslauthd man page
# for more information.
#
# Example: MECHANISMS="pam"
# sasldb -- use the local sasldb database file
# ldap -- use LDAP (configuration is in /etc/saslauthd.conf)
#
# Only one option may be used at a time. See the saslauthd man page
# for more information.
#
# Example: MECHANISMS="pam"
MECHANISMS="pam"
# Additional options for this mechanism. (default: none)
# See the saslauthd man page for information about mech-specific options.
MECH_OPTIONS=""
# How many saslauthd processes should we run? (default: 5)
# A value of 0 will fork a new process for each connection.
THREADS=5
# Other options (default: -c -m /var/run/saslauthd)
# Note: You MUST specify the -m option or saslauthd won't run!
#
# WARNING: DO NOT SPECIFY THE -d OPTION.
# The -d option will cause saslauthd to run in the foreground instead of as
# a daemon. This will PREVENT YOUR SYSTEM FROM BOOTING PROPERLY. If you wish
# to run saslauthd in debug mode, please run it by hand to be safe.
#
# See /usr/share/doc/sasl2-bin/README.Debian for Debian-specific information.
# See the saslauthd man page and the output of 'saslauthd -h' for general
# information about these options.
#
# Example for postfix users: "-c -m /var/spool/postfix/var/run/saslauthd"
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd -r"
A continuación, añade el usuario postfix al grupo sasl (esto asegura que Prostfix tiene permiso para acceder a saslauthd):
adduser postfix sasl
Ahora reiniciamos postfix y saslauthd:
/etc/init.d/postfix restart
/etc/init.d/saslauthd start
Para ver si SMTP-AUTH y TLS trabajan correctamente, ejecutar el siguiente comando:
telnet localhost 25
Depués de haber establecido la conexión con el servidor de correo Postfix, escribir:
ehlo localhost
Si vemos lo siguiente:
20 ushuaia.patagonia.es ESMTP Postfix (Ubuntu)
ehlo localhost
250-ushuaia.patagonia.es
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
Todo funciona correctamente. Podemos retornar al shell con quit.
Relaying Postfix SMTP via GMAIL
Instalación de paquetes
Nos aseguramos que está todo instalado con lo siguiente:
sudo aptitude install postfix libsasl2 ca-certificate
Configuración de Postfix
Vemos que el fichero etc/postfix/main.cf tiene las siguientes líneas:
relayhost = [smtp.gmail.com]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_CAfile = /etc/postfix/cacert.pem
smtp_use_tls = yes
Definición de usuario y contraseña
Creamos el fichero /etc/postfix/sasl_passwd con el siguiente contenido:
[smtp.gmail.com]:587 user.name@gmail.com:password
Ahora restringimos el acceso a este fichero:
sudo chmod 400 /etc/postfix/sasl_passwd
sudo postmap /etc/postfix/sasl_passwd
En este punto podemos reiniciar Postfix y debería trabajar, pero no se autenticaría. Debemos añadir el fichero de certificado de la CA. Usaremos el paquete ca-certificate que instalamos y le diremos donde puede validar el certificado.
cat /etc/ssl/certs/Thawte_Premium_Server_CA.pem | sudo tee -a /etc/postfix/cacert.pem
Ya podemos reiniciar postfix:
/etc/init.d/postfix reload
Referencias
http://www.howtoforge.com/perfect-server-ubuntu-8.10-p5
http://ubuntu-tutorials.com/2008/11/11/relaying-postfix-smtp-via-smtpgmailcom/
http://bulmalug.net/body.phtml?nIdNoticia=2233&nIdPage=last#35312
