Authenticated relaying using Postfix
Michael Richardson
Sandelman Software Works Corporation
(page 1)
Requirements
- need to send email from laptop
- must avoid sending directly from dialup (due to RBL/DUL)
- must avoid turning office machine into open relay
- SSH port-forward tunnels are annoying
- need to work around Bell Nexxia/Uunet port-25 blocks!
(page 2)
Postfix on server - SSL things
Server side config file
- smtpd_tls_cert_file = /etc/openssl/certs/pike.crt
- smtpd_tls_key_file = /etc/openssl/private/pike.pem
- smtpd_tls_CAfile = /etc/openssl/certs/cacert.pem
- smtpd_tls_loglevel = 2
- smtpd_use_tls = yes
- smtpd_tls_ask_ccert = yes
(page 3)
Postfix on client - SSL things
Client side config file
- relayhost = pike.sandelman.ca:26
- smtp_tls_cert_file = /etc/postfix/client.pem
- smtp_tls_key_file = $smtp_tls_cert_file
- smtp_tls_CAfile = /etc/postfix/CAcert.pem
- smtp_tls_note_starttls_offer = yes
- smtp_tls_loglevel = 2
- smtp_use_tls = yes
- smtp_enforce_tls = yes
- masquerade_domains = sandelman.ottawa.on.ca
(page 4)
Postfix on server - authenticate relaying
- smtpd_client_restrictions = permit_mynetworks,
      permit_tls_all_clientcerts,
      permit_tls_clientcerts,
      permit_mx_backup
- smtpd_recipient_restrictions = permit_mynetworks,
      permit_tls_all_clientcerts,
      reject_unauth_destination
- relay_clientcerts = hash:/usr/pkg/etc/postfix/relayclients
- Caveat: the relay decision for non-local recipients is made in smtpd_recipient_restrictions, and the only permit there before reject_unauth_destination is permit_tls_all_clientcerts, which accepts any certificate that chains to a CA in smtpd_tls_CAfile. Every certificate that CA has ever issued can therefore relay, and the relay_clientcerts fingerprint table is not consulted for that decision. To restrict relaying to the listed certificates, use permit_tls_clientcerts in smtpd_recipient_restrictions instead (permit_tls_all_clientcerts listed first also makes permit_tls_clientcerts redundant in smtpd_client_restrictions).
- #debug_peer_level = 10
- #debug_peer_list = 205.150.200.232
- #debug_peer_list = [2002:c08b:2e81:1:2c0:4fff:fe2e:2834]
(page 5)
Creating certificates
Certificate creation
- client# openssl genrsa -out oceania.pem 1024
- (1024-bit RSA was usual when these slides were written; use 2048 bits or more today)
- client# openssl req -new -key oceania.pem -out oceania.req
- server#./SSWCA -signreq req/stephenson.req
- Using configuration from /corp/security/certs/openssl.cnf
- Enter PEM pass phrase:
- Check that the request matches the signature
- Signature ok
- The Subject's Distinguished Name is as follows
- countryName :PRINTABLE:'CA'
(page 6)
Postfix on server - relayclients
cat /etc/postfix/relayclients
A2:7C:4C:3D:FA:2B:1A:49:7D:F4:C0:A7:62:2E:52:4B OK
- One line per authorised client: the certificate fingerprint (MD5 here, 16 bytes) followed by any value; Postfix only checks that the key exists.
- The fingerprint of a signed certificate is printed by "openssl x509 -noout -fingerprint -md5 -in <signed-cert.pem>". Postfix before 2.5 hard-codes MD5; later versions take the digest from smtpd_tls_fingerprint_digest (default sha256 from Postfix 3.6 on), which must match the digest used to build this table.
- Create the table with "postmap hash:/etc/postfix/relayclients"; the path must be the one named in relay_clientcerts (the server slide uses /usr/pkg/etc/postfix/relayclients).
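An added example, written for this edit rather than taken from the slides or from Postfix itself, covering the server slide (page 4) and the relayclients slide (page 6): it computes the Postfix-style certificate fingerprint from a PEM file, builds the relayclients line, and walks the two restriction lists to show that with permit_tls_all_clientcerts any certificate from the CA can relay, while permit_tls_clientcerts limits relaying to fingerprints in the table. Assumptions: the PEM blob is constructed (PEM armour around base64 of the bytes "abc"), mynetworks and the local domain are made up, permit_mx_backup is not modelled, and permit_tls_clientcerts is modelled as a plain fingerprint match on the presented certificate.

```python
"""Postfix client-certificate relaying, modelled offline.

Added example for these slides; it is not Michael Richardson's code and not
part of Postfix. Assumptions: LISTED_CERT_PEM is constructed test data (PEM
armour around base64("abc")), not a real certificate; mynetworks and the local
domain are made up; permit_mx_backup is not modelled (it needs DNS).
"""
import base64
import hashlib
import ipaddress
import re

# Constructed stand-in for the signed client certificate (DER body = b"abc").
LISTED_CERT_PEM = """-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""


def pem_to_der(pem):
    """Strip the PEM armour and base64-decode the body: the DER certificate."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                  pem, re.S)
    if m is None:
        raise ValueError("no CERTIFICATE block in input")
    der = base64.b64decode("".join(m.group(1).split()))
    if not der:
        raise ValueError("empty certificate body")
    return der


def fingerprint(pem, digest="md5"):
    """relay_clientcerts key: digest over the DER certificate as colon-separated
    upper-case hex (what openssl x509 -fingerprint prints). The digest must match
    the server's smtpd_tls_fingerprint_digest (hard-coded md5 before Postfix 2.5)."""
    raw = hashlib.new(digest, pem_to_der(pem)).digest()
    return ":".join("%02X" % b for b in raw)


def relayclients_line(pem, digest="md5"):
    """One line of the relayclients source file; Postfix ignores the value."""
    return fingerprint(pem, digest) + " OK"


def load_relayclients(text):
    """Parse the relayclients source file: 'FINGERPRINT value' lines, # comments."""
    fps = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            fps.add(line.split()[0].upper())
    return fps


def evaluate(restrictions, client, mynetworks, my_domains, relayclients):
    """Walk an smtpd restriction list in order; the first permit/reject wins and
    Postfix permits implicitly when the list runs out. client is a dict with:
    ip, cert_verified (chains to a CA in smtpd_tls_CAfile), fingerprint (None if
    no client certificate was presented), rcpt_domain."""
    ip = ipaddress.ip_address(client["ip"])
    for r in restrictions:
        if r == "permit_mynetworks":
            if any(ip in ipaddress.ip_network(n) for n in mynetworks):
                return "permit"
        elif r == "permit_tls_all_clientcerts":
            if client["cert_verified"]:
                return "permit"   # any cert the trusted CA ever signed
        elif r == "permit_tls_clientcerts":
            if client["fingerprint"] in relayclients:
                return "permit"   # only fingerprints listed in relay_clientcerts
        elif r == "reject_unauth_destination":
            if client["rcpt_domain"] not in my_domains:
                return "reject"
        else:
            raise ValueError("restriction not modelled: " + r)
    return "permit"


# smtpd_recipient_restrictions as on the slide, and the tightened variant.
SLIDE_RESTRICTIONS = ["permit_mynetworks", "permit_tls_all_clientcerts",
                      "reject_unauth_destination"]
TIGHT_RESTRICTIONS = ["permit_mynetworks", "permit_tls_clientcerts",
                      "reject_unauth_destination"]
MYNETWORKS = ["127.0.0.0/8"]          # assumed
MY_DOMAINS = {"sandelman.ca"}         # assumed local domain


def relay_decisions(client):
    """(slide config decision, tightened config decision) for one client."""
    table = load_relayclients(relayclients_line(LISTED_CERT_PEM))
    return (evaluate(SLIDE_RESTRICTIONS, client, MYNETWORKS, MY_DOMAINS, table),
            evaluate(TIGHT_RESTRICTIONS, client, MYNETWORKS, MY_DOMAINS, table))


if __name__ == "__main__":
    listed = {"ip": "192.0.2.10", "cert_verified": True,
              "fingerprint": fingerprint(LISTED_CERT_PEM), "rcpt_domain": "example.org"}
    other = dict(listed, fingerprint="00:" * 15 + "00")   # same CA, not in the table
    print(relayclients_line(LISTED_CERT_PEM))
    print("listed cert  :", relay_decisions(listed))
    print("other CA cert:", relay_decisions(other))
```

Run it directly to print the relayclients line and the two decisions; the second client, holding a certificate from the same CA that is not in the table, is permitted to relay under the slide's configuration and rejected under the tightened one. To use the fingerprint function on a real certificate, feed it the PEM returned by the CA and make sure the digest argument matches smtpd_tls_fingerprint_digest on the server.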