How To Install and Configure postfix and Postfix Restrictions and Postfix SASL & SSL/TLS on Centos

1. Introduction

This article is geared toward beginners World Health Organization would like to line up a basic email server. Basic system administration information would be a plus and therefore the ability to put in package and edit configuration files is crucial. The article was written for CentOS five however ought to be equally applicable to earlier versions. Later versions might dissent.

There area unit many various situations ANd combos which will be used once fitting an email server (far to several to hide here), thus this text makes some basic selections for you, like the package we'll use (postfix and dovecot). alternative choices area unit needed to be altered by the user, like your network addresses and domain names. additional advanced choices like virtual domains and users area unit outside the scope of this text and can not be lined herein.

This article uses suffix because the mail transport agent (MTA), as hostile sendmail, the default MTA for CentOS five (postfix is that the default in CentOS 6). Dovecot is employed to permit users to access their email by either imap or pop protocols. we have a tendency to assume a site name of that ought to be modified by the reader and might be either a true name for a completely qualified email server or a pretend name if you merely would like to implement an enclosed mail server. we have a tendency to assume that the physical mail server (host) is and is found at the non-public information science address (this ought to be modified to suit the readers needs). the e-mail server can offer email accounts via normal user system accounts and users can access their email victimization their system account username and countersign. we'll assume a user known as John Smith World Health Organization encompasses a system account below the login name of john.

2. Installation

The first issue we want to try and do is install the requisite package. the simplest thanks to try this is with yum from the command line:

yum install suffix dovecot system-switch-mail system-switch-mail-gnome
Yum ought to mechanically resolve any dependencies. Dovecot depends on mysql and perl, thus these can probably be put in too if they're not already put in on the system.

Alternatively, we will skip 'system-switch-mail' and 'system-switch-mail-gnome' installation and take away the default MTA 'sendmail', this can build 'postfix' the default MTA in our system.

yum install suffix dovecot 
yum take away sendmail
Please note that the default MTA in CentOS five is sendmail. If you are doing not build suffix the default MTA, change suffix might cause the default MTA to revert to sendmail.

3. Configuration

Next we want to assemble the varied components of our email server.

3.1. Postfix
Postfix configuration files area unit hold on in /etc/postfix. the 2 main suffix configuration files area unit and, though we'll solely be handling here. initial we have a tendency to area unit reaching to build some additions or changes to the configuration file. the subsequent lines ought to be additional, altered or uncommented:

myhostname =
mydomain =
myorigin = $mydomain
inet_interfaces = all
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
mynetworks =,
relay_domains =
home_mailbox = Maildir/
Note: every line ought to begin at the start of a replacement line and may not be preceded by white house or tabs. White house or tabs at the start of a line area unit treated as a continuation of the previous line, and if the previous line may be a comment (#) line then the following line is additionally treated in and of itself. Further, inline comments ought to be avoided.

Now lets take a glance at every setting it communicate perceive what we've simply done:

myhostname: is that the host name of the system (i.e, the system is termed mail or

mydomain: is that the name for the e-mail server (it is a true or pretend domain name).

myorigin: is that the name that locally-posted email seems to possess return from and is delivered to.

inet_interfaces: sets the network interfaces that suffix will receive mail on. These have to be compelled to embody a minimum of nativehost and therefore the local domain.

mydestination: is that the list of domains that may be delivered to (i.e, this server is that the final destination for email addressed  to those domains).

mynetworks: may be a list of trusty information science addresses which will send or relay mail through the server. Users making an attempt to send email through the server originating from information science addresses ex-directory here are going to be rejected.

relay_domains: may be a list of destination domains this technique can relay mail to. By setting it to be blank we have a tendency to make sure that our mail server is not acting as AN open relay for untrusted networks. The reader is suggested to check that their system is not acting as AN open relay here:

home_mailbox: sets the trail of the mailbox relative to the users home directory and conjointly specifies the fashion of mailbox to be used. suffix supports each Maildir and mbox formats and browseers area unit inspired to read abreast of the deserves of every for themselves. However, during this article we've chosen to use Maildir format (a trailing slash indicates Maildir format. To specify mbox format, the reader would use home_mailbox = Mailbox).

