HTTPS/SSL/TLS Verify installed certificate

Verify that the certificate presented is the one you installed (pass -servername so a server with several virtual hosts picks the right certificate under SNI, and read the "Verify return code" line at the end of the output):

    openssl s_client -connect domoticz.iix.se:443 -servername domoticz.iix.se </dev/null

Verify the expiry date of the installed certificate:

    # HTTPS
    openssl s_client -connect example.com:443 -servername example.com 2>/dev/null </dev/null | openssl x509 -noout -dates

    # SMTP
    openssl s_client -starttls smtp -connect smtp.iix.se:25 </dev/null 2>/dev/null | openssl x509 -noout -dates

Note that openssl x509 only reads the first (leaf) certificate from the output. An intermediate that expires earlier still breaks the chain, so check the "Verify return code" from s_client as well, not just the dates.
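The same check done from Python, as an added example that is not part of the original page: it parses the notBefore/notAfter lines that openssl x509 -noout -dates prints, computes days to expiry, and can fetch the leaf certificate itself over HTTPS or SMTP+STARTTLS with the standard library (SNI set, chain verification left on). The host names in the usage and the sample output are constructed.

```python
"""Certificate expiry check, equivalent to the openssl one-liners above.

Added example, not from the original page. parse_openssl_dates() reads the
output of `openssl x509 -noout -dates`; fetch_cert_dates() gets the same two
dates straight from a live server (HTTPS, or SMTP with STARTTLS). Host names
used in the usage below are constructed.
"""
import re
import smtplib
import socket
import ssl
from datetime import datetime, timedelta, timezone

# Date format used by `openssl x509 -dates` and by ssl.getpeercert()['notAfter']
OPENSSL_DATE = "%b %d %H:%M:%S %Y %Z"

# Constructed sample of what `openssl x509 -noout -dates` prints
SAMPLE_OUTPUT = "notBefore=Sep  1 00:00:00 2024 GMT\nnotAfter=Sep 11 12:01:22 2024 GMT\n"


def parse_openssl_dates(text):
    """Parse 'notBefore=...' / 'notAfter=...' lines into UTC-aware datetimes."""
    dates = {}
    for key in ("notBefore", "notAfter"):
        m = re.search(r"^%s=(.+)$" % key, text, re.M)
        if not m:
            raise ValueError("missing %s in openssl output" % key)
        stamp = datetime.strptime(m.group(1).strip(), OPENSSL_DATE)
        dates[key] = stamp.replace(tzinfo=timezone.utc)
    return dates


def days_left(not_after, now=None):
    """Whole days until expiry (rounded down); negative once the cert has expired."""
    now = now or datetime.now(timezone.utc)
    return (not_after - now) // timedelta(days=1)


def fetch_cert_dates(host, port=443, starttls_smtp=False, timeout=10):
    """Fetch the leaf certificate from a live server and return its dates.

    SNI is set to `host` and verification stays enabled, so an untrusted chain or
    a name mismatch raises ssl.SSLCertVerificationError instead of going unnoticed.
    """
    ctx = ssl.create_default_context()
    if starttls_smtp:
        # Same as: openssl s_client -starttls smtp -connect host:port
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.starttls(context=ctx)
            cert = smtp.sock.getpeercert()
    else:
        # Same as: openssl s_client -connect host:port -servername host
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
    return parse_openssl_dates("notBefore=%s\nnotAfter=%s" % (cert["notBefore"], cert["notAfter"]))


if __name__ == "__main__":
    import sys
    # Usage: python check_cert.py example.com          (HTTPS)
    #        python check_cert.py smtp.example.com 25 smtp   (SMTP + STARTTLS)
    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    smtp = len(sys.argv) > 3 and sys.argv[3] == "smtp"
    d = fetch_cert_dates(host, port, starttls_smtp=smtp)
    print("%s: expires %s (%d days left)" % (host, d["notAfter"], days_left(d["notAfter"])))
```

Wire fetch_cert_dates into monitoring and alert when days_left drops below your renewal window; the parser alone is enough if you already collect the openssl output from cron.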

Adding AUTH PLAIN to Postfix

Note: these instructions are for Debian (and probably work on Ubuntu and friends too). On Fedora the easiest route is Dovecot's SASL; see the Dovecot configuration and Postfix configuration pages.

Install the SASL dependencies:

    sudo apt-get install libsasl2-modules sasl2-bin

Create /etc/postfix/sasl/smtpd.conf:

    pwcheck_method: saslauthd
    mech_list: PLAIN LOGIN

Create /etc/default/saslauthd-postfix:

    cp /etc/default/saslauthd /etc/default/saslauthd-postfix

Edit /etc/default/saslauthd-postfix:

    START=yes
    DESC="SASL Auth. Daemon for Postfix"
    NAME="saslauthd-postf"   # max. 15 chars?
    OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"

Create the socket directory inside the Postfix chroot with the right owner and mode (the -m option above points saslauthd at it):

    dpkg-statoverride --add root sasl 710 /var/spool/postfix/var/run/saslauthd

Add postfix to the sasl group (may not be required):

    adduser postfix sasl

Restart and enable saslauthd:

    sudo systemctl restart saslauthd
    sudo systemctl enable saslauthd

Configure Postfix:

    sudo postconf -e 'smtpd_sasl_local_domain = $myhostname'
    sudo postconf -e 'smtpd_sasl_auth_enable = yes'
    sudo postconf -e 'broken_sasl_auth_clients = yes'
    sudo postconf -e 'smtpd_sasl_security_options = noanonymous'
    sudo postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination'

Restart Postfix:

    sudo systemctl restart postfix

PLAIN and LOGIN send the password in clear text, and with the settings above Postfix accepts AUTH on an unencrypted session too. Once STARTTLS is configured, also set smtpd_tls_auth_only = yes so the server only announces and accepts AUTH after the connection has been encrypted.

Anti-spam with Spamassassin

Implementation:

Log in on the server as root and install spamassassin through aptitude.

In /etc/default/spamassassin set:

    ENABLED=1

Add/uncomment in /etc/spamassassin/local.cf:

    rewrite_header Subject *****SPAM*****
    report_safe 0

In /etc/postfix/master.cf, add the content_filter option to the existing smtp service and define the spamassassin pipe service that runs spamc and re-injects the result through sendmail:

    smtp      inet  n       -       -       -       -       smtpd
      -o content_filter=spamassassin
    spamassassin unix -     n       n       -       -       pipe
      user=debian-spamd argv=/usr/bin/spamc -f -e /usr/sbin/sendmail -oi -f ${sender} ${recipient}

Restart the services:

    service spamassassin start
    service postfix reload

Verification:

An email sent to the server whose body contains the GTUBE test string

    XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X

should arrive with its subject rewritten to *****SPAM***** (the tag configured in local.cf). GTUBE scores 1000 points, so it is tagged regardless of the threshold.
$header ...
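A small verification tool for the setup above, added here as an example and not part of the original page: it builds and submits the GTUBE message with smtplib, and classifies a delivered copy by the Subject rewrite and the X-Spam-Flag/X-Spam-Status headers that spamc adds (report_safe 0 keeps the original body, so the headers are where the verdict shows up). The sender, recipient and sample messages are constructed.

```python
"""GTUBE round-trip check for a Postfix + SpamAssassin content_filter.

Added example, not from the original page. send_gtube() submits the test
message; classify() inspects a message as delivered (for example read back
from the mailbox). Addresses and the sample messages are constructed.
"""
import smtplib
from email import message_from_string
from email.message import EmailMessage

GTUBE = "XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X"
SUBJECT_TAG = "*****SPAM*****"   # must match `rewrite_header Subject` in local.cf


def build_gtube(sender, recipient, subject="spamassassin check"):
    """The test message: plain text with the GTUBE string on its own line."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, recipient, subject
    msg.set_content("Test message containing the GTUBE string:\n%s\n" % GTUBE)
    return msg


def send_gtube(host, sender, recipient, port=25):
    """Submit the test message to the server under test (the smtp inet service)."""
    with smtplib.SMTP(host, port, timeout=15) as s:
        s.send_message(build_gtube(sender, recipient))


def classify(raw):
    """Return 'spam', 'ham' or 'unfiltered' for one delivered message.

    'unfiltered' means no SpamAssassin header at all: the content_filter did
    not run, which is the failure mode to look for after editing master.cf.
    """
    msg = message_from_string(raw)
    subject = msg.get("Subject", "")
    flag = msg.get("X-Spam-Flag", "").strip().upper()
    if subject.startswith(SUBJECT_TAG) or flag == "YES":
        return "spam"
    if msg.get("X-Spam-Status") or flag == "NO":
        return "ham"
    return "unfiltered"


# Constructed samples of what arrives in the mailbox in each case
SAMPLE_TAGGED = ("Subject: *****SPAM***** spamassassin check\n"
                 "X-Spam-Flag: YES\nX-Spam-Status: Yes, score=1000.0 required=5.0\n\nbody\n")
SAMPLE_CLEAN = "Subject: hello\nX-Spam-Status: No, score=0.1 required=5.0\n\nbody\n"
SAMPLE_UNFILTERED = "Subject: hello\n\nbody\n"


if __name__ == "__main__":
    import sys
    # Usage: python gtube.py mail.example.org sender@example.org rcpt@example.org
    send_gtube(sys.argv[1], sys.argv[2], sys.argv[3])
    print("GTUBE sent; run classify() on the delivered copy")
```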

Greylisting email with postgrey

Description: add greylisting to Postfix through postgrey.

Implementation:

Log in to the server as root and install postgrey through aptitude.

Append to /etc/postgrey/whitelist-clients:

    d4.sysinst.ida.liu.se

Restart the service:

    service postgrey reload

Add to/edit in /etc/postfix/main.cf (postgrey listens on 127.0.0.1:10023 on Debian; keep check_policy_service after reject_unauth_destination so relay attempts are rejected outright instead of being greylisted):

    smtpd_recipient_restrictions =
        permit_mynetworks
        reject_unauth_destination
        check_policy_service inet:127.0.0.1:10023

Restart the service:

    service postfix reload

Verification:

Email from any local host should not be greylisted.
Email from an unknown address should be greylisted: the sending server gets a temporary 450 reply and is accepted when it retries after the delay.
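To make the check_policy_service line concrete, here is a minimal greylisting policy server, added as an example; it is not postgrey's code. It speaks the attribute=value request format Postfix sends to a policy service, keeps the usual (client network, sender, recipient) triplet with a delay, honours a client-name whitelist like whitelist-clients, and answers with action=defer_if_permit or action=dunno. State is kept in memory, so it is for understanding and testing the mechanism, not for production. The delay, whitelist entry and sample requests are constructed or taken from this page.

```python
"""Greylisting as a Postfix policy service (the protocol postgrey speaks on 127.0.0.1:10023).

Added example, not postgrey's implementation. Postfix sends
"name=value\n" lines ending in a blank line; the service answers
"action=...\n\n". State is in memory only.
"""
import socketserver
import time

DELAY = 300                            # seconds an unknown triplet must wait
WHITELIST = {"d4.sysinst.ida.liu.se"}  # client names never greylisted (cf. whitelist-clients)


class Greylist:
    def __init__(self, delay=DELAY, whitelist=WHITELIST, clock=time.time):
        self.delay = delay
        self.whitelist = set(whitelist)
        self.clock = clock                 # injectable so the delay can be tested
        self.seen = {}                     # triplet -> time first seen

    @staticmethod
    def parse_request(text):
        """Parse the policy delegation request into a dict; stops at the blank line."""
        attrs = {}
        for line in text.splitlines():
            if not line.strip():
                break
            name, _, value = line.partition("=")
            attrs[name] = value
        return attrs

    def decide(self, attrs):
        """Return the action for one RCPT: dunno (no opinion) or defer_if_permit."""
        if attrs.get("client_name", "").lower() in self.whitelist:
            return "dunno"
        addr = attrs.get("client_address", "")
        # Key IPv4 clients on the /24 so a retry from another MTA in the same
        # farm still matches (postgrey does the same by default); IPv6 is used whole.
        net = addr if ":" in addr else ".".join(addr.split(".")[:3])
        key = (net, attrs.get("sender", "").lower(), attrs.get("recipient", "").lower())
        now = self.clock()
        first = self.seen.setdefault(key, now)
        waited = now - first
        if waited < self.delay:
            return "defer_if_permit Greylisted, try again in %d seconds" % (self.delay - waited)
        return "dunno"

    def respond(self, text):
        """Full wire response for one request."""
        return "action=%s\n\n" % self.decide(self.parse_request(text))


class PolicyHandler(socketserver.StreamRequestHandler):
    def handle(self):
        buf = ""
        while True:                                   # Postfix may reuse the connection
            line = self.rfile.readline().decode("utf-8", "replace")
            if not line:
                return
            buf += line
            if line in ("\n", "\r\n"):
                self.wfile.write(self.server.greylist.respond(buf).encode())
                self.wfile.flush()
                buf = ""


def serve(host="127.0.0.1", port=10023):
    server = socketserver.ThreadingTCPServer((host, port), PolicyHandler)
    server.greylist = Greylist()
    server.serve_forever()


# Constructed request as Postfix would send it for one RCPT from an unknown host
SAMPLE_REQUEST = ("request=smtpd_access_policy\nprotocol_state=RCPT\n"
                  "client_address=1.2.3.4\nclient_name=mx.example.net\n"
                  "sender=someone@example.net\nrecipient=user@d4.sysinst.ida.liu.se\n\n")


if __name__ == "__main__":
    serve()
```

Because the server never says "ok", only "dunno", a client that fails reject_unauth_destination earlier in smtpd_recipient_restrictions is still rejected; that is why the ordering in main.cf matters.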

Installation main and satellite services

Description:

Criteria:
- Accept mail from any SMTP server in the world.
- Be able to send mail to any SMTP server in the world.
- Not accept mail for any destination other than your own domain.
- Meet the requirements of RFC 2821, section 4.5.1, concerning the postmaster address.
- Rewrite local usernames to the users' real addresses through LDAP lookups.
- Forwarded email from satellite systems should have its FQDN rewritten to this server's.

Implementation (main server):

Log in on the server as root and install postfix through aptitude. Select type "Internet Site" and set the system mail name to d4.sysinst.ida.liu.se.

In /etc/postfix/main.cf, add the following lines:

    mynetworks = 127.0.0.0/8 130.236.179.88/29 [::ffff:127.0.0.0]/104 [::1]/128
    masquerade_domains = $mydomain
    local_header_rewrite_clients = permit_mynetworks
    sender_canonical_maps = ldap:/etc/postfix/canonical_sender
    recipient_canonical_maps = ldap:/etc/postfix/canonical_recipent

Create /etc/postfix/canonical_sender (local uid to the user's mail attribute):

    search_base = ou=People,dc=d4,dc=sysinst,dc=ida,dc=liu,dc=se
    server_host = server.d4.sysinst.ida.liu.se
    bind = no
    version = 3
    domain = d4.sysinst.ida.liu.se
    query_filter = uid=%u
    result_attribute = mail

Create /etc/postfix/canonical_recipent (the reverse lookup, mail address to uid; the file name is spelled this way in main.cf above):

    search_base = ou=People,dc=d4,dc=sysinst,dc=ida,dc=liu,dc=se
    server_host = server.d4.sysinst.ida.liu.se
    bind = no
    version = 3
    domain = d4.sysinst.ida.liu.se
    query_filter = mail=%s
    result_attribute = uid

Set the MX record. Add this line to /etc/bind/db.d4.sysinst.ida.liu.se (and bump the zone's SOA serial):

    @   IN  MX  10  server.d4.sysinst.ida.liu.se.

Restart the services:

    service postfix restart
    service bind9 restart

Implementation (satellite systems/clients):

Install postfix through aptitude. Select type "Satellite System", set the system mail name to d4.sysinst.ida.liu.se and the SMTP relay host to server.d4.sysinst.ida.liu.se.

Verification:
- Test that the server can receive email from a generic server outside the LAN.
- Test that the server can send email to a generic server outside the LAN.
- Test that the server does not accept email for domains other than d4.sysinst.ida.liu.se (it must not be an open relay).
- Test that all clients can send email to *@d4.sysinst.ida.liu.se and that it ends up on the server.
- Test that no client has SMTP open to the LAN/WAN.
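The verification steps above, scripted, as an added example that is not part of the original page. in_mynetworks() evaluates the mynetworks line from main.cf the way Postfix reads it (including the bracketed IPv6 entries), which tells you which clients will be allowed to relay before you test against the live server; rcpt_probe(), relay_test() and accept_test() then ask a running server whether it refuses a foreign-to-foreign recipient and accepts postmaster at its own domain; smtp_listening() is the port-25 check for satellite hosts. The mynetworks value and domain are the page's; the probe addresses are constructed.

```python
"""Verification helpers for the main/satellite Postfix setup.

Added example, not from the original page. Only in_mynetworks() and
parse_mynetworks() work offline; the other functions talk to a live server.
Probe addresses (example.net / example.org) are constructed.
"""
import ipaddress
import smtplib
import socket

# The mynetworks line from main.cf above
MYNETWORKS = "127.0.0.0/8 130.236.179.88/29 [::ffff:127.0.0.0]/104 [::1]/128"
OUR_DOMAIN = "d4.sysinst.ida.liu.se"


def parse_mynetworks(value):
    """Turn the space-separated Postfix list into ip_network objects."""
    nets = []
    for item in value.split():
        # Postfix writes IPv6 networks as [addr]/len
        nets.append(ipaddress.ip_network(item.strip("[]").replace("]", ""), strict=False))
    return nets


def in_mynetworks(client_ip, value=MYNETWORKS):
    """True when Postfix would treat client_ip as a trusted client (permit_mynetworks)."""
    ip = ipaddress.ip_address(client_ip)
    candidates = [ip]
    # An IPv4-mapped client (::ffff:a.b.c.d) is usually reported by Postfix in
    # IPv4 form, so test both forms to be safe.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        candidates.append(ip.ipv4_mapped)
    nets = parse_mynetworks(value)
    return any(c in n for c in candidates for n in nets if c.version == n.version)


def rcpt_probe(host, sender, recipient, port=25, timeout=15):
    """Return the reply code the server gives to RCPT TO:<recipient>, then reset."""
    with smtplib.SMTP(host, port, timeout=timeout) as s:
        s.ehlo_or_helo_if_needed()
        s.mail(sender)
        code, _ = s.rcpt(recipient)
        s.rset()
        return code


def relay_test(host):
    """Open-relay check: a foreign sender to a foreign recipient must get a 5xx."""
    return rcpt_probe(host, "probe@example.net", "nobody@example.org") >= 500


def accept_test(host):
    """RFC 2821 section 4.5.1: postmaster at our own domain must be accepted."""
    return rcpt_probe(host, "probe@example.net", "postmaster@" + OUR_DOMAIN) == 250


def smtp_listening(host, port=25, timeout=3):
    """Satellite hosts should not expose port 25 to the LAN/WAN: expect False."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    import sys
    # Usage: python verify_mail.py server.d4.sysinst.ida.liu.se client1 client2 ...
    server, clients = sys.argv[1], sys.argv[2:]
    print("refuses relaying:", relay_test(server))
    print("accepts postmaster:", accept_test(server))
    for c in clients:
        print("%s has port 25 open: %s" % (c, smtp_listening(c)))
```

Note that rcpt_probe stops after RCPT and sends RSET, so nothing is actually delivered during the test; the reply code alone shows whether reject_unauth_destination is doing its job.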

Activating SMTP AUTH (PLAIN) through STARTTLS in sendmail (FreeBSD)

N.B. This expects a working sendmail installation with STARTTLS.

Install cyrus-sasl:

    # install cyrus-sasl2
    cd /usr/ports/security/cyrus-sasl2
    make install clean
    echo "pwcheck_method: saslauthd" > /usr/local/lib/sasl2/Sendmail.conf

    # install cyrus-sasl2-saslauthd
    cd /usr/ports/security/cyrus-sasl2-saslauthd
    make install clean
    echo 'saslauthd_enable="YES"' >> /etc/rc.conf
    service saslauthd start

Set the sendmail make flags. Put the following in /etc/make.conf (create it if it doesn't exist):

    SENDMAIL_CFLAGS=-I/usr/local/include/sasl -DSASL
    SENDMAIL_LDFLAGS=-L/usr/local/lib
    SENDMAIL_LDADD=-lsasl2

Recompile sendmail. Do you have the source in /usr/src? Otherwise you will need to run the following command. If you don't use RELEASE-10, change that. ...

Sendmail / Postfix - Testing mailserver

Links: qmail.jms1.net, BSD Handbook, Sendmail.org

This expects you to have netcat, perl and openssl installed. Lines starting with ">" are what you type; everything else is the server's reply.

Hello without TLS:

    nc mail.server.com 25
    220 mail.server.com ESMTP Sendmail 8.14.7/8.14.7; Thu, 11 Sep 2014 12:01:22 +0200 (CEST)
    > ehlo friendly.server.com
    250-mail.server.com Hello friendly [1.2.3.4], pleased to meet you
    250-ENHANCEDSTATUSCODES
    250-PIPELINING
    250-8BITMIME
    250-SIZE
    250-DSN
    250-ETRN
    250-AUTH DIGEST-MD5 CRAM-MD5
    250-STARTTLS
    250-DELIVERBY
    250 HELP
    > quit
    221 2.0.0 mail.server.com closing connection

Hello with TLS (-crlf is needed because SMTP lines end in CRLF):

    openssl s_client -starttls smtp -crlf -connect mail.server.com:25
    # ...loads of text here...
    > ehlo friendly.server.com
    # ... same as without TLS (above) ...

Test login. AUTH PLAIN is just the username and password, base64 encoded with NUL separators, so only send it inside the TLS session, never over plain nc:

    $ perl -MMIME::Base64 -e 'print encode_base64("\000coolname\@iix.se\000my-password")'
    AGNvb2xuYW1lQGlpeC5zZQBteS1wYXNzd29yZA==
    # ... log in to the server with one of the above ...
    > AUTH PLAIN AGNvb2xuYW1lQGlpeC5zZQBteS1wYXNzd29yZA==
    235 2.0.0 OK Authenticated
    > quit
    221 2.0.0 mail.server.com closing connection

Sending mail:

    > mail from: <[email protected]>
    250 ok
    > rcpt to: <[email protected]>
    250 ok
    > data
    354 go ahead
    > From: John <[email protected]>
    > To: Nobody <[email protected]>
    > Subject: fnord
    >
    > hail eris!
    > .
    250 ok 1113954693 qp 29052
    > quit
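The same session driven from Python, as an added example that is not part of the original page; it also serves as a client-side test for the Postfix and sendmail AUTH PLAIN pages above. auth_plain_token() produces the same base64 string as the perl one-liner, parse_ehlo() turns the 250- lines into a capability map, and smtp_login() refuses to send AUTH PLAIN until the session has been upgraded with STARTTLS, since PLAIN puts the password on the wire as-is. The EHLO transcript is copied from this page; the host name, account and password in the usage are constructed.

```python
"""SMTP AUTH PLAIN over STARTTLS from Python, mirroring the nc/openssl session above.

Added example, not from the original page. smtp_login() talks to a real
server; auth_plain_token(), decode_auth_plain() and parse_ehlo() work offline.
"""
import base64
import smtplib
import ssl

# The EHLO reply from the transcript above (constructed copy for parse_ehlo)
EHLO_REPLY = [
    "250-mail.server.com Hello friendly [1.2.3.4], pleased to meet you",
    "250-ENHANCEDSTATUSCODES",
    "250-PIPELINING",
    "250-8BITMIME",
    "250-SIZE",
    "250-DSN",
    "250-ETRN",
    "250-AUTH DIGEST-MD5 CRAM-MD5",
    "250-STARTTLS",
    "250-DELIVERBY",
    "250 HELP",
]


def auth_plain_token(username, password, authzid=""):
    """Base64 of the SASL PLAIN message: authzid NUL authcid NUL password."""
    raw = "%s\0%s\0%s" % (authzid, username, password)
    return base64.b64encode(raw.encode("utf-8")).decode("ascii")


def decode_auth_plain(token):
    """Inverse of auth_plain_token: what anyone sniffing an unencrypted session gets."""
    authzid, username, password = base64.b64decode(token).decode("utf-8").split("\0")
    return authzid, username, password


def parse_ehlo(lines):
    """Map the 250-/250 lines of an EHLO reply to {KEYWORD: [params]}."""
    caps = {}
    for line in lines[1:]:              # first line is the greeting, not a capability
        body = line[4:].strip()         # drop the '250-' or '250 ' prefix
        keyword, _, params = body.partition(" ")
        caps[keyword.upper()] = params.split()
    return caps


def smtp_login(host, username, password, port=25):
    """EHLO, STARTTLS, EHLO again, then AUTH PLAIN; returns the 235 reply text."""
    ctx = ssl.create_default_context()
    with smtplib.SMTP(host, port, timeout=15) as s:
        s.ehlo()
        if not s.has_extn("starttls"):
            raise RuntimeError("%s offers no STARTTLS; refusing to send PLAIN credentials" % host)
        s.starttls(context=ctx)
        s.ehlo()                        # capabilities may differ once encrypted
        mechs = s.esmtp_features.get("auth", "").upper().split()
        if "PLAIN" not in mechs:
            raise RuntimeError("server offers AUTH %s but not PLAIN after STARTTLS" % mechs)
        code, msg = s.docmd("AUTH", "PLAIN " + auth_plain_token(username, password))
        if code != 235:
            raise RuntimeError("authentication failed: %d %s" % (code, msg.decode()))
        return msg.decode()


if __name__ == "__main__":
    import getpass
    import sys
    # Usage: python smtp_auth.py mail.server.com coolname@iix.se
    print(smtp_login(sys.argv[1], sys.argv[2], getpass.getpass("password: ")))
```

In the transcript above the server advertises only DIGEST-MD5 and CRAM-MD5 before STARTTLS; a server configured to hide PLAIN on unencrypted sessions looks exactly like that, which is why smtp_login() re-reads the capabilities after the TLS handshake.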