November 2

SMTP AUTH Connection Tests

When configuring an outbound SMTP relay, it is important to restrict access to owned or authorized networks, or to specific authenticated users, so that the server cannot be abused as an open relay for spam submission.

For this reason it is important to know how to check that the authentication mechanism is working correctly.

In order to issue the AUTH command to an SMTP server, you need the base64-encoded form of the username and password (for AUTH PLAIN: an empty authorization identity, the username and the password, separated by NUL bytes).
This perl one-liner (the MIME::Base64 module is required) does the encoding:

perl -MMIME::Base64 -e\
 'print encode_base64("\000username\000password")'

The output (in this case) is: AHVzZXJuYW1lAHBhc3N3b3Jk

Depending on the server configuration, it may be necessary to negotiate SSL/TLS before sending the AUTH command.
Sending the AUTH command without SSL/TLS means sending the username and password in clear text, which is obviously insecure.

To connect to a non-secured SMTP server on IP address 1.2.3.4, simply use a telnet client on port 25 (SMTP) or 587 (Submission):

# telnet 1.2.3.4 25

To check whether a server supports TLS, send the EHLO command during an unencrypted SMTP session (example run on localhost):

# telnet 127.0.0.1 25
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
relay postfix/smtpd[XXXX]: connect from localhost[127.0.0.1]
220 relay.test.bravi.org ESMTP Postfix (2.8.5) OutBound relay
EHLO TEST
250-relay.test.bravi.org
250-PIPELINING
250-SIZE 32768000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
quit
relay postfix/smtpd[XXXX]: disconnect from localhost[127.0.0.1]
221 2.0.0 Bye
Connection closed by foreign host.

If the “STARTTLS” capability is present in the list, the server will accept the STARTTLS command, and the “-starttls smtp” option of openssl s_client can be used to connect.
This makes openssl connect normally (without encryption), send the STARTTLS command, negotiate the TLS encryption, and then let you interact with the encrypted session.

openssl s_client -starttls smtp -crlf -connect 1.2.3.4:25

Or for Submission:

openssl s_client -starttls smtp -crlf -connect 1.2.3.4:587

For a server with SSL wrapper mode enabled (SMTPS, i.e. implicit TLS on port 465) the command would be:

openssl s_client -crlf -connect 1.2.3.4:465

Looking at the EHLO response of the previous telnet session, if AUTH is in the list and PLAIN is one of the supported mechanisms, authentication can be tested as follows:
1. Authentication OK:

AUTH PLAIN AHVzZXJuYW1lAHBhc3N3b3Jk
235 2.7.0 Authentication successful

2. Authentication KO:

AUTH PLAIN AHVzZXJuYq3rrHBhc3N3b369
535 5.7.8 Error: authentication failed

Once authenticated, it is possible to continue with a normal SMTP session.
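The same check, scripted, as an added example that is not part of the original post: it builds the AUTH PLAIN token exactly like the perl one-liner above, parses an EHLO reply for STARTTLS and AUTH, and only sends AUTH PLAIN once the session is encrypted. The function names, the trimmed EHLO sample and the host/port/credential arguments are assumptions of this example.

```python
import base64
import smtplib
import ssl

# EHLO reply from the page's telnet session, trimmed to the relevant lines (constructed sample).
SAMPLE_EHLO = "250-relay.test.bravi.org\n250-STARTTLS\n250-AUTH PLAIN LOGIN\n250-AUTH=LOGIN PLAIN\n250 DSN"

def sasl_plain_token(username, password, authzid=""):
    """Base64 AUTH PLAIN initial response: authzid NUL authcid NUL password."""
    return base64.b64encode(f"{authzid}\0{username}\0{password}".encode()).decode("ascii")

def parse_ehlo(reply):
    """Map EHLO keywords to their parameter sets; 'AUTH=' is the legacy alias of AUTH."""
    caps = {}
    for line in reply.splitlines()[1:]:          # line 0 is the server name
        keyword, _, params = line[4:].strip().partition(" ")
        if keyword.upper().startswith("AUTH="):  # "AUTH=LOGIN PLAIN"
            keyword, params = "AUTH", keyword[5:] + " " + params
        caps.setdefault(keyword.upper(), set()).update(params.upper().split())
    return caps

def auth_plain_is_safe(caps, tls_active):
    """AUTH PLAIN sends the password in clear, so require an encrypted session."""
    return tls_active and "PLAIN" in caps.get("AUTH", set())

def check_smtp_auth(host, port, username, password):
    """Live check: EHLO, STARTTLS when offered, then AUTH PLAIN. Returns the reply code."""
    ctx = ssl.create_default_context()
    smtps = port == 465                          # SMTPS: TLS wrapper, no STARTTLS needed
    smtp = smtplib.SMTP_SSL(host, port, timeout=10, context=ctx) if smtps \
        else smtplib.SMTP(host, port, timeout=10)
    with smtp:
        smtp.ehlo("test")
        tls = smtps
        if not tls and smtp.has_extn("starttls"):
            smtp.starttls(context=ctx)
            smtp.ehlo("test")                    # capabilities change after STARTTLS
            tls = True
        caps = {k.upper(): set(v.upper().split()) for k, v in smtp.esmtp_features.items()}
        if not auth_plain_is_safe(caps, tls):
            raise RuntimeError("refusing to send AUTH PLAIN: no TLS, or PLAIN not offered")
        code, _ = smtp.docmd("AUTH", "PLAIN " + sasl_plain_token(username, password))
        return code                              # 235 = accepted, 535 = rejected
```

A 235 reply corresponds to the "Authentication successful" case above and 535 to the failed one; the RuntimeError is the script refusing to repeat the clear-text mistake the text warns about.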

Category: POSTFIX, TIPS AND TRICKS | Comments are closed on SMTP AUTH Connection Tests
March 31

How to install and integrate OpenDKIM with Postfix

What is OpenDKIM?
OpenDKIM is an open-source implementation of DKIM (DomainKeys Identified Mail), a digital email signing/verification technology that is already supported by the common mail providers. In general, DKIM means digitally signing all messages on the mail server so that receivers can verify that a message was actually sent from the domain in question rather than forged by a spammer.

UPDATE THE SYSTEM

Before going any further, make sure you are in a screen session and that your system is fully up to date by running:

## screen -U -S opendkim-screen
## yum update

ENABLE EPEL REPOSITORY

OpenDKIM is available in the EPEL repository, so we need to enable it on the system before we can install OpenDKIM.

## wget -P /tmp http://mirror.pnl.gov/epel/6/i386/epel-release-6-8.noarch.rpm
## rpm -Uvh /tmp/epel-release-6-8.noarch.rpm
## rm -f /tmp/epel-release-6-8.noarch.rpm

INSTALL OPENDKIM

Install the package using yum:

## yum install opendkim

CONFIGURE OPENDKIM

The next thing to do is to configure OpenDKIM. Its main configuration file is /etc/opendkim.conf; before making any changes create a backup, then add/edit the following:

## cp /etc/opendkim.conf{,.orig}
## vim /etc/opendkim.conf
AutoRestart             Yes
AutoRestartRate         10/1h
LogWhy                  Yes
Syslog                  Yes
SyslogSuccess           Yes
Mode                    sv
Canonicalization        relaxed/simple
ExternalIgnoreList      refile:/etc/opendkim/TrustedHosts
InternalHosts           refile:/etc/opendkim/TrustedHosts
KeyTable                refile:/etc/opendkim/KeyTable
SigningTable            refile:/etc/opendkim/SigningTable
SignatureAlgorithm      rsa-sha256
Socket                  inet:8891@localhost
PidFile                 /var/run/opendkim/opendkim.pid
UMask                   022
UserID                  opendkim:opendkim
TemporaryDirectory      /var/tmp

SET-UP PUBLIC/PRIVATE KEYS

Generate a key pair for your mydomain.com domain name:

## mkdir /etc/opendkim/keys/mydomain.com
## opendkim-genkey -D /etc/opendkim/keys/mydomain.com/ -d mydomain.com -s default
## chown -R opendkim: /etc/opendkim/keys/mydomain.com
## mv /etc/opendkim/keys/mydomain.com/default.private /etc/opendkim/keys/mydomain.com/default

Add mydomain.com to OpenDKIM’s key table by adding the following record to /etc/opendkim/KeyTable:

default._domainkey.mydomain.com mydomain.com:default:/etc/opendkim/keys/mydomain.com/default

Next, edit /etc/opendkim/SigningTable and add the following record to OpenDKIM’s signing table:

*@mydomain.com default._domainkey.mydomain.com

Then add your domain and your hostname as trusted hosts in /etc/opendkim/TrustedHosts:

127.0.0.1
mydomain.com
host.mydomain.com

This assumes the domain in question is ‘mydomain.com’ and the server’s hostname is set to ‘host.mydomain.com’.

Finally, edit your mydomain.com DNS zone and add the TXT record from /etc/opendkim/keys/mydomain.com/default.txt:

default._domainkey      IN      TXT     ( "v=DKIM1; k=rsa; "
          "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDApHRr7ZmXRaAB+RQRbP4VdMwIrIHIP18KFtXRsv/xpWc0Gix6ZXN13fcG03KNGKZo2PY+csPkGC5quDnH5V0JEhDZ78KcDWFsU6u4fr9ktVAdt6P7jWXjcyqdHOZ8+YN4cAeU4lRFNgQvdupIcByYwzPYMgBFHfJm9014HvRqhwIDAQAB" )  ; ----- DKIM key default for mydomain.com

It is also a good idea to add an SPF record if you haven’t already:

mydomain.com. 14400 IN TXT "v=spf1 a mx ~all"

You can verify that your DKIM TXT record is valid using dig, for example:

## dig +short default._domainkey.mydomain.com TXT

"v=DKIM1\; k=rsa\; " "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDApHRr7ZmXRaAB+RQRbP4VdMwIrIHIP18KFtXRsv/xpWc0Gix6ZXN13fcG03KNGKZo2PY+csPkGC5quDnH5V0JEhDZ78KcDWFsU6u4fr9ktVAdt6P7jWXjcyqdHOZ8+YN4cAeU4lRFNgQvdupIcByYwzPYMgBFHfJm9014HvRqhwIDAQAB"
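A check that goes one step beyond eyeballing the dig output, added here as an example that is not part of the original post: it joins the two quoted strings of the TXT record (the most common place a published key gets truncated or mis-pasted), parses the tag list, and verifies that p= decodes to one complete DER SubjectPublicKeyInfo. The sample input is the page's own dig output; the function names are assumptions of this example.

```python
import base64
import re

# dig output for the page's record (copied from the post): the TXT record is
# published as two quoted strings that a resolver must concatenate.
DIG_OUTPUT = ('"v=DKIM1\\; k=rsa\\; " '
              '"p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDApHRr7ZmXRaAB+RQRbP4VdMwIrIHIP18KFtXRsv/xpWc0Gix6ZXN13fcG03KNGKZo2PY+csPkGC5quDnH5V0JEhDZ78KcDWFsU6u4fr9ktVAdt6P7jWXjcyqdHOZ8+YN4cAeU4lRFNgQvdupIcByYwzPYMgBFHfJm9014HvRqhwIDAQAB"')

def join_txt_strings(dig_line):
    """Concatenate the quoted strings of a TXT record and un-escape dig's '\\;'."""
    parts = re.findall(r'"((?:[^"\\]|\\.)*)"', dig_line)
    return "".join(parts).replace("\\;", ";")

def parse_dkim_tags(record):
    """Split an RFC 6376 tag-list ('v=DKIM1; k=rsa; p=...') into a dict."""
    tags = {}
    for item in record.split(";"):
        name, _, value = item.partition("=")
        if name.strip():
            tags[name.strip()] = "".join(value.split())  # drop folding whitespace
    return tags

def der_sequence_length(blob):
    """Total encoded length of the outer DER SEQUENCE, or None if it is not one."""
    if len(blob) < 2 or blob[0] != 0x30:
        return None
    if blob[1] < 0x80:                      # short-form length
        return 2 + blob[1]
    n = blob[1] & 0x7F                      # long form: n length bytes follow
    if n == 0 or len(blob) < 2 + n:
        return None
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")

def check_dkim_record(dig_line):
    """Validate a published DKIM key record; returns (ok, list of problems)."""
    problems = []
    tags = parse_dkim_tags(join_txt_strings(dig_line))
    if tags.get("v", "DKIM1") != "DKIM1":   # v= is optional, but must be DKIM1 if present
        problems.append("v= tag is not DKIM1")
    if tags.get("k", "rsa") != "rsa":
        problems.append("unsupported key type k=" + tags["k"])
    if "p" not in tags:
        problems.append("missing p= tag")
    else:
        try:
            key = base64.b64decode(tags["p"], validate=True)
        except ValueError:                   # binascii.Error is a ValueError
            problems.append("p= is not valid base64: truncated or mis-joined strings?")
        else:
            if der_sequence_length(key) != len(key):
                problems.append("p= does not decode to one complete SubjectPublicKeyInfo")
    return (not problems, problems)
```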

CONFIGURE POSTFIX

In order to integrate OpenDKIM with Postfix, add the following lines to /etc/postfix/main.cf:

smtpd_milters           = inet:127.0.0.1:8891
non_smtpd_milters       = $smtpd_milters
milter_default_action   = accept
milter_protocol         = 2

(RE)START SERVICES

Add OpenDKIM to your system’s start-up, start opendkim and restart postfix using the following commands:

## service opendkim start
## chkconfig opendkim on
## service postfix restart

TEST THE SET-UP

To test the set-up, simply send an email to autorespond+dkim@dk.elandsys.com and you should receive a reply containing something like this:

==========================================================
Summary of Results
==========================================================
SPF check:          pass
DomainKeys check:   neutral
DKIM check:         pass
Category: POSTFIX | Comments are closed on How to install and integrate OpenDKIM with Postfix