SMTP AUTH:
The problem with the SMTP protocol is that it does not require authentication, so anyone can send mail through your email server. This has led to the problem of spam.
To prevent an attacker from using your mail server to relay their spam, an email server is generally configured to relay mail only from the local site's address range. This creates a problem for roaming users. The solution is SMTP AUTH, which requires mail senders to authenticate before submitting messages.
SMTP AUTH is used to allow roaming users to relay mail through a server safely without configuring the SMTP server to be an open relay. Postfix's SMTP AUTH uses an authentication library called SASL, which is not part of Postfix itself. Postfix can use either the Cyrus library or Dovecot as a source for SASL authentication. This tutorial uses Dovecot as a source for SASL authentication.
SMTP STARTTLS:
Normally SMTP is transmitted as cleartext over the wire, making it vulnerable to both passive sniffing and active alteration via man-in-the-middle attacks. SMTP STARTTLS is an extension that compliant ESMTP clients and servers can use to encrypt the SMTP session. Typically, this is done by first starting TLS, to encrypt the SMTP session, and then issuing the SMTP AUTH command, to authenticate the client; this combination ensures that the username and password transferred as part of SMTP AUTH are protected by the TLS-encrypted session.
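The ordering described above can be checked from a recorded session. The following is an added example, not part of the original tutorial; the "S:"/"C:" line prefixes, the function names and both sample sessions are constructed for illustration.

```shell
# Added example: reads an SMTP session on stdin, server lines prefixed "S: "
# and client lines "C: " (a constructed convention for this example).
# Status: 0 = AUTH advertised only after STARTTLS, 1 = AUTH advertised on
# the cleartext session, 2 = AUTH never advertised.
auth_exposure() {
    awk '
        toupper($0) ~ /^C: *STARTTLS/ { asked = 1; next }
        # TLS starts only if the server answers STARTTLS with a 220 reply.
        asked && /^S:/ { if ($0 ~ /^S: *220/) tls = 1; asked = 0; next }
        # Matches "250-AUTH PLAIN LOGIN" and the "250-AUTH=PLAIN LOGIN"
        # variant that broken_sasl_auth_clients = yes adds.
        /^S: *250[ -]AUTH[ =]/ { if (tls) after++; else before++ }
        END {
            if (before) { print "AUTH offered in cleartext"; exit 1 }
            if (after)  { print "AUTH offered only under TLS"; exit 0 }
            print "AUTH not offered"; exit 2
        }
    '
}

# Constructed session: server configured with smtpd_tls_auth_only = yes.
sample_hardened() {
    cat <<'EOF'
S: 220 meru.mycompany.com ESMTP Postfix
C: EHLO client.mycompany.com
S: 250-meru.mycompany.com
S: 250-STARTTLS
S: 250 8BITMIME
C: STARTTLS
S: 220 2.0.0 Ready to start TLS
C: EHLO client.mycompany.com
S: 250-meru.mycompany.com
S: 250-AUTH PLAIN LOGIN
S: 250-AUTH=PLAIN LOGIN
S: 250 8BITMIME
EOF
}

# Constructed session: AUTH is advertised before any TLS negotiation.
sample_exposed() {
    cat <<'EOF'
S: 220 meru.mycompany.com ESMTP Postfix
C: EHLO client.mycompany.com
S: 250-meru.mycompany.com
S: 250-STARTTLS
S: 250-AUTH PLAIN LOGIN
S: 250 8BITMIME
EOF
}
sample_hardened | auth_exposure
sample_exposed | auth_exposure || true
```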
NOTE:
- Ensure that a DNS server is configured for the network.
- Ensure that an MX record entry for the domain is made in the DNS server zone file.
- Ensure that a reverse DNS entry for the mail server is made in the DNS server zone file.
- To check for errors, view the log file '/var/log/maillog'.
This tutorial is based on the following configuration:
- Domain Name: mycompany.com
- Email Gateway Name: meru.mycompany.com
- Email Gateway IP address: 192.168.122.1
- Network served by the mail gateway: 192.168.122.0/24
IMPORTANT: This tutorial assumes that 'dovecot' has been installed and configured. For dovecot installation and configuration refer to this post.
This tutorial is divided into 2 parts:
PART 1) Configuration of SMTP AUTH
PART 2) Configuration of STARTTLS
PART 1) Configuration of SMTP AUTH
Postfix Incoming/Outgoing Server (Gateway) Configuration: This server will receive incoming mail for the domain and relay outgoing mail from client machines.
1) Edit the file '/etc/postfix/main.cf'. Make the following changes
myhostname = meru.mycompany.com
mydomain = mycompany.com
#the default domain name to append if @domain is missing
myorigin = $mydomain
# the network interface addresses on which to receive incoming mail.
inet_interfaces = all
# remember to comment out this line
#inet_interfaces = localhost
#the domains for which this machine is the final destination.
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
#Trusted SMTP clients - can relay mail through this server.
mynetworks = 192.168.122.0/24, 127.0.0.0/8
#enable SMTP AUTH through SASL
smtpd_sasl_auth_enable = yes
#tells SASL to use dovecot for authentication
smtpd_sasl_type = dovecot
#the sasl path
smtpd_sasl_path = private/auth
#prevent anonymous authentications
smtpd_sasl_security_options = noanonymous
#allow authentication from non standard clients such as Microsoft Outlook
broken_sasl_auth_clients = yes
#allow authenticated users, allow networks configured with the mynetworks directive, reject destinations other than the postfix server
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
2) To view the changed parameters, run the following command.
postconf -n
3) To check for syntax errors, run the following command.
postfix check
4) Open firewall port 25/TCP.
firewall-cmd --zone=public --add-service=smtp --permanent
firewall-cmd --reload
5) Edit the file '/etc/dovecot/conf.d/10-master.conf' and make the following changes. This is the socket through which postfix communicates with dovecot for the authentication info.
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
}
6) Restart postfix service
systemctl restart postfix
7) Restart dovecot
systemctl restart dovecot
PART 2) Configuration of STARTTLS
1) Create Server Certificate. Follow these steps:
1.1) Create local CA (Certificate Authority)
/etc/pki/tls/misc/CA -newca
1.2) Create public-private key pair
openssl genrsa -out postfixkey.pem
1.3) Create a certificate signing request (CSR)
openssl req -new -key postfixkey.pem -out postfix.csr
1.4) Sign the Certificate.
openssl ca -in postfix.csr -out postfixcert.pem
1.5) Copy the CA cert file '/etc/pki/CA/cacert.pem'.
2) Copy the CA certificate file 'cacert.pem', the server certificate file 'postfixcert.pem' and the server key file 'postfixkey.pem' to the '/etc/postfix/certs/' directory.
3) Edit the file '/etc/postfix/main.cf'. Make the following changes
#Certificate file of the CA who has signed the server certificate
smtpd_tls_CAfile = /etc/postfix/certs/cacert.pem
#Server certificate
smtpd_tls_cert_file = /etc/postfix/certs/postfixcert.pem
#Server private key
smtpd_tls_key_file = /etc/postfix/certs/postfixkey.pem
#not to require STARTTLS for all SMTP exchanges
smtpd_tls_security_level = may
#require STARTTLS for SMTP AUTH.
smtpd_tls_auth_only = yes
4) To view the changed parameters, run the following command.
postconf -n
5) To check for syntax errors, run the following command.
postfix check
6) Restart postfix service
systemctl restart postfix
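An added example, not part of the original tutorial: a shell function that audits postconf output for the settings configured in Parts 1 and 2. It assumes relay control is done in smtpd_recipient_restrictions as in this tutorial; the function names and the sample input are constructed.

```shell
# Added example: checks the SMTP AUTH / STARTTLS settings from this tutorial.
# Reads "name = value" lines on stdin, prints one FAIL line per problem and
# returns 1 if any check failed, 0 otherwise.
# On a server: postconf | audit_postconf
audit_postconf() {
    awk '
        function get(n) { return (n in conf) ? conf[n] : "<unset>" }
        function fail(n, why) { printf "FAIL %s = %s: %s\n", n, get(n), why; bad = 1 }
        function words(n, out,   v) { v = get(n); gsub(/,/, " ", v); return split(v, out, /[ \t]+/) }
        /^[A-Za-z0-9_]+[ \t]*=/ {
            name = $0; sub(/[ \t]*=.*/, "", name)
            val = $0;  sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
            conf[name] = val
        }
        END {
            if (get("smtpd_sasl_auth_enable") != "yes") fail("smtpd_sasl_auth_enable", "SMTP AUTH is disabled")
            if (get("smtpd_tls_auth_only") != "yes") fail("smtpd_tls_auth_only", "AUTH is offered without TLS")
            lvl = get("smtpd_tls_security_level")
            if (lvl != "may" && lvl != "encrypt") fail("smtpd_tls_security_level", "STARTTLS is not offered")
            n = words("smtpd_sasl_security_options", w); ok = 0
            for (i = 1; i <= n; i++) if (w[i] == "noanonymous") ok = 1
            if (!ok) fail("smtpd_sasl_security_options", "anonymous logins allowed")
            # Restrictions are evaluated left to right: a bare "permit" placed
            # before reject_unauth_destination relays mail for anyone.
            n = words("smtpd_recipient_restrictions", w); ok = 0
            for (i = 1; i <= n; i++) {
                if (w[i] == "reject_unauth_destination") { ok = 1; break }
                if (w[i] == "permit") break
            }
            if (!ok) fail("smtpd_recipient_restrictions", "reject_unauth_destination missing or after a bare permit")
            n = words("mynetworks", w)
            for (i = 1; i <= n; i++) if (w[i] == "0.0.0.0/0") fail("mynetworks", "every client is trusted to relay")
            exit bad + 0
        }
    '
}

# Constructed sample: the values set in this tutorial.
sample_tutorial() {
    cat <<'EOF'
mynetworks = 192.168.122.0/24, 127.0.0.0/8
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_tls_auth_only = yes
smtpd_tls_security_level = may
EOF
}
sample_tutorial | audit_postconf && echo "all checks passed"
```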