Postfix SMTP AUTH w/TLS

The sysadmins at TnR Global, LLC explain how they get email delivered from EC2 instances instead of having it caught by Spamhaus and other blocklists.

One of the widely discussed issues with Amazon EC2 instances is the difficulty of reliably sending email from the instances. In all too many cases, email from EC2 instances is automatically categorized as spam by the various relay blocklists and by many ISPs and carriers. There are several solutions, the most common being a smarthost setup using either an external SMTP relay service, such as http://authsmtp.com, or an existing SMTP server within our own infrastructure. We chose the latter, with the following requirements:

  1. All mail routed through our mailservers
  2. Client authentication using TLS
  3. Authentication via certificate, rather than via email account (user/password)
  4. Use of Postfix

The following is what we came up with, and which we have successfully deployed.

Create your own CA, key and cert with TinyCA2
http://theworldofapenguin.blogspot.com/2007/06/create-your-own-ca-with-tinyca2-part-1.html

  • Make your CA
  • make a key & cert for the smarthost and create a .tgz file (smarthost-bundle.tgz). This bundle consists of 3 files: cacert.pem, smarthost-cert.pem, smarthost-key.pem
  • make a key & cert for each client and create a .tgz file (client-bundle.tgz). This bundle consists of 3 files: cacert.pem, client-cert.pem, client-key.pem. Give each client instance its own key pair, so that one compromised instance can be cut off without reissuing the others, and keep the CA private key out of both bundles.

(or if you are more comfortable you can just script it)
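Scripting it with openssl, as an added example that is not part of the original post: the script below builds the private CA and the two bundles with the file names used in this post, giving the smarthost a serverAuth certificate and the client a clientAuth certificate. The output directory and the two hostnames are arguments (assumed here); the request config it writes is its own, so it does not depend on the system openssl.cnf.

```shell
#!/bin/sh
# Added example (not the post's own procedure): build the private CA and the two
# bundles the post describes with openssl instead of TinyCA2. File names follow the
# post; the output directory and the two hostnames are arguments (assumed here).
set -eu

# Minimal request config so nothing depends on the system openssl.cnf.
# [ca_ext] is applied to the self-signed root only.
write_req_config() {
    cat > "$1" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
x509_extensions = ca_ext
[ dn ]
CN = Smarthost private CA
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# issue_cert DIR NAME FQDN EKU: key pair plus CA-signed cert for one endpoint.
# serverAuth for the smarthost, clientAuth for clients, so a client certificate
# cannot later be presented as the smarthost's.
issue_cert() {
    dir=$1; name=$2; fqdn=$3; eku=$4
    openssl req -new -nodes -newkey rsa:2048 -config "$dir/req.cnf" -subj "/CN=$fqdn" \
        -keyout "$dir/$name-key.pem" -out "$dir/$name.csr" 2>/dev/null
    printf '%s\n' "basicConstraints = CA:FALSE" \
        "keyUsage = critical, digitalSignature, keyEncipherment" \
        "extendedKeyUsage = $eku" \
        "subjectAltName = DNS:$fqdn" > "$dir/$name.ext"
    openssl x509 -req -days 825 -in "$dir/$name.csr" -extfile "$dir/$name.ext" \
        -CA "$dir/cacert.pem" -CAkey "$dir/ca-key.pem" -CAcreateserial \
        -out "$dir/$name-cert.pem" 2>/dev/null
    rm -f "$dir/$name.csr" "$dir/$name.ext"
}

# make_bundles DIR SMARTHOST_FQDN CLIENT_FQDN
make_bundles() {
    dir=$1; smarthost=$2; client=$3
    umask 077                       # private keys come out mode 0600
    mkdir -p "$dir"
    write_req_config "$dir/req.cnf"
    openssl req -x509 -new -nodes -newkey rsa:2048 -days 3650 -config "$dir/req.cnf" \
        -keyout "$dir/ca-key.pem" -out "$dir/cacert.pem" 2>/dev/null
    issue_cert "$dir" smarthost "$smarthost" serverAuth
    issue_cert "$dir" client "$client" clientAuth
    # Same bundle contents as the post. The CA key is deliberately in neither.
    tar -czf "$dir/smarthost-bundle.tgz" -C "$dir" cacert.pem smarthost-cert.pem smarthost-key.pem
    tar -czf "$dir/client-bundle.tgz" -C "$dir" cacert.pem client-cert.pem client-key.pem
    # Both leaves must chain to the CA for the purpose Postfix will verify them for.
    openssl verify -CAfile "$dir/cacert.pem" -purpose sslserver "$dir/smarthost-cert.pem" >/dev/null
    openssl verify -CAfile "$dir/cacert.pem" -purpose sslclient "$dir/client-cert.pem" >/dev/null
}

# Usage: sh make-bundles.sh /root/pki smarthost.example.com ec2-client.example.com
if [ $# -ge 3 ]; then
    make_bundles "$1" "$2" "$3"
fi
```

Run it once per client instance so every client gets its own key pair, and keep ca-key.pem on the machine that issues certificates only: with permit_tls_all_clientcerts on the smarthost, whoever holds the CA key can mint a relay credential.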

Server setup:

* mkdir /etc/postfix/ssl
* obtain smarthost-bundle.tgz
* cd /etc/postfix/ssl; tar -xzvf smarthost-bundle.tgz

/etc/postfix/main.cf:
smtpd_tls_auth_only = no
smtpd_use_tls = yes
smtpd_tls_ask_ccert = yes
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_cert_file = /etc/postfix/ssl/smarthost-cert.pem
smtpd_tls_key_file = /etc/postfix/ssl/smarthost-key.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_exchange_name = /var/run/prng_exch
tls_random_source = dev:/dev/urandom

smtpd_recipient_restrictions =
permit_mynetworks,
permit_tls_all_clientcerts,
reject_unauth_destination

smtpd_tls_ask_ccert = yes is what makes smtpd request a certificate from the client at all, and smtpd_tls_CAfile is the CA that certificate must chain to (cacert.pem from the bundle). permit_tls_all_clientcerts relays for any certificate that verifies against that CA, so the CA private key is effectively a relay credential and should stay off the smarthost. On Postfix 2.3 and later, smtpd_use_tls = yes is the legacy spelling of smtpd_tls_security_level = may.

Client setup:

* mkdir /etc/postfix/ssl
* obtain client-bundle.tgz
* cd /etc/postfix/ssl; tar -xzvf client-bundle.tgz

Then:

/etc/postfix/main.cf:
smtp_use_tls = yes
smtp_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtp_tls_cert_file = /etc/postfix/ssl/client-cert.pem
smtp_tls_key_file = /etc/postfix/ssl/client-key.pem
relayhost = [smarthost.domain.com]

The square brackets around relayhost turn off the MX lookup, so mail goes to that host and nothing else. Note that smtp_use_tls = yes is only opportunistic: if the smarthost ever fails to offer STARTTLS, the client sends in the clear, presents no certificate, and is refused by reject_unauth_destination. On Postfix 2.3 and later, smtp_tls_security_level = secure (or encrypt) refuses to send without TLS instead; secure additionally requires the smarthost certificate to carry the relayhost name.

Add the above lines, chown the /etc/postfix/ssl directory to root:root, chmod 600 the *-key.pem files, and restart postfix.
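An added check, not from the original post, that reads a main.cf with Postfix's own continuation-line rule (a line starting with whitespace extends the previous parameter) and reports the settings in the two fragments above that a reviewer would query: the pre-2.3 smtp_use_tls/smtpd_use_tls spellings, a relayhost without a mandatory smtp_tls_security_level, permit_tls_all_clientcerts, and a permit_tls_* restriction without smtpd_tls_ask_ccert. The two sample files it writes are constructed for this example (one with the settings as posted, one with smtp_tls_security_level = secure and permit_tls_clientcerts); the function names are its own.

```shell
#!/bin/sh
# Added example, not from the original post: audit the TLS settings in a main.cf.
# Sample files and function names are this example's own.
set -eu

# get_param FILE NAME: value of a main.cf parameter, last definition wins, with
# continuation lines (leading whitespace) joined the way Postfix reads them.
# Prints an empty line when the parameter is not set.
get_param() {
    awk -v key="$2" '
        /^#/            { inkey = 0; next }
        /^[ \t]/        { if (inkey) val = val " " $0; next }
                        { inkey = 0 }
        $0 ~ "^" key "[ \t]*=" { inkey = 1; sub(/^[^=]*=[ \t]*/, ""); val = $0 }
        END { gsub(/[ \t]+/, " ", val); sub(/^ /, "", val); sub(/ $/, "", val); print val }
    ' "$1"
}

# audit_tls FILE: print one finding per line; exit 0 only when there are none.
audit_tls() {
    cf=$1; n=0
    level=$(get_param "$cf" smtp_tls_security_level)
    relay=$(get_param "$cf" relayhost)
    case "$level" in
        encrypt|verify|secure|fingerprint|dane-only) ;;
        *)  if [ -n "$relay" ]; then
                echo "smtp_tls_security_level is '${level:-unset}': TLS to $relay is optional; use secure (or verify)"
                n=$((n + 1))
            fi ;;
    esac
    if [ -n "$(get_param "$cf" smtp_use_tls)" ] || [ -n "$(get_param "$cf" smtpd_use_tls)" ]; then
        echo "smtp_use_tls/smtpd_use_tls are the pre-2.3 parameters; set *_tls_security_level instead"
        n=$((n + 1))
    fi
    restr=$(get_param "$cf" smtpd_recipient_restrictions)
    case "$restr" in
        *permit_tls_all_clientcerts*)
            echo "permit_tls_all_clientcerts: every cert issued by smtpd_tls_CAfile may relay; use permit_tls_clientcerts with relay_clientcerts"
            n=$((n + 1)) ;;
    esac
    case "$restr" in
        *permit_tls_*)
            [ "$(get_param "$cf" smtpd_tls_ask_ccert)" = yes ] ||
                { echo "smtpd_tls_ask_ccert is not yes: clients are never asked for a certificate"; n=$((n + 1)); } ;;
    esac
    [ "$n" -eq 0 ]
}

# The post's client and smarthost settings merged into one file (constructed here).
write_posted_maincf() {
    cat > "$1" <<'EOF'
# client side
smtp_use_tls = yes
smtp_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtp_tls_cert_file = /etc/postfix/ssl/client-cert.pem
smtp_tls_key_file = /etc/postfix/ssl/client-key.pem
relayhost = [smarthost.domain.com]
# smarthost side
smtpd_use_tls = yes
smtpd_tls_ask_ccert = yes
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_tls_all_clientcerts,
    reject_unauth_destination
EOF
}

# Same deployment with the findings fixed. 'secure' also requires the smarthost
# certificate to carry the relayhost name (smtp_tls_secure_cert_match default).
write_hardened_maincf() {
    cat > "$1" <<'EOF'
smtp_tls_security_level = secure
smtp_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtp_tls_cert_file = /etc/postfix/ssl/client-cert.pem
smtp_tls_key_file = /etc/postfix/ssl/client-key.pem
relayhost = [smarthost.domain.com]
smtpd_tls_security_level = may
smtpd_tls_ask_ccert = yes
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
relay_clientcerts = hash:/etc/postfix/relay_clientcerts
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_tls_clientcerts,
    reject_unauth_destination
EOF
}

# Usage: sh audit-tls.sh /etc/postfix/main.cf
if [ $# -ge 1 ]; then
    audit_tls "$1"
fi
```

The hardened sample is the same deployment with mandatory TLS on the client and a per-certificate allow list on the smarthost; run the audit against the live main.cf on both hosts after editing, since the exit status is non-zero whenever a finding remains.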

TODO:
* enable TLS ONLY on port 587 (submission port)

NOTE: To allow only specific certs to relay, rather than every cert the CA has signed, do this on the
smarthost:

/etc/postfix/main.cf:

change permit_tls_all_clientcerts to permit_tls_clientcerts

Add this line:
relay_clientcerts = hash:/etc/postfix/relay_clientcerts

The /etc/postfix/relay_clientcerts file is of this form:

{fingerprint of the client cert} hostname

The fingerprint must be computed with the digest Postfix compares against, set by smtpd_tls_fingerprint_digest (Postfix 2.5 and later; the default was md5 until Postfix 3.6 moved it to sha256 behind compatibility_level), so check postconf smtpd_tls_fingerprint_digest first. With md5, as used here:

1) On client, do:
openssl x509 -noout -fingerprint -md5 -in /etc/postfix/ssl/xxxxxxxx-cert.pem

This prints the md5 fingerprint as colon-separated hex. Copy it and paste
it into /etc/postfix/relay_clientcerts on the smarthost.

Then, add the hostname to the same file next to the fingerprint. Postfix ignores this right-hand side, so it is purely a label for the admin; pick one that tells you which instance to cut off.

Run postmap /etc/postfix/relay_clientcerts

Once done, only a client that completes the TLS handshake with a cert carrying that fingerprint (and therefore holds the matching private key), chaining to smtpd_tls_CAfile, is permitted to relay. The hostname is not checked. To revoke a client, delete its line and rerun postmap; raising smtpd_tls_loglevel to 2 while testing makes smtpd log the fingerprint it computed for the client cert.
