1. Install all required packages
yum install cyrus-sasl cyrus-sasl-devel cyrus-sasl-gssapi cyrus-sasl-md5 cyrus-sasl-plain postfix


1b. Backup default postfix config
cp /etc/postfix/main.cf /etc/postfix/main.cf_orig


2. Configure SMTP-AUTH and TLS using postconf
/usr/sbin/postconf -e 'smtpd_sasl_local_domain ='
/usr/sbin/postconf -e 'smtpd_sasl_auth_enable = yes'
/usr/sbin/postconf -e 'smtpd_sasl_security_options = noanonymous'
/usr/sbin/postconf -e 'broken_sasl_auth_clients = yes'
/usr/sbin/postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination'
/usr/sbin/postconf -e 'inet_interfaces = all'
/usr/sbin/postconf -e 'mynetworks = 127.0.0.0/8, 10.50.1.0/24'


3. Set postfix to allow LOGIN and PLAIN logins.
vim /usr/lib/sasl2/smtpd.conf (32-bit)
vim/usr/lib64/sasl2/smtpd.conf (64-bit)

pwcheck_method: saslauthd
mech_list: plain login


4. Create key for SSL certificate signing request
mkdir /etc/postfix/ssl
cd /etc/postfix/ssl/
openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024
chmod 600 smtpd.key


5. Create the signing request with the key
openssl req -new -key smtpd.key -out smtpd.csr


6. Create the SSL certificate with the signing request and the key
openssl x509 -req -days 3650 -in smtpd.csr -signkey smtpd.key -out smtpd.crt


7. Create RSA key
openssl rsa -in smtpd.key -out smtpd.key.unencrypted
mv smtpd.key.unencrypted smtpd.key


8. Create CA key and cert
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650


9. Configure postfix for TLS
/usr/sbin/postconf -e 'smtpd_tls_auth_only = no'
/usr/sbin/postconf -e 'smtp_use_tls = yes'
/usr/sbin/postconf -e 'smtpd_use_tls = yes'
/usr/sbin/postconf -e 'smtp_tls_note_starttls_offer = yes'
/usr/sbin/postconf -e 'smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key'
/usr/sbin/postconf -e 'smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt'
/usr/sbin/postconf -e 'smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem'
/usr/sbin/postconf -e 'smtpd_tls_loglevel = 1'
/usr/sbin/postconf -e 'smtpd_tls_received_header = yes'
/usr/sbin/postconf -e 'smtpd_tls_session_cache_timeout = 3600s'
/usr/sbin/postconf -e 'tls_random_source = dev:/dev/urandom'


10. Set servers hostname and mydomain in postfix config
/usr/sbin/postconf -e 'myhostname = vsv01.atbnet.local'
/usr/sbin/postconf -e 'mydomain = atbnet.local'


11. Check through the postfix config
more /etc/postfix/main.cf


12. Create DNS entry in your domain zone file (e.g. smtp.atbnet.local)
smtp IN A 10.50.1.50


13. Stop sendmail and Start postfix, saslauthd
/etc/init.d/sendmail stop
/etc/init.d/postfix start
/etc/init.d/saslauthd start


14. Check maillog for errors/failures and correct startup

tail /var/log/maillog
....
Mar 10 04:21:55 vsv01 sendmail[6074]: alias database /etc/aliases rebuilt by andy
Mar 10 04:21:55 vsv01 sendmail[6074]: /etc/aliases: 76 aliases, longest 10 bytes, 765 bytes total
Mar 10 04:21:55 vsv01 postfix/postfix-script: starting the Postfix mail system
Mar 10 04:21:55 vsv01 postfix/master[6120]: daemon started -- version 2.3.3, configuration /etc/postfix
....


15. Configure services to start at required runlevels
/sbin/chkconfig --level 345 sendmail off
/sbin/chkconfig --level 345 postfix on
/sbin/chkconfig --level 345 saslauthd on


16. Test that postfix is running, accepting connections and SMTP-AUTH/TLS is working
telnet localhost 25

Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
220 vsv01.atbnet.local ESMTP Postfix
ehlo localhost
250-vsv01.atbnet.local
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
quit
221 2.0.0 Bye
Connection closed by foreign host.

If the below is in the statement returned by the server then TLS and PLAIN/LOGIN logins are configured correctly:
250-STARTTLS
250-AUTH PLAIN LOGIN


17. Check firewall rules allow port 25
/sbin/iptables -nvL

/etc/sysconfig/iptables
-A INPUT -i lo -j ACCEPT
-A INPUT -s 10.50.1.0/255.255.255.0 -p tcp --dport 25 -j ACCEPT

 

 

 

Share this blog post on social media:

Social Links

Disclaimer

All advice, installation/configuration how to guides, troubleshooting and other information on this website are provided as-is with no warranty or guarantee. Whilst the information provided is correct to the best of my knowledge, I am not reponsible for any issues that may arise using this information, and you do so at your own risk. As always before performing anything; check, double check, test and always ensure you have a backup.

Copyright ©2016 Andy Barnes - Please do not copy any content including images without prior consent!

Designed and Hosted by Andy Barnes