Postfix SPF

Posted by alex almazan Wed, 30 Jul 2008 13:18:00 GMT

This article outlines the specifics of implementing the Sender Policy Framework (SPF) for Postfix as provided in Red Hat Enterprise Linux (ES4/ES5).

1.) First, install all the necessary Perl modules via RPM:

http://dag.wieers.com/rpm/packages/perl-Net-Address-IPv4-Local/
http://dag.wieers.com/rpm/packages/perl-NetAddr-IP/
http://dag.wieers.com/rpm/packages/perl-Mail-SPF/

(Additional RPMs may be required.) I would recommend that you refrain from installing via CPAN, as a mix of RPM-installed and CPAN-installed modules can lead to issues in the future.

2.) Obtain and install the SPF Perl script:
cd /usr/src
wget http://www.openspf.org/blobs/postfix-policyd-spf-perl-2.001.tar.gz
tar xvfz postfix-policyd-spf-perl-2.001.tar.gz
cd postfix-policyd-spf-perl-2.001
cp postfix-policyd-spf-perl /usr/libexec/postfix/postfix-policyd-spf-perl
chmod o+x /usr/libexec/postfix/postfix-policyd-spf-perl
Ensure that you set the script to executable, or errors such as these are received:
warning: command /usr/bin/perl exit status 2
postfix/smtpd: warning: premature end-of-input on private/policy while reading input attribute name
3.) Next, edit the Postfix configuration file '/etc/postfix/master.cf'. Append this entry to the end of the configuration (the argv path must match the location the script was copied to in step 2):
policy  unix  -       n       n       -       -       spawn
        user=nobody argv=/usr/bin/perl /usr/libexec/postfix/postfix-policyd-spf-perl
4.) Next, open /etc/postfix/main.cf and find the directive "smtpd_recipient_restrictions". It should already contain reject_unauth_destination; right after reject_unauth_destination, add 'check_policy_service unix:private/policy':
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, check_policy_service unix:private/policy
Important: ensure that you specify "check_policy_service" AFTER "reject_unauth_destination", or else you will have an open relay!
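As an added illustration (my own sketch, not the openspf policy script from this post), the following Python code implements the Postfix policy-delegation exchange that the "premature end-of-input" warning above refers to, with an offline SPF check over ip4/ip6/all mechanisms; the SPF records and request are constructed stand-ins for the DNS lookups and the socket traffic the real script handles.

```python
import ipaddress

# Constructed SPF records standing in for the DNS TXT lookups the real
# policy script performs; include/a/mx/redirect are outside this example.
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "example.net": "v=spf1 ip4:198.51.100.7 ~all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_request(block):
    """Parse one policy request: 'name=value' lines ended by an empty line.
    A request lacking that terminator is what produces the 'premature
    end-of-input ... while reading input attribute name' warning above."""
    if "\n\n" not in block:
        raise ValueError("premature end-of-input: request not terminated")
    attrs = {}
    for line in block.split("\n\n", 1)[0].split("\n"):
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs


def check_spf(record, client_ip):
    """Evaluate ip4/ip6/all mechanisms left to right; the first match wins
    and its qualifier ('+' is implied) becomes the result."""
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"          # no usable record published for the domain
    for term in terms[1:]:
        qual = term[0] if term[0] in QUALIFIERS else "+"
        mech, _, arg = term.lstrip("+-~?").lower().partition(":")
        if mech == "all":
            return QUALIFIERS[qual]
        if mech in ("ip4", "ip6") and ip in ipaddress.ip_network(arg, strict=False):
            return QUALIFIERS[qual]
    return "neutral"           # nothing matched and no 'all' term present


def policy_action(block):
    """Turn a request into the 'action=...' reply Postfix expects; only a
    hard fail is rejected, every other result is recorded in a header."""
    attrs = parse_request(block)
    domain = attrs.get("sender", "").rpartition("@")[2].lower()
    result = check_spf(SPF_RECORDS.get(domain, ""), attrs["client_address"])
    if result == "fail":
        return "action=REJECT SPF fail for %s\n\n" % attrs["sender"]
    return "action=PREPEND Received-SPF: %s\n\n" % result
```

Because a policy reply of REJECT only ever narrows what reject_unauth_destination already allows, the ordering rule in step 4 still applies: placing the check first would let the policy service decide before relay control has run.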

Plesk TLS

Posted by alex almazan Mon, 21 Jul 2008 08:21:22 GMT

The following command will help determine any issues with the certificates loaded for TLS:
openssl s_client -connect 127.0.0.1:25 -starttls smtp -debug

Your mileage will vary

DoveCot SSL

Posted by alex almazan Sat, 03 May 2008 05:42:00 GMT

In order to configure SSL for Dovecot, the following is recommended:
[root@station ]# cd /etc/pki/
[root@station pki]# ls
CA  dovecot  nssdb  rpm-gpg  tls
[root@station pki]# find . -name Makefile
./tls/certs/Makefile
[root@station pki]# cd tls/certs/
[root@station certs]# ls
ca-bundle.crt  localhost.crt  make-dummy-cert  Makefile
[root@station certs]# make
This makefile allows you to create:
  o public/private key pairs
  o SSL certificate signing requests (CSRs)
  o self-signed SSL test certificates

To create a key pair, run "make SOMETHING.key".
To create a CSR, run "make SOMETHING.csr".
To create a test certificate, run "make SOMETHING.crt".
To create a key and a test certificate in one file, run "make SOMETHING.pem".

To create a key for use with Apache, run "make genkey".
To create a CSR for use with Apache, run "make certreq".
To create a test certificate for use with Apache, run "make testcert".

To create a test certificate with serial number other than zero, add
SERIAL=num

Examples:
  make server.key
  make server.csr
  make server.crt
  make stunnel.pem
  make genkey
  make certreq
  make testcert
  make server.crt SERIAL=1
  make stunnel.pem SERIAL=2
  make testcert SERIAL=3

Dovecot requires a pem, which consists of a key and a cert. Once generated, place it in the location outlined in the server configuration.

[root@station certs]# make dovecot.pem
umask 77 ; \
        PEM1=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
        PEM2=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
        /usr/bin/openssl req -utf8 -newkey rsa:1024 -keyout $PEM1 -nodes -x509 -days 365 -out $PEM2 -set_serial 0 ; \
        cat $PEM1 >  dovecot.pem ; \
        echo ""    >> dovecot.pem ; \
        cat $PEM2 >> dovecot.pem ; \
        rm -f $PEM1 $PEM2
Generating a 1024 bit RSA private key
.............++++++
..++++++
writing new private key to '/tmp/openssl.B21904'
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [GB]:US
State or Province Name (full name) [Berkshire]:Texas
Locality Name (eg, city) [Newbury]:San Antonio
Organization Name (eg, company) [My Company Ltd]:SSL example
Organizational Unit Name (eg, section) []:3rd shift
Common Name (eg, your name or your server's hostname) []:station.rhce.example.com
Email Address []:user@rhce.example.com
[root@station certs]# ls
ca-bundle.crt  dovecot.pem  localhost.crt  make-dummy-cert  Makefile
Mail tips: to check email during the test, use mutt:
mutt -f imaps://user@serverhost
mutt -f imaps://localhost
On connecting, mutt displays the server certificate for checking:

q:Exit  ?:Help
This certificate belongs to:
   station.rhce.example.com
   Unknown
   SSL example
   3rd shift
   San Antonio

This certificate was issued by:
   station.rhce.example.com
   Unknown
   SSL example
   3rd shift
   San Antonio

This certificate is valid
   from Aug  9 16:52:18 2008 GMT
     to Aug  8 16:52:18 2009 GMT

Fingerprint: B247 62D4 197F 401B 61EA BC83 8733 8D9A
Telnet test to port 110 (plain POP3), as a counterpart to the SSL check with mutt above:
[root@station etc]# telnet 0 110
Trying 0.0.0.0...
Connected to 0 (0.0.0.0).
Escape character is '^]'.
+OK Dovecot ready.
user mike
+OK
pass redhat
+OK Logged in.
list
+OK 1 messages:
1 472
.
retr 472
-ERR There's no message 472.
retr 1
+OK 472 octets
Return-Path: <root@station.example.com>
X-Original-To: ru@station.example.com
Delivered-To: user@station.example.com
Received: by station.example.com (Postfix, from userid 0)
        id CFB341988BE; Thu,  9 Aug 2007 13:09:10 -0500 (CDT)
To: ru@station.example.com
Subject: maildirdelivery
Message-Id: <20070809180910.CFB341988BE@station13.example.com>
Date: Thu,  9 Aug 2007 13:09:10 -0500 (CDT)
From: root@station.example.com (root)
maildir lab example

Additional notes post lab:

Edits to /etc/dovecot.conf:

protocols = imap imaps pop3 pop3s

The pem was copied into these locations:
##
## SSL settings
##

# IP or host address where to listen in for SSL connections. Defaults
# to above if not specified.
#ssl_listen =

# Disable SSL/TLS support.
ssl_disable = no

# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
# dropping root privileges, so keep the key file unreadable by anyone but
# root. Included doc/mkcert.sh can be used to easily generate self-signed
# certificate, just make sure to update the domains in dovecot-openssl.cnf
ssl_cert_file = /etc/pki/dovecot/certs/dovecot.pem
ssl_key_file = /etc/pki/dovecot/private/dovecot.pem

Postfix Maildir

Posted by alex almazan Fri, 02 May 2008 21:59:00 GMT

RHEL 5 Postfix installations use the 'mbox' mailbox format, typically found in '/var/spool/mail'. This default behavior can be changed to 'Maildir' if desired.

(You cannot revert back to ‘mbox’ once you have opted to change to Maildir, and you cannot switch back to Sendmail without losing all messages stored and delivered.)

postconf -e home_mailbox="Maildir/"
postconf -e local_recipient_maps="unix:passwd.byname $alias_maps"
postfix reload
These changes are required as per the following settings outlined in "/etc/postfix/main.cf":
# REJECTING MAIL FOR UNKNOWN LOCAL USERS
#
# The local_recipient_maps parameter specifies optional lookup tables
# with all names or addresses of users that are local with respect
# to $mydestination, $inet_interfaces or $proxy_interfaces.
#
# If this parameter is defined, then the SMTP server will reject
# mail for unknown local users. This parameter is defined by default.
#
# To turn off local recipient checking in the SMTP server, specify
# local_recipient_maps = (i.e. empty).
#
# The default setting assumes that you use the default Postfix local
# delivery agent for local delivery. You need to update the
# local_recipient_maps setting if:
#
# - You define $mydestination domain recipients in files other than
#   /etc/passwd, /etc/aliases, or the $virtual_alias_maps files.
#   For example, you define $mydestination domain recipients in
#   the $virtual_mailbox_maps files.

Locals Only Postfix

Posted by alex almazan Fri, 02 May 2008 21:56:00 GMT

The default RHEL 5 Postfix installation is not configured to listen on any external interface. This is similar to the default RHEL 5 Sendmail, which serves only localhost.

To change this behavior, use the postconf utility installed with Postfix rather than editing the file '/etc/postfix/main.cf' directly:

postconf -e "inet_interfaces=all"

Next, issue either 'postfix reload' or 'service postfix restart|stop|start' as root.
