David Fitch wrote:
O Plameras wrote:
Firstly, I assume you have postfix running as distributed without SASL/TLS.
yes
If so, I suggest that you test each of the major components, SASL and TLS
(or OPENSSL), to ensure that you have them set up correctly before
combining them to work in Postfix. This is the part that's left out by
the HOWTOs on the Net.
sounds a good idea
[snip] I don't have these programs: sasl2-sample-server, sasl2-sample-client
These programs usually come installed with cyrus-sasl2. It is highly recommended you get hold of these programs and test your SASL setup. These two programs will give you confidence that when there is a setup problem it is not due to your SASL setup.
also I'm only trying to setup postfix as a server so mail clients can smtp/relay to it remotely. I don't need postfix to be a client to another server.
These two programs simply ensure that your SASL is installed and functioning correctly. There is no suggestion that your server has to be an SMTP client too. It is just to test that the SASL installation is correct and functioning.
2. After you have generated your CA cert, server cert, and cert key and reconfigured your Postfix with these certificates, run the following tests a. and b. on your Postfix server:
a. openssl s_client -connect localhost:465 -showcerts -state -CAfile /etc/postfix/cacert.pem
assuming 'cacert.pem' is your root certificate filename.
This should return towards the end something like:
........................ <SNIPPED>
Verify return code: 0 (ok)
no, I get:
#openssl s_client -connect localhost:465 -showcerts -state -CAfile /etc/ssl/server.pem
New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
Server public key is 1024 bit
SSL-Session:
Protocol : TLSv1
Cipher : EDH-RSA-DES-CBC3-SHA
Session-ID: 271CBA7DF3D680633B9D6B663667DE61B14DC3EAC5A9E03FDD8A55BB605CCB76
Session-ID-ctx:
Master-Key: 6DF3BE079F1A1DD377FA49EDF1709F1C50ABAE826E6BC78DCF6D1A89F84302E5191B540616E36494EEAD2189FA66B5CA
Key-Arg : None
Start Time: 1115024986
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
The file /etc/ssl/server.pem apparently is not the correct file. That's why you get return code 21.
but hang on, I've got another .pem I created before as well which does work:
#openssl s_client -connect localhost:465 -showcerts -state -CAfile /etc/ssl/demoCA/cacert.pem
New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
Server public key is 1024 bit
SSL-Session:
Protocol : TLSv1
Cipher : EDH-RSA-DES-CBC3-SHA
Session-ID: 8ECB434C370AE7A8E00366A802E53CA2B972FD2081AB561672A9B37E55E04F36
Session-ID-ctx:
Master-Key: 3B97C09319C724CF45891FA48B2D69BC7EA22EBB61DB106E138AE6AF97B789CDD53EA27B32429DC7A5E20D4B040EE33F
Key-Arg : None
Start Time: 1115025345
Timeout : 300 (sec)
Verify return code: 0 (ok)
So, this one above is the correct CA root certificate. But I suggest changing it as I've shown below.
in my postfix main.cf I've got:
# enable authenticated smtp for mail clients
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = noanonymous
#smtpd_sasl_local_domain = $mydomain
broken_sasl_auth_clients = yes
smtpd_use_tls = yes
#smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/ssl/server.pem
smtpd_tls_cert_file = /etc/ssl/server.pem
smtpd_tls_CAfile = /etc/ssl/server.pem
Your test previously has indicated that these files are incorrect. You need to re-point these to the correct files. See down below.
smtpd_tls_loglevel = 2
smtpd_use_pw_server = yes
smtpd_pw_server_security_options = plain, login
smtpd_sasl_authenticated_header = yes
#smtp_sasl_password_maps = yes
smtpd_sasl_path = /etc/postfix/sasl:/usr/lib/sasl2
it now looks apparent the key, cert and CAfile are wrong.
I generated them with the following instructions:
---
# First create a CA key and certificate:
openssl req -new -x509 -keyout ca.key -out ca.crt -days 4096 -nodes
# Now create a server key & certificate request
openssl genrsa -out server.key 1024
openssl req -new -key server.key -out server.csr
# Now make the CA infrastructure:
mkdir -p demoCA/private
cp ca.crt demoCA/cacert.pem
Do not do the above line.
cp ca.key demoCA/private/cakey.pem
Do not do the above line.
mkdir demoCA/newcerts
touch demoCA/index.txt
echo "01" > demoCA/serial
After the above procedure insert these:
openssl req -new -x509 -keyout demoCA/private/cakey.pem -out demoCA/cacert.pem -days 365
# And sign your server certificate
openssl ca -policy policy_anything -in server.csr -out server.crt
# Then combine the server key and server certificate into a single PEM encoded file
cat server.key server.crt > server.pem
Do not do the above. Instead, do a request for a key, as follows:
openssl req -newkey rsa:1024 -nodes -keyout newreq.pem -out newreq.pem -days 365
then sign it, as follows:
openssl ca -policy policy_anything -out newcert.pem -infiles newreq.pem
cp demoCA/cacert.pem /etc/ssl/cacert.pem
cp newreq.pem /etc/ssl/serverkey.pem
cp newcert.pem /etc/ssl/servercrt.pem
Now, in your main.cf file:
..........
smtpd_tls_key_file = /etc/ssl/serverkey.pem
smtpd_tls_cert_file = /etc/ssl/servercrt.pem
smtpd_tls_CAfile = /etc/ssl/cacert.pem
..........
---
is that the recommended way to do it?
No, this is not the recommended way. In fact it is discouraged. With this method, you reveal your secrets; hardly any security at all.
O Plameras
-- SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
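The check the thread is doing by hand, as an added example that is not part of the list discussion: build a throwaway CA and server certificate with key, certificate and CA in separate files, then validate the server certificate against the correct CA file and against the key+cert bundle the original main.cf pointed at, using `openssl verify` instead of a live `s_client` session. The working directory, file names and subject names are constructed for the example, and `openssl x509 -req` stands in for the thread's `openssl ca` signing step.

```shell
#!/bin/sh
# Added example (not code from the thread): a throwaway CA plus server
# certificate kept in separate files, then a chain check against the right
# CA file and against the wrong one (the key+cert bundle from main.cf).
set -eu

WORK=$(mktemp -d)               # scratch directory, nothing touches /etc/ssl
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# 1. CA key plus self-signed CA certificate (the role of /etc/ssl/cacert.pem)
openssl req -new -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Example Test CA" -keyout cakey.pem -out cacert.pem 2>/dev/null

# 2. Server key plus certificate request (the role of newreq.pem)
openssl req -new -newkey rsa:2048 -nodes \
    -subj "/CN=mail.example.test" -keyout serverkey.pem -out newreq.pem 2>/dev/null

# 3. Sign the request with the CA; "openssl x509 -req" stands in for the
#    "openssl ca" step so no demoCA/ index or serial file is needed
openssl x509 -req -days 365 -in newreq.pem -CA cacert.pem -CAkey cakey.pem \
    -CAcreateserial -out servercrt.pem 2>/dev/null

# 4. The file the original main.cf used for key, cert AND CAfile: private key
#    and server certificate concatenated, with no CA certificate in it
cat serverkey.pem servercrt.pem > server.pem

# verify_code CAFILE CERT
# Prints 0 when CERT chains to a CA in CAFILE, otherwise the X509 error number
# taken from openssl's "error N at D depth lookup: ..." line.
verify_code() {
    if out=$(openssl verify -CAfile "$1" "$2" 2>&1); then
        echo 0
    else
        printf '%s\n' "$out" \
            | sed -n 's/.*error \([0-9][0-9]*\) at [0-9][0-9]* depth lookup.*/\1/p' \
            | head -n 1
    fi
}

echo "servercrt.pem against cacert.pem: $(verify_code cacert.pem servercrt.pem)"   # 0
echo "servercrt.pem against server.pem: $(verify_code server.pem servercrt.pem)"   # 20
```

`openssl verify` stops at the first failure, so the wrong CA file gives error 20 (no local issuer certificate); `s_client` keeps going after that error and reports the last one it hit, 21 (unable to verify the first certificate), which is the code in the thread.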