Ubuntu Server Guide
SMTP Authentication
SMTP-AUTH allows a client to identify itself through the SASL authentication mechanism, using Transport Layer Security (TLS) to encrypt the authentication process. Once authenticated, the SMTP server will allow the client to relay mail.

To configure Postfix for SMTP-AUTH using SASL (Dovecot SASL), run these commands at a terminal prompt:

    sudo postconf -e 'smtpd_sasl_type = dovecot'
    sudo postconf -e 'smtpd_sasl_path = private/auth'
    sudo postconf -e 'smtpd_sasl_local_domain ='
    sudo postconf -e 'smtpd_sasl_security_options = noanonymous,noplaintext'
    sudo postconf -e 'smtpd_sasl_tls_security_options = noanonymous'
    sudo postconf -e 'broken_sasl_auth_clients = yes'
    sudo postconf -e 'smtpd_sasl_auth_enable = yes'
    sudo postconf -e 'smtpd_recipient_restrictions = \
    permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination'

Note: the smtpd_sasl_path config parameter is a path relative to the Postfix queue directory.

There are several SASL mechanism properties worth evaluating to improve the security of your deployment. The options "noanonymous,noplaintext" prevent use of mechanisms that permit anonymous authentication or that transmit credentials unencrypted. Because smtpd_sasl_tls_security_options omits noplaintext, the plaintext mechanisms Dovecot offers (PLAIN and LOGIN) become usable only after the client has issued STARTTLS. If the server should not advertise AUTH at all on an unencrypted session, also set smtpd_tls_auth_only = yes; that is the usual choice for a submission service.

Next, generate or obtain a digital certificate for TLS. See security - certificates in this guide for details about generating digital certificates and setting up your own Certificate Authority (CA).

Note: MUAs connecting to your mail server via TLS will need to recognize the certificate used for TLS. This can be done using a certificate from Let's Encrypt, from a commercial CA, or with a self-signed certificate that users manually install/accept. For MTA-to-MTA TLS, certificates are never validated without advance agreement from the affected organizations.
For MTA-to-MTA TLS, unless local policy requires it, there is no reason not to use a self-signed certificate. Refer to security - certificates in this guide for more details.

Once you have a certificate, configure Postfix to provide TLS encryption for both incoming and outgoing mail:

    sudo postconf -e 'smtp_tls_security_level = may'
    sudo postconf -e 'smtpd_tls_security_level = may'
    sudo postconf -e 'smtp_tls_note_starttls_offer = yes'
    sudo postconf -e 'smtpd_tls_key_file = /etc/ssl/private/server.key'
    sudo postconf -e 'smtpd_tls_cert_file = /etc/ssl/certs/server.crt'
    sudo postconf -e 'smtpd_tls_loglevel = 1'
    sudo postconf -e 'smtpd_tls_received_header = yes'
    sudo postconf -e 'myhostname = mail.example.com'

If you are using your own Certificate Authority to sign the certificate, enter:

    sudo postconf -e 'smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem'

Again, for more details about certificates see security - certificates in this guide.

Note: after running all the commands, Postfix is configured for SMTP-AUTH and for TLS encryption using the certificate you obtained above (the commands themselves do not create a certificate). Now the file /etc/postfix/main.cf should look like this:

    # See /usr/share/postfix/main.cf.dist for a commented, more complete
    # version

    smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
    biff = no

    # appending .domain is the MUA's job.
    append_dot_mydomain = no

    # Uncomment the next line to generate "delayed mail" warnings
    #delay_warning_time = 4h

    myhostname = mail.example.com
    alias_maps = hash:/etc/aliases
    alias_database = hash:/etc/aliases
    myorigin = /etc/mailname
    mydestination = mail.example.com, localhost.example.com, localhost
    relayhost =
    mynetworks = 127.0.0.0/8
    mailbox_command = procmail -a "$EXTENSION"
    mailbox_size_limit = 0
    recipient_delimiter = +
    inet_interfaces = all
    smtpd_sasl_type = dovecot
    smtpd_sasl_path = private/auth
    smtpd_sasl_local_domain =
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_security_options = noanonymous,noplaintext
    smtpd_sasl_tls_security_options = noanonymous
    broken_sasl_auth_clients = yes
    smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
    smtpd_tls_auth_only = no
    smtp_tls_security_level = may
    smtpd_tls_security_level = may
    smtp_tls_note_starttls_offer = yes
    smtpd_tls_key_file = /etc/ssl/private/server.key
    smtpd_tls_cert_file = /etc/ssl/certs/server.crt
    smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem
    smtpd_tls_loglevel = 1
    smtpd_tls_received_header = yes
    smtpd_tls_session_cache_timeout = 3600s
    tls_random_source = dev:/dev/urandom

The Postfix initial configuration is complete. Run the following command to restart the Postfix daemon:

    sudo systemctl restart postfix.service

Postfix supports SMTP-AUTH as defined in RFC 2554 (since superseded by RFC 4954). It is based on SASL. However, it is still necessary to set up SASL authentication (here, in Dovecot) before you can use SMTP-AUTH.

When using IPv6, the mynetworks parameter may need to be modified to allow IPv6 addresses, for example:

    mynetworks = 127.0.0.0/8, [::1]/128
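As an added example (not part of the Ubuntu Server Guide), the following POSIX shell script reads a main.cf and reports which of the SMTP-AUTH, TLS and relay settings configured above are missing or weak, so you can check the result of the procedure before restarting Postfix. It needs only sh, awk, tr and grep and runs without Postfix installed; the two sample configurations are constructed here, and the check that insists on either noplaintext or smtpd_tls_auth_only = yes is the editor's hardening choice rather than a requirement stated by the guide.

```shell
#!/bin/sh
# Added example, not from the Ubuntu Server Guide: audit a Postfix main.cf for
# the SMTP-AUTH/TLS settings this section configures. Needs only sh, awk, tr
# and grep; on a real host point it at /etc/postfix/main.cf or at a file
# saved from `postconf -n`.

# Effective value of parameter $2 in main.cf $1 ("" when unset). Postfix rules:
# last assignment wins, '#' at line start is a comment, a line starting with
# whitespace continues the previous parameter's value.
mcf_get() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        /^[ \t]+/  { if (cur == key) val = val " " $0; next }
        /^[A-Za-z0-9_]+[ \t]*=/ {
            cur = $0;  sub(/[ \t]*=.*/, "", cur)
            line = $0; sub(/^[^=]*=[ \t]*/, "", line)
            if (cur == key) val = line
            next
        }
        END { gsub(/[ \t]+/, " ", val); sub(/^ /, "", val); sub(/ $/, "", val); print val }
    ' "$1"
}

# True if the comma/whitespace separated Postfix list $1 contains token $2.
list_has() { printf '%s\n' "$1" | tr ',' ' ' | tr -s ' ' '\n' | grep -qxF -- "$2"; }
# 1-based position of token $2 in list $1 (empty when absent).
list_pos() { printf '%s\n' "$1" | tr ',' ' ' | tr -s ' ' '\n' | grep -nxF -- "$2" | head -n 1 | cut -d: -f1; }

finding() { echo "FAIL: $1"; _rc=1; }

# Print one FAIL line per weak or missing setting; return 0 when clean.
audit_main_cf() {
    f=$1; _rc=0
    [ "$(mcf_get "$f" smtpd_sasl_auth_enable)" = yes ] || finding "smtpd_sasl_auth_enable is not yes"

    opts=$(mcf_get "$f" smtpd_sasl_security_options)
    list_has "$opts" noanonymous || finding "smtpd_sasl_security_options lacks noanonymous"
    # Without noplaintext, PLAIN/LOGIN are usable on an unencrypted session
    # unless smtpd_tls_auth_only = yes withholds AUTH until STARTTLS completes.
    if ! list_has "$opts" noplaintext && [ "$(mcf_get "$f" smtpd_tls_auth_only)" != yes ]; then
        finding "plaintext SASL mechanisms offered before STARTTLS (add noplaintext or smtpd_tls_auth_only = yes)"
    fi

    case "$(mcf_get "$f" smtpd_tls_security_level)" in
        may|encrypt) ;;
        *) finding "smtpd_tls_security_level does not offer STARTTLS" ;;
    esac
    [ -n "$(mcf_get "$f" smtpd_tls_cert_file)" ] || finding "smtpd_tls_cert_file is unset"
    [ -n "$(mcf_get "$f" smtpd_tls_key_file)" ]  || finding "smtpd_tls_key_file is unset"

    rr=$(mcf_get "$f" smtpd_recipient_restrictions)
    if list_has "$rr" reject_unauth_destination; then
        # Restrictions apply in order: the permit for authenticated clients
        # must precede the reject or they cannot relay.
        p=$(list_pos "$rr" permit_sasl_authenticated)
        if [ -n "$p" ] && [ "$p" -gt "$(list_pos "$rr" reject_unauth_destination)" ]; then
            finding "permit_sasl_authenticated is listed after reject_unauth_destination"
        fi
    else
        finding "smtpd_recipient_restrictions lacks reject_unauth_destination"
    fi
    return $_rc
}

# Constructed sample 1: SMTP-AUTH enabled but plaintext mechanisms still
# allowed, no TLS lines, and no reject_unauth_destination.
WEAK_CF=$(mktemp); HARDENED_CF=$(mktemp)
trap 'rm -f "$WEAK_CF" "$HARDENED_CF"' EXIT
cat >"$WEAK_CF" <<'EOF'
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_tls_auth_only = no
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated
mynetworks = 127.0.0.0/8
EOF
# Constructed sample 2: the hardened form; the repeated parameter and the
# continuation line exercise the parser.
cat >"$HARDENED_CF" <<'EOF'
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous
smtpd_tls_auth_only = yes
smtpd_tls_security_level = none
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/ssl/certs/server.crt
smtpd_tls_key_file = /etc/ssl/private/server.key
smtpd_recipient_restrictions = permit_sasl_authenticated,
    permit_mynetworks, reject_unauth_destination
mynetworks = 127.0.0.0/8, [::1]/128
EOF

for cf in "$WEAK_CF" "$HARDENED_CF"; do
    echo "== $cf"; audit_main_cf "$cf" && echo "OK: no findings"
done
```

Run it against /etc/postfix/main.cf after the postconf commands above; the first sample reports five findings, the second none. Because mcf_get honours Postfix's last-assignment-wins and continuation-line rules, the script gives the same answer as `postconf -n` would for parameters that main.cf sets explicitly; parameters left at their compiled-in defaults come back empty, which is why an unset smtpd_tls_security_level is reported as a finding.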