3.2. Dovecot
The dovecot configuration file is found at /etc/dovecot.conf. the subsequent lines ought to be additional, altered or uncommented:

protocols = imap imaps pop3 pop3s
mail_location = maildir:~/Maildir
pop3_uidl_format = %08Xu%08Xv
# needed on x86_64 kernels
login_process_size = sixty four
Again, gazing every option:

protocols: specifies the protocols accessible to users to access their email. Dovecot supports imap(s) and pop3(s), and any or all could also be used.

mail_location: specifies the format and site of every users mailbox. Here we have a tendency to see we have a tendency to area unit victimization maildir format and every user has their mailbox set at ~/Maildir. Examples for mbox format area unit provided within the configuration file.

pop3_uidl_format: is needed to repair a tangle with Outlook 2003 accessing mailboxes via pop3 thus it is sensible to line this (see the notes within the configuration file for additional details).

login_process_size: the discharge notes for CentOS five.1 state that "the Dovecot package on x86_64 kernels needs the parameter "login_process_size = 64" to be additional to /etc/dovecot.conf once AN upgrade to CentOS five.1". 32-Bit installations area unit unaffected and don't need this setting.

Note: If you have got any problems connecting with either imap or pop3 to dovecot, check the IMAP specific settings and POP3 specific settings sections of the dovecot.conf configuration file for workarounds. The accessible choices principally have an effect on older mail shoppers and workarounds for Microsoft Outlook and Outlook categorical.

Note on dovecot and C6: With CentOS half-dozen the configuration enraptured to /etc/dovecot/dovecot.conf. Dovecot is started with none additional changes to the configuration file and can mechanically listen for connections on the ports for pop3(s) and imap(s). Changes to suite your atmosphere can in all probability be needed.

3.3. produce users mailboxes
Next we want to form a mailbox for every user in their home directory and set the acceptable permission, thus victimization our example user john:

mkdir /home/john/Maildir
chown john:john /home/john/Maildir
chmod -R 700 /home/john/Maildir 
Note: If making the user mailboxes as root then we have a tendency to should set possession of the directory to the user.

3.4. Aliases
We area unit nearly finished. we've AN email account established for our user John Smith World Health Organization logs in as john. His email address would be . However, John might wish to receive email as (or the other alias). we will succeed this by setting AN alias for John victimization the system alias file (by default suffix uses /etc/aliases). we will conjointly add aliases for alternative users, thus as an example we have a tendency to might conjointly direct root's email to John by adding the subsequent to /etc/aliases:

# one that ought to get root's mail
root:           john
# User aliases
jsmith:         john
j.smith:        john
If you edit the aliases file to line up new aliases for users once suffix is running, you want to build the aliases info by running the newaliases command.

4. beginning the server

We area unit currently able to kindle our new email server. initial we want to inform our system to use suffix because the MTA instead of the default sendmail. To do this, run the system-switch-mail command and choose suffix because the MTA. this can install the suffix service and set it to begin mechanically at runlevels three, 4, and 5. Next we want to line the dovecot service to conjointly mechanically begin at runlevels three, 4, and 5, and begin each services:

chkconfig --level 345 dovecot on
/etc/init.d/dovecot begin
/etc/init.d/postfix begin
at that purpose you must be up and running. Your email server ought to don't have any bother causation and receiving email internally and causation external email. To receive external email on your domain, you'll conjointly have to be compelled to assemble magnetic flux unit records in DNS for your domain (ideally a PTR rDNS entry ought to even be designed through your ISP mapping your information science address to your domain). remember to open any needed ports on your UNIX firewall relying what services you're running (SMTP 25; POP3 110; IMAP 143; IMAPS 993; POP3S 995) and modify port forwarding for those ports on any routers.

If you create any changes to the suffix configuration file, you'll be able to either restart the suffix service or run the suffix reload command to update the changes.

5. Summary

Postfix is an especially powerful and versatile mail transport agent. during this article we've seen the way to implement a basic email server victimization suffix and dovecot for one domain supported system user accounts. we've barely damaged the surface of actuality capabilities of a postfix-based system, however hopefully have provided a solid operating foundation on that new users will build.

Postfix Restrictions

Note: This guide is for CentOS five. The syntax for a few restrictions has modified between suffix v2.2 and v2.3 enclosed with CentOS four and CentOS five, severally. CentOS four users ought to check the syntax of the helo restrictions. See here:

1. Introduction

If you have got followed the fundamental suffix guide you may have an easy suffix email server up and running that's capable of causation and receiving email. However, you may most likely have detected that your suffix email server is receiving all email, unrestricted, together with spam. Spam, otherwise referred to as unsought Bulk Email (UBE) or unsought industrial Email (UCE) is calculable to represent in far more than eightieth of all email sent over the web and intrinsically represents a serious challenge to any email master. This guide can examine a number of the restrictions obtainable in suffix for combating spam and is intended to be standard in nature specified {it may|it's going to|it ought to} be enforced additionally to the fundamental suffix guide should the reader therefore want.

