teh bigbro blog(tm)
Bigbro's foray into the scary world of blogging

Wed, 07 Nov 2007

Setting up TLS and SMTP Auth with Postfix and CACert

For those of us who roam around the internet, getting a connection here, there and everywhere, trying to find mailservers that are willing to relay outgoing mail for us can be a challenge. While DHCP will give us an IP address, nameservers and a default gateway, there's no traditional model I'm aware of for provisioning mail relays. Of course, there's a solution to this problem - use your own mail server.

Using your own mail server means that you must configure it to relay mail from lots of possible IP addresses - but only if it's you that's trying to relay. I won't go into the details as to why it's a bad idea to have an open mail relay facing the internet - I'm going to assume you know. Fortunately, it's actually not that difficult to authenticate with your mail server at SMTP time (when you're sending a mail) and ensure that only you, or your valid users, get to use the server.

Step #1: Configure TLS
For this you'll need a server certificate. I've chosen to use CACert as my root signer. You can do the same by signing up for a free account with them - something I'd actively encourage you to do.

  1. I'm assuming Debian Etch but these instructions should work with little or no change across a wide variety of systems.
  2. On Debian, download the Class 1 CACert root certificate in PEM format and place it in /etc/ssl/certs/CACert-class1-root.pem.
  3. Run /usr/lib/ssl/misc/CA.pl -newreq-nodes to generate a certificate request for your server. Answer the questions asked, making sure to insert the server's DNS name as the Common Name (eg, YOUR name) section. In my case, it's for one of my mail servers, so I put
    Common Name (eg, YOUR name) []:mail.signal2noise.co.uk.
  4. You should now have two files, one called newkey.pem (this is your private key. Keep it a secret.) and the other called newreq.pem. (This is the certificate request you need to send to CACert.) I always rename the newkey.pem file to servername-privatekey.pem.
  5. Log into CACert and select the menu item on the right for Server Certificates. Select New to create a new server certificate.
  6. Make sure the option to Sign by class 1 root certificate is selected and paste the contents of the newreq.pem file into the text area titled "Paste your CSR below..."
  7. Click the Submit button and after a short pause, it will display the generated public key for your server. This is essentially the certificate request 'signed' by the CACert root cert, which means that anyone who trusts the CACert root cert will now trust your server cert as well. Paste this output into a file called servername-publickey.pem
  8. Finally, for convenience, let's put the public and private keys together, so that in future we only have one file with everything the server needs.
    cat servername-privatekey.pem servername-publickey.pem > servername-key.pem
  9. Put the servername-key.pem file in the /etc/ssl/certs/ directory along with the CACert-class1-root.pem cert from above. We now have all the keys we need. If you have other users on your system, make sure that the servername-key.pem file is not world readable, since it contains the private key. chmod 0640 servername-key.pem should do the job nicely.
  10. Now we have to configure postfix to use the key files and activate TLS. Insert the following in your /etc/postfix/main.cf file:
    ## TLS
    smtp_use_tls = yes
    smtpd_use_tls = yes
    ## Only show AUTH options if TLS is being used.
    smtpd_tls_auth_only = yes
    ## Log the hostname of a remote SMTP server that offers STARTTLS
    smtp_tls_note_starttls_offer = yes
    ## Location of PEM files
    smtpd_tls_key_file = /etc/ssl/certs/servername-key.pem
    smtpd_tls_cert_file = /etc/ssl/certs/servername-key.pem
    smtpd_tls_CAfile = /etc/ssl/certs/CACert-class1-root.pem
    smtpd_tls_CApath = /etc/ssl/certs
    ## Increase this for more verbose logging
    smtpd_tls_loglevel = 1
    ## Add a TLS header
    smtpd_tls_received_header = yes

    tls_random_source = dev:/dev/urandom
  11. Reload postfix so that it parses the updated config file - and you should find that TLS is now enabled on your mailserver. You can verify this by telnetting to port 25 in the usual fashion, and upon greeting it with EHLO your.server.name it should now respond with 250-STARTTLS as one of the options.


Step #2: Configure SASL Authentication
Now you have TLS configured, you'll have encryption of the traffic over the wire between the client and your mailserver. This means that any communications you have with the mailserver are securely hidden from view of anyone who might be looking at packets on the network. Not only does this mean they cannot see the text of mails sent (for this hop only! The next hop towards its destination may well be unencrypted!) but they cannot see any usernames or passwords sent over the wire. This paves the way for providing a method of authenticating users who want to send mail using your server as a relay.
  1. Install the SASL2 modules for auth:
    apt-get install libsasl sasl2-bin libsasl2-modules
  2. The sasl2-bin package will install a file called /etc/default/saslauthd. You will need to edit this file to configure saslauthd to start automatically at boot time.
    START=yes
    MECHANISMS="pam"
    OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"
    Other options can be left at their defaults. The OPTIONS stanza makes the runtime files appear in a location accessible by postfix, which runs in a chroot jail. Without this, postfix will be unable to communicate with saslauthd.
  3. Create the directory specified in the configuration above and chown it to be owned by postfix:sasl
    mkdir -p /var/spool/postfix/var/run/saslauthd
    chown -R postfix:sasl /var/spool/postfix/var/run/saslauthd
  4. I also move the sasldb2 file so that it's accessible by postfix, and add the postfix user to the sasl group:
    adduser postfix sasl
    mv /etc/sasldb2 /var/spool/postfix/etc/
    ln -s /var/spool/postfix/etc/sasldb2 /etc/sasldb2
    chown postfix:sasl /var/spool/postfix/etc/sasldb2
  5. Configure postfix to use SASL to check password authentication. You'll need to create a file called /etc/postfix/sasl/smtpd.conf with the following contents:
    pwcheck_method: saslauthd
  6. Add the configuration to the postfix main.cf file to allow postfix to use SASL Auth for sending mail:
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_security_options = noanonymous
    smtpd_sasl_local_domain =
    broken_sasl_auth_clients = yes
  7. Make sure that the SASL Auth daemon is started:
    /etc/init.d/saslauthd start
  8. Restart postfix to ensure that all settings are taken up. This isn't strictly necessary, but it's always a good idea when changes to config files are involved:
    /etc/init.d/postfix restart

You should now find that you're able to send e-mail by configuring Thunderbird or your e-mail client of choice to send mail via your mail server, port 25, using TLS and Auth. You should be asked for a login username and password when you attempt to send mail. These must match your UNIX username and password on the mail server for the configuration detailed to work.
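To check the result of both steps from the client side (STARTTLS is offered, the certificate chain validates against the CACert root, and AUTH is advertised only after TLS as smtpd_tls_auth_only = yes intends), here is a small Python script I've added as an example; it is not part of the original post. The hostname and CA file path are assumed placeholders, and the EHLO replies in it are constructed samples so the policy check runs offline.

```python
"""Audit a Postfix SMTP server: STARTTLS offered, cert chain valid against the
CA file, and AUTH only advertised once TLS is up (smtpd_tls_auth_only = yes)."""
import smtplib
import ssl


def ehlo_keywords(ehlo_msg):
    """Extract the extension keywords from an EHLO reply body (bytes or str).
    The first line is the server's name, not an extension, so it is skipped."""
    if isinstance(ehlo_msg, bytes):
        ehlo_msg = ehlo_msg.decode("ascii", "replace")
    lines = [ln for ln in ehlo_msg.splitlines() if ln.strip()]
    return {ln.split()[0].upper() for ln in lines[1:]}


def audit(plain_keywords, tls_keywords):
    """Compare extensions seen before and after STARTTLS.
    Returns a list of findings; an empty list means the policy holds."""
    findings = []
    if "STARTTLS" not in plain_keywords:
        findings.append("server does not offer STARTTLS")
    if "AUTH" in plain_keywords:
        findings.append("AUTH offered before TLS: credentials could travel in the clear")
    if tls_keywords is not None and "AUTH" not in tls_keywords:
        findings.append("AUTH not offered after STARTTLS: clients cannot authenticate")
    return findings


def audit_server(host, cafile, port=25):
    """Live check. cafile is the CACert root PEM; starttls() with this context
    verifies the server's certificate chain and hostname against it."""
    ctx = ssl.create_default_context(cafile=cafile)
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        _code, msg = smtp.ehlo()
        plain = ehlo_keywords(msg)
        tls = None
        if "STARTTLS" in plain:
            smtp.starttls(context=ctx)   # raises ssl.SSLError if the chain fails
            _code, msg = smtp.ehlo()     # extensions must be re-queried after TLS
            tls = ehlo_keywords(msg)
    return audit(plain, tls)


# Constructed sample replies mirroring a correctly configured server.
SAMPLE_PLAIN = "mail.example.invalid\nPIPELINING\nSIZE 10240000\nSTARTTLS\n8BITMIME"
SAMPLE_TLS = "mail.example.invalid\nPIPELINING\nSIZE 10240000\nAUTH PLAIN LOGIN\n8BITMIME"

if __name__ == "__main__":
    print(audit(ehlo_keywords(SAMPLE_PLAIN), ehlo_keywords(SAMPLE_TLS)))
    # For a live server: audit_server("mail.example.invalid", "/etc/ssl/certs/CACert-class1-root.pem")
```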

Next tech article will be an explanation of how to bypass this problem entirely by using an IPv6 tunnel from SixXS.
posted at: 01:54 | path: /technical


copyright © 2005-2008, Gareth Eason