This document contains notes on how I set up my secure mail server, running on
Red Hat Linux 9. It assumes intermediate system administration ability, and a
familiarity with Red Hat Linux tools and mail server principles. It does not
cover DNS or basic postfix configuration.

The technologies covered are:
  o Dovecot for IMAP
  o Postfix as MTA, including SMTP AUTH for secure relaying
  o Squirrelmail for web mail (with Apache+PHP)
  o SSL setup for all of the above for secure authentication

Please send questions or comments to jeremyp -at- pobox -dot- com.

===============
Overall Setup:

* Firewall adjusted for ports 25, 80, 993, and 465 incoming. (995 for POP3
  would be an optional addition for secure POP3)
* sendmail RPM removed entirely to use postfix instead. You may need to
  install postfix first, then remove sendmail, to avoid dependency problems.
* Postfix configured for basic mail server operation; follow another HOWTO
  for this or see Jason Tower's mail server class notes.
* I also configured procmail and SpamAssassin but don't detail that here.

===============
Dovecot IMAP:

* Downloaded SRC RPM from rawhide: dovecot-0.99.10-6.src.rpm
* Rebuilt with rpmbuild --rebuild; install binary RPM
* Adjusted /etc/dovecot.conf :
    protocols = imaps imap
    imap_listen = 127.0.0.1
    imaps_listen = *
* This allows imap connections for localhost, required for Squirrelmail,
  but all else goes through IMAPS only.
* Set up POP3 if desired; see comments in config file

===============
SSL Certificates for Dovecot and Postfix:

* cd to main directory: /usr/share/ssl/certs
* rm smtp.pem dovecot.pem [these are old versions with wrong info]
* Made new certificates with "make dovecot.pem" and "make smtp.pem"
* Used "mail.example.com" for my CN (Common Name) -- in order to avoid
  errors, this same name should be used in client configuration
* The makefile prompts you for the info, and then puts both the secret key
  and the certificate in that same file. That's fine for smtp.pem, because I
  just pointed everything at the file in /etc/postfix/main.cf
* For dovecot, it was expecting a separate .pem file in the
  /usr/share/ssl/private/ directory. I just copied dovecot.pem over and
  removed the certificate (public key) portion with a text editor. I believe
  that the private key portion could be removed from the one in the certs/
  folder but I'm not sure.
* Made sure all .pem files are mode 0600.

===============
Testing SSL:

* Run at a prompt: openssl s_client -connect localhost:port
  (port is of course 993 for imaps, 465 for smtps)
* Then you can "speak" direct SMTP or IMAP if it connects successfully.
  (analogous to "telnet localhost 25" for SMTP, etc.)
* Check /var/log/maillog and /var/log/messages for error reports.

===============
Apache:

* Made sure 'httpd' and 'mod_ssl' packages were installed from updates tree.
* chkconfig httpd on; service httpd restart
* Followed instructions from RHL 9 manual to set up Apache test (self-signed)
  certificate, with no passphrase:
    http://www.redhat.com/docs/manuals/linux/RHL-9-Manual/custom-guide/s1-secureserver-generatingkey.html
    http://www.redhat.com/docs/manuals/linux/RHL-9-Manual/custom-guide/s1-secureserver-selfsigned.html
  [see entire chapter for overview of SSL stuff]
* Be sure to give the CN [common name] that you will refer to the server by
  from the web; www.example.com in my case.
* service httpd restart; verify with browser: https://www.example.com/

===============
Squirrelmail:

* Installed squirrelmail from RHL 9 updates tree.
* Changed $domain in /etc/squirrelmail/config.php to example.com
  Otherwise the return address doesn't appear correctly in mail sent from SM.
* Changed $default_folder_prefix to ''
  Otherwise you end up with folders like ~user/mail/mail/ which is silly.
* Added this to /etc/httpd/conf.d/squirrelmail.conf :
    SSLRequireSSL
  (this means that users who go to http://www.example.com/webmail/ without
  using https:// will get denied. There are fancier ways to do this; I find
  this method simple and just as effective.)
* Updated the upload_max_filesize parameter in /etc/php.ini . The default
  is 2MB which is pretty small for many file attachment users. If the size
  is exceeded, a nasty error message will result in Squirrelmail.
* service httpd restart
* Make sure users know they should update their "real name" in
  Squirrelmail's "Options" area. I really wish it would pick this up
  automatically :/

===============
Postfix / SASL / SMTP AUTH:

* Postfix had already been configured for normal mail server operation.
  This means that mail was being accepted for the domain on port 25,
  outgoing mail works fine, the server is not an open relay, etc.
* Goal is to allow relaying only when authenticated, and only allow
  authentication while secured behind SSL
* This turned out to be quite annoying, but I finally figured it all out.
  The Postfix RPMs in RHL 9 don't work right. I downloaded
  postfix-2.0.11-5.src.rpm from rawhide and rebuilt with
  "rpmbuild --rebuild"; this worked fine
* Much more information on this topic here; don't be fooled by the strange
  URL, this is an excellent HOWTO:
    https://bugzilla.redhat.com/bugzilla/attachment.cgi?id=94312

===============
My Postfix config changes, besides mail server setup:

* updated master.cf to listen on port 465 for SSL with these lines:
    smtps     inet  n       -       n       -       -       smtpd
      -o smtpd_tls_wrappermode=yes
      -o smtpd_sasl_auth_enable=yes
* created /usr/lib/sasl2/smtpd.conf with the following contents:
    pwcheck_method: saslauthd
* made sure that /usr/lib/sasl/smtpd.conf did not exist (can cause conflicts)
* created /etc/sysconfig/saslauthd with these contents:
    MECH=pam
* service saslauthd start
* created /etc/pam.d/smtp with these contents (this may already exist):
    #%PAM-1.0
    auth       required     /lib/security/pam_stack.so service=system-auth
    account    required     /lib/security/pam_stack.so service=system-auth
* added these lines to /etc/postfix/main.cf to turn everything on:
    #Basic SASL Auth config stuff
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_security_options = noanonymous
    broken_sasl_auth_clients = yes

    #Enable relaying if authenticated
    smtpd_recipient_restrictions = permit_tls_clientcerts,permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination

    #Allow STARTTLS on port 25
    smtpd_use_tls = yes
    smtpd_tls_auth_only = yes

    #Location of SSL certs
    smtpd_tls_key_file = /usr/share/ssl/certs/smtp.pem
    smtpd_tls_cert_file = /usr/share/ssl/certs/smtp.pem
* service postfix restart; check /var/log/maillog and /var/log/messages
* test using openssl as mentioned above, or with a real mail client
* postfix can be put in debug mode by adding "-vv" as options in master.cf
  (for smtp and/or smtps lines)
* saslauthd error messages can be viewed by adding "auth.*" to the
  /var/log/secure section of /etc/syslog.conf; restart syslog after this
  change

===============
Final Notes:

* Be sure that the following services have been enabled with chkconfig:
    - postfix
    - dovecot
    - httpd
    - saslauthd
* Open relay check: http://www.abuse.net/relay.html [don't be a spammer!]
* Obviously much of the above configuration will be different depending on
  what you want, but I hope the above is useful!

Jeremy Portzer
jeremyp -at- pobox -dot- com
Last updated: Monday, October 20, 2003
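The "SSL Certificates for Dovecot and Postfix" section above splits the combined key+certificate file that the /usr/share/ssl/certs Makefile produces by hand in a text editor, and then sets every .pem to mode 0600. The following Python script is an added example (mine, not part of the original notes or of OpenSSL/Dovecot) that does the same split mechanically and audits a directory for key-bearing files that are not 0600. The PEM block labels are the ones OpenSSL writes; SAMPLE_PEM is a constructed placeholder, not a real key or certificate, and the dovecot.pem / private/ layout in demo() mirrors the notes.

```python
"""Split a combined key+certificate PEM file into a certificate-only part
and a private-key-only part, and check that key-bearing files are mode 0600.

Added example; not part of the original notes. SAMPLE_PEM is a constructed
placeholder (no real key material).
"""
import os
import re
import stat
import tempfile

# Constructed sample in the shape the certs/ Makefile produces: key first,
# then the certificate, both in one file.
SAMPLE_PEM = """-----BEGIN RSA PRIVATE KEY-----
CONSTRUCTEDPLACEHOLDERKEYMATERIALNOTAREALKEY0000000000000000000000
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
CONSTRUCTEDPLACEHOLDERCERTIFICATENOTAREALCERT00000000000000000000
-----END CERTIFICATE-----
"""

# Matches one complete PEM block; \1 forces the END label to match the BEGIN label.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\n.*?\n-----END \1-----\n?",
    re.DOTALL,
)


def split_pem(text):
    """Return (certificates, private_keys) as lists of complete PEM blocks."""
    certs, keys = [], []
    for m in PEM_BLOCK.finditer(text):
        label, block = m.group(1), m.group(0)
        if not block.endswith("\n"):
            block += "\n"
        if label.endswith("PRIVATE KEY"):      # "RSA PRIVATE KEY", "PRIVATE KEY", ...
            keys.append(block)
        elif label == "CERTIFICATE":
            certs.append(block)
        # Any other block type (e.g. DH PARAMETERS) is ignored.
    return certs, keys


def write_split(combined_path, cert_path, key_path):
    """Write cert-only and key-only files; the key file is created 0600."""
    with open(combined_path) as f:
        certs, keys = split_pem(f.read())
    if len(certs) != 1 or len(keys) != 1:
        raise ValueError("expected exactly one certificate and one private key")
    with open(cert_path, "w") as f:
        f.write(certs[0])
    # Create the key file already restricted instead of chmod'ing afterwards,
    # so it is never world-readable, even briefly.
    fd = os.open(key_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(keys[0])
    os.chmod(key_path, 0o600)   # override any umask effect on creation
    return certs[0], keys[0]


def has_private_key(path):
    with open(path) as f:
        return bool(split_pem(f.read())[1])


def mode_is_0600(path):
    """True when the file is readable/writable by its owner only."""
    return stat.S_IMODE(os.stat(path).st_mode) == 0o600


def audit_pem_dir(directory):
    """Names of .pem files in directory that hold a private key but are not 0600."""
    bad = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if name.endswith(".pem") and has_private_key(path) and not mode_is_0600(path):
            bad.append(name)
    return bad


def demo():
    """Replay the certs/ vs private/ split from the notes in a temp dir.

    Returns (audit findings before the fix, findings after the fix)."""
    with tempfile.TemporaryDirectory() as tmp:
        combined = os.path.join(tmp, "dovecot.pem")
        with open(combined, "w") as f:
            f.write(SAMPLE_PEM)
        os.chmod(combined, 0o644)              # deliberately too permissive
        before = audit_pem_dir(tmp)            # flags dovecot.pem
        private_dir = os.path.join(tmp, "private")
        os.mkdir(private_dir)
        write_split(combined, os.path.join(tmp, "dovecot-cert.pem"),
                    os.path.join(private_dir, "dovecot.pem"))
        os.chmod(combined, 0o600)              # "made sure all .pem files are mode 0600"
        after = audit_pem_dir(tmp) + audit_pem_dir(private_dir)
        return before, after


if __name__ == "__main__":
    print(demo())
```

The audit only complains about files that actually contain a private key, so a certificate-only file in certs/ may stay world-readable (Squirrelmail's IMAP client and other local tools need to read it), while anything holding a key must be 0600.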
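The main.cf lines in the "My Postfix config changes" section above encode three security decisions: AUTH is offered only after STARTTLS (smtpd_tls_auth_only), anonymous SASL mechanisms are refused (noanonymous), and relaying is granted to authenticated clients before reject_unauth_destination closes the door to everyone else. The script below is an added example (mine, not part of the notes or of Postfix) that parses a main.cf the way Postfix reads it (comments, and continuation lines that start with whitespace) and reports when any of those decisions is missing or in the wrong order. GOOD_CF is the author's own block from the notes; WEAK_CF is a constructed variant with the settings relaxed, to show what gets flagged.

```python
"""Audit the SMTP AUTH / TLS / relay settings in a Postfix main.cf.

Added example; not part of the original notes or of Postfix. GOOD_CF is the
main.cf fragment from the notes; WEAK_CF is a constructed weakened variant.
"""
import re

GOOD_CF = """#Basic SASL Auth config stuff
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
#Enable relaying if authenticated
smtpd_recipient_restrictions = permit_tls_clientcerts,permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
#Allow STARTTLS on port 25
smtpd_use_tls = yes
smtpd_tls_auth_only = yes
#Location of SSL certs
smtpd_tls_key_file = /usr/share/ssl/certs/smtp.pem
smtpd_tls_cert_file = /usr/share/ssl/certs/smtp.pem
"""

# Constructed: AUTH allowed in the clear, noanonymous dropped, an open relay
# (no reject_unauth_destination, and a bare "permit"), and no key file.
WEAK_CF = """smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noplaintext
smtpd_recipient_restrictions =
    permit_sasl_authenticated,
    permit_mynetworks,
    permit
smtpd_use_tls = yes
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /usr/share/ssl/certs/smtp.pem
"""


def parse_main_cf(text):
    """Parse 'key = value' lines into a dict. A line starting with whitespace
    continues the previous parameter; '#' lines are comments."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and current is not None:
            params[current] += " " + raw.strip()
            continue
        key, sep, value = raw.partition("=")
        if not sep:
            continue
        current = key.strip()
        params[current] = value.strip()
    return params


def split_list(value):
    """Postfix list values may be separated by commas and/or whitespace."""
    return [item for item in re.split(r"[,\s]+", value) if item]


def audit(params):
    """Return a list of findings (empty when the config matches the notes' intent)."""
    findings = []
    if params.get("smtpd_sasl_auth_enable", "no") != "yes":
        findings.append("SMTP AUTH is not enabled (smtpd_sasl_auth_enable)")
    if params.get("smtpd_use_tls", "no") != "yes":
        findings.append("STARTTLS is not offered (smtpd_use_tls)")
    if params.get("smtpd_tls_auth_only", "no") != "yes":
        findings.append("AUTH is offered on unencrypted connections; "
                        "passwords can cross the wire in the clear "
                        "(set smtpd_tls_auth_only = yes)")
    # Postfix's built-in default for this parameter is "noanonymous", so only
    # an explicit setting that drops it is a finding.
    if "smtpd_sasl_security_options" in params:
        if "noanonymous" not in split_list(params["smtpd_sasl_security_options"]):
            findings.append("anonymous SASL mechanisms allowed "
                            "(smtpd_sasl_security_options lacks noanonymous)")
    restr = split_list(params.get("smtpd_recipient_restrictions", ""))
    if "reject_unauth_destination" not in restr:
        findings.append("open relay: smtpd_recipient_restrictions lacks "
                        "reject_unauth_destination")
    else:
        before = restr[:restr.index("reject_unauth_destination")]
        if "permit" in before:
            findings.append("open relay: unconditional 'permit' precedes "
                            "reject_unauth_destination")
        if "permit_sasl_authenticated" not in before:
            findings.append("authenticated users cannot relay: "
                            "permit_sasl_authenticated must precede "
                            "reject_unauth_destination")
    for key in ("smtpd_tls_cert_file", "smtpd_tls_key_file"):
        if not params.get(key):
            findings.append("%s is not set" % key)
    return findings


if __name__ == "__main__":
    for name, text in (("GOOD_CF", GOOD_CF), ("WEAK_CF", WEAK_CF)):
        print(name, audit(parse_main_cf(text)) or "OK")
```

Run it against a real file with `audit(parse_main_cf(open("/etc/postfix/main.cf").read()))`. Note that it only reads main.cf: the `-o` overrides on the smtps line in master.cf are not consulted, so the port 465 listener still needs its own check (the openssl s_client test from the "Testing SSL" section).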