2. suffix and Spam

The Internet is essentially engineered on a policy of trust and UBE abuses that trust to permit the delivery of huge amounts of spam. once putting any variety of restrictions on email we tend to area unit deviating from the policy of trust and intrinsically additionally risk limiting or obstruction legitimate email. thence we should always be conservative within the restrictions we tend to apply and may check and monitor them totally. Your users can many thanks for limiting the quantity of spam they see however they'll not many thanks for obstruction legitimate email.

We area unit getting to use three totally different suffix restriction categories to look at the knowledge provided to our email server by any connecting client:

Luckily for United States, several spammers do not trouble to closely follow RFC tips and that we will use these restriction categories to spot obvious spam on it basis and reject it before it enters our email server. Rejecting obvious spam before it enters our email server has the advantages of saving on information measure furthermore as reducing additional process overheads for our email server.

Restrictions work by process variety of rules that determines what action suffix can regard that message. doable outcomes area unit OK, REJECT or DUNNO. Restrictions area unit processed or evaluated within the order during which they're listed. If a rule returns a worth of REJECT then the message is instantly rejected while not additional process. If a rule returns a worth of OK, then additional process of that category of restrictions is stopped and therefore the next category of restrictions area unit evaluated till the message has either with success passed all restriction categories or is afterwards rejected by a later rule. So, as an example, a message could receive a worth of OK from Associate in Nursing smtpd_sender_restriction however should still be rejected by a resultant smtpd_recipient_restriction rule. Therefore, we want to offer careful thought to the order of our restriction rules. If the message isn't expressly rejected by any rule then the default policy is to simply accept the message.

To better perceive the various categories of restrictions and the way they apply, lets take a glance at the smtp method in additional detail as we tend to telnet into our email server and send an easy check message to ourselves:

telnet two5                           # Comments
Connected to (
Escape character is '^]'.
220 ESMTP suffix              # <-smtp_client_restrictions
HELO                           # <-smtp_helo_restrictions
250                            #
MAIL FROM:                     # <-smtp_sender_restrictions
250 2.1.0 Ok                                    #
RCPT TO:                       # <-smtp_recipient_restrictions
250 2.1.5 Ok                                    #
DATA                                            # <-smtp_data_restrictions
354 finish information with .             #
To:                            # <-header_checks
From:                          #
Subject:SMTP check                               #
This is a check message                          # <-body_checks
.                                               #
250 2.0.0 Ok: queued as 301AE20034
221 2.0.0 Bye
Connection closed by foreign host.
One of the most benefits of smtpd helo, sender and recipient restrictions area unit that they're evaluated and acted upon before the body of the e-mail is ever sent/received therefore potential spam is also rejected early within the smtp method while not overwhelming further information measure and/or process resources. It's most likely best that we tend to see some restrictions in action to raised perceive what every will. All restrictions area unit additional to the suffix configuration file placed at /etc/postfix/

3. Helo Restrictions

When a consumer system 1st connects to our email server, it's needed to identity itself exploitation the smtp HELO command. several spammers either try and either skip this step altogether, can send impossibly invalid data, or can deliberately try and change their identity to realize access. Either way, {we can|we will|we area unit able to} safely reject connections from shoppers that area unit severely mis-configured or that are deliberately obfuscating their identity.

# /etc/postfix/
# HELO restrictions:
smtpd_delay_reject = affirmative
smtpd_helo_required = affirmative
smtpd_helo_restrictions =
Note: suffix two.2 (CentOS 4) uses reject_non_fqdn_hostname and reject_invalid_hostname, severally.

The first line (smtpd_delay_reject) permits the smtp spoken communication to continue till the purpose of truly receiving the message before it's rejected, and is helpful as a result of it permits full sender and recipient data to be logged. it's additionally a demand for helo_restrictions. The second line (smtpd_helo_required) rejects email from any system that fails to spot itself.

Our smtpd_helo_restrictions begin at line three. permit_mynetworks tells suffix to simply accept connections from trusty machines outlined in mynetworks therefore email from our own trusty shoppers will not endure additional helo restriction checks. reject_non_fqdn_helo_hostname can reject connections if the hostname furnished  the HELO command isn't a completely qualified name pro re nata by the RFC tips. It ought to be utterly safe to reject association makes an attempt from shoppers that create no effort to properly determine themselves. Likewise, reject_invalid_helo_hostname can reject association makes an attempt once the HELO hostname syntax is invalid. Finally we tend to allow messages to proceed to subsequent stage of filtering.

