1. Install all required packages
yum install cyrus-sasl cyrus-sasl-devel cyrus-sasl-gssapi cyrus-sasl-md5 cyrus-sasl-plain postfix


1b. Backup default postfix config
cp /etc/postfix/main.cf /etc/postfix/main.cf_orig


2. Configure SMTP-AUTH and TLS using postconf
/usr/sbin/postconf -e 'smtpd_sasl_local_domain ='
/usr/sbin/postconf -e 'smtpd_sasl_auth_enable = yes'
/usr/sbin/postconf -e 'smtpd_sasl_security_options = noanonymous'
/usr/sbin/postconf -e 'broken_sasl_auth_clients = yes'
/usr/sbin/postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination'
/usr/sbin/postconf -e 'inet_interfaces = all'
/usr/sbin/postconf -e 'mynetworks = 127.0.0.0/8, 10.50.1.0/24'


3. Set postfix to allow LOGIN and PLAIN logins.
vim /usr/lib/sasl2/smtpd.conf (32-bit)
vim/usr/lib64/sasl2/smtpd.conf (64-bit)

pwcheck_method: saslauthd
mech_list: plain login


4. Create key for SSL certificate signing request
mkdir /etc/postfix/ssl
cd /etc/postfix/ssl/
openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024
chmod 600 smtpd.key


5. Create the signing request with the key
openssl req -new -key smtpd.key -out smtpd.csr


6. Create the SSL certificate with the signing request and the key
openssl x509 -req -days 3650 -in smtpd.csr -signkey smtpd.key -out smtpd.crt


7. Create RSA key
openssl rsa -in smtpd.key -out smtpd.key.unencrypted
mv smtpd.key.unencrypted smtpd.key


8. Create CA key and cert
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650


9. Configure postfix for TLS
/usr/sbin/postconf -e 'smtpd_tls_auth_only = no'
/usr/sbin/postconf -e 'smtp_use_tls = yes'
/usr/sbin/postconf -e 'smtpd_use_tls = yes'
/usr/sbin/postconf -e 'smtp_tls_note_starttls_offer = yes'
/usr/sbin/postconf -e 'smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key'
/usr/sbin/postconf -e 'smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt'
/usr/sbin/postconf -e 'smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem'
/usr/sbin/postconf -e 'smtpd_tls_loglevel = 1'
/usr/sbin/postconf -e 'smtpd_tls_received_header = yes'
/usr/sbin/postconf -e 'smtpd_tls_session_cache_timeout = 3600s'
/usr/sbin/postconf -e 'tls_random_source = dev:/dev/urandom'


10. Set servers hostname and mydomain in postfix config
/usr/sbin/postconf -e 'myhostname = vsv01.atbnet.local'
/usr/sbin/postconf -e 'mydomain = atbnet.local'


11. Check through the postfix config
more /etc/postfix/main.cf


12. Create DNS entry in your domain zone file (e.g. smtp.atbnet.local)
smtp IN A 10.50.1.50


13. Stop sendmail and Start postfix, saslauthd
/etc/init.d/sendmail stop
/etc/init.d/postfix start
/etc/init.d/saslauthd start


14. Check maillog for errors/failures and correct startup

tail /var/log/maillog
....
Mar 10 04:21:55 vsv01 sendmail[6074]: alias database /etc/aliases rebuilt by andy
Mar 10 04:21:55 vsv01 sendmail[6074]: /etc/aliases: 76 aliases, longest 10 bytes, 765 bytes total
Mar 10 04:21:55 vsv01 postfix/postfix-script: starting the Postfix mail system
Mar 10 04:21:55 vsv01 postfix/master[6120]: daemon started -- version 2.3.3, configuration /etc/postfix
....


15. Configure services to start at required runlevels
/sbin/chkconfig --level 345 sendmail off
/sbin/chkconfig --level 345 postfix on
/sbin/chkconfig --level 345 saslauthd on


16. Test that postfix is running, accepting connections and SMTP-AUTH/TLS is working
telnet localhost 25

Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
220 vsv01.atbnet.local ESMTP Postfix
ehlo localhost
250-vsv01.atbnet.local
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
quit
221 2.0.0 Bye
Connection closed by foreign host.

If the below is in the statement returned by the server then TLS and PLAIN/LOGIN logins are configured correctly:
250-STARTTLS
250-AUTH PLAIN LOGIN


17. Check firewall rules allow port 25
/sbin/iptables -nvL

/etc/sysconfig/iptables
-A INPUT -i lo -j ACCEPT
-A INPUT -s 10.50.1.0/255.255.255.0 -p tcp --dport 25 -j ACCEPT

 

 

 

Share this blog post on social media:

Social Links

Disclaimer

All advice, installation/configuration how to guides, troubleshooting and other information on this website are provided as-is with no warranty or guarantee. Whilst the information provided is correct to the best of my knowledge, I am not reponsible for any issues that may arise using this information, and you do so at your own risk. As always before performing anything; check, double check, test and always ensure you have a backup.

Copyright ©2008-2021 Andy Barnes - Please do not copy any content including images without prior consent!

Designed and Hosted by Andy Barnes

We use cookies

We use cookies on our website. Some of them are essential for the operation of the site, while others help us to improve this site and the user experience (tracking cookies). You can decide for yourself whether you want to allow cookies or not. Please note that if you reject them, you may not be able to use all the functionalities of the site.