On Sun, Sep 28, 2008, Erik de Castro Lopo wrote:
> How do I set up each end so only my authorized hosts can relay
> through my main server. Postfix seems to have TLS and SASL, but
> from my reading so far I can't really tell it these are a solution
> to my problem.

They're both a possible solution. The postconf(5) variables you're looking
for are permit_tls_clientcerts and/or permit_sasl_authenticated.

This is the basic idea:

  smtpd_recipient_restrictions=
    # permit mail from the machine itself and any other network or IP
    # you've configured through mynetworks
    permit_mynetworks,
    # possibly
    # permit_mx_backup,
    permit_tls_clientcerts,
    permit_sasl_authenticated,
    # reject anything else not for a domain that Postfix knows about
    # as either local or as an MX
    reject_unauth_destination

You probably want to get this to happen on submission, 587, rather than 25, so
you can require that TLS be used. (You'd want that for SASL too, so that the
password is never sent in the clear.) This is done in /etc/postfix/master.cf on
the server:

  submission inet n   -   n   -   -   smtpd
    # ETRN is not supposed to happen on the submission port per standards
    -o smtpd_etrn_restrictions=reject
    -o smtpd_enforce_tls=yes
    # if you want to use SASL
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_client_restrictions=permit_mynetworks,permit_tls_clientcerts,permit_sasl_authenticated,reject
    -o smtpd_sender_restrictions=permit_mynetworks,permit_tls_clientcerts,permit_sasl_authenticated,reject
    -o smtpd_recipient_restrictions=permit_mynetworks,permit_tls_clientcerts,permit_sasl_authenticated,reject
    # I don't do virus filtering on mail coming in on this port, unlike for
    # port 25 mail; depends on how much you trust your users!
    -o content_filter=

Since outside mail destined to end up at that server ought to come in on 25, I
just have a flat out reject rather than reject_unauth_destination.
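An added example, not code from Mary's post: a small checker that parses a main.cf-style restriction list the way postconf(5) describes (continuation lines, comment lines inside the value) and flags lists that would let unauthenticated clients relay. It judges the list on its own, so it assumes no separate smtpd_relay_restrictions gate (a parameter added in later Postfix releases); the configuration text in it is constructed for the example.

```python
"""Added example (not from the post): parse a main.cf-style restriction list
the way postconf(5) describes and flag lists that would let unauthenticated
clients relay. All configuration text below is constructed for this example."""
import re

# Restrictions that give every remaining client a final answer. Postfix's
# implicit default at the end of a restriction list is "permit", so a list
# that does not end in one of these lets unmatched clients through.
TERMINAL = {"reject", "reject_unauth_destination",
            "defer", "defer_unauth_destination"}


def parse_main_cf(text: str) -> dict:
    """Parse 'name = value' lines: a line starting with whitespace continues the
    previous logical line, and lines whose first non-blank character is '#'
    are ignored even when they sit inside a multi-line value."""
    params, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace():
            if current is None:
                raise ValueError(f"continuation without a parameter: {line!r}")
            params[current] += " " + line.strip()
            continue
        name, _, value = line.partition("=")
        current = name.strip()
        params[current] = value.strip()
    return params


def restriction_list(value: str) -> list:
    """Split a restriction value on commas and/or whitespace, as Postfix does."""
    return [r for r in re.split(r"[\s,]+", value) if r]


def check_relay_policy(params: dict,
                       name: str = "smtpd_recipient_restrictions") -> list:
    """Return findings for the named restriction list; empty means it looks
    safe. Judges the list on its own (assumes no separate relay gate)."""
    findings = []
    rules = restriction_list(params.get(name, ""))
    if not rules:
        return [f"{name} is unset or empty"]
    if rules[-1] not in TERMINAL:
        findings.append(f"{name} ends with {rules[-1]!r}: "
                        "unmatched clients fall through to the default permit")
    if "permit_tls_clientcerts" in rules and not params.get("relay_clientcerts"):
        findings.append("permit_tls_clientcerts listed but relay_clientcerts "
                        "is empty: no client certificate can ever match")
    if ("permit_sasl_authenticated" in rules
            and params.get("smtpd_enforce_tls", "no") != "yes"):
        findings.append("permit_sasl_authenticated without smtpd_enforce_tls=yes: "
                        "SASL credentials may travel in the clear")
    return findings


# Constructed sample in the shape of the post's submission-port setup.
SAFE_CF = """\
relay_clientcerts = hash:/etc/postfix/tls/relay_certs
smtpd_enforce_tls = yes
smtpd_recipient_restrictions=
    # permit mail from the machine itself and mynetworks
    permit_mynetworks,
    permit_tls_clientcerts,
    permit_sasl_authenticated,
    # reject anything else
    reject
"""

# Constructed sample with the classic mistake: no terminal reject.
LEAKY_CF = """\
smtpd_enforce_tls = yes
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated
"""

if __name__ == "__main__":
    for label, cf in (("safe", SAFE_CF), ("leaky", LEAKY_CF)):
        print(label, check_relay_policy(parse_main_cf(cf)) or "ok")
```

The "leaky" sample is the shape to watch for: because the list ends in a permit, anyone who does not match falls through to Postfix's default permit. Postfix itself refuses to start smtpd when smtpd_recipient_restrictions has no reject/defer-style rule at all, but it cannot tell that a reject placed before a trailing permit has been made useless, which is what this check covers.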

I use TLS rather than SASL (because it means that I don't have to put a
password on the client side, but rather a certificate that I don't happen to
use for anything else except authenticating to mail servers, and you're going
to have to set up TLS anyway to encrypt the SASL).

On the server side this means adding to master.cf:

  relay_clientcerts = hash:/etc/postfix/tls/relay_certs
  # it uses MD5 by default
  smtpd_tls_fingerprint_digest = sha1

and then having /etc/postfix/tls/relay_certs something like this:

  AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA myclientname

(Where AA:... is the SHA1 fingerprint of the client's SSL cert.) Then run
"postmap /etc/postfix/tls/relay_certs" to update it with new clients or new
certificates.
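An added example, not code from the post: computing a client certificate fingerprint in the form the relay_clientcerts map expects, and checking the map's source file against smtpd_tls_fingerprint_digest before running postmap on it. The "certificate" bytes and the map text are constructed for the example (the fingerprint is just the digest of the DER bytes, so a placeholder byte string demonstrates the formatting without a real X.509 certificate); the digest-length table covers only the digests named in it.

```python
"""Added example (not from the post): compute a client certificate fingerprint
in the form the relay_clientcerts map expects, and check the map's source file
against smtpd_tls_fingerprint_digest before running postmap on it. The DER
bytes and map text below are constructed; no real certificate is involved."""
import base64
import hashlib
import re
import ssl

# Octet lengths of the digests commonly set in smtpd_tls_fingerprint_digest.
DIGEST_OCTETS = {"md5": 16, "sha1": 20, "sha256": 32}
HEX_PAIRS = re.compile(r"^[0-9A-F]{2}(?::[0-9A-F]{2})*$")


def cert_fingerprint(pem: str, digest: str = "sha1") -> str:
    """Fingerprint = digest over the DER encoding, printed as upper-case
    colon-separated octets (the same value `openssl x509 -fingerprint` shows)."""
    der = ssl.PEM_cert_to_DER_cert(pem)  # strip PEM armour, base64-decode
    hexdigest = hashlib.new(digest, der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def parse_relay_certs(text: str) -> dict:
    """Parse the source file behind hash:/etc/postfix/tls/relay_certs:
    '<fingerprint> <label>' per line, '#' lines ignored."""
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected '<fingerprint> <label>'")
        entries[parts[0].upper()] = parts[1]
    return entries


def check_relay_certs(entries: dict, digest: str) -> list:
    """Report fingerprints that can never match: wrong digest length (e.g. an
    MD5 value left in the map after switching the server to sha1) or
    malformed text. Postfix does not error out on such an entry; the client
    is simply refused relay, so catch it here."""
    want = DIGEST_OCTETS[digest]
    problems = []
    for fp, label in entries.items():
        if not HEX_PAIRS.match(fp):
            problems.append(f"{label}: malformed fingerprint {fp!r}")
        elif fp.count(":") + 1 != want:
            problems.append(f"{label}: {fp.count(':') + 1}-octet fingerprint, "
                            f"but {digest} fingerprints have {want}")
    return problems


# Constructed stand-in for a certificate: the fingerprint only depends on the
# DER bytes, so any byte string demonstrates the formatting.
SAMPLE_DER = b"constructed placeholder, not a real X.509 certificate"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode("ascii")
              + "-----END CERTIFICATE-----\n")

# Constructed map: one sha1 entry built from the sample above, one stale md5 entry.
SAMPLE_MAP = (
    "# fingerprint                                                label\n"
    f"{cert_fingerprint(SAMPLE_PEM, 'sha1')} myclientname\n"
    f"{cert_fingerprint(SAMPLE_PEM, 'md5')} oldlaptop\n"
)

if __name__ == "__main__":
    entries = parse_relay_certs(SAMPLE_MAP)
    for problem in check_relay_certs(entries, "sha1"):
        print("relay_certs:", problem)
```

Running the check with the digest actually set on the server (sha1 here) before `postmap` is the cheap way to notice a stale 16-octet MD5 entry left over from the default, which otherwise shows up only as a client that is mysteriously refused relay.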

On the client side this looks like:

  relayhost = myserver.example.com:submission

On both client and server you want this in /etc/postfix/main.cf to tell it 
where your keys and certificates are:

  smtp_use_tls = yes
  smtpd_tls_ask_ccert = yes
  
  smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
  smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
  
  smtpd_tls_key_file = /etc/postfix/tls/key.pem
  smtpd_tls_cert_file = /etc/postfix/tls/cert.pem
  smtpd_tls_CAfile = /etc/postfix/tls/cacert.pem
  smtp_tls_key_file = /etc/postfix/tls/key.pem
  smtp_tls_cert_file = /etc/postfix/tls/cert.pem
  smtp_tls_CAfile = /etc/postfix/tls/cacert.pem

-Mary
-- 
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html