One additional choice that's sometimes specified  is reject_unknown_helo_hostname which can reject messages if the hostname furnished  the helo command does not have either a sound DNS A or maxwell record. However, this setting ought to be used with caution because it can reject email from legitimate systems with temporary DNS issues and might cause false positives.

4. Sender Restrictions

The next step is to separate invalid senders with some sender restrictions:

# /etc/postfix/
# Sender restrictions:
smtpd_sender_restrictions =
Again, first we tend to permit email from senders on our own network (permit_mynetworks). subsequent 2 lines reject messages if the senders email address is deformed or nonexistent as there’s no real reason to simply accept mail from them. reject_non_fqdn_sender can reject email once the MAIL FROM address isn't in fully-qualified domain type pro re nata by the RFC. reject_unknown_sender_domain can reject email once the MAIL FROM address has neither a DNS A nor maxwell record, or once it's a deformed maxwell record like a record with a zero-length maxwell hostname. The response code for reject_unknown_sender_domain is 450 (try once more later) just in case of a short lived DNS error. Further, since the MAIL FROM address is that the address that bounce notifications should be sent to, it makes no sense to receive mail from Associate in Nursing unknown domain. the ultimate line permits each alternative message to maneuver on to subsequent part of filtering.

5. Recipient Restrictions

By this point, it’s clear that the consumer machine isn’t fully mis-configured which the sender stands a minimum of an opportunity of being legitimate. the ultimate step is to check that the consumer has permission to send to the given recipient and to use some external non-postfix checks to the tiny range of messages that create it this way.

# /etc/postfix/
# Recipient restrictions:
smtpd_recipient_restrictions =
   check_policy_service unix:postgrey/socket,
Postfix supports a way referred to as pipelining that hurries up bulk deliveries of email by causation multiple smtp commands promptly. The protocol needs that shoppers 1st make certain the server supports pipelining. several spammers send a series of commands while not watching for authorization, so as to deliver their messages as quickly as doable. reject_unauth_pipelining stops mail from mail package that improperly uses pipelining so as to hurry up deliveries.

The next few lines ought to be somewhat acquainted by currently and reject mail to domains that don’t exist or can’t exist. first we tend to reject email once the RCPT to deal with isn't in fully-qualified domain type (reject_non_fqdn_recipient) pro re nata by RFC then reject email once our email server isn't final destination for the recipient address, once the RCPT to deal with has no DNS A or maxwell record, or once it's a deformed maxwell record. The response code for reject_unknown_recipient_domain is 450 (try once more later) just in case of a short lived DNS error. Again, permit_mynetworks tells suffix to simply accept connections from native users on our network.

The next line, reject_unauth_destination, is critically vital because it tells suffix to not settle for messages with recipients at domains that aren't hosted domestically or that we tend to function a backup server for. while not this line, our server would be Associate in Nursing open relay.

The next setting, check_sender_access, permits United States to implement whitelisting and blacklisting of full or partial email addresses and domains as laid out in the MAIL FROM field against a specified  access table with a target of either OK or REJECT. 1st we tend to should produce our operation table, that during this case is that the plain document /etc/postfix/sender_access:

# /etc/postfix/sender_access
# Black/Whitelist for senders matching the 'MAIL FROM' field. Examples...
#    OK           REJECT
marketing@              REJECT
theboss@                OK     REJECT          OK
In the example higher than we will see that we will black or white list mail from totally qualified email addresses, usernames at any domain, or domains and partial domain names contained among the MAIL FROM field. Note that these area unit examples solely and usually you must not whitelist your own domain as spammers usually spoof the sender address to be that of your own domain. Once you have got created your sender_access file {you should|you want to|you need to} run the postmap command against it to form the indexed version that suffix can use (you must additionally repeat this whenever you alter the file):

postmap /etc/postfix/sender_access
That is the last of our internal suffix checks. The remaining checks either consult external sources or helper applications.

We next perform some period blacklist (RBL) checks. RBL's, additionally referred to as DNS Black Lists (DNSBL) area unit third party services that maintain an inventory of science addresses noted to be concerned in some variety of illicit activity like the distribution of spam or alternative undesirable content like viruses. The reject_rbl_client line causes suffix to perform a check against the listed info and can reject the message if it's from a noted unhealthy supply. as a result of such checks involve a DNS operation {they area unit|they're} comparatively "expensive" in terms of resources and therefore are best placed towards the top of our checks so the maximum amount spam as doable has already been eliminated to reduce the quantity that occur. Likewise, it additionally is smart to put the foremost effective lists 1st, once more minimizing the quantity of lookups that area unit required to reject a (spam) message.

