|
1. Install all required packages
yum install cyrus-sasl cyrus-sasl-devel cyrus-sasl-gssapi cyrus-sasl-md5 cyrus-sasl-plain postfix
1b. Backup default postfix config
cp /etc/postfix/main.cf /etc/postfix/main.cf_orig
2. Configure SMTP-AUTH and TLS using postconf
/usr/sbin/postconf -e 'smtpd_sasl_local_domain ='
/usr/sbin/postconf -e 'smtpd_sasl_auth_enable = yes'
/usr/sbin/postconf -e 'smtpd_sasl_security_options = noanonymous'
/usr/sbin/postconf -e 'broken_sasl_auth_clients = yes'
/usr/sbin/postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination'
/usr/sbin/postconf -e 'inet_interfaces = all'
/usr/sbin/postconf -e 'mynetworks = 127.0.0.0/8, 10.50.1.0/24'
3. Set postfix to allow LOGIN and PLAIN logins.
vim /usr/lib/sasl2/smtpd.conf (32-bit)
vim/usr/lib64/sasl2/smtpd.conf (64-bit)
pwcheck_method: saslauthd
mech_list: plain login
4. Create key for SSL certificate signing request
mkdir /etc/postfix/ssl
cd /etc/postfix/ssl/
openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024
chmod 600 smtpd.key
5. Create the signing request with the key
openssl req -new -key smtpd.key -out smtpd.csr
6. Create the SSL certificate with the signing request and the key
openssl x509 -req -days 3650 -in smtpd.csr -signkey smtpd.key -out smtpd.crt
7. Create RSA key
openssl rsa -in smtpd.key -out smtpd.key.unencrypted
mv smtpd.key.unencrypted smtpd.key
8. Create CA key and cert
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650
9. Configure postfix for TLS
/usr/sbin/postconf -e 'smtpd_tls_auth_only = no'
/usr/sbin/postconf -e 'smtp_use_tls = yes'
/usr/sbin/postconf -e 'smtpd_use_tls = yes'
/usr/sbin/postconf -e 'smtp_tls_note_starttls_offer = yes'
/usr/sbin/postconf -e 'smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key'
/usr/sbin/postconf -e 'smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt'
/usr/sbin/postconf -e 'smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem'
/usr/sbin/postconf -e 'smtpd_tls_loglevel = 1'
/usr/sbin/postconf -e 'smtpd_tls_received_header = yes'
/usr/sbin/postconf -e 'smtpd_tls_session_cache_timeout = 3600s'
/usr/sbin/postconf -e 'tls_random_source = dev:/dev/urandom'
10. Set servers hostname and mydomain in postfix config
/usr/sbin/postconf -e 'myhostname = vsv01.atbnet.local'
/usr/sbin/postconf -e 'mydomain = atbnet.local'
11. Check through the postfix config
more /etc/postfix/main.cf
12. Create DNS entry in your domain zone file (e.g. smtp.atbnet.local)
smtp IN A 10.50.1.50
13. Stop sendmail and Start postfix, saslauthd
/etc/init.d/sendmail stop
/etc/init.d/postfix start
/etc/init.d/saslauthd start
14. Check maillog for errors/failures and correct startup
tail /var/log/maillog
....
Mar 10 04:21:55 vsv01 sendmail[6074]: alias database /etc/aliases rebuilt by andy
Mar 10 04:21:55 vsv01 sendmail[6074]: /etc/aliases: 76 aliases, longest 10 bytes, 765 bytes total
Mar 10 04:21:55 vsv01 postfix/postfix-script: starting the Postfix mail system
Mar 10 04:21:55 vsv01 postfix/master[6120]: daemon started -- version 2.3.3, configuration /etc/postfix
....
15. Configure services to start at required runlevels
/sbin/chkconfig --level 345 sendmail off
/sbin/chkconfig --level 345 postfix on
/sbin/chkconfig --level 345 saslauthd on
16. Test that postfix is running, accepting connections and SMTP-AUTH/TLS is working
telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
220 vsv01.atbnet.local ESMTP Postfix
ehlo localhost
250-vsv01.atbnet.local
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
quit
221 2.0.0 Bye
Connection closed by foreign host.
If the below is in the statement returned by the server then TLS and PLAIN/LOGIN logins are configured correctly:
250-STARTTLS
250-AUTH PLAIN LOGIN
17. Check firewall rules allow port 25
/sbin/iptables -nvL
/etc/sysconfig/iptables
-A INPUT -i lo -j ACCEPT
-A INPUT -s 10.50.1.0/255.255.255.0 -p tcp --dport 25 -j ACCEPT
|
Linux 
