DevHeads.net

Offering STARTTLS in postfix. need help!

Hello everyone,

I hope you all had a wonderful holiday season.

How does one configure an internet facing Postfix SMTP mail relay server,
to offer STARTTLS? I have been googling around and seeing various
different articles and blog entries, but I cannot figure out what is the
quickest and easiest way to do so. I am running postfix on RHEL 7. Any
help is greatly appreciated!

Thanks!!

Sean

Comments

Re: Offering STARTTLS in postfix. need help!

By Philip Paeps at 01/12/2018 - 15:48

On 2018-01-12 15:45:33 (-0500), Sean Son wrote:
I'm surprised Google couldn't find
http://www.postfix.org/TLS_README.html

DuckDuckGo returns it as the first hit for "Postfix TLS".

Philip

RE: Offering STARTTLS in postfix. need help!

By Fazzina, Angelo at 01/12/2018 - 16:00

My RHEL7 install, but it installs Postfix 2.10, and I use an LDAP backend for password storage. Not sure it helps you?
-ALF

RAN vi /etc/postfix/master.cf
submission inet n - n - - smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
smtps inet n - n - - smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
RAN vi /etc/postfix/main.cf
smtpd_relay_restrictions = check_recipient_access hash:/etc/postfix/maps/block_to, permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination

RAN yum install sssd
RAN yum install pamtester
RAN vi /etc/pam.d/smtp
auth sufficient pam_unix_auth.so
auth required pam_ldap.so use_first_pass
account sufficient pam_unix_acct.so
account required pam_ldap.so
comment out the other lines (2)

RAN vi /etc/sssd/sssd.conf
[domain/default]

autofs_provider = ldap
cache_credentials = True
ldap_search_base = ou=people,dc=uconn,dc=edu
krb5_realm = UCONN.EDU
krb5_server = kerberos.uconn.edu
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldaps://ldap.uconn.edu
ldap_id_use_start_tls = False
ldap_tls_cacertdir = /etc/openldap/cacerts
#ldap_tls_cacertdir = /etc/openldap/cacerts
krb5_store_password_if_offline = True
krb5_kpasswd = kadmin.uconn.edu
[sssd]
services = nss, pam, autofs
config_file_version = 2

domains = default
[nss]
homedir_substring = /home

[pam]

[autofs]

RAN chmod 600 /etc/sssd/sssd.conf
RAN yum install nss-pam-ldapd
RAN vi /etc/nslcd.conf
uri ldaps://ldap.uconn.edu
base dc=uconn,dc=edu
binddn <REMOVED>
bindpw <REMOVED>
tls_reqcert never
ssl no
tls_cacertdir /etc/openldap/cacerts
RAN yum install pam_ldap
RAN authconfig-tui
In "User information" pick "use LDAP"
In "Authentication" pick Use LDAP Authentication"
RAN yum install cyrus-sasl
RAN systemctl status saslauthd
RAN systemctl enable saslauthd
RAN systemctl start saslauthd
RAN yum install cyrus-sasl-plain
RAN pamtester smtp zzz00036 authenticate

-ANGELO FAZZINA

UITS Service Manager:
Spam and Virus Prevention
Mass Mailing
G Suite/Gmail

... at uconn dot edu
University of Connecticut,  UITS, SSG, Server Systems
860-486-9075

Re: Offering STARTTLS in postfix. need help!

By Sean Son at 01/12/2018 - 15:55

Hello Philip

Thank you for the response. I did see that documentation but it was too
confusing for me to figure it out. But upon further research I found this:

By default, TLS is disabled in the Postfix SMTP server, so no difference to
plain Postfix is visible. Explicitly switch it on with
"smtpd_tls_security_level = may"
(http://www.postfix.org/postconf.5.html#smtpd_tls_security_level).

Example:

/etc/postfix/main.cf (http://www.postfix.org/postconf.5.html):
smtpd_tls_security_level = may

With this, the Postfix SMTP server announces STARTTLS support to remote
SMTP clients, but does not require that clients use TLS encryption.

I think this is the correct solution? Would this require an SSL cert?

Thanks
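
Both the relay setting quoted above (smtpd_tls_security_level = may on port 25) and the submission/smtps services in Angelo's master.cf earlier in the thread (smtpd_tls_security_level=encrypt, AUTH only over TLS) can be verified from the client side rather than by reading the config. The following is an added example written for this page, not code from the thread or from the Postfix project. The host and port it connects to are assumptions supplied on the command line; the two sample EHLO replies embedded in it are constructed so the parsing and assessment helpers can be exercised offline.

```python
"""Verify what a Postfix SMTP listener offers before and after STARTTLS.

Added example for this thread (not Postfix project code). The parsing and
assessment helpers run offline on the constructed samples below; only
check_listener() talks to a real server, whose host/port are assumptions
supplied by the caller.
"""
import json
import smtplib
import ssl
import sys

# Constructed sample EHLO replies, in the form smtplib.SMTP.ehlo() returns them
# (status code stripped, one line per capability, first line is the server name).
SAMPLE_RELAY_EHLO = b"relay.example.test\nPIPELINING\nSIZE 10240000\nSTARTTLS\n8BITMIME"
SAMPLE_BAD_SUBMISSION_EHLO = b"relay.example.test\nPIPELINING\nAUTH PLAIN LOGIN\n8BITMIME"


def parse_ehlo(ehlo_message: bytes) -> dict:
    """Map each advertised EHLO keyword (upper-cased) to its parameter string."""
    caps = {}
    lines = ehlo_message.decode("ascii", "replace").splitlines()
    for line in lines[1:]:  # lines[0] is the server's greeting, not a capability
        parts = line.strip().split(None, 1)
        if parts:
            caps[parts[0].upper()] = parts[1] if len(parts) > 1 else ""
    return caps


def assess(caps: dict, policy: str) -> list:
    """Return the problems a defender would want flagged, given the policy the
    listener is supposed to enforce: 'may' (port 25 relay, STARTTLS offered)
    or 'encrypt' (submission, TLS mandatory, AUTH only after TLS)."""
    if policy not in ("may", "encrypt"):
        raise ValueError("policy must be 'may' or 'encrypt'")
    problems = []
    if "STARTTLS" not in caps:
        problems.append("STARTTLS not advertised: smtpd_tls_security_level is "
                        "probably still 'none' on this listener")
    if policy == "encrypt" and "AUTH" in caps:
        problems.append("AUTH offered on the plaintext channel: with "
                        "smtpd_tls_security_level=encrypt Postfix only announces "
                        "SASL AUTH after STARTTLS, so this listener is misconfigured")
    return problems


def check_listener(host: str, port: int = 25, policy: str = "may",
                   verify: bool = True, timeout: float = 10.0) -> dict:
    """Connect, inspect the pre-TLS EHLO, upgrade with STARTTLS if offered, and
    inspect the post-TLS EHLO. verify=False skips certificate validation, which
    is what you need for the self-signed certificate the TLS_README quick-start
    produces, but it also means the report says nothing about the chain."""
    report = {"host": host, "port": port, "policy": policy, "problems": []}
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        code, msg = smtp.ehlo()
        if code != 250:
            raise RuntimeError(f"EHLO rejected: {code} {msg!r}")
        caps = parse_ehlo(msg)
        report["before_tls"] = sorted(caps)
        report["problems"].extend(assess(caps, policy))
        if "STARTTLS" in caps:
            ctx = ssl.create_default_context()
            if not verify:
                ctx.check_hostname = False
                ctx.verify_mode = ssl.CERT_NONE
            smtp.starttls(context=ctx)  # raises on handshake or validation failure
            report["tls_version"] = smtp.sock.version()
            cert = smtp.sock.getpeercert()  # empty dict when verification is off
            report["cert_not_after"] = cert.get("notAfter") if cert else None
            code, msg = smtp.ehlo()
            report["after_tls"] = sorted(parse_ehlo(msg))
    return report


if __name__ == "__main__":
    # usage: python starttls_check.py relay.example.test 25 may [--insecure]
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 25
    policy = sys.argv[3] if len(sys.argv) > 3 else "may"
    verify = "--insecure" not in sys.argv
    print(json.dumps(check_listener(host, port, policy, verify=verify), indent=2))
```

Run it once against port 25 with policy "may" and once against port 587 with policy "encrypt". An empty "problems" list on the first means the relay is announcing STARTTLS as the quoted documentation describes; on the second it also confirms that AUTH is withheld until the session is encrypted. Pass --insecure only while a self-signed certificate is in place, since it disables the check that a real client would perform.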

Re: Offering STARTTLS in postfix. need help!

By Viktor Dukhovni at 01/12/2018 - 16:06

Yes, of course. See:

http://www.postfix.org/TLS_README.html#quick-start

and if your Postfix release is older than Postfix 3.1, in particular:

http://www.postfix.org/TLS_README.html#self-signed