There area unit several DNSBL's obtainable, what number and that you select to use is up to you, however you must monitor your logs on a daily basis to review their effectiveness (hint: install the suffix-pflogsumm package and use the pflogsumm command to investigate your postfix logs). we should always additionally acknowledge that exploitation DNSBL's starts to introduce the likelihood of false positives as we tend to area unit counting on the policy of the list friend for adding varlet addresses. Some area unit extremely effective, some block nearly nothing, et al. can block the maximum amount real mail as they are doing spam. For additional data and real time statistics on DNSBL's the reader is referred to:

The final check, check_policy_service, is employed to decision Associate in Nursing add on application or script, during this case postgrey guaranteed to a operating system socket. Postgrey may be extremely effective once it involves eliminating spam and there's a separate guide dedicated strictly to the installation of postgrey on a suffix email server. The scaner is powerfully inspired to read that guide next.

6. Summary

In this guide we've got seen however we will use suffix restrictions to reject mail from clearly mis-configured shoppers or people who otherwise don't have any business causation email to our server. The restrictions enforced area unit deliberately conservative with the intention of not inflicting false positives and may work well in any suffix installation. suffix restrictions, significantly rejecting helo hostnames in non totally qualified name type, will block the maximum amount as half-hour of spam and exploitation one or two sensible DNSBLs will block ninetieth or additional of the rest. Combined with additional filtering techniques like greylisting, it ought to be doable to separate the overwhelming majority of spam (~99%) before it enters the e-mail server therefore saving on information measure and process resources. This guide is intended to go with the fundamental suffix guide.

Postfix/dovecot SASL and SSL/TLS guide

1. Introduction

This guide is meant to go with the fundamental termination guide. it's written for CentOS five. Configuration can dissent for CentOS vi.

2. what's SASL and do i would like it?

By default, termination uses the $mynetworks parameter to manage access, i.e. World Health Organization will send or relay mail through the mail server. there's no alternative authentication performed aside from checking that the informatics address of the user attempting to send mail is an element of a sure network as per $mynetworks.

If area unit|you're} solely implementing a mail server wherever all of your users are supported identical network then it's unlikely that you just can got to use SASL or SSL/TLS. However, if there square measure mobile users that want to use the mail server while off from base, we'd like a mechanism to evidence them as sure users in order that they're able to send mail through the mail server.

SASL (Simple Authentication and Security Layer) provides a mechanism of authenticating users mistreatment their username and watchword. most likely the foremost standard implementation of SASL is provided by the prince SASL library, however dovecot conjointly has it’s own SASL implementation in-built, and as we tend to square measure already running dovecot we tend to could yet use it for SASL instead of having to put in and put together another package.

3. What concerning SSL/TLS?

So SASL is ready to produce a mechanism to evidence remote users by username and watchword World Health Organization want to send mail through the mail server. in addition, remote users square measure able to retrieve mail through IMAP and/or POP3 mechanisms provided by dovecot. However, we've got a haul in this these mechanisms square measure causation usernames and passwords in plain text across the net (SASL will support numerous encrypted authentication strategies like DIGEST-MD5 however these aren’t perpetually universally supported by email shopper software). This poses a security risk as anyone will probably intercept this data and steal login details therefore we'd like to inscribe the affiliation. SSL (Secure Sockets Layer), and additional recently TLS (Transport Layer Security), supply a mechanism to inscribe communications between 2 hosts, in our case our mail server and our remote shopper. SSL was renamed TLS by the IETF as of version three.1.

4. Configuring SASL in termination

To put together SASL in termination, we'd like to form the subsequent additions to /etc/postfix/

smtpd_sasl_auth_enable = affirmative
broken_sasl_auth_clients = affirmative
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
and add permit_sasl_authenticated to our smtpd_recipient_restrictions section of /etc/postfix/ (if you do not have a smtpd_recipient_restrictions section, then the subsequent example can work fine):

smtpd_recipient_restrictions =
Next we'd like to put together auth default within the authentication processes section of /etc/dovecot.conf. Uncomment and/or add the subsequent lines as necessary (be careful as this section is heavily commented, some entries exist already, others square measure commented out and wish uncommenting like socket listen):

auth default
    userdb passwd
    user = root
    socket listen {
      client {
        path = /var/spool/postfix/private/auth
        mode = 0660
        user = termination
 cluster = termination
Restart dovecot and reload termination configuration setting:

service dovecot restart

5. Testing SASL

Now we've got SASL organized we'd like to check that it's operating properly. For the needs of testing and/or native security issues, it should even be helpful to limit $mynetworks to solely permit in order that we tend to could enforce SASL authentication, otherwise relaying from incorrectly organized native purchasers should still be allowable underneath the permit_mynetworks setting in smtpd_recipient_restrictions.

