Monday, March 1, 2010

6. Postfix Basic Relay and SMTP-AUTH


Introduction
         One of the most important features of an MTA is the ability to control relaying. Most MTAs deny relaying for domains that are not considered local and for hosts that are not considered to be on the same network.

Postfix Relay
       By default Postfix relays (accepts) mail for the domains it considers local. These are specified in the main.cf file (Sendmail, by contrast, keeps the list of domains to relay for in a separate local file). "hostname -f" gives the FQDN of the server; by default Postfix accepts mail destined to that domain because it is considered local. With the "mydestination" directive Postfix accepts mail coming in for the domains defined there. "mynetworks" and "mynetworks_style" also control relaying. All other domains are only relayed if relaying for them is specifically configured.
The basic relay configuration in Postfix is done with
  • mydestination
  • mynetworks
  • mynetworks_style
The following example configures Postfix to relay only for localhost (the same method can be used to allow any single host). Relay requests from all other hosts will be rejected.

Configure Postfix to relay only for localhost
# vim /etc/postfix/main.cf
mynetworks = 127.0.0.1
mynetworks_style = host
# mynetworks_style is only consulted when mynetworks is not set explicitly
     This means Postfix only relays mail from localhost.
# postfix reload
# postconf |grep mynetwork
    Now try sending a message from any other host on the local network to an outside address. Relaying through this server will be denied; only localhost will be able to relay mail outside. Note: the server will still accept mail for its own domains, so do not confuse accepting local mail with relaying.

SMTP Authentication:
     SMTP AUTH allows relaying based on user authentication, which permits roaming users to send through the server.
We need the Cyrus SASL packages, which provide the SMTP authentication support.
Check package availability with the following command; if they are missing, install all the cyrus packages.
# rpm -qa |grep cyrus
Check whether the Postfix MTA supports authentication:
# telnet localhost 25
ehlo localhost
(you should get a 250-AUTH line in the server's reply; AUTH is only advertised once smtpd_sasl_auth_enable = yes is set, see below)
If the binary was not built with SMTP-AUTH support, Postfix has to be compiled and installed with SASL support. Go to the Postfix source directory, then compile and install it:
# cd postfix-2.7
# make makefiles CCARG="-DUSE_SASL_AUTH -I/usr/include/sasl" AUXLIBS="-L/usr/lib -lsasl2"
# postfix stop
# make install
    This compiles the binary with SMTP-AUTH support; an interactive menu appears for installing the binaries.
After installing the Postfix binaries, add the directives that enable SMTP-AUTH to the main.cf file:
# vim /etc/postfix/main.cf
smtpd_sasl_auth_enable = yes
#This enables the smtpd authentication
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
# postfix reload
   "smtpd_recipient_restrictions" is an smtpd access policy used to reduce the amount of junk mail and to tighten SMTP relaying. By defining "smtpd_recipient_restrictions" we instruct Postfix to permit or deny relaying to a destination based on the rules in the policy, evaluated in order. Here "permit_mynetworks" permits relaying for all hosts listed in mynetworks, "permit_sasl_authenticated" permits relaying for all users who have completed SMTP authentication, and every remaining request for a non-local destination is rejected by "reject_unauth_destination".
Confirm that SMTP AUTH is now supported:
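To see why the order of those three restrictions matters, here is a small added simulator (my own example, not code from the original post or from Postfix) that walks a restriction list the way smtpd does and flags an open-relay or mis-ordered policy; the addresses, domains and user name are constructed.

```python
import ipaddress

# Constructed main.cf values matching the tutorial (not from a real server).
CFG = {
    "mynetworks": ["127.0.0.1"],
    "mydestination": ["mail.example.com", "localhost"],
    "relay_domains": [],
}

def in_mynetworks(client_ip, mynetworks):
    """True if client_ip falls inside any mynetworks entry (a bare IP is a /32)."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(n, strict=False) for n in mynetworks)

def relay_decision(restrictions, client_ip, sasl_user, rcpt_domain, cfg=CFG):
    """Evaluate smtpd_recipient_restrictions left to right, as smtpd does:
    the first rule that yields permit or reject decides, a rule that does not
    match is skipped, and running off the end of the list means permit."""
    for rule in restrictions:
        if rule == "permit_mynetworks":
            if in_mynetworks(client_ip, cfg["mynetworks"]):
                return "permit"
        elif rule == "permit_sasl_authenticated":
            if sasl_user:
                return "permit"
        elif rule == "reject_unauth_destination":
            # Only rejects mail for domains this server is not responsible for.
            if rcpt_domain not in cfg["mydestination"] + cfg["relay_domains"]:
                return "reject"
        elif rule in ("permit", "reject"):
            return rule
        else:
            raise ValueError(f"unsupported restriction in this model: {rule}")
    return "permit"

def audit(restrictions):
    """Policy problems visible from the rule order alone."""
    problems = []
    if "reject_unauth_destination" not in restrictions:
        problems.append("no reject_unauth_destination: open relay")
    elif ("permit_sasl_authenticated" in restrictions and
          restrictions.index("permit_sasl_authenticated")
          > restrictions.index("reject_unauth_destination")):
        problems.append("permit_sasl_authenticated after reject_unauth_destination:"
                        " authenticated roaming users cannot relay outside")
    return problems

TUTORIAL = ["permit_mynetworks", "permit_sasl_authenticated", "reject_unauth_destination"]
```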
# telnet localhost 25
ehlo localhost
(Check for the 250-AUTH line in the reply)
# tail /var/log/maillog
     Check the log file for any errors.
Now configure SASL to handle the SMTP authentication requests. Create the following file so that smtpd hands authentication over to SASL:
# vim /usr/lib/sasl2/smtp.conf
pwcheck_method: saslauthd
mech_list: plain login
mech_list is optional; it defines the authentication mechanisms offered. Both plain and login transmit the password in clear text, so they should only be offered over a TLS-protected session.
# service saslauthd start
# service postfix restart
# ps -ef |grep saslauth
Check that the service is running. Now go to any MUA that supports SMTP authentication and test mail relay.
