SMTP Authentication And Encryption help

Hello,
I was reading some posts here but I am still confused.
I’m not strong on these issues.
I have a dedicated server (Fedora8) with a few virtual hosts.
I need to secure Postfix SMTP and enable TLS encryption to prevent spam being sent by possible hijackers.
The only certificate I have installed is one created by me with Webmin module to access cp via https.
I need some basic information on how to start with this: which kind of certificate I need, and whether the free one from startssl.com would be enough.
Thanks a lot in advance.

PS: from startssl.com I have ssl.key (decrypted), ssl.crt and ssl.csr

Post edited by: marciano, at: 2009/05/24 04:53

Howdy,

Well, there is a self-signed certificate installed and setup for you by default within Postfix.

To start using it, you only need to enable SMTPS and Submission in Postfix (which use ports 465 and 587).

To do that, you can uncomment the lines described here:

http://www.virtualmin.com/forums/help-home-for-newbies/re:authentication-issue-with-smtp.html#22395

When you restart Postfix, you can then configure your email client to use a secure connection with your outgoing SMTP.

If you ever opt to buy a commercial SSL certificate, you can always use that in place of the existing self-signed cert.
-Eric

Hello Eric, thanks for your reply.
At the same time you were posting it I was editing my first one.
Would it be better to use those files from startssl.com than those already installed?
Thank you

(I couldn’t edit last post -> Oops! You’ve hit a bug in the forum software. We already know about the problem. Apologies for the inconvenience.)

So I have to open those ports for outbound in my apf firewall…

EG_TCP_CPORTS="21,25,80,443,43,465,587"
UDP too?

No, they’re only TCP ports.

I’m not really familiar with startssl certificates. If it’s free, then no, there wouldn’t really be an advantage to that over what’s already available in Postfix.
-Eric

Actually, it looks like they are accepted by browsers. I assume they are chained certificates, similar to the ones GoDaddy and others sell for ten to twenty bucks per year. I dunno. Research would be needed. But they look like actual certificates with real browser support.

… and inbound
IG_TCP_CPORTS="21,22,25,53,80,110,143,443,10000,20000,30000_32000,465,587"

I have also added these lines to master.cf

submission inet n       -       -       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
smtps      inet n       -       -       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING

As I understand this is a secure way to send mail from client. Isn’t it?
Actually I want to prevent any unknown script from sending bulk mail using mail() from a PHP script or something similar.
Anyway, after performing those changes in master.cf and conf.apf (restarted both)
I’ve set my client SMTP server (Thunderbird mail) to SSL and port 465. Then I get:
The server is refusing SMTP connections
Going back to ‘TLS if available’, sending works fine.
Thank you both Joe and Eric

So you said you restarted Postfix after making those changes to the master.cf file?

If you log in over SSH, and type "netstat -an | grep :465" – do you get any output?

Enabling the above allows remote clients to securely connect to your server, over both an authenticated and encrypted connection, to send email.
-Eric

Eric,

Yes, Postfix has been restarted. From the maillog I also got this:
daemon started – version 2.5.5, configuration /etc/postfix
May 26 17:16:55 postfix/qmgr[15645]: warning: bounce_queue_lifetime is larger than maximal_queue_lifetime - adjusting bounce_queue_lifetime

tcp 0 0 0.0.0.0:465 0.0.0.0:* LISTEN

Can you verify that port 465 is visible externally?

You can try telnet’ing into that port from another system, for example.
-Eric

There’s a problem here.
From local
% telnet localhost 465
Trying 127.0.0.1…
Connected to localhost.
Escape character is ‘^]’.
Connection closed by foreign host.

From outside it is the same, replacing localhost with domain.com
Thank you

Yup, that shouldn’t disconnect.

So what shows up in the email log whenever you try connecting like that?
-Eric

warning: No server certs available. TLS won’t be enabled
May 27 16:02:58 postfix/smtpd[4117]: connect from unknown[]
May 27 19:02:58 postfix/smtpd[4117]: warning: Wrapper-mode request dropped from unknown[] for service smtps. TLS context initialization failed. For details see earlier warnings in your logs.
May 27 19:02:58 postfix/smtpd[4117]: disconnect from unknown[***]

It sounds like your Postfix main.cf file may be awry.

You may want to look in there and make sure that the SSL/TLS goodies are setup correctly.

That’s normally done for you when installing Virtualmin with the install.sh – if you installed manually, then those may not be setup yet.

If you aren’t certain what’s wrong, you could always post your /etc/postfix/main.cf file.
-Eric

Eric,
This file has been modified a few times but I don’t remember if it went from Virtualmin installation.
Thank you.

command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
unknown_local_recipient_reject_code = 550
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
debug_peer_level = 2
debugger_command =
    PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
    xxgdb $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail.postfix
newaliases_path = /usr/bin/newaliases.postfix
mailq_path = /usr/bin/mailq.postfix
setgid_group = postdrop
html_directory = no
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/postfix-2.5.5/samples
readme_directory = /usr/share/doc/postfix-2.5.5/README_FILES

virtual_alias_maps = hash:/etc/postfix/virtual
home_mailbox = Maildir/
mail_spool_directory = /var/spool/mail

#mailbox_command = /usr/bin/procmail -t /etc/procmailrc
#mailbox_command = procmail-wrapper -o -a $DOMAIN -d $LOGNAME
#mailbox_command = procmail -a "$EXTENSION"
#mailbox_command = procmail -t /etc/procmailrc
ipc_idle = 10s
notify_classes = resource, software
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_local_domain = $myhostname

#smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
#relayhost = [mail.***.com]

######### from http://www.cyberciti.biz/tips/postfix-spam-filtering-with-blacklists-howto.html
queue_directory = /var/spool/postfix
mail_owner = postfix
data_directory = /var/lib/postfix

#added March 6, 2009
#inet_interfaces = localhost
#inet_protocols = all
proxywrite_service_name = proxywrite
maximal_queue_lifetime = 2d

smtpd_error_sleep_time = 1s
smtpd_soft_error_limit = 10
smtpd_hard_error_limit = 20
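Added example, not from anyone in this thread and not Virtualmin's own code: a small Python script that checks a main.cf for the two parameters Postfix needs before it can offer TLS at all (smtpd_tls_cert_file and smtpd_tls_key_file, neither of which appears anywhere in the main.cf posted above) and scans maillog lines for the "No server certs available" and "Wrapper-mode request dropped" warnings quoted earlier in the thread. The main.cf excerpt and the log lines embedded in the script are constructed from the posts here, with a made-up client IP; the /etc/pki/tls/... certificate paths in the fixed variant are an assumption, not something anyone in this thread posted.

```python
import re

# Postfix cannot initialise a TLS context (and so drops smtps wrapper-mode
# connections) until it has a certificate and key to load; these two
# parameters must be set in main.cf.
REQUIRED_TLS_PARAMS = ("smtpd_tls_cert_file", "smtpd_tls_key_file")

# Log lines Postfix emits in that state (wording taken from the thread above).
TLS_FAILURE_RE = re.compile(
    r"postfix/smtpd\[\d+\]: warning: "
    r"(No server certs available"
    r"|Wrapper-mode request dropped .*TLS context initialization failed)"
)


def parse_main_cf(text):
    """Parse main.cf syntax: 'name = value' lines, '#' comments, and
    continuation lines that start with whitespace and extend the previous
    value (as debugger_command does in the file posted above)."""
    params = {}
    last = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and last is not None:
            params[last] = (params[last] + " " + raw.strip()).strip()
            continue
        name, sep, value = raw.partition("=")
        if not sep:
            continue  # not a parameter line; ignore it
        last = name.strip()
        params[last] = value.strip()
    return params


def missing_tls_params(params):
    """Names of the required TLS parameters that are absent or empty."""
    return [p for p in REQUIRED_TLS_PARAMS if not params.get(p)]


def tls_failures(log_lines):
    """Return the maillog lines that show TLS setup failing in smtpd."""
    return [line for line in log_lines if TLS_FAILURE_RE.search(line)]


def diagnose(main_cf_text, log_lines):
    """Combine the config check and the log scan into one short verdict."""
    missing = missing_tls_params(parse_main_cf(main_cf_text))
    failures = tls_failures(log_lines)
    if missing and failures:
        return "cert/key not configured: set " + ", ".join(missing)
    if missing:
        return "cert/key not configured (nothing logged yet): set " + ", ".join(missing)
    if failures:
        return "cert/key configured but TLS still failing: check the file paths and permissions"
    return "TLS parameters present, no failures logged"


# Constructed excerpt of the main.cf posted above: it has SASL set up but no
# smtpd_tls_* parameters at all.
BROKEN_MAIN_CF = """\
debugger_command =
\tPATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
\txxgdb $daemon_directory/$process_name $process_id & sleep 5
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
#smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
"""

# The same file with the two parameters added. The paths are an assumption
# for illustration; use wherever the cert and key actually live on the box.
FIXED_MAIN_CF = BROKEN_MAIN_CF + """\
smtpd_tls_cert_file = /etc/pki/tls/certs/postfix.pem
smtpd_tls_key_file = /etc/pki/tls/private/postfix.key
smtpd_tls_security_level = may
"""

# Constructed log lines modelled on the ones quoted in the thread, one event
# per line, with a documentation-range IP standing in for the redacted one.
SAMPLE_LOG = [
    "May 27 22:50:35 host postfix/smtpd[686]: warning: No server certs available. TLS won't be enabled",
    "May 27 22:50:35 host postfix/smtpd[686]: connect from unknown[203.0.113.5]",
    "May 27 22:50:35 host postfix/smtpd[686]: warning: Wrapper-mode request dropped from unknown[203.0.113.5] for service smtps. TLS context initialization failed. For details see earlier warnings in your logs.",
    "May 27 22:50:35 host postfix/smtpd[686]: disconnect from unknown[203.0.113.5]",
]

if __name__ == "__main__":
    print(diagnose(BROKEN_MAIN_CF, SAMPLE_LOG))
    print(diagnose(FIXED_MAIN_CF, []))
```

Run it with python3; for the posted main.cf it reports both parameters missing, which lines up with the "No server certs available" warning that precedes every dropped connection on port 465. On a real box, feed it the contents of /etc/postfix/main.cf and the relevant slice of /var/log/maillog instead of the embedded samples.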

Oh, and before I tear into your config too much, are you running saslauthd?

If not, you need to have that up and running:

/etc/init.d/saslauthd start

You were right, it was not running.
Anyway, still errors when sending mail over SSL (465)

May 27 22:50:35 postfix/smtpd[686]: warning: No server certs available. TLS won’t be enabled
May 27 22:50:35 postfix/smtpd[686]: connect from unknown[]
May 28 01:50:35 postfix/smtpd[686]: warning: Wrapper-mode request dropped from unknown[] for service smtps. TLS context initialization failed. For details see earlier warnings in your logs.

Ah, that went okay. Thanks!

I am looking at the headers of both received test mails, sent with and without SSL.
The noticeable thing was that the mail sent with the cert does not contain SpamAssassin filtering headers like the other one sent without the cert.
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
cl-t102-130cl.privatedns.com
X-Spam-Level:
X-Spam-Status: No, score=-104.3 required=5.0 tests=ALL_TRUSTED,AWL,BAYES_00,
HTML_MESSAGE,MIME_HTML_MOSTLY,USER_IN_WHITELIST autolearn=ham version=3.2.5

Do I care about this?

And back to my first post.
Is it possible to force every user to send mail using ssl?
Is it worth it to prevent massive spam sending from a strange script (php, cgi or other)?
Or there’s another way to prevent this devil?
Thanks again.