 Note: the subsequent paragraphs 'work too hard'. CentOS ships a selected tool, among associate degree openssl choice for testing this and far additional. See: man s_client that is mentioned here for a less complicated approach.

We can telnet into the server and plan to evidence mistreatment our username and watchword. However, our username and watchword should be Base64 encoded (note: our username and watchword is encoded, not encrypted, and it's trivial to rewrite therefore isn't secure at this stage). A Base64 encoded string of our username and watchword is also generated mistreatment perl as shown below (I used the user 'test' with watchword 'test1234' during this example)

$ perl -MMIME::Base64 -e 'print encode_base64("\000test\000test1234");'
For reference, our Base64 encoded string is also decoded with:

$ perl -MMIME::Base64 -e 'print decode_base64("AHRlc3QAdGVzdDEyMzQ=");'
For people who haven't got perl, there's a web Base64 encoder out there here.

Using our Base64 encoded string to check authentication:

$ telnet localhost twenty five
Connected to localhost.localdomain (
Escape character is '^]'.
220 ESMTP termination
250-SIZE 20480000
250 DSN
235 2.0.0 Authentication prosperous
221 2.0.0 Bye
Connection closed by foreign host.
If everything is functioning, ought to|we should always|we must always} see AUTH PLAIN LOGIN (and AUTH=PLAIN LOGIN) indicating that smtp auth is being offered by the mail server and that we should then be able to with success evidence mistreatment our Base64 encoded username and watchword.

Now we are able to put together our email purchasers to use authentication (username and password) once causation mail.

Thunderbird: Edit > Account Settings, and choose Outgoing Server (SMTP) within the manus pane. choose the smtp server and click on Edit, and within the Security and Authentication section, tick "Use name and password" and enter your User Name.

Outlook Express: Tools > Accounts > Mail tab > choose associate degree account and click on properties. Then on the Servers tab, underneath Outgoing Mail Server, tick "My server needs authentication".

If we tend to send a take a look at message and tail our maillog, forward everything is functioning, we must always currently see our email shopper documented mistreatment SASL:

tail -f /var/log/maillog
Mar eighteen 13:25:56 mail postfix/smtpd[22400]: connect from mail[]
Mar eighteen 13:26:02 mail postfix/smtpd[22400]: 105892006E: client=mail[], sasl_method=PLAIN, sasl_username=ned
Mar eighteen 13:26:02 mail postfix/cleanup[22404]: 105892006E: message-id=<>
Mar eighteen 13:26:02 mail postfix/qmgr[22338]: 105892006E: from=, size=518, nrcpt=2 (queue active)
Mar eighteen 13:26:02 mail postfix/smtpd[22400]: disconnect from mail[]
Mar eighteen 13:26:02 mail postfix/local[22405]: 105892006E: to=, relay=local, delay=0.26,
       delays=0.11/0.02/0/0.14, dsn=2.0.0, status=sent (delivered to maildir)
Mar eighteen 13:26:06 mail postfix/qmgr[22338]: 105892006E: removed
6. Generating SSL certificates

Before we are able to use SSL or TLS to inscribe our affiliation, we tend to should 1st generate the SSL certificates which will be accustomed determine the server and establish the secret writing protocol. SSL certificates carries with it a public and personal key try, and will either be self-signed or signed by a sure root certificate authority. you'll be able to freely get signed certificates from CAcert and there's a guide out there here. However, sadly CAcert is not presently enclosed as a sure root certificate authority on preferred internet browsers, email purchasers and operational systems, that the good thing about getting a CAcert signed certificate is somewhat diminished in this it will not mechanically be accepted as sure on several systems. whether or not you employ self-signed certificates or certificates signed by a sure root certificate authority can rely upon the meant usage of your server - if your users trust you, then self-signed certificates might be absolutely acceptable to you.

