One of the widely discussed issues with Amazon EC2 instances is the inability to reliably send email from them. In all too many cases, email from EC2 instances is automatically categorized as spam by the various relay blocklists, and by many ISPs and carriers. There are several solutions, the most common being a smarthost setup using either an external SMTP smarthost service, such as http://authsmtp.com, or an existing SMTP server within our own infrastructure. We chose the latter, with the following requirements:
- All mail routed through our mailservers
- Client authentication using TLS
- Authentication via certificate, rather than via email account (user/password)
- Use of Postfix
The following is what we came up with, and which we have successfully deployed.
Create your own CA, key and cert with TinyCA2:
http://theworldofapenguin.blogspot.com/2007/06/create-your-own-ca-with-tinyca2-part-1.html
- Make your CA
- Make a key & cert for the smarthost and create a .tgz file (smarthost-bundle.tgz). This bundle consists of 3 files: cacert.pem, smarthost-cert.pem, smarthost-key.pem
- Make a key & cert for the clients and create a .tgz file (client-bundle.tgz). This bundle consists of 3 files: cacert.pem, client-cert.pem, client-key.pem
(or, if you are more comfortable, you can just script it)
Server setup:
* mkdir /etc/postfix/ssl
* obtain smarthost-bundle.tgz
* cd /etc/postfix/ssl; tar -xzvf smarthost-bundle.tgz
/etc/postfix/main.cf:
smtpd_tls_auth_only = no
smtpd_use_tls = yes
smtpd_tls_ask_ccert = yes
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_cert_file = /etc/postfix/ssl/smarthost-cert.pem
smtpd_tls_key_file = /etc/postfix/ssl/smarthost-key.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_exchange_name = /var/run/prng_exch
tls_random_source = dev:/dev/urandom
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_tls_all_clientcerts,
    reject_unauth_destination
Client setup:
* mkdir /etc/postfix/ssl
* obtain client-bundle.tgz
* cd /etc/postfix/ssl; tar -xzvf client-bundle.tgz
Then:
/etc/postfix/main.cf:
smtp_use_tls = yes
smtp_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtp_tls_cert_file = /etc/postfix/ssl/client-cert.pem
smtp_tls_key_file = /etc/postfix/ssl/client-key.pem
relayhost = [smarthost.domain.com]
Add the above lines, chown the /etc/postfix/ssl directory to root:root, and restart Postfix.
TODO:
* enable TLS ONLY on port 587 (submission port)
NOTE: To allow only specific certs to be verified, do this on the smarthost:
/etc/postfix/main.cf:
Change permit_tls_all_clientcerts to permit_tls_clientcerts.
Add this line:
relay_clientcerts = hash:/etc/postfix/relay_clientcerts
The /etc/postfix/relay_clientcerts file has this form:
{md5 fingerprint of the cert on the client} hostname
1) On client, do:
openssl x509 -fingerprint -md5 -in /etc/postfix/ssl/xxxxxxxx-cert.pem
You will see the md5 fingerprint near the top of the output. Copy that md5 and paste it into /etc/postfix/relay_clientcerts on the smarthost.
Then, add the host to the same file next to the md5.
Run postmap /etc/postfix/relay_clientcerts
Once done, ONLY the cert with that specific md5 fingerprint, and from that host, will be verified.
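As an added example that is not part of the original post, this Python reproduces the fingerprint that the openssl command above prints (a digest over the certificate's DER bytes) and the lookup that permit_tls_clientcerts performs against relay_clientcerts; the certificate bytes and the host label are constructed stand-ins, not real certificates.

```python
import base64
import hashlib
import re

# Added example, not from the original post. Postfix keys relay_clientcerts on
# a digest of the client certificate's DER bytes, which is exactly the value
# "openssl x509 -fingerprint -md5 -in client-cert.pem" prints.
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def pem_to_der(pem_text):
    """DER bytes of the first CERTIFICATE block (whitespace-insensitive)."""
    m = PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))

def fingerprint(pem_text, digest="md5"):
    """OpenSSL-style 'AB:12:...' fingerprint. The digest must match
    smtpd_tls_fingerprint_digest on the smarthost (md5, as in the post)."""
    raw = hashlib.new(digest, pem_to_der(pem_text)).digest()
    return ":".join("%02X" % b for b in raw)

def relay_clientcerts_line(pem_text, label, digest="md5"):
    """One /etc/postfix/relay_clientcerts line: '<fingerprint> <label>'."""
    return "%s %s" % (fingerprint(pem_text, digest), label)

def relay_clientcerts_keys(map_text):
    """Lookup keys of a relay_clientcerts file: only the fingerprint column.
    Postfix ignores the right-hand text, so the label is informational."""
    return {ln.split()[0] for ln in map_text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")}

def is_permitted(map_text, presented_pem, digest="md5"):
    """The check permit_tls_clientcerts performs once the client cert has
    verified against smtpd_tls_CAfile: is its fingerprint a map key?"""
    return fingerprint(presented_pem, digest) in relay_clientcerts_keys(map_text)

def constructed_pem(payload):
    """Wrap constructed bytes in PEM armor. Not a real certificate; it only
    exercises the fingerprint path, which hashes the decoded bytes as-is."""
    b64 = base64.b64encode(payload).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body

# Constructed sample inputs: two "client certs" and a map that lists only A.
CLIENT_A = constructed_pem(b"constructed DER bytes for EC2 client A " * 3)
CLIENT_B = constructed_pem(b"constructed DER bytes for EC2 client B " * 3)
RELAY_MAP = relay_clientcerts_line(CLIENT_A, "ec2-web-01.domain.com") + "\n"
```

Postfix uses only the fingerprint column as the lookup key, so the host written after it is informational and is not itself enforced by permit_tls_clientcerts. The digest you record must match the smarthost's smtpd_tls_fingerprint_digest setting.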