postfix

Howto: Setup postfix bulk email server with sasl authentication

Posted on Updated on

As per the project requirment I need to provide bulk email server and have to give valid records for avoid spamming, the DNS records like Reverse lookup, DKIM record , SPF record and Authentication.

I followed the below application for setup the server
1, Postfix – MTA
2, Opendkim – Key identifier
3, dovcot for – SASL authentication
4, Reverse lookup – have the setup from DataCenter where the server is located
Install the necessary package from the repository

yum install dovecot opendkim postfix openssl -y

1, Postfix Configuration

Verify the required given configurations are enabled in the configuration file /etc/postfix/main.cf

smtpd_banner = Welcom to $myhostname.$mydomain ESMTP $mail_name
 biff = no
 append_dot_mydomain = no
 readme_directory = no
 myhostname = smtp01-planetcure.in
 mydomain = planetcure.in
 myorigin = $mydomain
 alias_maps = hash:/etc/aliases
 alias_database = hash:/etc/aliases
 mydestination = localhost.localdomain, , localhost
 mynetworks = 0.0.0.0/0, 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
 mailbox_size_limit = 0
 recipient_delimiter = +
 inet_interfaces = all
 home_mailbox = Maildir/

2, Configure opendkim
Verify the required given configurations are enabled in the configuration file /etc/opendkim.conf

 TemporaryDirectory /var/tmp
 PidFile /var/run/opendkim/opendkim.pid
 Mode sv
 Syslog yes
 SyslogSuccess yes
 LogWhy yes
 UserID opendkim:opendkim
 Socket inet:8891@localhost
 Umask 002
 Canonicalization relaxed/relaxed
 Domain cloud.planetcure.in
 Selector cloud
 MinimumKeyBits 1024
 KeyFile /etc/opendkim/keys/planetcure.in/cloud.private
 KeyTable /etc/opendkim/KeyTable
 SigningTable refile:/etc/opendkim/SigningTable
 ExternalIgnoreList refile:/etc/opendkim/TrustedHosts
 InternalHosts refile:/etc/opendkim/TrustedHosts
 SignatureAlgorithm rsa-sha256

Now append the DKIM configurtion with the existing postix setting in /etc/postfix/main.cf

smtpd_milters = inet:127.0.0.1:8891
non_smtpd_milters = $smtpd_milters
milter_default_action = accept
milter_protocol = 2

Generating DKIM keys

1, Create User for starting deamon

useradd -r -g opendkim -G mail -s /sbin/nologin -d /var/run/opendkim -c "OpenDKIM" opendkim

2, Create Key store directory and previleges

mkdir -p /etc/opendkim/keys/planetcure.in/
chown -Rv opendkim:opendkim /etc/opendkim
chmod u=rw,go-rwx /etc/opendkim/*
chmod -R u=rw,go-rwx /etc/opendkim/keys/*

3, Generate DKIM Keys

opendkim-genkey -D /etc/opendkim/keys/planetcure.in/ -d planetcure.in -s cloud

I generated the keys inside the specified directory, cloud.txt contains the Key which need to be update in the DNS

-rw-------. 1 opendkim opendkim 887 Aug 30 09:19 cloud.private
-rw-------. 1 opendkim opendkim 315 Aug 30 09:19 cloud.txt
cat cloud.txt
cloud._domainkey IN TXT ( "v=DKIM1; k=rsa; "
"p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDA5K5BLNxFZIN43LWjmq7X2h3RW2md6o+Wn6F8lnMvWx/SUZ6FWf9kwkid/JRbEI0PBjgFo6/f6N0+c3j/7WAEH6R81S+X9fo+58eX1RafyNIAofU0PQKQcUKRBWgfNYA5En7DUoVWZpy2ZhbHutTI96U3A4HjDVksm45VWyoTIwIDAQAB" ) ; ----- DKIM key cloud for planetcure.in

4, Update the SigningTable,TrustedHosts KeyTable for the domain planetcure.in

Keys: /etc/opendkim/keys/planetcure.in/

KeyTables: /etc/opendkim/KeyTable

cloud._domainkey.planetcure.in planetcure.in:cloud:/etc/opendkim/keys/planetcure.in/cloud.private

SigningTable : /etc/opendkim/SigningTable

planetcure.in cloud._domainkey.planetcure.in
*@planetcure.in cloud._domainkey.planetcure.in

TrustedHosts: /etc/opendkim/TrustedHosts

127.0.0.1
planetcure.in
smtp01.planetcure.in
172.31.32.0/20

Thas all with the opendkim, now verify the keys use the below command

opendkim-testkey -vvv -d planetcure.in -k /etc/opendkim/keys/planetcure.in/cloud.private -s cloud

3, Configure Dovecot

Append existing entries for service auth with given entries in the file /etc/dovecot/conf.d/10-master.conf

service auth {
unix_listener /var/spool/postfix/private/auth {
mode = 0660
user = postfix
group = postfix
}
}