There square measure varied ways in which of generating SSL certificates mistreatment OpenSSL. you'll be able to use openssl directly or use one amongst the provided scripts like /etc/pki/tls/misc/CA or /usr/share/doc/dovecot-1.0/examples/ However, maybe the best technique for users new openssl is to use genkey and follow the on screen prompts.

Genkey is an element of the crypto-utils package and might be put in and run from the statement (as root). the subsequent example can generate a key try for the server that's valid for one year:

yum install crypto-utils
genkey --days 365
Follow the on screen prompts coming into data about your neighborhood. the foremost necessary entry is that the common name as this should match the name users can use to attach to the server. In our example, this could be, however it'll presumably be no matter name you have got entered in your dns maxwell record for your mail server. forward smtp and imap/pop3 services square measure running on identical server, then you'll be able to use identical certificates for each and purchasers would enter for each imap/pop3 and outgoing smtp server settings. If you have got separate smtp and imap/pop3 servers then you may got to produce separate certificates for every. Genkey also will offer you the choice to form a certificate linguistic communication request (CSR) must you want to get a signed certificate from a sure root certificate authority. Finally, you may be offered the choice to inscribe the non-public key with a passphrase. don't inscribe your non-public key otherwise whenever the server (or service) restarts it'll sit there expecting you to enter the passphrase that isn't terribly sensible on a foreign server!

The certificate key try square measure created within the following locations:

/etc/pki/tls/certs/  # public foregone conclusion
/etc/pki/tls/private/  # non-public key
You can leave the certificates in their current location or copy/move them elsewhere. The non-public key should be owned  and read/writable (0600) solely by root.

7. Configuring SSL/TLS in termination

Now we've got generated our certificates, we are able to put together termination to use them to inscribe SASL authentication sessions. we'd like to feature the subsequent to /etc/postfix/

smtpd_tls_security_level = could
smtpd_tls_key_file = /etc/pki/tls/private/
smtpd_tls_cert_file = /etc/pki/tls/certs/
# smtpd_tls_CAfile = /etc/pki/tls/root.crt
smtpd_tls_loglevel = one
smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_session_cache_database = btree:/var/spool/postfix/smtpd_tls_cache
tls_random_source = dev:/dev/urandom
smtpd_tls_auth_only = affirmative
'smtpd_tls_security_level = may' replaces the recent 'smtpd_use_tls = yes' in termination two.3 and permits the employment of tls. we've got commented out smtpd_tls_CAfile however would use this setting to specify the certificate of any issuance root authority once mistreatment signed certificates. 'smtpd_tls_loglevel = 1' can log tls sessions to the termination mail log (setting to level zero turns off TLS work and level two is also helpful for debugging purposes). The smtpd_tls_session_cache settings cache TLS session keys for one hour between sessions and is suggested because of the comparatively high value of repeatedly negotiating TLS session keys for every affiliation.

The final setting, smtpd_tls_auth_only = affirmative, forces the employment of TLS for SASL authentication and can not permit plain text authentication to occur unless a SSL/TLS session has been established. (It is also helpful to commented out 'smtpd_tls_auth_only = yes' throughout take a look ating therefore we are able to test that SSL/TLS is functioning however still fall back to plain text SASL authentication if SSL/TLS fails).

Don't forget to reload termination configuration settings:

postfix reload
Now we are able to telnet into the server and check termination is giving TLS:

$ telnet localhost twenty five
Connected to localhost.localdomain (
Escape character is '^]'.
220 ESMTP termination
250-SIZE 20480000
250 DSN
221 2.0.0 Bye
Connection closed by foreign host.
If everything is functioning obviously, we must always see the server giving STARTTLS and since we've got specified  'smtpd_tls_auth_only = yes', plain text SASL authentication (AUTH PLAIN LOGIN and AUTH=PLAIN LOGIN) is not any longer out there.

Finally we'd like to put together our email purchasers to use secret writing once causation mail:

Thunderbird: Edit > Account Settings, and choose Outgoing Server (SMTP) within the manus pane. choose the smtp server and click on Edit, and within the Security and Authentication section, underneath "Use secure connection" choose TLS (or "TLS, if available")

Outlook Express: Tools > Accounts > Mail tab > choose associate degree account and click on properties. Then on the Advanced tab, underneath Outgoing Mail (SMTP), tick "This server needs a secure affiliation (SSL)".

