Mail Server Authentication: Postfix / TLS

This is a great article… This is the original link to the article. Now here’s my copy of it:

The Perfect Setup – White Box Linux / Red Hat Enterprise Linux 3.0

Version 1.0
Author: Falko Timme
Last edited 03/22/2004

This is a detailed description of the steps needed to set up a Linux server based on White Box Linux that offers all services needed by ISPs and hosters (web server (SSL-capable), mail server (with SMTP-AUTH and TLS!), DNS server, FTP server, MySQL server, POP3/IMAP, Quota, Firewall, etc.).

Since White Box Linux is very similar to Red Hat Enterprise Linux, this tutorial should also work for Red Hat Enterprise Linux. From the White Box Linux website:

“This product is derived from the Free/Open Source Software made available by Red Hat, Inc but IS NOT produced, maintained or supported by Red Hat. Specifically, this product is forked from the source code for Red Hat’s Red Hat Enterprise Linux 3 product under the terms and conditions of its EULA.

There may be remaining packaging problems and other odd bugs. These are solely the responsibility of the White Box Linux effort and should not in any shape, manner or form reflect on the quality of Red Hat’s commercial product. In fact, if you need a fully tested and supported OS you probably should go buy their box set.”

The following services will be installed:

* Web Server: Apache 2.0.x
* Mail Server: Postfix (easier to configure than sendmail; has a shorter history of security holes than sendmail)
* DNS Server: BIND9
* FTP Server: vsftpd (you could also use vsftpd)
* POP3/IMAP: ipop3d/imapd
* Webalizer for web site statistics

In the end you should have a system that works reliably and is ready for the server control panel 42go ISP-Manager (this is optional; you can install any other control panel or no control panel at all).

I want to say first that this is not the only way of setting up such a system. There are many ways of achieving this goal but this is the way I take. I do not issue any guarantee that this will work for you!

Quota

Edit /etc/fstab to look like this (I added ,usrquota,grpquota to partition LABEL=/home):

LABEL=/ / ext3 defaults 1 1
none /dev/pts devpts gid=5,mode=620 0 0
LABEL=/home /home ext3 defaults,usrquota,grpquota 1 2
none /proc proc defaults 0 0
none /dev/shm tmpfs defaults 0 0
/dev/hda5 swap swap defaults 0 0
/dev/cdrom /mnt/cdrom udf,iso9660 noauto,owner,kudzu,ro 0 0
/dev/fd0 /mnt/floppy auto noauto,owner,kudzu 0 0

Then run:

touch /home/aquota.user /home/aquota.group
chmod 600 /home/aquota.*
mount -o remount /home
quotacheck -avugm
quotaon -avug

Start Services

All software we need is already installed on the system. Now we have to configure the system to start these services at boot time:

chkconfig httpd on
chkconfig vsftpd on
chkconfig mysqld on
chkconfig named on
chkconfig saslauthd on
chkconfig ipop3 on
chkconfig imap on
chkconfig cups off
chkconfig isdn off
chkconfig kudzu off
chkconfig pcmcia off
chkconfig sendmail off
chkconfig postfix on

Now we start the services we need:

/etc/init.d/sendmail stop
/etc/init.d/postfix start
/etc/init.d/httpd start
/etc/init.d/mysqld start
/etc/init.d/vsftpd start
/etc/init.d/named start
/etc/init.d/saslauthd start

Make sure /etc/hosts looks like this:

# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1 server1.example.com server1 localhost.localdomain localhost

MySQL

You should set a password for your MySQL database (the password for the MySQL user root; the default one is an empty password):

mysqladmin -u root password yourrootsqlpassword

If you already have a non-empty password, and you want to change it, use this command:

mysqladmin -u root -pyourrootsqlpassword password yournewrootsqlpassword

(Please note: There is no blank between -p and yourrootsqlpassword!)

Postfix

We have to configure Postfix in order to enable SMTP-AUTH and TLS.

First, we generate the certificate files needed for TLS:

mkdir /etc/postfix/ssl
cd /etc/postfix/ssl/

openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024

<- Enter a password for smtpd.key.

chmod 600 smtpd.key
openssl req -new -key smtpd.key -out smtpd.csr

<- Again, enter your password for smtpd.key.
<- Enter your Country Name (e.g., "DE").
<- Enter your State or Province Name.
<- Enter your City.
<- Enter your Organization Name (e.g., the name of your company).
<- Enter your Organizational Unit Name (e.g. "IT Department").
<- Enter the Fully Qualified Domain Name of the system (e.g. "server1.example.com").
<- Enter your Email Address.

The following information is optional:

<- Enter a challenge password.
<- Enter an optional company name.

openssl x509 -req -days 3650 -in smtpd.csr -signkey smtpd.key -out smtpd.crt

<- Again, enter your password for smtpd.key.

openssl rsa -in smtpd.key -out smtpd.key.unencrypted

<- Again, enter your password for smtpd.key.

mv -f smtpd.key.unencrypted smtpd.key
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650

<- Again, enter your password for smtpd.key.
<- Enter your Country Name (e.g., "DE").
<- Enter your State or Province Name.
<- Enter your City.
<- Enter your Organization Name (e.g., the name of your company).
<- Enter your Organizational Unit Name (e.g. "IT Department").
<- Enter the Fully Qualified Domain Name of the system (e.g. "server1.example.com").
<- Enter your Email Address.

Run the following commands in order to enable SMTP-AUTH and TLS in /etc/postfix/main.cf:

postconf -e 'mydomain = example.com'
postconf -e 'myhostname = server1.$mydomain'
postconf -e 'mynetworks = 127.0.0.0/8'
postconf -e 'smtpd_sasl_local_domain ='
postconf -e 'smtpd_sasl_auth_enable = yes'
postconf -e 'smtpd_sasl_security_options = noanonymous'
postconf -e 'broken_sasl_auth_clients = yes'
postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination'
postconf -e 'inet_interfaces = all'
postconf -e 'alias_maps = hash:/etc/aliases'
postconf -e 'smtpd_tls_auth_only = no'
postconf -e 'smtp_use_tls = yes'
postconf -e 'smtpd_use_tls = yes'
postconf -e 'smtp_tls_note_starttls_offer = yes'
postconf -e 'smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key'
postconf -e 'smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt'
postconf -e 'smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem'
postconf -e 'smtpd_tls_loglevel = 1'
postconf -e 'smtpd_tls_received_header = yes'
postconf -e 'smtpd_tls_session_cache_timeout = 3600s'
postconf -e 'tls_random_source = dev:/dev/urandom'

mv -f /etc/pam.d/smtp.postfix /etc/pam.d/smtp
/etc/init.d/postfix restart
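The postconf lines above decide two security properties of the mail server: whether it relays only for authenticated clients and for mynetworks (the reject_unauth_destination entry in smtpd_recipient_restrictions), and whether clients may authenticate before the connection is encrypted (smtpd_tls_auth_only = no leaves AUTH on the plaintext connection). The following audit script is an added example, not part of the original tutorial: it parses the key = value format that postconf -e writes into main.cf, applies one level of $name expansion, and flags an open-relay restriction list, non-loopback mynetworks, and SASL enabled without smtpd_tls_auth_only = yes. The embedded sample configuration is constructed to mirror the tutorial's settings; the audit_file() path is the Postfix default.

```python
import re

# Constructed sample: the parameters the tutorial's postconf -e commands write.
SAMPLE_MAIN_CF = """\
# blank lines and comments are ignored
mydomain = example.com
myhostname = server1.$mydomain
mynetworks = 127.0.0.0/8
smtpd_sasl_local_domain =
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
inet_interfaces = all
smtpd_tls_auth_only = no
smtpd_use_tls = yes
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
"""


def parse_main_cf(text):
    """Return {parameter: value} from main.cf text.

    Later assignments override earlier ones (as Postfix does), lines that
    begin with whitespace continue the previous value, and a single level
    of $name expansion is applied so myhostname resolves as in the text.
    """
    params = {}
    last_key = None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t" and last_key is not None:
            params[last_key] = (params[last_key] + " " + line.strip()).strip()
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue  # not a key = value line; postconf would reject it
        last_key = key.strip()
        params[last_key] = value.strip()
    return {k: re.sub(r"\$(\w+)", lambda m: params.get(m.group(1), ""), v)
            for k, v in params.items()}


def split_list(value):
    """Postfix list values are separated by commas and/or whitespace."""
    return [item for item in re.split(r"[,\s]+", value) if item]


def audit(params):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    restrictions = split_list(params.get("smtpd_recipient_restrictions", ""))
    # Relay control: reject_unauth_destination must be present and must come
    # before any unconditional 'permit', otherwise anyone can relay.
    if "reject_unauth_destination" not in restrictions:
        findings.append("smtpd_recipient_restrictions lacks "
                        "reject_unauth_destination (open relay)")
    elif ("permit" in restrictions and
          restrictions.index("permit") < restrictions.index("reject_unauth_destination")):
        findings.append("'permit' precedes reject_unauth_destination (open relay)")
    # permit_mynetworks relays without a password for these networks, so
    # anything beyond loopback deserves a second look.
    for net in split_list(params.get("mynetworks", "")):
        if not net.startswith("127."):
            findings.append("mynetworks trusts non-loopback network %s" % net)
    # Password exposure: with SASL on and smtpd_tls_auth_only = no, AUTH is
    # advertised before STARTTLS and a client may send credentials in clear.
    if params.get("smtpd_sasl_auth_enable") == "yes":
        if params.get("smtpd_tls_auth_only", "no") != "yes":
            findings.append("smtpd_tls_auth_only is not 'yes': AUTH is offered "
                            "on the unencrypted connection")
        if params.get("smtpd_use_tls", "no") != "yes":
            findings.append("smtpd_use_tls is not 'yes': STARTTLS is not offered")
    return findings


def audit_file(path="/etc/postfix/main.cf"):
    """Convenience wrapper for a real main.cf (path is the Postfix default)."""
    with open(path) as fh:
        return audit(parse_main_cf(fh.read()))


if __name__ == "__main__":
    for finding in audit(parse_main_cf(SAMPLE_MAIN_CF)) or ["no findings"]:
        print(finding)
```

Run against the sample, the only finding is the smtpd_tls_auth_only one; appending smtpd_tls_auth_only = yes (a later assignment overrides, as in Postfix) clears it, which is the one-line change that keeps passwords off the plaintext connection while leaving the rest of the tutorial's setup intact.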

To see if SMTP-AUTH and TLS work properly now run the following command:

telnet localhost 25

After you have established the connection to your Postfix mail server, type

ehlo localhost

If you see the lines

250-STARTTLS

and

250-AUTH

everything is fine.

Type

quit

to return to the system's shell.
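The telnet dialogue above checks for 250-STARTTLS and 250-AUTH by eye. The following script is an added example, not from the original tutorial, that does the same check programmatically: parse_ehlo() turns a raw EHLO reply into a table of extensions (including the old AUTH=LOGIN PLAIN form that broken_sasl_auth_clients adds), assess() reports whether STARTTLS and AUTH are offered and whether AUTH is already offered on the unencrypted connection, and check_server() runs the live dialogue with the standard library's smtplib, repeating EHLO inside TLS because the capability list can differ there. Assumptions: the server listens on localhost port 25 as in the text; because the tutorial's smtpd.crt is self-signed with smtpd.key rather than issued by cacert.pem, certificate verification is skipped unless you pass a matching cafile. The sample reply embedded below is constructed.

```python
import smtplib
import ssl

# Constructed EHLO reply shaped like the one the tutorial tells you to look for.
SAMPLE_EHLO_REPLY = """\
250-server1.example.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250 8BITMIME
"""


def parse_ehlo(reply):
    """Return {EXTENSION: parameters} from a multi-line 250 reply.

    '250-' marks a continuation line and '250 ' the last line; the first
    line carries the server name rather than an extension.
    """
    exts = {}
    for line in reply.splitlines()[1:]:
        if not line.startswith("250"):
            continue
        name, _, params = line[4:].partition(" ")
        if "=" in name:
            # 'AUTH=LOGIN PLAIN': the pre-RFC form broken_sasl_auth_clients adds
            name, _, first = name.partition("=")
            params = (first + " " + params).strip()
        exts[name.upper()] = params
    return exts


def assess(before, after=None):
    """Summarise the manual check: `before` is the EHLO reply on the plain
    connection, `after` the reply sent inside TLS (None if not repeated)."""
    tls_exts = after if after is not None else before
    return {
        "starttls": "STARTTLS" in before,
        "auth": "AUTH" in before or "AUTH" in tls_exts,
        "auth_mechs": tls_exts.get("AUTH", "").split(),
        # AUTH on the plain connection means a client may send its password
        # before STARTTLS; smtpd_tls_auth_only = yes makes this False.
        "cleartext_auth_offered": "AUTH" in before,
    }


def check_server(host="localhost", port=25, cafile=None, timeout=10):
    """Live version of the telnet dialogue: EHLO, STARTTLS, EHLO again.

    The tutorial's smtpd.crt is self-signed with smtpd.key, not issued by
    cacert.pem, so verification is skipped unless a matching cafile is given.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    if cafile is None:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        before = {k.upper(): v for k, v in smtp.esmtp_features.items()}
        after = None
        if smtp.has_extn("starttls"):
            smtp.starttls(context=ctx)
            smtp.ehlo()  # capabilities may differ inside TLS
            after = {k.upper(): v for k, v in smtp.esmtp_features.items()}
    return assess(before, after)


if __name__ == "__main__":
    print(assess(parse_ehlo(SAMPLE_EHLO_REPLY)))
```

With the tutorial's settings, check_server() reports starttls and auth as True and cleartext_auth_offered as True as well; after setting smtpd_tls_auth_only = yes the first EHLO no longer lists AUTH and only the EHLO inside TLS does, which is the state to aim for on a server reachable from untrusted networks.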

Synchronize the System Clock

If you want to have the system clock synchronized with an NTP server, add the following lines to /var/spool/cron/root (if the file does not exist, create it first by running touch /var/spool/cron/root):

# update time with ntp server
0 3,9,15,21 * * * /usr/bin/rdate 128.2.136.71 | logger -t NTP

Then run

chmod 600 /var/spool/cron/root
/etc/init.d/crond restart

Install the 42go ISP-Manager

If you want to install the 42go ISP-Manager on the system you have to do the following steps because the 42go ISP-Manager does not support White Box Linux / Red Hat Enterprise Linux 3.0 out of the box. But because all paths/settings are similar to those on Red Hat 9 (which is supported by the 42go ISP-Manager) you can make the installer of the 42go ISP-Manager believe that the system is running Red Hat 9:

rm -f /etc/redhat-release

Now create a new file /etc/redhat-release with the following contents:

Red Hat Linux release 9 (Shrike)

Now you can install the 42go ISP-Manager on the system as described here: http://www.projektfarm.com/downloads/manual/installation_en.pdf

Links

White Box Linux: http://www.whiteboxlinux.org/

Red Hat: http://www.redhat.com/

42go ISP-Manager: http://www.projektfarm.com/en/