Set Up Postfix MTA and IMAP/POP3
Advertisements
In order to send an email from our CentOS 7 server, we will need the setup to configure a modern Mail Transfer Agent (MTA). Mail Transfer Agent is the daemon responsible for sending outbound mail for system users or corporate Internet Domains via SMTP.
It is worth noting, this tutorial only teaches the process of setting up the daemon for local use. We do not go into detail about advanced configuration for setting up an MTA for business operations. This is a combination of many skills including but not limited to: DNS, getting a static routable IP address that is not blacklisted, and configuring advanced security and service settings. In short, this tutorial is meant to familiarize you with the basic configuration. Do not use this tutorial for MTA configuration of an Internet facing host.
With its combined focus on both security and the ease of administration, we have chosen Postfix as the MTA for this tutorial. The default MTA installed in the older versions of CentOS is Sendmail. Sendmail is a great MTA. However, of the author's humble opinion, Postfix hits a sweet spot when addressing the following notes for an MTA. With the most current version of CentOS, Postfix has superseded Sendmail as the default MTA.
Postfix is a widely used and well documented MTA. It is actively maintained and developed. It requires minimal configuration in mind (this is just email) and is efficient with system resources (again, this is just email).
Step 1 − Install Postfix from YUM Package Manager.
[root@centos]# yum -y install postfix
Step 2 − Configure Postfix config file.
The Postfix configuration file is located in: /etc/postfix/main.cf
In a simple Postfix configuration, the following must be configured for a specific host: host name, domain, origin, inet_interfaces, and destination.
Configure the hostname − The hostname is a fully qualified domain name of the Postfix host. In OpenLDAP chapter, we named the CentOS box: centos on the domain vmnet.local. Let’s stick with that for this chapter.
# The myhostname parameter specifies the internet hostname of this # mail system. The default is to use the fully-qualified domain name # from gethostname(). $myhostname is used as a default value for many # other configuration parameters. # myhostname = centos.vmnet.local
Configure the domain − As stated above, the domain we will be using in this tutorial is vmnet.local
# The mydomain parameter specifies the local internet domain name. # The default is to use $myhostname minus the first component. # $mydomain is used as a default value for many other configuration # parameters. # mydomain = vmnet.local
Configure the origin − For a single server and domain set up, we just need to uncomment the following sections and leave the default Postfix variables.
# SENDING MAIL # # The myorigin parameter specifies the domain that locally-posted # mail appears to come from. The default is to append $myhostname, # which is fine for small sites. If you run a domain with multiple # machines, you should (1) change this to $mydomain and (2) set up # a domain-wide alias database that aliases each user to # user@that.users.mailhost. # # For the sake of consistency between sender and recipient addresses, # myorigin also specifies the default domain name that is appended # to recipient addresses that have no @domain part. # myorigin = $myhostname myorigin = $mydomain
Configure the network interfaces − We will leave Postfix listening on our single network interface and all protocols and IP Addresses associated with that interface. This is done by simply leaving the default settings enabled for Postfix.
# The inet_interfaces parameter specifies the network interface # addresses that this mail system receives mail on. By default, # the software claims all active interfaces on the machine. The # parameter also controls delivery of mail to user@[ip.address]. # # See also the proxy_interfaces parameter, for network addresses that # are forwarded to us via a proxy or network address translator. # # Note: you need to stop/start Postfix when this parameter changes. # #inet_interfaces = all #inet_interfaces = $myhostname #inet_interfaces = $myhostname, localhost #inet_interfaces = localhost # Enable IPv4, and IPv6 if supported inet_protocols = all
Step 3 − Configure SASL Support for Postfix.
Without SASL Authentication support, Postfix will only allow sending email from local users. Or it will give a relaying denied error when the users send email away from the local domain.
Note − SASL or Simple Application Security Layer Framework is a framework designed for authentication supporting different techniques amongst different Application Layer protocols. Instead of leaving authentication mechanisms up to the application layer protocol, SASL developers (and consumers) leverage current authentication protocols for higher level protocols that may not have the convenience or more secure authentication (when speaking of access to secured services) built in.
