Sunday, January 5, 2014

How to set up a secure mail server on Debian Squeeze

Setting up email services on Debian 6 (Squeeze) using Postfix (TLS+SASL) and Dovecot:


Concept:

Aren't TLS and SSL different encryption mechanisms?

If you set up an email program you will often see separate options for “no encryption”, “SSL” or “TLS” encryption of your transmission. This leads one to assume that TLS and SSL are different things.

In truth, this labelling is a misnomer. You are not actually selecting which protocol version to use (SSL v3 or TLS v1.x) when making this choice; the version and cipher are negotiated during the handshake. You are merely selecting between options that dictate how the secure connection will be initiated.

No matter which option you choose, “TLS” or “SSL”, the same protection is obtained when talking to the server, and that level is determined by the software installed on the server, how it is configured, and what your program supports. If the SSL-vs-TLS choice is not one of security, what is it?

There are two distinct ways that a program can initiate a secure connection with a server:

By Port:

Connecting to a specific port means that a secure connection is used from the first byte. For example, port 443 for HTTPS (secure web), 993 for IMAPS, 995 for POP3S and 465 for SMTPS. These ports are set up on the server to negotiate the TLS handshake first and do whatever else you want second (Postfix calls this TLS wrapper mode; mail clients usually label it “SSL”).

By Protocol:

These connections begin with an unencrypted “hello” to the server and only then switch to encrypted communication, after the TLS handshake between client and server succeeds. If the handshake fails for any reason, the connection is severed. A good example is the STARTTLS command used on SMTP (ports 25 and 587), and likewise on IMAP (143) and POP3 (110). The catch is that the STARTTLS offer itself travels in the clear: a client that is not configured to require it will silently stay in plaintext if someone on the path strips the STARTTLS line from the server's reply, so a client should treat “no STARTTLS offered” as a failure, not as permission to continue.


About the secure mail server:


Nowadays Postfix and Dovecot are the most popular and widely used mail server packages. Postfix is the MTA that sends and receives mail, and Dovecot serves the mailboxes to clients over POP3 and IMAP. By default Postfix listens on port 25 and Dovecot on 110 (POP3) and 143 (IMAP), all of which are plain text (not encrypted). With threats spreading widely, one problem when you administer a network is securing data that is sent between applications across an untrusted network.

You can use TLS/SSL to authenticate servers and clients and then use it to encrypt messages between the authenticated parties.

Here is a guide to getting email services running on Debian Squeeze. I used Postfix for the core services (SMTP with TLS and SASL) and Dovecot for fast and secure IMAP and POP3. Both packages will also listen on the dedicated TLS ports:
    Postfix SMTPS on port 465
    Dovecot POP3S on port 995 (and IMAPS on 993)


Prerequisite checklist:


Check that your host record is OK:
-----------------------------------------------
    # vim /etc/hosts

=====================================================
127.0.0.1       localhost
127.0.1.1       mx.mithu.com    mx
172.16.0.7      mx.mithu.com    mx

# The following lines are desirable for IPv6 capable hosts
::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
====================================================


Check that your Debian Squeeze sources list is OK:
--------------------------------------------------------

              # vim /etc/apt/sources.list
===========================================================
deb http://ftp.debian.org/debian/ squeeze main
deb-src http://ftp.debian.org/debian/ squeeze main

deb http://security.debian.org/ squeeze/updates main
deb-src http://security.debian.org/ squeeze/updates main
===========================================================



Don't forget to update and upgrade:
-----------------------------------------
    # apt-get update
    # apt-get upgrade

Installation and Configuration:


For SSL and SASL support on Debian Squeeze:
============================
    # apt-get install openssl ssl-cert sasl2-bin libsasl2-2 libsasl2-modules


Next, let's take care of the certificates for TLS. You will be asked several questions during this process; fill them in as you see fit, but give the server certificate a Common Name equal to the hostname clients connect to (mx.mithu.com here), otherwise mail clients will warn that the name does not match. First create a private CA, then a 2048-bit server key and certificate request, and sign the request with the CA. Signing with the CA is what makes smtpd_tls_CAfile meaningful and lets you install cacert.pem once in your clients; a certificate that merely signs itself has nothing to do with cacert.pem. The CA key may have a passphrase, but smtpd.key must not, because Postfix cannot prompt for one. You can confirm the result chains correctly with openssl's verify command (-CAfile cacert.pem) before pointing Postfix at it.


    # mkdir /etc/postfix/ssl
    # cd /etc/postfix/ssl/
    # openssl req -new -x509 -newkey rsa:2048 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650
    # chmod 600 cakey.pem
    # openssl genrsa -out smtpd.key 2048
    # chmod 600 smtpd.key
    # openssl req -new -key smtpd.key -out smtpd.csr
    # openssl x509 -req -days 3650 -in smtpd.csr -CA cacert.pem -CAkey cakey.pem -CAcreateserial -out smtpd.crt


SASL Config:


Authentication will be done by saslauthd, which needs to be configured to work with Debian's chrooted Postfix: smtpd runs inside /var/spool/postfix, so the saslauthd socket must be created under that tree or Postfix will never find it. Edit /etc/default/saslauthd and add or change the following settings so that they match:

    # vim /etc/default/saslauthd


====================================================

START=yes
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"

====================================================


Finish up SASL by creating the socket directory inside the chroot, adding the postfix user to the sasl group (so smtpd may connect to the socket)
and then starting saslauthd.


    # mkdir -p /var/spool/postfix/var/run/saslauthd
    # dpkg-statoverride --add root sasl 710 /var/spool/postfix/var/run/saslauthd
    # adduser postfix sasl

and finally (re)start saslauthd:

    # /etc/init.d/saslauthd restart

You can check this part on its own with testsaslauthd (from sasl2-bin), passing a system user's credentials and -f /var/spool/postfix/var/run/saslauthd/mux; Debian's saslauthd uses PAM by default, so any local account should answer "OK".




Installing and configuring Postfix for TLS and SASL:

    # apt-get install postfix

Edit main.cf as follows (change the domain name and networks to fit your organisation; every network listed in mynetworks may relay mail without a password, so list only hosts you trust):


    # vim /etc/postfix/main.cf

=====================================================================

# TLS parameters
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
# offer STARTTLS to everyone ("may", not "encrypt": other MTAs do not know our CA)
smtpd_tls_security_level = may
# advertise AUTH only after TLS; PLAIN and LOGIN would otherwise expose passwords
smtpd_tls_auth_only = yes
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_tls_session_cache_timeout = 3600s
# outbound mail: use TLS whenever the remote server offers it
smtp_tls_security_level = may
smtp_tls_note_starttls_offer = yes
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
tls_random_source = dev:/dev/urandom

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

# SASL parameters
smtpd_sasl_type = cyrus
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain =
broken_sasl_auth_clients = yes

# Relay policy: authenticated clients and mynetworks may relay anywhere,
# everybody else only to the domains in mydestination
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination

myhostname = mx.mithu.com
myorigin = /etc/mailname
mydestination = mx.mithu.com, mx, localhost.mithu.com, localhost
relayhost =
# every host in these networks relays without a password; trim to what you trust
mynetworks = 127.0.0.0/8 10.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
# alias_maps and alias_database must name the same file (Debian: /etc/aliases)
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
# local_recipient_maps is deliberately left at its default: setting it to an
# empty value makes Postfix accept mail for users that do not exist and bounce
# it later (backscatter). Lookup tables such as transport_maps are only added
# once the table file has been created with postmap.
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
html_directory = /usr/share/doc/postfix/html
mailbox_command =
=====================================================================
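A check for the relay and authentication settings in main.cf, as an added example (not from the original post): a small Python audit of a postconf -n listing that flags cleartext AUTH, an open relay through mynetworks, and an empty local_recipient_maps. The two listings inside it are constructed (one with the weak values, one corrected); parse_postconf() and audit() are names chosen here, not Postfix tools.

```python
"""Audit a Postfix main.cf / 'postconf -n' listing for the relay and
cleartext-AUTH settings discussed above.

Added example, not from the original post. It reads the 'name = value'
format Postfix uses (comments and indented continuation lines included)
and reports the combinations that turn a "secure" mail server into an
open relay or a password leak. The two listings at the bottom are
constructed: WEAK_CF carries the dangerous values, HARDENED_CF the
corrected ones.
"""
import ipaddress
import re

PARAM_RE = re.compile(r"^\s*([A-Za-z0-9_]+)\s*=\s*(.*?)\s*$")
RELAY_STOPS = ("reject_unauth_destination", "defer_unauth_destination", "reject")


def parse_postconf(text):
    """Parse main.cf-style text into {name: value}.

    Like Postfix, a line starting with whitespace continues the previous
    parameter's value, and '#' lines are comments. An empty value
    (e.g. 'local_recipient_maps =') is kept as '' so it can be flagged.
    """
    params, last = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and last is not None:
            params[last] = (params[last] + " " + raw.strip()).strip()
            continue
        m = PARAM_RE.match(raw)
        if m:
            last = m.group(1)
            params[last] = m.group(2)
    return params


def _words(value):
    return [w for w in re.split(r"[,\s]+", value) if w]


def audit(params):
    """Return a list of (severity, message) findings; empty when clean."""
    get = params.get
    findings = []

    # 1. SASL on, but AUTH allowed before TLS: LOGIN/PLAIN carry the
    #    password as-is, so it crosses the wire in clear.
    if get("smtpd_sasl_auth_enable") == "yes" and get("smtpd_tls_auth_only") != "yes":
        findings.append(("high", "smtpd_tls_auth_only is not 'yes': "
                                 "AUTH is offered on unencrypted connections"))

    # 2. The relay policy must contain reject_unauth_destination (or reject).
    policy = get("smtpd_relay_restrictions") or get("smtpd_recipient_restrictions", "")
    restr = _words(policy)
    if not any(r in RELAY_STOPS for r in restr):
        findings.append(("high", "relay policy has no reject_unauth_destination: open relay"))

    # 3. permit_mynetworks lets every address in mynetworks relay with no
    #    password, so the list must not contain 'everyone' or public ranges.
    if "permit_mynetworks" in restr:
        for net in _words(get("mynetworks", "")):
            try:
                n = ipaddress.ip_network(net.replace("[", "").replace("]", ""), strict=False)
            except ValueError:
                findings.append(("info", "mynetworks entry %r is not a CIDR block (table/hostname?)" % net))
                continue
            if n.prefixlen == 0:
                findings.append(("high", "mynetworks %s trusts every host on the Internet: open relay" % net))
            elif n.version == 4 and not (n.is_private or n.is_loopback):
                findings.append(("medium", "mynetworks %s is a public range; all of it may relay unauthenticated" % net))

    # 4. An explicitly empty local_recipient_maps accepts mail for users that
    #    do not exist and bounces it later (backscatter).
    if "local_recipient_maps" in params and params["local_recipient_maps"] == "":
        findings.append(("medium", "local_recipient_maps is empty: mail for unknown users is accepted, then bounced"))

    return findings


# Constructed listings, modelled on the values used in this post.
WEAK_CF = """\
myhostname = mx.mithu.com
smtpd_sasl_auth_enable = yes
smtpd_tls_auth_only = no
# everyone may relay: 0.0.0.0/0 is the whole Internet
mynetworks = 0.0.0.0/0 [::1]/128
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,
    reject_unauth_destination
local_recipient_maps =
"""

HARDENED_CF = """\
myhostname = mx.mithu.com
smtpd_sasl_auth_enable = yes
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
mynetworks = 127.0.0.0/8 10.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
smtpd_recipient_restrictions = permit_sasl_authenticated,
    permit_mynetworks, reject_unauth_destination
"""

if __name__ == "__main__":
    for name, cf in (("weak", WEAK_CF), ("hardened", HARDENED_CF)):
        print(name, audit(parse_postconf(cf)) or "no findings")
```

To audit a live server, pass the output of postconf -n to parse_postconf() and review the findings. The reject_unauth_destination check is the line Postfix documentation requires in every relay policy; the other three are choices this post's configuration leaves to you, and each of them is a classic way a "secure" mail server ends up on a blocklist.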

Now edit master.cf. Keep the smtp service on port 25 enabled (other mail servers deliver to you there and use STARTTLS) and add an smtps service on port 465 in TLS wrapper mode. Without -o smtpd_tls_wrappermode=yes the "smtps" entry is just a second plaintext listener, which is not what clients configured for "SSL on port 465" expect:

====================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ===================================================================
smtp      inet  n       -       -       -       -       smtpd
submission inet n       -       -       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
smtps     inet  n       -       -       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject

===================================================================


Now create the SASL configuration for the smtpd process. On Debian, Postfix looks for it in /etc/postfix/sasl/smtpd.conf (other distributions use /usr/lib/sasl2/smtpd.conf):
================================================================
    # vim /etc/postfix/sasl/smtpd.conf

============================

pwcheck_method: saslauthd
mech_list: plain login

============================

Both PLAIN and LOGIN carry the password as-is, which is why smtpd_tls_auth_only must be yes in main.cf, so that AUTH is only offered inside TLS. Restart Postfix (/etc/init.d/postfix restart) to load the new settings.

Important:


Using port 587 for secure submission
===========================

If you want clients to submit mail on port 587 rather than 25 (many ISPs block port 25 for end users), make sure the submission service in /etc/postfix/master.cf is uncommented together with its -o options, so that STARTTLS is mandatory there:

----------------------------------------------------------------------
|    submission inet n      -       -       -       -       smtpd     |
|      -o smtpd_tls_security_level=encrypt                             |
|      -o smtpd_sasl_auth_enable=yes                                   |
|      -o smtpd_client_restrictions=permit_sasl_authenticated,reject   |
----------------------------------------------------------------------

Unlike 465, port 587 starts in plain text and upgrades with STARTTLS; smtpd_tls_security_level=encrypt refuses to go on without it.


Testing:

At this point, core email services should be up and running. Let's make sure you are in good shape before moving on. Check both listeners: port 25 with telnet (STARTTLS is negotiated inside the session, so the banner is plain text) and port 465 with openssl s_client (the TLS handshake happens first, so a plain telnet gets no banner there).

===========================================
root@mx:/# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 mx.mithu.com ESMTP Postfix (Debian/GNU)
ehlo mithu
250-mx.mithu.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
quit
============================================

The important line here is 250-STARTTLS. With smtpd_tls_auth_only = yes there must be no AUTH line in this reply: if you see 250-AUTH LOGIN PLAIN before STARTTLS, clients are able to send passwords in the clear.

Now the wrapped port. Passing your own CA makes s_client verify the server certificate, so a verification error here means the certificate and CA do not match:

===========================================
root@mx:/# openssl s_client -connect localhost:465 -CAfile /etc/postfix/ssl/cacert.pem -quiet
220 mx.mithu.com ESMTP Postfix (Debian/GNU)
ehlo mithu
250-mx.mithu.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
quit
============================================

If you see the following lines among others, authentication over TLS is working. STARTTLS is absent on 465 by design: the session is already encrypted. Type quit to exit.

=====================
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250 DSN
====================
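The two ways of initiating TLS from the Concept section, and the checks from this Testing section, as an added example (not code from the original post): a small Python client-side check that parses an EHLO reply and decides whether it is safe to authenticate. The sample replies are constructed to match the transcripts above; the host, port and CA file handed to live_check() are assumptions, and only that function talks to a real server.

```python
"""EHLO capability parsing and the client-side TLS decision.

Added example, not part of the original post. It shows the two ways of
starting TLS described in the Concept section from the client's side and
gives a check for the Testing section: on the implicit-TLS port (465) the
socket is encrypted before any SMTP is spoken, so AUTH may be used at once;
on 25/587 the client must see STARTTLS in the EHLO reply and upgrade first.
A reply without STARTTLS is a failure, never permission to send the
password in clear. The EHLO replies below are constructed; host, port and
CA file given to live_check() are assumptions.
"""
import smtplib
import ssl

IMPLICIT_TLS_PORTS = {465}


def parse_ehlo(reply):
    """Parse a raw multi-line EHLO reply into {KEYWORD: set(params)}.

    The first line ("250-mx.example.com") names the server, not a
    capability. "AUTH=LOGIN PLAIN" (the legacy form Postfix sends when
    broken_sasl_auth_clients = yes) is folded into AUTH. Any line that is
    not a 250 reply raises ValueError.
    """
    caps = {}
    lines = [l for l in reply.splitlines() if l.strip()]
    for i, line in enumerate(lines):
        if not line.startswith("250") or len(line) < 4 or line[3] not in "- ":
            raise ValueError("not an EHLO success reply: %r" % line)
        if i == 0:
            continue
        parts = line[4:].split()
        if not parts:
            continue
        key, params = parts[0].upper(), parts[1:]
        if key.startswith("AUTH="):
            key, params = "AUTH", [key[5:]] + params
        caps.setdefault(key, set()).update(params)
    return caps


def choose_auth_path(port, caps):
    """What a client must do before sending credentials.

    'auth-now'  the socket is already TLS (implicit-TLS port)
    'starttls'  issue STARTTLS, then EHLO again and authenticate
    'abort'     no TLS available: hang up rather than AUTH in clear
    """
    if port in IMPLICIT_TLS_PORTS:
        return "auth-now"
    if "STARTTLS" in caps:
        return "starttls"
    return "abort"


def plaintext_auth_exposed(port, caps):
    """True if the server advertises AUTH on a not-yet-encrypted channel.

    That is exactly what smtpd_tls_auth_only = yes prevents: on 25/587 the
    AUTH line should appear only in the EHLO reply sent after STARTTLS.
    """
    return port not in IMPLICIT_TLS_PORTS and "AUTH" in caps


def live_check(host, port, cafile):
    """Apply the decision logic to a real server (needs network access)."""
    ctx = ssl.create_default_context(cafile=cafile)  # trust our own CA cert
    if port in IMPLICIT_TLS_PORTS:
        conn = smtplib.SMTP_SSL(host, port, context=ctx)
    else:
        conn = smtplib.SMTP(host, port)
    conn.ehlo()
    # smtplib keeps features lower-cased: {'starttls': '', 'auth': 'LOGIN PLAIN'}
    caps = {k.upper(): set(v.split()) for k, v in conn.esmtp_features.items()}
    exposed = plaintext_auth_exposed(port, caps)
    decision = choose_auth_path(port, caps)
    if decision == "starttls":
        conn.starttls(context=ctx)   # certificate is verified against cafile
        conn.ehlo()                  # capabilities change after TLS (AUTH appears)
    conn.quit()
    if decision == "abort":
        raise RuntimeError("port %d offers no TLS; refusing to authenticate" % port)
    return decision, exposed


# Constructed sample replies. EHLO_PORT25_OK mirrors the port-25 transcript
# above; EHLO_PORT25_NOTLS is what a client sees when an on-path attacker
# strips STARTTLS; EHLO_PORT25_CLEARAUTH is a server with
# smtpd_tls_auth_only = no; EHLO_PORT465 is the same bytes received inside TLS.
EHLO_PORT25_OK = ("250-mx.mithu.com\r\n250-PIPELINING\r\n250-SIZE 10240000\r\n"
                  "250-VRFY\r\n250-ETRN\r\n250-STARTTLS\r\n"
                  "250-ENHANCEDSTATUSCODES\r\n250-8BITMIME\r\n250 DSN\r\n")
EHLO_PORT25_NOTLS = "250-mx.mithu.com\r\n250-PIPELINING\r\n250 8BITMIME\r\n"
EHLO_PORT25_CLEARAUTH = ("250-mx.mithu.com\r\n250-PIPELINING\r\n"
                         "250-AUTH LOGIN PLAIN\r\n250-AUTH=LOGIN PLAIN\r\n"
                         "250 8BITMIME\r\n")
EHLO_PORT465 = EHLO_PORT25_CLEARAUTH

if __name__ == "__main__":
    samples = ((25, EHLO_PORT25_OK), (25, EHLO_PORT25_NOTLS),
               (25, EHLO_PORT25_CLEARAUTH), (465, EHLO_PORT465))
    for port, reply in samples:
        caps = parse_ehlo(reply)
        print(port, choose_auth_path(port, caps),
              "cleartext AUTH exposed:", plaintext_auth_exposed(port, caps))
```

Run it with python3 to see the decision for each constructed reply; from a client machine, live_check("mx.mithu.com", 25, "/etc/postfix/ssl/cacert.pem") exercises the real server. The design point is that a missing STARTTLS on 25/587 yields "abort": a client that falls back to plaintext there is exactly what a STARTTLS-stripping attacker relies on, and a server that answers with AUTH before TLS is the smtpd_tls_auth_only = no mistake the main.cf section warns about.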


Installing and configuring Dovecot:

    # apt-get install dovecot-imapd dovecot-pop3d

Now we configure Dovecot (uncomment the following lines and change their values):

    # vim /etc/dovecot/dovecot.conf


============================================
protocols = imap imaps pop3 pop3s
# verbose authentication logging; turn it off again once the setup works
auth_debug = yes
mail_location = mbox:~/mail:INBOX=/var/mail/%u
# never accept a password over an unencrypted connection
disable_plaintext_auth = yes
pop3_uidl_format = %08Xu%08Xv
============================================

Dovecot's IMAPS (993) and POP3S (995) listeners use the certificate named by ssl_cert_file and ssl_key_file; Debian's package generates a self-signed one at install time. To present the same identity as Postfix, point those two settings at /etc/postfix/ssl/smtpd.crt and smtpd.key. Restart Dovecot afterwards (/etc/init.d/dovecot restart).

~~~~~~
N.B.
~~~~~~

Configure Dovecot for the mailbox format you use. The mbox setting above needs nothing extra in main.cf; do the following steps ONLY if you want Maildir. This setup puts the Maildir in each user's home directory, and Postfix (as the MTA delivering locally) must be told the same location.

If you are using Postfix as your MTA, add the following line to your /etc/postfix/main.cf file:


    # vim /etc/postfix/main.cf
---------------------------
home_mailbox = Maildir/
---------------------------

and in /etc/dovecot/dovecot.conf replace the mail_location line with:

---------------------------
mail_location = maildir:~/Maildir
---------------------------

Great job! We are done. Let's check it with Outlook Express.


While configuring Outlook Express, keep in mind:

    Go to the Advanced tab of the account's properties.
        >> Server Port Numbers
            ~ Outgoing mail (SMTP): 465
            ~ Incoming mail (POP3): 995
            ~ Tick [v] "This server requires a secure connection (SSL)" under both

Because the server certificate was signed by your own CA, the client will warn about an untrusted issuer until cacert.pem is imported into its trusted root store; import it rather than teaching users to click through the warning.

1 comment:

  1. Brother, assalamu alaikum, I want to become like you.
    Brother, what I actually mean is: if you could post a video on how MikroTik's expired bandwidth can be pushed to YouTube and Facebook, I would be very happy ^_^