DevHeads.net

Offering STARTTLS in postfix. need help!

hello everyone

I hope you all had a wonderful holiday season.

How does one configure an internet facing Postfix SMTP mail relay server,
to offer STARTTLS? I have been googling around and seeing various
different articles and blog entries, but I cannot figure out what is the
quickest and easiest way to do so. I am running postfix on RHEL 7. Any
help is greatly appreciated!

Thanks!!

Sean

Comments

Re: Offering STARTTLS in postfix. need help!

By Philip Paeps at 01/12/2018 - 16:48

On 2018-01-12 15:45:33 (-0500), Sean Son wrote:
I'm surprised Google couldn't find
http://www.postfix.org/TLS_README.html

DuckDuckGo returns it as the first hit for "Postfix TLS".

Philip

RE: Offering STARTTLS in postfix. need help!

By Fazzina, Angelo at 01/12/2018 - 17:00

My RHEL7 install installs Postfix 2.10, and I use an LDAP backend for password storage. Not sure if it helps you?
-ALF

RAN vi /etc/postfix/master.cf
submission inet n - n - - smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
smtps inet n - n - - smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
(the "-o" override lines must be indented, otherwise master.cf treats each as a new service entry)
RAN vi /etc/postfix/main.cf
smtpd_relay_restrictions = check_recipient_access hash:/etc/postfix/maps/block_to, permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination

RAN yum install sssd
RAN yum install pamtester
RAN vi /etc/pam.d/smtp
auth sufficient pam_unix_auth.so
auth required pam_ldap.so use_first_pass
account sufficient pam_unix_acct.so
account required pam_ldap.so
comment out other lines(2)

RAN vi /etc/sssd/sssd.conf
[domain/default]

autofs_provider = ldap
cache_credentials = True
ldap_search_base = ou=people,dc=uconn,dc=edu
krb5_realm = UCONN.EDU
krb5_server = kerberos.uconn.edu
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldaps://ldap.uconn.edu
ldap_id_use_start_tls = False
ldap_tls_cacertdir = /etc/openldap/cacerts
#ldap_tls_cacertdir = /etc/openldap/cacerts
krb5_store_password_if_offline = True
krb5_kpasswd = kadmin.uconn.edu
[sssd]
services = nss, pam, autofs
config_file_version = 2

domains = default
[nss]
homedir_substring = /home

[pam]

[autofs]

RAN chmod 600 /etc/sssd/sssd.conf
RAN yum install nss-pam-ldapd
RAN vi /etc/nslcd.conf
uri ldaps://ldap.uconn.edu
base dc=uconn,dc=edu
binddn <REMOVED>
bindpw <REMOVED>
tls_reqcert never
ssl no
tls_cacertdir /etc/openldap/cacerts
RAN yum install pam_ldap
RAN authconfig-tui
In "User information" pick "use LDAP"
In "Authentication" pick "Use LDAP Authentication"
RAN yum install cyrus-sasl
RAN systemctl status saslauthd
RAN systemctl enable saslauthd
RAN systemctl start saslauthd
RAN yum install cyrus-sasl-plain
RAN pamtester smtp zzz00036 authenticate

-ANGELO FAZZINA

UITS Service Manager:
Spam and Virus Prevention
Mass Mailing
G Suite/Gmail

 ... at uconn dot edu
University of Connecticut,  UITS, SSG, Server Systems
860-486-9075


Re: Offering STARTTLS in postfix. need help!

By Sean Son at 01/12/2018 - 16:55

Hello Philip

Thank you for the response. I did see that documentation but it was too
confusing for me to figure it out. But upon further research I found this:

By default, TLS is disabled in the Postfix SMTP server, so no difference to
plain Postfix is visible. Explicitly switch it on with
"smtpd_tls_security_level = may"
(http://www.postfix.org/postconf.5.html#smtpd_tls_security_level).

Example:

/etc/postfix/main.cf (http://www.postfix.org/postconf.5.html):
    smtpd_tls_security_level = may

With this, the Postfix SMTP server announces STARTTLS support to remote
SMTP clients, but does not require that clients use TLS encryption.

I think this is the correct solution? Would this require an SSL cert?

Thanks

Re: Offering STARTTLS in postfix. need help!

By Viktor Dukhovni at 01/12/2018 - 17:06

Yes, of course. See:

http://www.postfix.org/TLS_README.html#quick-start

and if your Postfix release is older than Postfix 3.1, in particular:

http://www.postfix.org/TLS_README.html#self-signed

Re: Offering STARTTLS in postfix. need help!

By Sean Son at 01/12/2018 - 17:35

On Fri, Jan 12, 2018 at 4:06 PM, Viktor Dukhovni <postfix- ... at dukhovni dot org> wrote:

Thanks

Re: Offering STARTTLS in postfix. need help!

By Sean Son at 01/15/2018 - 23:49

Hello all

Is it possible to use a Wildcard cert with Postfix? Or does it have to be a
cert for an exact FQDN?

Thanks!

On Fri, Jan 12, 2018 at 4:35 PM, Sean Son < ... at gmail dot com>
wrote:

Re: Offering STARTTLS in postfix. need help!

By Benny Pedersen at 01/16/2018 - 00:01

Sean Son wrote on 2018-01-16 04:49:

Both are supported in OpenSSL.

Common practice is imap.example.org and smtp.example.org with a wildcard-signed
cert for *.example.org.

Re: Offering STARTTLS in postfix. need help!

By Viktor Dukhovni at 01/16/2018 - 00:41

The rule is: there are no rules.

TLS in SMTP is largely unauthenticated opportunistic TLS, and the
content of the certificate is ignored by most peers, there just
needs to be a certificate for interoperability reasons, since
many peers don't enable anon-DH ciphersuites.

Thus the certificate name can be anything, but matching the MX hostname
is best. Wildcard certificates are best avoided simply because they are
likely to be misused for multiple services, increasing opportunities for
cross-protocol attacks or creating a single point of failure when cert
rotation is performed across all service instances that share the cert.
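
Two points from this thread, worked as an added example (not code from the thread, from Postfix, or from any poster): the TLS_README quick-start settings Sean quoted (smtpd_tls_security_level plus a cert and key file), and Viktor's advice that the certificate name should match the MX hostname rather than rely on a wildcard. The main.cf fragment, file paths and hostnames are constructed, and the checks run offline against that text.

```python
# Added example (constructed data, not from the thread): offline checks for the
# STARTTLS settings discussed above.
SAMPLE_MAIN_CF = """\
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/pki/tls/certs/mx.example.org.pem
smtpd_tls_key_file = /etc/pki/tls/private/mx.example.org.key
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated,
    defer_unauth_destination
"""

def parse_main_cf(text):
    """Parse main.cf syntax: 'name = value', continuation lines that begin
    with whitespace, '#' comment lines; a later setting overrides an earlier one."""
    params, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t" and current is not None:
            params[current] += " " + line.strip()
            continue
        name, _, value = line.partition("=")
        current = name.strip()
        params[current] = value.strip()
    return params

def starttls_readiness(params):
    """Return (announces_starttls, problems) for the Postfix SMTP server side."""
    level = params.get("smtpd_tls_security_level", "") or "none"
    problems = []
    if level == "none":
        problems.append("smtpd_tls_security_level is none: STARTTLS is not announced")
    elif level == "encrypt":
        # Right for the submission service, wrong for a public MX, which must
        # still accept plaintext from peers that do not do TLS (RFC 3207).
        problems.append("encrypt on a public MX rejects non-TLS senders; use may")
    for key in ("smtpd_tls_cert_file", "smtpd_tls_key_file"):
        if not params.get(key):
            problems.append(key + " is not set")
    return level in ("may", "encrypt"), problems

def cert_name_matches(cert_name, mx_host):
    """Match a certificate DNS name against the MX hostname; a wildcard is honoured
    only in the left-most label ('*.example.org' covers smtp.example.org, not example.org)."""
    cert_name, mx_host = cert_name.lower().rstrip("."), mx_host.lower().rstrip(".")
    if not cert_name.startswith("*."):
        return cert_name == mx_host
    suffix = cert_name[1:]  # ".example.org"
    prefix = mx_host[:-len(suffix)] if mx_host.endswith(suffix) else ""
    return bool(prefix) and "." not in prefix
```

On a live host the same parameters can be read with "postconf -n" instead of parsing the file by hand.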

Re: Offering STARTTLS in postfix. need help!

By Sean Son at 01/16/2018 - 00:32

Thanks Benny!