Install the "cyrus-sasl* package
[root@centos]# yum -y install cyrus-sasl Loaded plugins: fastestmirror, langpacks Loading mirror speeds from cached hostfile * base: repos.forethought.net * extras: repos.dfw.quadranet.com * updates: mirrors.tummy.com Package cyrus-sasl-2.1.26-20.el7_2.x86_64 already installed and latest version Nothing to do
Configure /etc/postfix/main.cf for SASL Auth
smtpd_sasl_auth_enable = yes smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination smtpd_sasl_security_options = noanonymous smtpd_sasl_type = dovecot smtpd_sasl_path = private/auth
My SASL Options in main.conf
##Configure SASL Options Entries: smtpd_sasl_auth_enable = yes smptd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination smtp_sasl_type = dovecot smtp_sasl_path = private/auth/etc
Step 4 − Configure FirewallD to allow incoming SMTP Services.
[root@centos]# firewall-cmd --permanent --add-service=smtp success [root@centos]# firewall-cmd --reload success [root@centos]#
Now let's check to make sure our CentOS host is allowing and responding to the requests on port 25 (SMTP).
Nmap scan report for 172.16.223.132 Host is up (0.00035s latency). Not shown: 993 filtered ports PORT STATE SERVICE 20/tcp closed ftp-data 21/tcp open ftp 22/tcp open ssh 25/tcp open smtp 80/tcp open http 389/tcp open ldap 443/tcp open https MAC Address: 00:0C:29:BE:DF:5F (VMware)
As you can see, SMTP is listening and the daemon is responding to the requests from our internal LAN.
Install Dovecot IMAP and POP3 Server
Dovecot is a secure IMAP and POP3 Server deigned to handle incoming mail needs of a smaller to larger organization. Due to its prolific use with CentOS, we will be using Dovecot as an example of installing and configuring an incoming mail-server for CentOS and MTA SASL Provider.
As noted previously, we will not be configuring MX records for DNS or creating secure rules allowing our services to handle mail for a domain. Hence, just setting these services up on an Internet facing host may leave leverage room for security holes w/o SPF Records.
Step 1 − Install Dovecot.
[root@centos]# yum -y install dovecot
Step 2 − Configure dovecot.
The main configuration file for dovecot is located at: /etc/dovecot.conf. We will first back up the main configuration file. It is a good practice to always backup configuration files before making edits. This way id (for example) line breaks get destroyed by a text editor, and years of changes are lost. Reverting is easy as copying the current backup into production.
Enable protocols and daemon service for dovecot
# Protocols we want to be serving. protocols = imap imaps pop3 pop3s
Now, we need to enable the dovecot daemon to listen on startup −
[root@localhost]# systemctl start dovecot [root@localhost]# systemctl enable dovecot
Let's make sure Dovecot is listening locally on the specified ports for: imap, pop3, imap secured, and pop3 secured.
[root@localhost]# netstat -antup | grep dovecot tcp 0 0 0.0.0.0:110 0.0.0.0:* LISTEN 4368/dovecot tcp 0 0 0.0.0.0:143 0.0.0.0:* LISTEN 4368/dovecot tcp 0 0 0.0.0.0:993 0.0.0.0:* LISTEN 4368/dovecot tcp 0 0 0.0.0.0:995 0.0.0.0:* LISTEN 4368/dovecot tcp6 0 0 :::110 :::* LISTEN 4368/dovecot tcp6 0 0 :::143 :::* LISTEN 4368/dovecot tcp6 0 0 :::993 :::* LISTEN 4368/dovecot tcp6 0 0 :::995 :::* LISTEN 4368/dovecot [root@localhost]#
As seen, dovecot is listening on the specified ports for IPv4 and IPv4.
POP3 | 110 |
POP3s | 995 |
IMAP | 143 |
IMAPs | 993 |
Now, we need to make some firewall rules.
[root@localhost]# firewall-cmd --permanent --add-port=110/tcp success [root@localhost]# firewall-cmd --permanent --add-port=143/tcp success [root@localhost]# firewall-cmd --permanent --add-port=995/tcp success [root@localhost]# firewall-cmd --permanent --add-port=993/tcp success [root@localhost]# firewall-cmd --reload success [root@localhost]#
Our incoming mail sever is accepting requests for POP3, POP3s, IMAP, and IMAPs to hosts on the LAN.
Port Scanning host: 192.168.1.143 Open TCP Port: 21 ftp Open TCP Port: 22 ssh Open TCP Port: 25 smtp Open TCP Port: 80 http Open TCP Port: 110 pop3 Open TCP Port: 143 imap Open TCP Port: 443 https Open TCP Port: 993 imaps Open TCP Port: 995 pop3s
No comments:
Post a Comment