SMTP Authentication And Encryption help

#1 Sat, 05/23/2009 - 19:11
marciano

SMTP Authentication And Encryption help

Hello, I was reading some posts here but I am still confused. I'm not strong on these issues. I have a dedicated server (Fedora 8) with a few virtual hosts. I need to secure Postfix SMTP and enable TLS encryption to prevent spam being sent by potential hijackers. The only certificate I have installed is one I created with the Webmin module to access the control panel via https. I need some basic data on how to start on this: which kind of certificate I need, and whether the free one from startssl.com would be enough. Thanks a lot in advance.

PS: from startssl.com I have ssl.key (decrypted), ssl.crt and ssl.csr

Sun, 05/24/2009 - 04:47
andreychek

Howdy,

Well, there is a self-signed certificate installed and setup for you by default within Postfix.

To start using it, you only need enable SMTPS and Submission in Postfix (which use ports 465 and 587).

To do that, you can uncomment the lines described here:

http://www.virtualmin.com/forums/help-home-for-newbies/re:authentication...

When you restart Postfix, you can then configure your email client to use a secure connection with your outgoing SMTP.

If you ever opt to buy a commercial SSL certificate, you can always use that in place of the existing self-signed cert.
-Eric

Sun, 05/24/2009 - 05:07 (Reply to #2)
marciano

Hello Eric, thanks for your reply.
At the same time you were posting it I was editing my first one.
Would it be better to use those files from startssl.com than those already installed?
Thank you

Sun, 05/24/2009 - 05:10 (Reply to #3)
marciano

(I couldn't edit my last post -> "Oops! You've hit a bug in the forum software. We already know about the problem. Apologies for the inconvenience.")

So I have to open those ports for outbound in my apf firewall...

Sun, 05/24/2009 - 05:15 (Reply to #4)
marciano

EG_TCP_CPORTS="21,25,80,443,43,465,587"
UDP too?

Mon, 05/25/2009 - 19:52 (Reply to #5)
andreychek

No, they're only TCP ports.

I'm not really familiar with startssl certificates. If it's free, then no, there wouldn't really be an advantage to that over what's already available in Postfix.
-Eric

Mon, 05/25/2009 - 22:16 (Reply to #6)
Joe

Actually, it looks like they <i>are</i> accepted by browsers. I assume they are chained certificates, similar to the ones GoDaddy and others sell for ten to twenty bucks per year. I dunno. Research would be needed. But they look like actual certificates with real browser support.

Tue, 05/26/2009 - 15:29 (Reply to #7)
marciano

Eric,

Yes, Postfix has been restarted. From the maillog I also got this:
daemon started -- version 2.5.5, configuration /etc/postfix
May 26 17:16:55 postfix/qmgr[15645]: warning: bounce_queue_lifetime is larger than maximal_queue_lifetime - adjusting bounce_queue_lifetime

tcp 0 0 0.0.0.0:465 0.0.0.0:* LISTEN

Tue, 05/26/2009 - 16:22 (Reply to #8)
andreychek

Can you verify that port 465 is visible externally?

You can try telnet'ing into that port from another system, for example.
-Eric

Wed, 05/27/2009 - 09:53 (Reply to #9)
marciano

There's a problem here.
From local
% telnet localhost 465
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Connection closed by foreign host.

From outside it is the same, replacing localhost with domain.com
Thank you

Wed, 05/27/2009 - 09:54 (Reply to #10)
andreychek

Yup, that shouldn't disconnect.

So what shows up in the email log whenever you try connecting like that?
-Eric

Wed, 05/27/2009 - 10:04 (Reply to #11)
marciano

warning: No server certs available. TLS won't be enabled
May 27 16:02:58 postfix/smtpd[4117]: connect from unknown[***]
May 27 19:02:58 postfix/smtpd[4117]: warning: Wrapper-mode request dropped from unknown[***] for service smtps. TLS context initialization failed. For details see earlier warnings in your logs.
May 27 19:02:58 postfix/smtpd[4117]: disconnect from unknown[***]

Wed, 05/27/2009 - 13:20 (Reply to #12)
andreychek

It sounds like your Postfix main.cf file may be awry.

You may want to look in there and make sure that the SSL/TLS goodies are setup correctly.

That's normally done for you when installing Virtualmin with the install.sh -- if you installed manually, then those may not be setup yet.

If you aren't certain what's wrong, you could always post your /etc/postfix/main.cf file.
-Eric

Wed, 05/27/2009 - 15:36 (Reply to #13)
marciano

Eric,
This file has been modified a few times but I don't remember if it came from the Virtualmin installation.
Thank you.

command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
unknown_local_recipient_reject_code = 550
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
debug_peer_level = 2
debugger_command =
    PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
    xxgdb $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail.postfix
newaliases_path = /usr/bin/newaliases.postfix
mailq_path = /usr/bin/mailq.postfix
setgid_group = postdrop
html_directory = no
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/postfix-2.5.5/samples
readme_directory = /usr/share/doc/postfix-2.5.5/README_FILES

virtual_alias_maps = hash:/etc/postfix/virtual
home_mailbox = Maildir/
mail_spool_directory = /var/spool/mail

#mailbox_command = /usr/bin/procmail -t /etc/procmailrc
#mailbox_command = procmail-wrapper -o -a $DOMAIN -d $LOGNAME
#mailbox_command = procmail -a "$EXTENSION"
#mailbox_command = procmail -t /etc/procmailrc
ipc_idle = 10s
notify_classes = resource, software
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_local_domain = $myhostname
#
#smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
#relayhost = [mail.***.com]

######### from http://www.cyberciti.biz/tips/postfix-spam-filtering-with-blacklists-how...
queue_directory = /var/spool/postfix
mail_owner = postfix
data_directory = /var/lib/postfix

#added March 6, 2009
#inet_interfaces = localhost
#inet_protocols = all
proxywrite_service_name = proxywrite
maximal_queue_lifetime = 2d

smtpd_error_sleep_time = 1s
smtpd_soft_error_limit = 10
smtpd_hard_error_limit = 20

Wed, 05/27/2009 - 16:42 (Reply to #14)
andreychek

Oh, and before I tear into your config too much, are you running saslauthd?

If not, you need to have that up and running:

/etc/init.d/saslauthd start

Wed, 05/27/2009 - 16:55 (Reply to #15)
marciano

You were right, it was not running.
Anyway, there are still errors when sending mail over SSL (465)

May 27 22:50:35 postfix/smtpd[686]: warning: No server certs available. TLS won't be enabled
May 27 22:50:35 postfix/smtpd[686]: connect from unknown[***]
May 28 01:50:35 postfix/smtpd[686]: warning: Wrapper-mode request dropped from unknown[***] for service smtps. TLS context initialization failed. For details see earlier warnings in your logs.

Sun, 06/07/2009 - 07:56 (Reply to #16)
andreychek

It looks like you're missing the SSL key/cert.

I have all these set in my config:

[code:1]
# TLS parameters
smtpd_tls_cert_file = /path/to/ssl.cert
smtpd_tls_key_file = /path/to/ssl.key
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
[/code:1]

Thu, 05/28/2009 - 16:18 (Reply to #17)
marciano

I understand what you say.
Just another thought.
Is it possible to limit the amount of mail sent to external servers, let's say 100/hour, for every user (except the 'newsletter' user)?
Would it be possible to, at least, drastically slow down possible junk deliveries?
I check a report I receive every 12 hours with added or changed files in /home, /etc, /usr and /tmp, so I can detect scripts hijackers may put in here.
I think that in the worst case a thousand spam mails would be sent during this period instead of several thousand until I discover the harmful script.
What do you think?
Thanks for your time Eric.

Tue, 05/26/2009 - 11:34
marciano

... and inbound
IG_TCP_CPORTS="21,22,25,53,80,110,143,443,10000,20000,30000_32000,465,587"

I also have added these lines to master.cf

submission inet n - - - - smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
smtps inet n - - - - smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING

As I understand it, this is a secure way to send mail from a client. Isn't it?
Actually I want to prevent any stranger's script from sending bulk mail using mail() from a PHP script or something similar.
Anyway, after performing those changes in master.cf and conf.apf (restarted both)
I've set my client's SMTP server (Thunderbird mail) to SSL and port 465. Then I get:
"The server is refusing SMTP connections"
Returning to 'TLS if available', sending goes well.
Thank you both Joe and Eric
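An added example, not code from the thread or from Virtualmin, that ties together the master.cf above, the main.cf marciano posted earlier and the TLS parameters andreychek listed: a Python checker that parses both files the way Postfix reads them and predicts the two log warnings from this thread ("No server certs available" and "Wrapper-mode request dropped"), while also confirming that each smtpd service still refuses to relay for unauthenticated clients. The embedded configurations are constructed from the fragments in the thread; the certificate paths are the page's own placeholders.

```python
"""Preflight check for the Postfix submission/SMTPS setup discussed in this thread.

Added example, not from the thread or Virtualmin. Reads main.cf and master.cf for
the parameters that matter here and predicts the two symptoms seen above:
  'No server certs available. TLS won't be enabled'   -> smtpd_tls_cert_file/key unset
  'Wrapper-mode request dropped ... for service smtps' -> smtps wrapper mode, no TLS context
It also checks that every smtpd service still closes the relay and which SASL
backend is selected. Relay logic follows Postfix 2.5 (the thread's version).
Sample configurations are constructed from the fragments posted in the thread.
"""

MAIN_CF_THREAD = """\
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
data_directory = /var/lib/postfix
"""

TLS_PARAMS = """\
# TLS parameters (the block andreychek posted; paths are placeholders)
smtpd_tls_cert_file = /path/to/ssl.cert
smtpd_tls_key_file = /path/to/ssl.key
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
"""

MASTER_CF_THREAD = """\
smtp       inet  n       -       n       -       -       smtpd
submission inet  n       -       -       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
smtps      inet  n       -       -       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
"""


def parse_main_cf(text):
    """main.cf -> dict; skips '#' comments, joins indented continuation lines."""
    params, key = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and key is not None:
            params[key] = (params[key] + " " + raw.strip()).strip()
            continue
        name, sep, value = raw.partition("=")
        if sep:
            key = name.strip()
            params[key] = value.strip()
    return params


def parse_master_cf(text):
    """master.cf -> {service: {'command': ..., 'overrides': {...}}}. Option lines
    ('-o name=value') are normally indented; a bare '-o' is accepted too because
    web copies, like the one in this thread, often lose the indentation."""
    services, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if (raw[0] in " \t" or line.startswith("-o")) and current is not None:
            tokens = line.split()
            if len(tokens) >= 2 and tokens[0] == "-o":
                name, _, value = tokens[1].partition("=")
                services[current]["overrides"][name] = value
            continue
        fields = line.split()
        if len(fields) >= 8:                      # name type private unpriv chroot wakeup maxproc command
            current = fields[0]
            services[current] = {"command": fields[7], "overrides": {}}
    return services


def check_submission_setup(main_text, master_text):
    """Return findings for every smtpd service; empty list when consistent."""
    main, findings = parse_main_cf(main_text), []
    for name, svc in parse_master_cf(master_text).items():
        if svc["command"] != "smtpd":
            continue
        eff = {**main, **svc["overrides"]}        # -o options win for this service
        wrapper = eff.get("smtpd_tls_wrappermode") == "yes"
        wants_tls = wrapper or eff.get("smtpd_use_tls") == "yes" \
            or eff.get("smtpd_tls_security_level") in ("may", "encrypt")
        has_certs = bool(eff.get("smtpd_tls_cert_file")) and bool(eff.get("smtpd_tls_key_file"))
        if wants_tls and not has_certs:
            findings.append(f"{name}: TLS requested but smtpd_tls_cert_file/smtpd_tls_key_file unset"
                            " -> 'No server certs available. TLS won't be enabled'")
            if wrapper:
                findings.append(f"{name}: wrapper mode has no TLS context, every connection is"
                                " closed at once -> 'Wrapper-mode request dropped'")
        # Relay control: reject_unauth_destination in the recipient restrictions, or a
        # client restriction list closed by an unconditional 'reject' (the submission pattern).
        recipient = eff.get("smtpd_recipient_restrictions",
                            "permit_mynetworks reject_unauth_destination")   # Postfix default
        rcpt = recipient.replace(",", " ").split()
        client = eff.get("smtpd_client_restrictions", "").replace(",", " ").split()
        if not {"reject_unauth_destination", "defer_unauth_destination"} & set(rcpt) \
                and "reject" not in client:
            findings.append(f"{name}: no reject_unauth_destination and no closing 'reject' in"
                            " smtpd_client_restrictions -> open relay")
        sasl_on = eff.get("smtpd_sasl_auth_enable") == "yes"
        if "permit_sasl_authenticated" in rcpt + client and not sasl_on:
            findings.append(f"{name}: permit_sasl_authenticated used but smtpd_sasl_auth_enable != yes")
        if sasl_on and eff.get("smtpd_sasl_type", "cyrus") == "cyrus":   # cyrus is the default
            findings.append(f"{name}: Cyrus SASL selected -> saslauthd must be running"
                            " (smtpd_sasl_type = dovecot would use Dovecot's auth socket instead)")
    return findings


if __name__ == "__main__":
    for finding in check_submission_setup(MAIN_CF_THREAD, MASTER_CF_THREAD):
        print(finding)
```

Run it against real files with `check_submission_setup(open('/etc/postfix/main.cf').read(), open('/etc/postfix/master.cf').read())`. The relay check follows Postfix 2.5 semantics, the version in the thread; on Postfix 2.10 and later smtpd_relay_restrictions also takes part, so a hit there deserves a second look rather than an automatic alarm.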

Tue, 05/26/2009 - 14:22 (Reply to #19)
andreychek

So you said you restarted Postfix after making those changes to the master.cf file?

If you log in over SSH, and type "netstat -an | grep :465" -- do you get any output?

Enabling the above allows remote clients to securely connect to your server, over both an authenticated and encrypted connection, to send email.
-Eric

Thu, 05/28/2009 - 06:55
marciano

Ah, that went okay. Thanks!

I am looking at the headers of both received test mails, sent with and without SSL.
The noticeable thing was that the mail sent with the cert does not contain SpamAssassin filtering headers like the other one sent without the cert:
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
cl-t102-130cl.privatedns.com
X-Spam-Level:
X-Spam-Status: No, score=-104.3 required=5.0 tests=ALL_TRUSTED,AWL,BAYES_00,
HTML_MESSAGE,MIME_HTML_MOSTLY,USER_IN_WHITELIST autolearn=ham version=3.2.5

Do I care about this?

Thu, 05/28/2009 - 07:04
marciano

And back to my first post.
Is it possible to force every user to send mail using SSL?
Is it worth it, to prevent massive spam sending from a strange script (PHP, CGI or other)?
Or there's another way to prevent this devil?
Thanks again.

Thu, 05/28/2009 - 11:19 (Reply to #22)
andreychek

> Is it possible to force every user to send mail using ssl?

Is it possible? I dunno, maybe :-)

Would this be reasonable?

Probably not :-)

Too many things rely on email being available without authentication. Cron, for example. Also, any PHP app that uses the mail() function would likely break (which is quite a bunch of them).

And plus, it doesn't prevent an attacker from hijacking an app that does authenticate, and using that to send out their spam.

I think the simpler and more scalable way of solving that is to just keep your system security updates recent, and make sure that web apps running on your server are all up to date as well :-)
-Eric

Thu, 05/28/2009 - 18:19
marciano

Another related question.
Squirrelmail was installed before the Virtualmin installation so it isn't listed in the virtual hosts.
I also want to force users to log in with SSL.
Lots of forums I've read mention a file ssl.conf, which I do not have in /etc/httpd/conf.d
I made a try using the same crt and key files as for SMTP SSL
I changed 80 to 443 and added the ssl module

<VirtualHost *:443>
<IfModule mod_ssl.c>
SSLEngine on
SSLCertificateFile /path/to/ssl.crt
SSLCertificateKeyFile /path/to/ssl.key
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
</IfModule>
....
and restarted httpd
Going to https://mail.domain.com I got error 404
Is there something missing/wrong?
Thanks again!

Thu, 05/28/2009 - 19:59 (Reply to #24)
andreychek

I'm not super-familiar with the ins and outs of rate limiting. You have some options there, but they aren't all that flexible as of yet.

Here's some ideas to get you started:

http://www.irbs.net/internet/postfix/0809/0160.html

Regarding SSL -- it's hard to say what the exact problem is, since now you have a variety of Virtualmin and non-Virtualmin created VirtualHosts.

But, you may be missing a ServerName in that config. Also, using a * in the VirtualHost config can cause trouble; you'd probably be better off explicitly setting an IP address.

More on all that here:

http://www.virtualmin.com/documentation/id,troubleshooting_common_proble...
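As an added example of the per-user limit marciano asks for above (not code from the thread or from Virtualmin): a Postfix SMTPD policy server that allows each SASL login 100 recipients per sliding hour and exempts the 'newsletter' login. The request/response format is Postfix's own policy delegation protocol (SMTPD_POLICY_README); the listening address 127.0.0.1:10031, the check_policy_service wiring shown in the docstring and the sample requests are assumptions. Two caveats worth stating: the service only sees mail that enters through smtpd (ports 25, 465, 587), so a hijacked PHP script calling mail(), which injects through the sendmail binary and pickup(8), bypasses it entirely, which is the limitation andreychek points at; and the server must answer DUNNO, not OK, for traffic under the limit, or it would short-circuit reject_unauth_destination and turn the box into an open relay.

```python
"""Hourly per-sender recipient limit as a Postfix SMTPD policy server.

Added example, not code from this thread or from Virtualmin. Postfix's policy
delegation protocol (SMTPD_POLICY_README) sends one request per RCPT TO as
'name=value' lines ended by an empty line and expects 'action=<result>' plus an
empty line back. Wiring assumed here (not from the thread):

    main.cf:  smtpd_recipient_restrictions = permit_mynetworks,
                  check_policy_service inet:127.0.0.1:10031,
                  permit_sasl_authenticated, reject_unauth_destination

Only mail that enters through smtpd is counted; PHP mail() hands mail to the
sendmail binary, which goes through pickup(8) and never reaches this service.
"""
import socketserver
import threading
import time
from collections import defaultdict, deque

LIMIT = 100                       # recipients per sender per window (the thread's 100/hour)
WINDOW = 3600.0                   # seconds
EXEMPT_LOGINS = {"newsletter"}    # SASL logins that are never limited


class RateLimiter:
    def __init__(self, limit=LIMIT, window=WINDOW, exempt=EXEMPT_LOGINS):
        self.limit, self.window, self.exempt = limit, window, set(exempt)
        self.seen = defaultdict(deque)       # key -> timestamps of counted recipients
        self.lock = threading.Lock()

    @staticmethod
    def key_for(req):
        """Authenticated submissions are keyed by login, everything else by client IP."""
        user = req.get("sasl_username", "")
        return ("user", user) if user else ("ip", req.get("client_address", "unknown"))

    def decide(self, req, now=None):
        """Return the Postfix action for one policy request."""
        now = time.time() if now is None else now
        # Only act at RCPT time; other protocol states carry no recipient to count.
        if req.get("request") != "smtpd_access_policy" or req.get("protocol_state") != "RCPT":
            return "DUNNO"
        kind, ident = self.key_for(req)
        if kind == "user" and ident in self.exempt:
            return "DUNNO"
        with self.lock:
            q = self.seen[(kind, ident)]
            while q and now - q[0] >= self.window:   # slide the window forward
                q.popleft()
            if len(q) >= self.limit:
                # Temporary failure: a legitimate client retries, a spam run is throttled.
                return f"DEFER_IF_PERMIT 4.7.1 Too many recipients from {ident} in the last hour"
            q.append(now)
        # DUNNO hands the decision to the next restriction. Never answer OK here:
        # OK would permit relaying for anyone under the limit.
        return "DUNNO"


def parse_request(raw):
    """Turn the 'name=value\\n...\\n\\n' request text into a dict."""
    req = {}
    for line in raw.splitlines():
        if not line:
            break
        name, sep, value = line.partition("=")
        if sep:
            req[name] = value
    return req


class PolicyHandler(socketserver.StreamRequestHandler):
    limiter = RateLimiter()                  # shared across connections and threads

    def handle(self):
        while True:                          # Postfix reuses one connection for many requests
            lines = []
            for line in self.rfile:
                text = line.decode("utf-8", "replace").rstrip("\r\n")
                if not text:
                    break
                lines.append(text)
            if not lines:
                return                       # peer closed the connection
            action = self.limiter.decide(parse_request("\n".join(lines) + "\n"))
            self.wfile.write(f"action={action}\n\n".encode())
            self.wfile.flush()


if __name__ == "__main__":
    socketserver.ThreadingTCPServer.allow_reuse_address = True
    with socketserver.ThreadingTCPServer(("127.0.0.1", 10031), PolicyHandler) as server:
        server.serve_forever()
```

The counters live in memory, so the limit resets when the daemon restarts; for a single box that is usually acceptable, and it is why the service is run as a standalone listener rather than spawned by master.cf per connection, which would lose the state on every smtpd session.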

Fri, 05/29/2009 - 09:11
marciano

ServerName exists but I didn't post it.
I'm not strong on these issues.
Tell me please if I am right.
In Virtualmin Apache Networking and Protocols
***.***.***.***:80
Listen on addresses and ports
All -- 80 (Listen *:80)
All -- 443 (Listen *:443)

Virtual host for squirrelmail
<VirtualHost ***.***.***.***:443>
ServerName mail.domain.com
ServerAdmin me@gmail.com
ServerAlias ......lot of them......
<IfModule mod_ssl.c>
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM
SSLCertificateFile /path/to/ssl.crt
SSLCertificateKeyFile /path/to/ssl.key
SSLCertificateChainFile /path/to/sub.class1.server.ca.pem
SSLCACertificateFile /path/to/ca.pem
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
</IfModule>
DocumentRoot /usr/share/squirrelmail
ErrorLog /home/squirrelmail/logs/error_log
CustomLog /home/squirrelmail/logs/access_log common
</VirtualHost>
From FFox at https://mail.domain.com
Data Transfer Interrupted
The connection to mail.domain.com was interrupted while the page was loading.
The browser connected successfully, but the connection was interrupted while transferring information. Please try again.
I suspect something about the certificate. Must it be public?
What do you think?
Thank you.

Fri, 05/29/2009 - 09:15 (Reply to #26)
andreychek

Two things --

First, anywhere you see *:80 or *:443, I'd change it to x.y.z.q:80 and x.y.z.q:443 -- using your IP address rather than a *. That includes the "Listen" sections mentioned above.

Second, it looks like you have two SSLCertificateFile lines mentioned above. I see both:

[code:1]
SSLCertificateFile /path/to/ssl.crt
SSLCACertificateFile /path/to/ca.pem
[/code:1]

I suspect the first is the one you want, I'd comment the second out.
-Eric

Fri, 05/29/2009 - 09:19 (Reply to #27)
andreychek

Oh whoops, those aren't the same things!

They looked the same at first glance :-)

Okay, so ignore my second batch of advice.

If you restart Apache, do you see any errors in the error log regarding the SSL certificates?

Also, when attempting to connect to your site, do any errors show up?
-Eric

Fri, 05/29/2009 - 09:46
marciano

Yes, I had substituted all * before the ports except in the Listen lines (VMin put them that way)
How can I set it (t.x.y.z) by default in Virtualmin?
I mean <VirtualHost t.x.y.z:80> instead of *:80

From httpd/error_log (this is when restarting apache)

[Fri May 29 15:36:00 2009] [notice] caught SIGTERM, shutting down
[Fri May 29 15:36:01 2009] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Fri May 29 15:36:01 2009] [notice] Digest: generating secret for digest authentication ...
[Fri May 29 15:36:01 2009] [notice] Digest: done
[Fri May 29 15:36:01 2009] [notice] Apache/2.2.9 (Unix) PHP/5.2.6 configured -- resuming normal operations

And from the mail.domain.com (squirrelmail) error log, these irrelevant records
[Thu May 28 16:01:19 2009] [error] [client 190.64.58.204] File does not exist: /usr/share/squirrelmail/favicon.ico
[Fri May 29 07:33:27 2009] [error] [client 216.129.119.44] File does not exist: /usr/share/squirrelmail/robots.txt

Thank you

Fri, 05/29/2009 - 09:56 (Reply to #29)
andreychek

Well, Virtualmin uses the IP address by default -- if there is a * in there, it's a remnant from before Virtualmin got there ;-)

As far as the error logs go -- yeah, that all looks fine.

If it's not working, I'd double-check all of your SSL files/settings.
-Eric

Fri, 05/29/2009 - 11:51
marciano

Mmmm. I don't see the ssl module loaded in httpd.conf
Apache 2.2.9 seems not to have this module
I only found
/usr/libexec/webmin/apache/mod_ssl.pl
/usr/lib/libssl.a
/usr/lib/libssl.so
/usr/lib/libssl3.so
/lib/libssl.so.0.9.8b
/lib/libssl.so.6
Thanks.

Fri, 05/29/2009 - 12:49
marciano

Well, I have installed mod_ssl from Webmin.
Things are getting worse, well, different at least.
I had to comment out Listen 443 because of
Starting httpd: (98)Address already in use: make_sock: could not bind to address [::]:443
(98)Address already in use: make_sock: could not bind to address 0.0.0.0:443
no listening sockets available, shutting down
Unable to open logs
A new virtual host was created
'Processes all requests not handled by other virtual servers.'
over port 443 that causes overlapping
Starting httpd: [Fri May 29 18:30:51 2009] [warn] _default_ VirtualHost overlap on port 443, the first has precedence

Fri, 05/29/2009 - 12:55 (Reply to #32)
marciano

Sorry, the 'new' host was my fault

Sun, 06/07/2009 - 07:56
marciano

Moving the things from httpd.conf to the new ssl.conf,
here is its content

LoadModule ssl_module modules/mod_ssl.so
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
SSLPassPhraseDialog builtin
SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout 300
SSLMutex default
SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin

<VirtualHost **.**.**.**:443>

ServerName mail.domain.com
DocumentRoot /usr/share/squirrelmail
ErrorLog /home/squirrelmail/logs/error_log
CustomLog /home/squirrelmail/logs/access_log common
LogLevel warn

SSLEngine on
SSLProtocol all -SSLv2
# +LOW admits 56-bit and other weak ciphers; HIGH:MEDIUM without LOW is the safer list
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW

#SSLCertificateFile /etc/pki/tls/certs/localhost.crt
#SSLCertificateKeyFile /etc/pki/tls/private/localhost.key

SSLCertificateFile /path/to/ssl.crt
SSLCertificateKeyFile /path/to/ssl.key
SSLCertificateChainFile /path/to/sub.class1.server.ca.pem
SSLCACertificateFile /path/to/ca.pem

<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</Files>
<Directory /usr/share/squirrelmail/var/www/cgi-bin>
SSLOptions +StdEnvVars
</Directory>

SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0

CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>

I am checking here http://www.digicert.com/help/index.htm
how things are going.
I first left those certs at /etc/pki and couldn't connect
Then I used those uncommented at /path/to...

Fri, 05/29/2009 - 13:47
marciano

#openssl s_client -connect localhost:443 -state -debug
socket: Connection refused
connect:errno=29

Fri, 05/29/2009 - 14:09 (Reply to #36)
marciano

It seems it is a domain issue inside the certificate

Fri, 05/29/2009 - 14:36
marciano

After restarting Apache, the error_log of mail.domain.com displays twice:

[Fri May 29 19:52:49 2009] [warn] RSA server certificate CommonName (CN) `mail.domain.com' does NOT match server name!?
[Fri May 29 19:52:49 2009] [warn] RSA server certificate CommonName (CN) `mail.domain.com' does NOT match server name!?

I created a new cert & key for exactly mail.domain.com
I don't get these errors anymore but I still cannot connect to SSL
Help please!

Fri, 05/29/2009 - 14:55
marciano

Halleluja!!
That Listen 443 was the fault: it was placed in httpd.conf
It has to be moved to ssl.conf

Thanks a lot!!!
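Added example, not code from the thread or from Virtualmin, for the Apache side of this thread: a script that audits a set of httpd configuration files for the two conditions behind the errors marciano hit, a duplicated Listen address:port (the 'Address already in use: make_sock' failure fixed in the last post) and two VirtualHosts sharing an address:port with no NameVirtualHost for it (the '_default_ VirtualHost overlap on port 443' warning). The configuration texts are constructed to reproduce the thread's state; 203.0.113.10 is a documentation address standing in for the server's IP.

```python
"""Audit of the Apache Listen / VirtualHost layout that broke in this thread.

Added example, not code from the thread or from Virtualmin. Scans Apache 2.2
configuration files and reports the two conditions whose error messages appear
above: one address:port in two Listen directives ('(98)Address already in use:
make_sock') and two VirtualHosts on one address:port with no NameVirtualHost for
it ('VirtualHost overlap on port N, the first has precedence'). The texts below
are constructed to reproduce the thread; 203.0.113.10 is a documentation address.
"""
import re
from collections import defaultdict

LISTEN_RE = re.compile(r"^\s*Listen\s+(\S+)", re.IGNORECASE)
VHOST_RE = re.compile(r"^\s*<VirtualHost\s+([^>]+)>", re.IGNORECASE)
NVH_RE = re.compile(r"^\s*NameVirtualHost\s+(\S+)", re.IGNORECASE)

HTTPD_CONF_BROKEN = """\
Listen *:80
Listen 443
NameVirtualHost *:80
<VirtualHost *:80>
    ServerName www.domain.com
</VirtualHost>
<VirtualHost *:443>
    ServerName domain.com
</VirtualHost>
"""

SSL_CONF = """\
LoadModule ssl_module modules/mod_ssl.so
Listen 443
<VirtualHost _default_:443>
    SSLEngine on
</VirtualHost>
<VirtualHost 203.0.113.10:443>
    ServerName mail.domain.com
    SSLEngine on
</VirtualHost>
"""

HTTPD_CONF_FIXED = """\
Listen *:80
NameVirtualHost *:80
<VirtualHost *:80>
    ServerName www.domain.com
</VirtualHost>
"""


def normalize_addr(spec):
    """'443' -> ('*', 443); '1.2.3.4:443' -> ('1.2.3.4', 443); '_default_:443' and
    '*:443' -> ('*', 443); '[::1]:443' -> ('[::1]', 443); no port -> (host, None)."""
    spec = spec.strip()
    if spec.isdigit():
        return ("*", int(spec))
    m = re.match(r"^(\[[^\]]+\]|[^:]+)(?::(\d+|\*))?$", spec)
    if not m:
        return (spec, None)
    host, port = m.group(1), m.group(2)
    host = "*" if host == "_default_" else host       # Apache treats both as the catch-all
    return (host, int(port) if port and port != "*" else None)


def audit_apache(files):
    """files: {path: text}. Returns a list of findings, empty when the layout is clean."""
    listens, vhosts, named = defaultdict(list), defaultdict(list), set()
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            where = f"{path}:{lineno}"
            if m := LISTEN_RE.match(line):
                listens[normalize_addr(m.group(1))].append(where)
            elif m := VHOST_RE.match(line):
                for spec in m.group(1).split():          # <VirtualHost a:443 b:443> lists several
                    vhosts[normalize_addr(spec)].append(where)
            elif m := NVH_RE.match(line):
                named.add(normalize_addr(m.group(1)))
    findings = []
    for (addr, port), places in listens.items():
        if len(places) > 1:
            findings.append(f"Listen {addr}:{port} given {len(places)} times ({', '.join(places)})"
                            " -> '(98)Address already in use: make_sock: could not bind to address'")
    ports = defaultdict(set)
    for addr, port in listens:
        ports[port].add(addr)
    for port, addrs in ports.items():
        if "*" in addrs and len(addrs) > 1:
            findings.append(f"port {port}: wildcard Listen mixed with {sorted(addrs - {'*'})};"
                            " pick one form (the thread's advice: the real IP everywhere)")
    for (addr, port), places in vhosts.items():
        if port is None:
            continue
        if port not in ports:
            findings.append(f"<VirtualHost {addr}:{port}> at {places[0]} has no Listen for port {port}")
        if len(places) > 1 and (addr, port) not in named:
            findings.append(f"{len(places)} VirtualHosts on {addr}:{port} and no NameVirtualHost"
                            f" {addr}:{port} ({', '.join(places)}) -> 'VirtualHost overlap on port"
                            f" {port}, the first has precedence'")
    return findings


if __name__ == "__main__":
    for finding in audit_apache({"httpd.conf": HTTPD_CONF_BROKEN, "conf.d/ssl.conf": SSL_CONF}):
        print(finding)
```

Point it at the real tree with `audit_apache({p: open(p).read() for p in glob.glob('/etc/httpd/conf*/*.conf')})`. `_default_` and `*` are treated as the same address, as Apache does, which is why a Webmin-created catch-all on port 443 collides with the stock `<VirtualHost _default_:443>` shipped in ssl.conf.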