If all done from the steps, now time to restart the servers

#service dovecot restart
#service opendkim restart
#service postfix restart

Add new user for the authentication,

#useradd -M SMTPAUTH
#passwd SMTPAUTH

verify the installation

echo $(date) | mailx -v -s "test_subject_1" -S smtp=smtp://smtp01.planetcure.in:25 -S smtp-auth-user=SMTPAUTH -S smtp-auth-password="yzBuffrtkqezfkwO6amcuhh6" -S smtp-auth=login -S from="no-reply@planetcure.in(Intra Domain)" anandbabu.tn@gmail.com/
tail -f /var/log/maillog
Jan 9 14:33:40 mta-smtp01 postfix/smtpd[4126]: F246861F2A: client=ip-172-31-9-166.us-west-1.compute.internal[172.31.9.166], sasl_method=LOGIN, sasl_username=SMTPAUTH
Jan 9 14:33:41 mta-smtp01 postfix/cleanup[4062]: F246861F2A: message-id=<54afe6c4.4kZNDOCtBpe5ROvd%no-reply@planetcure.in>
Jan 9 14:33:41 mta-smtp01 opendkim[32439]: F246861F2A: DKIM-Signature field added (s=cloud, d=planetcure.in)
Jan 9 14:33:41 mta-smtp01 postfix/qmgr[1119]: F246861F2A: from=<no-reply@planetcure.in>, size=631, nrcpt=1 (queue active)
Jan 9 14:33:41 mta-smtp01 postfix/smtp[4063]: F246861F2A: to=<anandbabu.tn@gmail.com>, relay=mx3.hotmail.com[65.55.33.119]:25, delay=0.6, delays=0.09/0/0.08/0.43, dsn=2.0.0, status=sent (250 <54afe6c4.4kZNDOCtBpe5ROvd%no-reply@planetcure.in> Queued mail for delivery)
Jan 9 14:33:41 mta-smtp01 postfix/qmgr[1119]: F246861F2A: removed
Don't forget to request reverse DNS for the server IP, it should resolve like this.
444.333.222.11.in-addr.arpa domain name pointer smpt01.planetcure.in

4, Reverse DNS

Don’t forget to request reverse DNS for the server IP, it should resolve like this.
444.333.222.11.in-addr.arpa domain name pointer smpt01.planetcure.in

Advertisements

Error: posftix: warning: SASL authentication failure: No worthy mechs found

Posted on Updated on

After configuring postfix relay server I found their was some issue with gmail server authentication, it will bounce the emails

Error : 
 postfix/smtp[25857]: 59BF721177: SASL authentication failed; cannot authenticate to server smtp.gmail.com[74.125.25.108]: no mechanism available
 postfix/smtp[25861]: warning: SASL authentication failure: No worthy mechs found

Their must be two solid reasons behind this
1, SASL package is missing for plain module

yum install cyrus-sasl{,-plain}

2, Allow plaintext (which is fine when using STARTTLS): make the connection enrypted

smtp_sasl_security_options = noanonymous

Make Sure you enabled all the below options :

smtp_sasl_auth_enable = yes
smtp_use_tls = yes
smtp_tls_loglevel = 1
smtp_tls_security_level = encrypt
smtp_sasl_mechanism_filter = login

 

HowTo: Authenticated email relay server with Postfix

Posted on Updated on

Setup Postfix as a email relay server which will authenticate with public email server for sending emails. If you want to use a Gmail as a Free SMTP server us, use this as in any of the redhat or ubuntu servers
For Ubuntu

apt-get install postfix mailutils libsasl2-2 ca-certificates libsasl2-modules

Replace the ceritficate file in the configuration

cat /etc/ssl/certs/Thawte_Premium_Server_CA.pem | sudo tee -a /etc/postfix/cacert.pem

If you do not have postfix installed before, postfix configuration wizard will ask you some questions. Just select your server as Internet Site and for FQDN use something like mail.example.com , For Centos

yum install postfix email mailx cyrus-sasl cyrus-sasl-lib cyrus-sasl-plain
[root@server ~]# vi /etc/postfix/main.cf
biff = no
append_dot_mydomain = no
readme_directory = no
myhostname = smtpout.innovautelabs.intra
mydomain = innovaturelabs.intra
myorigin = $mydomain
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
mydestination = localhost.localdomain, , localhost
mynetworks = 192.168.1.0/24, 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
relayhost = [smtp.gmail.com]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl-passwords
smtp_sasl_security_options = noanonymous
smtp_tls_CAfile = /etc/ssl/certs/ca-bundle.trust.crt 
smtp_use_tls = yes
smtp_tls_loglevel = 1
smtp_tls_security_level = encrypt
smtp_sasl_mechanism_filter = login

Now create a password file which should have a valid email and password; onece hashed the password file postfix can read the data in it after that, you can delete the plaintext passwd file. Alternately, if you’d feel better keeping the file around for whatever reason, you can run chmod 600 passwd and make it only readable by its owner, which should be root

vi /etc/postfix/sasl-passwords
[smtp.gmail.com]:587 username@gmail.com:password
chmod 600 /etc/postfix/sasl-passwords
postmap /etc/postfix/sasl-passwords

Finally, reload postfix config for changes to take effect:

service postfix restart