ok

13/12/10

Postfix with TLS, amavisd-new and SASL

To have a secure mail server, I have configured my postfix to work with:
  • amavisd-new (with av-scanner and SpamAssassin)
  • TLS
  • SASL
amavisd-new is a high-performance interface between mailer (MTA) and content checkers such as virus scanners and SpamAssassin. Transport layer security (TLS) provides authenticated and encrypted sessions. SASL is a framework for secure authentication.
In the following, I want to give you a short overview how to enable these features in the postfix mail daemon. However, you will not find any information here, e.g. how to to configure amavisd-new.


amavisd-new

To connect amavisd-new with postifx, you need to add the following in the file "main.cf" (/etc/postfix/main.cf)
content_filter = amavisfeed:[127.0.0.1]:10024
In the file "master.cf", add:
127.0.0.1:10025 inet n - n - - smtpd
-o content_filter=
-o smtpd_delay_reject=no
-o smtpd_client_restrictions=permit_mynetworks,reject
-o smtpd_helo_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,reject
-o smtpd_data_restrictions=reject_unauth_pipelining
-o smtpd_end_of_data_restrictions=
-o smtpd_restriction_classes=
-o mynetworks=127.0.0.0/8
-o smtpd_error_sleep_time=0
-o smtpd_soft_error_limit=1001
-o smtpd_hard_error_limit=1000
-o smtpd_client_connection_count_limit=0
-o smtpd_client_connection_rate_limit=0
-o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters
-o local_header_rewrite_clients=
However, you need to be aware that amavisd-new itself needs configuration, and has some requirements such as perl modules to be installed first.


TLS

Add the following in "main.cf":
smtpd_tls_cert_file = /etc/ssl/misc/postfixcert.pem
smtpd_tls_key_file = /etc/ssl/misc/postfixkey.pem
smtpd_tls_loglevel = 2
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
The first two options are for the certificate and key to use with TLS. If you want to use a self signed certificate, refer to my article "OpenSSL CA". The last option defines that a connection may use, but is not forced TLS.
Note: You should ensure that the issuing CA certificate(s) are installed in your mail client in order to avoid SSL warning messages when sending e-mails.


SASL

Add the following in "main.cf":
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions =
permit_mynetworks
permit_sasl_authenticated
reject_unauth_destination
smtpd_sasl_authenticated_header = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
Find the file etc/dovecot.conf
In the authentication section, add or enable:
# It's possible to export the authentication interface to other programs:
socket listen {
#master {
# Master socket provides access to userdb information. It's typically
# used to give Dovecot's local delivery agent access to userdb so it
# can find mailbox locations.
#path = /var/run/dovecot/auth-master
#mode = 0600
# Default user/group is the one who started dovecot-auth (root)
#user =
#group =
#}
client {
# The client socket is generally safe to export to everyone. Typical use
# is to export it to your SMTP server so it can do SMTP AUTH lookups
# using it.
path = /var/spool/postfix/private/auth
mode = 0666
user = postfix
group = postfix
}
}
}

0 comments: