Saturday, February 21, 2015

How to enable user authentication for a Postfix SMTP server with SASL

I had originally written this tutorial for xmodulo.com

Every mail server administrator dreads his or her server becoming compromised by spammers. A lot of effort, time and even money is spent on securing mail servers and making sure that they do not become an open relay.
To combat spambots in an SMTP server, Postfix in general uses the mynetworks parameter to specify the trusted sender network, i.e., the LAN. In a typical scenario, the users stationed in the internal LAN are legitimate users, and Postfix will happily accept SMTP requests from them and forward the emails towards their destination. Although this used to be the standard practice in the past, today's users want mobility. Everyone wants to be able to send/receive emails on their phones/tablets/laptops at work, at home, on the go, or even from their favorite coffee shop around the corner. For people who are in the field for critical services, a simple email alert could save a lot of time, effort and money.
To cope with the need for mobility, Postfix started to support another method of validating users. Simple Authentication and Security Layer (SASL) is a framework that can be used by many connection-oriented Internet protocols for securing data, servers and users. With SASL enabled, Postfix will not accept any incoming SMTP connection without proper authentication. As a smart spammer can imitate a legitimate email account, no SMTP submission, even from internal users, is accepted without authentication.
This tutorial will focus on setting up a Postfix SMTP server to use Dovecot SASL for user authentication. As Dovecot provides mechanisms for user authentication, Postfix will simply ask Dovecot to do the work for it. That way, there is no need to re-invent the wheel.

Prerequisites

  1. A working mail server running on postfix and dovecot
  2. SSL/TLS support for the mail server

Preparing Dovecot

Backing up configuration files prior to modification is always a good idea.
Since Dovecot will be the one doing most of the work, we will start configuration with Dovecot.
First of all, a listener is added to Dovecot. Postfix will use this listener to communicate with Dovecot.
root@mail:~# vim /etc/dovecot/conf.d/10-master.conf
## The listener is added under the service auth section ##
service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    user = postfix
    group = postfix
  } ## end listener
} ## end service auth
The above definition places the socket to be used by Postfix at /var/spool/postfix/private/auth with permission 0660 for Postfix only.
root@mail:~# vim /etc/dovecot/conf.d/10-auth.conf
auth_mechanisms = plain login
The above parameter enables the PLAIN and LOGIN authentication mechanisms, which Dovecot will offer to Postfix.
Finally, for the changes to take effect, we restart the Dovecot service as follows.
root@mail:~# service dovecot restart

Preparing Postfix

The necessary SSL/TLS and SASL parameters are added to the configuration file main.cf.
root@mail:~# vim /etc/postfix/main.cf
#### SASL ####
## specify SASL type ##
smtpd_sasl_type = dovecot

## path to the SASL socket relative to postfix spool directory i.e. /var/spool/postfix ##
smtpd_sasl_path = private/auth

## postfix appends the domain name for SASL logins that do not have the domain part ##
smtpd_sasl_local_domain = example.tst

## SASL default policy ##
smtpd_sasl_security_options = noanonymous

## for legacy application compatibility ##
broken_sasl_auth_clients = yes

## enable SMTP auth ##
smtpd_sasl_auth_enable = yes

## smtp checks ##
## these checks are based on first match, so sequence is important ##
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
The official guideline can be consulted for more details on available parameters and their function.
SSL/TLS specific parameters are added to the server as well.
root@mail:~# vim /etc/postfix/main.cf
#### SSL/TLS parameters ####

## 'encrypt' will enforce SSL. Not recommended for live servers ##
smtpd_tls_security_level = may
#smtpd_tls_security_level = encrypt

smtpd_tls_received_header = yes
## 'no' lets clients authenticate before STARTTLS; 'yes' only offers AUTH inside TLS ##
smtpd_tls_auth_only = no

## loglevel 3 or 4 can be used during troubleshooting ##
smtpd_tls_loglevel = 1

## path to certificate and key file ##
smtpd_tls_cert_file = /etc/ssl/certs/postfixcert.pem
smtpd_tls_key_file = /etc/ssl/private/postfixkey.pem
smtpd_use_tls=yes

## log remote SMTP servers that offer STARTTLS when the Postfix client does not use it ##
smtp_tls_note_starttls_offer = yes

smtpd_tls_session_cache_timeout = 3600s
Now Postfix is reloaded with updated settings.
root@mail:~# service postfix restart
At this point, Postfix will not allow SMTP connections without authentication.

Mail User Agent Configuration

Your mail client is configured with mandatory authentication for SMTP as shown below.

Troubleshooting

If SASL is not working correctly, the following troubleshooting may help.

Enabling Verbose Postfix Logs

To increase the level of output in the Postfix log, the "-v" parameter can be added in the following file.
root@mail:/etc/postfix# vim /etc/postfix/master.cf
smtp      inet  n       -       -       -       -       smtpd -v
Now there should be more verbose information in the log file at /var/log/mail.log, which can help with the troubleshooting process.

Telnet to port 25

A telnet connection to port 25 should be successful.
$ telnet mail.example.tst 25
ehlo mail.example.tst
250-mail.example.tst
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
Amongst other features that the SMTP server advertises, the STARTTLS and AUTH features should be available.
Sending mail over telnet without authenticating should fail, as in the following exchange, where no authentication information is sent to the server.
$ telnet mail.example.tst 25
ehlo mail.example.tst
mail from:sarmed@example.tst
250 2.1.0 Ok
rcpt to:sarmed@example.tst
554 5.7.1 : Relay access denied
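The EHLO output above can be checked automatically instead of by eye. The following script is an added example, not part of the original tutorial: parse_ehlo() parses a 250 reply (including the legacy AUTH= line that broken_sasl_auth_clients = yes produces), assess() flags AUTH being offered on a plaintext session, which is what smtpd_tls_auth_only = no permits, and probe() runs the same checks against a live server. The sample reply is constructed from the output shown on this page, and the host name mail.example.tst and certificate path are the tutorial's.

```python
import smtplib
import ssl

# Constructed EHLO reply, modelled on the plaintext EHLO output shown above.
SAMPLE_EHLO_REPLY = """\
250-mail.example.tst
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
"""


def parse_ehlo(reply: str) -> dict:
    """Map a multi-line 250 reply to {KEYWORD: [params]}; line 1 is the server name."""
    caps = {}
    lines = [ln.strip() for ln in reply.splitlines() if ln.strip()]
    for line in lines[1:]:
        if not line.startswith("250"):
            raise ValueError(f"unexpected EHLO line: {line!r}")
        keyword, _, params = line[4:].partition(" ")
        # legacy 'AUTH=' form (broken_sasl_auth_clients = yes) merges into 'AUTH'
        if keyword.upper().startswith("AUTH="):
            keyword, params = "AUTH", keyword[5:] + " " + params
        entry = caps.setdefault(keyword.upper(), [])
        for p in params.split():
            if p not in entry:
                entry.append(p)
    return caps


def assess(caps: dict, tls_active: bool) -> list:
    """Findings for the capabilities seen before (plaintext) or after STARTTLS."""
    findings, auth = [], caps.get("AUTH", [])
    if not tls_active and "STARTTLS" not in caps:
        findings.append("STARTTLS not offered: clients cannot encrypt the session")
    if not tls_active and auth:
        findings.append("AUTH offered before STARTTLS (smtpd_tls_auth_only = no): "
                        "PLAIN and LOGIN would send passwords in clear text")
    if tls_active and not auth:
        findings.append("no AUTH after STARTTLS: check smtpd_sasl_auth_enable "
                        "and the Dovecot auth socket")
    if any(m.upper() == "ANONYMOUS" for m in auth):
        findings.append("ANONYMOUS offered: set smtpd_sasl_security_options = noanonymous")
    return findings


def probe(host: str, port: int = 25, cafile=None) -> dict:
    """Run assess() on a live server; cafile is the certificate to trust (self-signed here)."""
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        smtp.ehlo()
        before = {k.upper(): v.split() for k, v in smtp.esmtp_features.items()}
        result = {"plaintext": assess(before, tls_active=False)}
        if "STARTTLS" in before:
            smtp.starttls(context=ssl.create_default_context(cafile=cafile))
            smtp.ehlo()  # capabilities must be re-read after the TLS handshake
            after = {k.upper(): v.split() for k, v in smtp.esmtp_features.items()}
            result["tls"] = assess(after, tls_active=True)
    return result
```

For the self-signed certificate from this page, call probe("mail.example.tst", cafile="/etc/ssl/certs/postfixcert.pem") so the TLS handshake verifies against it.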

Tuning parameter – mynetworks

Earlier in the tutorial, the Postfix server was configured to allow SMTP connections originated in the trusted network i.e., mynetworks, as shown in /etc/postfix/main.cf.
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
To make sure that mails originating from mynetworks do not pass through unauthenticated, /etc/postfix/main.cf can be modified as follows.
smtpd_recipient_restrictions = permit_sasl_authenticated, reject_unauth_destination
Based on the requirements, permit_mynetworks can be allowed or denied later on.
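As an added example (not the tutorial's own code), the following script parses a main.cf fragment and reports who may relay through the server without SASL credentials, applying the first-match rule described above to smtpd_recipient_restrictions. The two constructed fragments reproduce the restriction lists shown on this page, and the mynetworks value is the one from the setup tutorial further down.

```python
import ipaddress
import re

# Constructed main.cf fragments reproducing the two restriction lists discussed above.
LAN_RELAY_CF = """\
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 192.168.10.0/24
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated,
    reject_unauth_destination
"""
AUTH_ONLY_CF = LAN_RELAY_CF.replace("permit_mynetworks, ", "")


def parse_main_cf(text: str) -> dict:
    """Parse 'name = value' lines; a line starting with whitespace continues the previous value."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and current:
            params[current] += " " + raw.strip()
            continue
        name, _, value = raw.partition("=")
        current = name.strip()
        params[current] = value.strip()
    return params


def restriction_list(params: dict, name: str) -> list:
    """Split a Postfix restriction list on commas and/or whitespace."""
    return [r for r in re.split(r"[,\s]+", params.get(name, "")) if r]


def lan_networks(params: dict) -> list:
    """mynetworks entries other than loopback; these hosts are trusted without credentials."""
    lan = []
    for entry in params.get("mynetworks", "").split():
        net = ipaddress.ip_network(entry.replace("[", "").replace("]", ""), strict=False)
        mapped = getattr(net.network_address, "ipv4_mapped", None)  # e.g. ::ffff:127.0.0.0
        if not (net.is_loopback or (mapped is not None and mapped.is_loopback)):
            lan.append(str(net))
    return lan


def assess_relay_policy(params: dict) -> list:
    """Findings about who may relay through this server without SASL credentials."""
    findings = []
    rules = restriction_list(params, "smtpd_recipient_restrictions")
    lan = lan_networks(params)
    if "reject_unauth_destination" not in rules:
        findings.append("reject_unauth_destination missing: the server is an open relay")
    if "permit_mynetworks" in rules and lan:
        findings.append("permit_mynetworks lets %s relay without authentication" % ", ".join(lan))
    if "permit_sasl_authenticated" in rules and params.get("smtpd_sasl_auth_enable") != "yes":
        findings.append("permit_sasl_authenticated listed but smtpd_sasl_auth_enable is not yes")
    # Restrictions are evaluated first match wins, so a permit placed after the
    # reject can never fire.
    if "reject_unauth_destination" in rules:
        reject_at = rules.index("reject_unauth_destination")
        for permit in ("permit_mynetworks", "permit_sasl_authenticated"):
            if permit in rules and rules.index(permit) > reject_at:
                findings.append(f"{permit} comes after reject_unauth_destination and never applies")
    return findings
```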
To sum up, SASL can provide additional security to a mail server by enforcing mandatory authentication for users making SMTP requests. As users may use a mail server from anywhere, SASL meets the security requirements without conflicting with the mobility of users.
Hope this helps.


How to secure a mail server using encryption

I had originally written this tutorial for xmodulo.com

SSL (Secure Sockets Layer) and its descendant TLS (Transport Layer Security) are the most widely used protocols for encrypting data that is exchanged between a server and a client. These protocols often use X.509 certificates and asymmetric cryptography.
STARTTLS is another method of securing plain-text communication. This protocol also encrypts data with SSL or TLS, but on the same port as the plain-text protocol, instead of using separate ports for SSL/TLS-encrypted communications. For example, IMAP over STARTTLS uses the same port as IMAP (143), while IMAPS (IMAP over SSL) uses a separate port, 993.
The previous tutorial describes how to set up a mail server running on Postfix and Dovecot, but the security aspect was not covered. In this tutorial, we demonstrate how to add security to a mail server through TLS/SSL-based encryption.
Certificates needed for TLS/SSL can be self-signed, signed by a free certification authority (e.g., CAcert) or signed by a commercial authority (e.g., VeriSign), and can be generated with utilities like OpenSSL. We are going to use a self-signed certificate in this tutorial.

Enable TLS Encryption for Postfix

A self-signed certificate can be created with the following command.
# openssl req -new -x509 -days 365 -nodes -out /etc/ssl/certs/postfixcert.pem -keyout /etc/ssl/private/postfixkey.pem
The above command requests a new certificate of type X.509, which remains valid for 365 days. The optional -nodes parameter specifies that the private key should not be encrypted. The output certificate file is saved as postfixcert.pem, and the output key file as postfixkey.pem.
All necessary values for the certificate can be given:
Country Name (2 letter code) [AU]:BD
State or Province Name (full name) [Some-State]:Dhaka
Locality Name (eg, city) []:Dhaka
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:Example.tst
Common Name (e.g. server FQDN or YOUR name) []:mail.example.tst
Email Address []:sarmed@example.tst
Now that the certificate is ready, the necessary parameters are adjusted in the Postfix configuration file.
root@mail:~# vim /etc/postfix/main.cf
### STARTTLS is enabled ###
smtpd_tls_security_level = may

smtpd_tls_received_header = yes
smtpd_tls_auth_only = yes

### loglevel 3 should be used while troubleshooting ###
smtpd_tls_loglevel = 1

### path to certificate and key file ###
smtpd_tls_cert_file = /etc/ssl/certs/postfixcert.pem
smtpd_tls_key_file = /etc/ssl/private/postfixkey.pem
smtpd_use_tls=yes
Restart postfix to enable TLS.
root@mail:~# service postfix restart
At this point, postfix is ready to encrypt data to and from the server. More details about Postfix TLS support can be found in their official README.

Enable SSL Encryption for Dovecot

Configuring dovecot for encryption is similar to postfix.
First of all, a self-signed certificate is created with openssl:
# openssl req -new -x509 -days 365 -nodes -out /etc/ssl/certs/dovecotcert.pem -keyout /etc/ssl/private/dovecotkey.pem
The above command requests a new X.509 certificate which is valid for 365 days. -nodes is an optional parameter which specifies that the stored private key should not be encrypted. The output certificate file will be dovecotcert.pem, and the output key file will be dovecotkey.pem.
All necessary parameters need to be specified in the certificate:
Country Name (2 letter code) [AU]:BD
State or Province Name (full name) [Some-State]:Dhaka
Locality Name (eg, city) []:Dhaka
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:Example.tst
Common Name (e.g. server FQDN or YOUR name) []:mail.example.tst
Email Address []:sarmed@example.tst
Next, the path to the certificate is added in dovecot configuration.
root@mail:~# vim /etc/dovecot/conf.d/10-ssl.conf
ssl_cert = </etc/ssl/certs/dovecotcert.pem
ssl_key = </etc/ssl/private/dovecotkey.pem
Finally, dovecot is restarted to enable SSL with the new certificate.
root@mail:~# service dovecot restart

Thunderbird Mail Client Configuration

The following is a snapshot on how to configure the account in Mozilla Thunderbird.

Troubleshooting

First of all, make sure that all necessary ports are allowed in the firewall.
Second, try telnet to a mail server. You should be able to get through. Some examples are given below for reference.

Connect to IMAPS

$ telnet mail.example.tst 993
Trying mail.example.tst...
Connected to mail.example.tst.
Escape character is '^]'.
exit
exit
Connection closed by foreign host.

Connect to POP3S

$ telnet mail.example.tst 995
Trying mail.example.tst...
Connected to mail.example.tst.
Escape character is '^]'.
exit
exit
Connection closed by foreign host.

Connect to SMTP

$ telnet mail.example.tst 25
Trying mail.example.tst...
Connected to mail.example.tst.
Escape character is '^]'.
220 mail.example.tst ESMTP Postfix (Ubuntu)

### Command ###
ehlo mail.example.tst
250-mail.example.tst
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN


How to set up a mail server in Ubuntu or Debian

I had originally written this tutorial for xmodulo.com

This tutorial will discuss how to set up a working mail server in Ubuntu or Debian. As we know, the two major protocols used in a mail server are SMTP and POP/IMAP. In this tutorial, postfix will be used for SMTP, while dovecot will be used for POP/IMAP. Both are open source, stable and highly customizable.
Please note that securing a mail server is beyond the scope of this tutorial, and will be covered in future tutorials.

Prerequisites

Each domain should have a DNS server. It is recommended NOT to use a live domain for testing purposes. In this tutorial, a test domain example.tst will be used in a lab environment. A DNS server for this hypothetical domain should have the following records at the least.
  • Forward zone for example.tst:
                       IN MX 10  mail.example.tst.
    mail.example.tst.  IN A      192.168.10.1

  • Reverse zone for example.tst:
    192.168.10.1       IN PTR    mail.example.tst.

    While configuring a live mail server, these records can be changed based on system requirements.

    Setting Hostname

    First, the hostname of the mail server must be specified in /etc/hostname and /etc/hosts. The former should contain the hostname only.
    root@mail:~# vim /etc/hostname
    mail
    
    root@mail:~# vim /etc/hosts
    ## IP   Fully Qualified Domain Name  Hostname ##
    192.168.10.1  mail.example.tst   mail
    

    Adding Users

    Every Linux user, by default, has a mailbox automatically created. These users and mailboxes will be used as email accounts and their respective mailboxes. Creating a user is very easy.
    root@mail:~# adduser sarmed

    Install and Configure SMTP

    Service Profile: postfix
    Configuration file directory: /etc/postfix/
    Script: /etc/init.d/postfix
    Log file: /var/log/mail.log
    Port number: TCP/25

    SMTP: Installing postfix

    postfix is one of the most widely used SMTP servers because it is stable, lightweight, scalable, and highly customizable. Setting up postfix can be done using apt-get.
    root@mail:~# apt-get install postfix
    During installation, the type of email server and the domain name are specified.
    Since this mail server will send emails directly towards destination, "Internet Site" is used.
    The domain name of the mail server is also set. This will cause all mails originating from this mail server to have @example.tst as the sender's domain.
    The configuration files of postfix are stored in /etc/postfix. The following configuration files are important. Some of them may not be present and need to be created manually.
    • transport: Primarily used to define how a mail should be routed towards specific destination domains. Bypassing DNS queries can be a good example. In that case, one may need to send emails destined to domain XYZ.com directly to IP address X.Y.Y.X regardless of any DNS query results.
    • access: Can be used for security purposes like blocking senders/recipients and their domains.
    • aliases: Is used to define user aliases. For example, emails sent to userA should be received by userB and userC as well.
    • main.cf: Is the configuration file for postfix.

    SMTP: Preparing Configuration Files

    Time to prepare the configuration files. The transport and aliases files are not provided with the installation, and created manually.
    root@mail:~# cd /etc/postfix
    root@mail:/etc/postfix# touch transport aliases
  • main.cf: main.cf is backed up and then modified. The following lines are added/modified in the configuration file. For more detailed info about the parameters, refer to the official README and configuration document.
    root@mail:/etc/postfix# vim main.cf
    ## the name of the server ##
    myhostname = mail.example.tst
    
    ## alias definitions ##
    alias_maps = hash:/etc/postfix/aliases
    alias_database = hash:/etc/postfix/aliases
    
    ## transport definition ##
    transport_maps = hash:/etc/postfix/transport
    
    ## myorigin defines the domain name for emails originated from this server. In this case, all outgoing mail should have '@example.tst' as sender domain ##
    myorigin = example.tst
    
    ## mydestination parameter specifies what domains this machine will deliver locally, instead of forwarding to another machine. ##
    mydestination = mail.example.tst, localhost.example.tst, localhost, hash:/etc/postfix/transport
    
    ## the smarthost address. Not used in this tutorial and will be covered in the future##
    relayhost =
    
    ## the trusted sender networks. postfix will not forward mails originated from other subnets ##
    mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 192.168.10.0/24
    
    ## mailbox size in bytes. 0 denotes no limit ##
    mailbox_size_limit = 0
    
    ## postfix will listen on all available interfaces i.e. eth0, eth1, eth2 and so on ##
    inet_interfaces = all
    
  • transport: Mails destined to domain example.tst are defined to be delivered locally without any DNS queries.
    root@mail:/etc/postfix# vim transport
    example.tst local:
    .example.tst local:
    
    root@mail:/etc/postfix# postmap transport
  • aliases: Assuming all mails sent to userA should be received by userB as well, the aliases file is modified as stated below.
    root@mail:/etc/postfix# vim aliases
    userA: userA, userB
    
    root@mail:/etc/postfix# postalias aliases
    Note: The syntax 'userA: userB' specifies that the mail should be forwarded to userB only. userA will not receive a copy of the email.

    SMTP: Initiating the Service

    postfix can be started using the command.
    root@mail:~# service postfix restart
    The log file at /var/log/mail.log should provide useful information in case something fails. Whether or not the mail server is listening on TCP port 25 can also be verified using netstat.
    root@mail:~# netstat -nat
    tcp     0        0        0.0.0.0:25       0.0.0.0:*    LISTEN
    
    As it can be seen from the output, the server is listening on TCP port 25 for incoming connection requests.

    Install and Configure POP/IMAP

    Service Profile: dovecot
    Configuration file directory: /etc/dovecot
    Script: /etc/init.d/dovecot
    Log file: /var/log/mail.log
    Port numbers: TCP 110 (POP3), 143 (IMAP), 993 (IMAPS), 995 (POP3S)

    POP/IMAP: Installing dovecot

    dovecot is without a doubt the leading IMAP and POP server software used in the open source community. It is very easy to set up and configure dovecot. Once again, apt-get will be used to install dovecot.
    root@mail:~# apt-get install dovecot-common dovecot-pop3d dovecot-imapd
    Out of the box, dovecot can support POP3 and IMAP (plain text), as well as encrypted POP3S and IMAPS (secured). By default, dovecot will create and use a self-signed certificate for SSL encryption. Certificates can be manually created or imported later based on requirements. In this tutorial, a self-signed certificate generated by dovecot will be used.

    POP/IMAP: Preparing Configuration Files

    The following parameters are modified as needed.
    root@mail:~# vim /etc/dovecot/conf.d/10-mail.conf
    ## the location of the mailbox is specified in 'mbox' format ##
    mail_location = mbox:~/mail:INBOX=/var/mail/%u
    
    ## dovecot is granted necessary permission to read/write user mailboxes ##
    mail_privileged_group = mail
    
    That should be enough to start POP/IMAP service in the mail server.

    POP/IMAP: Initiating the Service

    Now that dovecot is installed and configured, it can be launched using the following command.
    root@mail:~# service dovecot restart
    Again, the log file (/var/log/mail.log) can provide important clues should something go wrong. Whether dovecot is running can also be verified using netstat.
    root@mail:/etc/dovecot/conf.d# netstat -nat
    tcp     0        0        0.0.0.0:110      0.0.0.0:*    LISTEN
    tcp     0        0        0.0.0.0:143      0.0.0.0:*    LISTEN
    tcp     0        0        0.0.0.0:993      0.0.0.0:*    LISTEN
    tcp     0        0        0.0.0.0:995      0.0.0.0:*    LISTEN
    

    Using the Mail Server with Mail User Agent (MUA)

    The mail server is now ready to be used. Email accounts can be configured using your favorite email client software on a desktop, laptop, tablet or phone. Webmail can also be configured on the server, but setting up webmail will be covered in future tutorials. The following is a screenshot with the necessary parameters in Mozilla Thunderbird.

    Troubleshooting Mail Server

    • The log file /var/log/mail.log is your best friend. Any clue about why email is not working can be found here.
    • Make sure that the firewall is properly configured.
    • Make sure that the DNS server has proper entries.
    To sum up, the demonstration in this tutorial is meant to run in a lab environment. A test DNS server with all necessary records can be deployed, and mails can be exchanged between users in the same server, i.e., same domain. To make things more interesting, multiple mail servers with different domains can be deployed to check how email communication works across domains, given that necessary DNS records are present.
    Valid DNS records are needed for live mail servers. The settings of postfix and dovecot can be tuned based on needs.
    Warning: For those who want to deploy live mail servers, or any mail server that has access to the Internet, make sure that your SMTP is secured. Attacks on SMTP can commonly originate from the Internet, as well as from malicious software within the LAN.
    Hope this helps.