If we tend to send a take a look at message and tail our maillog, forward everything is functioning, we must always currently see a TLS session established that encrypts the following SASL authentication:

tail -f /var/log/maillog
Mar twenty one 01:51:42 jessie postfix/smtpd[1893]: connect from unknown[]
Mar twenty one 01:51:42 jessie postfix/smtpd[1893]: fixing TLS affiliation from unknown[]
Mar twenty one 01:51:44 jessie postfix/smtpd[1893]: TLS affiliation established from unknown[]:
       TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Mar twenty one 01:51:44 jessie postfix/smtpd[1893]: D756E2006F: client=unknown[], sasl_method=PLAIN, sasl_username=ned
Mar twenty one 01:51:44 jessie postfix/cleanup[1897]: D756E2006F: message-id=<>
Mar twenty one 01:51:44 jessie postfix/qmgr[711]: D756E2006F: from=, size=511, nrcpt=2 (queue active)
Mar twenty one 01:51:45 jessie postfix/local[1898]: D756E2006F: to=, relay=local, delay=0.17,
       delays=0.13/0.02/0/0.02, dsn=2.0.0, status=sent (delivered to maildir)
Mar twenty one 01:51:45 jessie postfix/qmgr[711]: D756E2006F: removed
Mar twenty one 01:51:45 jessie postfix/smtpd[1893]: disconnect from unknown[]
8. Configuring SSL/TLS in dovecot

SSL/TLS support is enabled in dovecot by default out of the box. The dovecot package even ships with it's own SSL certificates that we tend to renamed and replaced with our own earlier during this guide. The settings of interest square measure all contained in /etc/dovecot.conf:

protocols = imap imaps pop3 pop3s
#disable_plaintext_auth = no
#ssl_disable = no
ssl_cert_file = /etc/pki/tls/certs/
ssl_key_file = /etc/pki/tls/private/
ssl_cipher_list = ALL:!LOW:!SSLv2
Restart the dovecot service when creating any changes:

service dovecot restart
To use SSL/TLS secret writing, you need to change the imaps (port 993) and/or pop3s (port 995) protocols. Commented settings represent the default values. once set to affirmative, disable_plaintext_auth can disable all plain text authentication strategies (with the exception of connections from identical informatics as these square measure thought of secure). The ssl_cipher_list setting permits US to specify the list of allowed ciphers to be used. additionally to the default list, we tend to block all low strength ciphers at the side of the less secure SSLv2 protocol.

There square measure variety of the way we are able to address native and remote security issues. To enforce secret writing to be used on all native and remote connections, we tend to might merely disable insecure imap and pop3 protocols, and solely supply imaps and pop3s together with setting 'disable_plaintext_auth = yes'. or else, we tend to might want to permit native users to use plain text imap and pop3 protocols while still imposing that remote users use secret writing. a technique to attain this can be to permit all connections to imaps and pop3s (ports 993 and 995, severally) while proscribing connections on imap and pop3 ports (143 and a hundred and ten, severally) to our native network via firewall rules. For example:

# settle for solely native network connections for IMAP
iptables -A INPUT -i eth0 -p protocol -s --dport 143 -j settle for
# settle for all connections for IMAPS
iptables -A INPUT -i eth0 -p protocol --dport 993 -j settle for
# POP3(S)
# settle for solely native network connections for POP3
iptables -A INPUT -i eth0 -p protocol -s --dport a hundred and ten -j settle for
# settle for all connections for POP3S
iptables -A INPUT -i eth0 -p protocol --dport 995 -j settle for
Don't forget to line acceptable rules at the perimeter firewall and forward the suitable ports.

Finally we tend to should put together our email purchasers to use SSL secret writing.

Thunderbird: Edit > Account Settings, and choose the mail account "Server Settings" within the manus pane. underneath the "Security Settings" section, select SSL. Note the port range ought to currently have modified to either 993 or 995 for IMAPS or POP3S, respectively.

Outlook Express: Tools > Accounts > Mail tab > choose associate degree account and click on properties. Then on the Advanced tab, underneath Incoming Mail (POP3), tick "This server needs a secure affiliation (SSL)". Note the port range ought to currently have modified to either 993 or 995 for IMAPS or POP3S, respectively.

If we tend to tail our mail log and check for brand spanking new email in our email shopper, we must always be able to see that TLS secret writing is currently being used:

# tail -f /var/log/maillog
Mar twenty one 15:10:15 jessie dovecot: pop3-login: Login: user=, method=PLAIN, rip=::ffff:, lip=::ffff:, TLS
Mar twenty one 15:10:15 jessie dovecot: POP3(ned): Disconnected: Logged out top=0/0, retr=0/0, del=0/0, size=0