Difference between revisions of "Postfix cert based relay"
(Created page with "In order to securely allow roaming smtp clients to relay through a postfix smtp server one common setup is using SASL authentication in combination with starttls and a (usuall...") |
(→server main.cf) |
Revision as of 20:40, 22 July 2015
In order to securely allow roaming SMTP clients to relay through a Postfix SMTP server, one common setup is SASL authentication combined with STARTTLS and a (usually virtual) user database.
There is plenty of information about how to set that up, so I will not cover it here.
What not many people know is that you can set up Postfix to allow relaying using certificates (PKI).
Postfix has two ways of allowing relaying with certificates, but here I will describe only one of them.
server main.cf
In order to allow relaying, we need the following settings in place:
starttls
# TLS SERVER settings
# offer tls to clients
smtpd_use_tls = yes
local cert and key
In this case I use the excellent startssl.com free certificates, because they are trusted by most devices and they are free. smtpd_tls_cert_file points at the server certificate followed by the StartSSL chain cert (just run "cat your.cert startssl.crt > postfix.crt" to build it).
The smtpd_tls_key_file should be readable only by root. I share this key with Apache, so it is also readable by the apache group, but not by anyone else (440 perms).
# local cert
smtpd_tls_key_file = /etc/pki/tls/private/startssl_asenjo_nl.key
smtpd_tls_cert_file = /etc/pki/tls/certs/postfix_certchain.crt
trusted CA bundle file
CentOS sets it here:
# CA bundle
smtpd_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
entropy generator, logs, headers
# random source generator
tls_random_source = dev:/dev/urandom
# tls log level
# 0: default, no logging
# 1: startup and cert info
# 2: 1 + info on tls negotiation
# 3: 2 + hex and ascii dumps of negotiation
# 4: 3 + hex and ascii dumps of transmission after client starttls
smtpd_tls_loglevel = 1
# add tls header info
smtpd_tls_received_header = yes
tls caching, tls ciphers
# tls session cache
smtpd_tls_session_cache_database = btree:$data_directory/smtpd_cache
smtpd_tls_session_cache_timeout = 3600s
# disable insecure protocols (SSLv2 and SSLv3)
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2, !SSLv3
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_protocols = !SSLv2, !SSLv3
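The settings above are easy to get subtly wrong (a protocol list left empty, a log level that dumps handshake data, a key file readable by everyone). The following audit script is an added example, not part of the original page or of Postfix itself: it parses a main.cf fragment in Postfix syntax (name = value, continuation lines, # comments, $name references) and runs the checks a practitioner would want before opening the relay. The embedded config is the page's own fragment, plus one constructed data_directory line so the $data_directory reference can be expanded; the parse_main_cf, audit and key_mode_is_private functions are assumptions of this example, not Postfix APIs.

```python
"""Audit the TLS server settings of a Postfix main.cf fragment (added example)."""
import re
import stat

# Constructed sample: the page's main.cf fragment; data_directory is added here
# (its usual value) so that the $data_directory reference below can be expanded.
SAMPLE_MAIN_CF = """\
# TLS SERVER settings
# offer tls to clients
smtpd_use_tls = yes
data_directory = /var/lib/postfix
# local cert
smtpd_tls_key_file = /etc/pki/tls/private/startssl_asenjo_nl.key
smtpd_tls_cert_file = /etc/pki/tls/certs/postfix_certchain.crt
# CA bundle
smtpd_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
tls_random_source = dev:/dev/urandom
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_database = btree:$data_directory/smtpd_cache
smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2, !SSLv3
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_protocols = !SSLv2, !SSLv3
"""


def parse_main_cf(text):
    """Return {name: value}; continuation lines (leading whitespace) are joined
    and $name / ${name} references are expanded one level, like postconf -x."""
    params = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and current:          # continuation of previous value
            params[current] += " " + raw.strip()
            continue
        name, _, value = raw.partition("=")
        current = name.strip()
        params[current] = value.strip()
    for name, value in params.items():
        params[name] = re.sub(r"\$\{?(\w+)\}?",
                              lambda m: params.get(m.group(1), m.group(0)), value)
    return params


def protocols_exclude_sslv23(value):
    """True when a Postfix protocol list keeps SSLv2 and SSLv3 out, either by
    exclusion ('!SSLv2, !SSLv3') or by an explicit list of newer protocols.
    An empty list means 'all protocols' and therefore fails the check."""
    tokens = [t for t in re.split(r"[,\s]+", value) if t]
    excluded = {t[1:] for t in tokens if t.startswith("!")}
    included = {t for t in tokens if not t.startswith("!")}
    if included:
        return not ({"SSLv2", "SSLv3"} & included)
    return {"SSLv2", "SSLv3"} <= excluded


def key_mode_is_private(mode):
    """True when a key file mode gives 'other' nothing and the group no write
    access, e.g. 0o400 or the page's 0o440 (root plus the apache group)."""
    return not (mode & (stat.S_IRWXO | stat.S_IWGRP))


def audit(params, key_mode=None):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if params.get("smtpd_use_tls", "no").lower() != "yes":
        findings.append("smtpd_use_tls is not 'yes': STARTTLS is not offered")
    if not (params.get("smtpd_tls_key_file") and params.get("smtpd_tls_cert_file")):
        findings.append("smtpd_tls_key_file and smtpd_tls_cert_file must both be set")
    if not params.get("smtpd_tls_CAfile"):
        findings.append("smtpd_tls_CAfile unset: client certificates cannot be verified")
    for name in ("smtpd_tls_protocols", "smtpd_tls_mandatory_protocols",
                 "smtp_tls_protocols", "smtp_tls_mandatory_protocols"):
        if not protocols_exclude_sslv23(params.get(name, "")):
            findings.append(f"{name} is unset or still permits SSLv2/SSLv3")
    level = params.get("smtpd_tls_loglevel", "0")
    if not level.isdigit() or int(level) > 1:
        findings.append(f"smtpd_tls_loglevel={level}: levels above 1 dump handshake data to the log")
    if key_mode is not None and not key_mode_is_private(key_mode):
        findings.append(f"key file mode {key_mode:o} is readable or writable too widely")
    return findings


if __name__ == "__main__":
    settings = parse_main_cf(SAMPLE_MAIN_CF)
    for line in audit(settings, key_mode=0o440) or ["all checks passed"]:
        print(line)
```

Run it against a real main.cf by reading the file into parse_main_cf and passing the key file's st_mode (from os.stat) as key_mode; the page's 440 key together with the fragment above produces no findings, while an empty smtpd_tls_protocols or a 644 key is reported.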