Transfer mail encrypted between the servers with postfix

When I was looking at mailheaders again (it became kind of a hobby, and this proves you learn from it^^) I was noticing one of my incoming mails was transfered via ESMTPS. So far I knew SMTP and ESMTP but ESMTPS was appearently a new. Turned out it was ESMTP via secure transportlayer, or like RFC 3848 defines it: “The new keyword ‘ESMTPS’ indicates the use of ESMTP when STARTTLS is also successfully negotiated to provide a strong transport”. So I became curious, how can I do that too? After a bit searching I came across the setting smtp_tls_security_level in postfix and yes, after setting it to ‘may’ it did the trick. So now if the server supports STARTTLS he opens a encrypted connection with the remote server for the transfer. You need to set a bit more to make it working without any errors, here is what you need to do on a Ubuntu 10.04 (Debian and others should work similar):

sudo postconf -e 'smtp_tls_security_level = may'
sudo postconf -e 'smtp_tls_loglevel = 1'
sudo postconf -e 'smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt'
sudo service postfix restart

We set only smtp_tls_security_level to ‘may’ cause otherwise with ‘encrypt’ the remote server is forced to support STARTTLS, if he does not the transfer fails. So with may encryption gets used when supported. Loglevel 1 gives you a short notice when a safe connection was established and what cipher got used. Like this:

Mar 14 00:22:08 utgard postfix/smtp[11397]: setting up TLS connection to gmail-smtp-in.l.google.com[173.194.70.26]:25
Mar 14 00:22:08 utgard postfix/smtp[11397]: Trusted TLS connection established to gmail-smtp-in.l.google.com[173.194.70.26]:25: TLSv1 with cipher RC4-SHA (128/128 bits)
Mar 14 00:22:09 utgard postfix/smtp[11397]: 6A591E6C2C3: to=, relay=gmail-smtp-in.l.google.com[173.194.70.26]:25, delay=0.9, delays=0.01/0.03/0.13/0.73, dsn=2.0.0, status=sent (250 2.0.0 OK 1331680929 s26si2913819weq.13)

And last but not least, we need to set the path to where he can find the ca-certificates to validate the remote servers certificate. Otherwise we get a entry saying a untrusted connection gets used, means he encrypts but can’t verify the remote identity. In Ubuntu (Debian) inside the chroot path of postfix lies a file containing all ca-certificates, we just need to point postfix to it. The normal path is not accessable from inside the chroot. Thanks to Alain Kelder to point this out. With all that done, our server is good and enabled to send out his outgoing mail to other smtp servers using a secure transport layer. You can go even further and for example force encryption for specific servers on a per-site basis. But since thats not the scope of this article, please refer to the postfix TLS documentation for that. There you find also information how to optimise the encryption by disabling/enabling ciphers and similar.

flattr this!

Make amavis-new speak German with you

By concidence I came across a translation of the amavis-new templates for it’s messages in German and a guide how to set those translations up. The translated templates you can download from http://fblan.de/postfix/amavis/de_DE/. The install instruction works on Debian/Ubuntu, on other OSes please check where the entry in the config lies. And here is how to install them (requires root):

sudo -i
mkdir /etc/amavis/de_DE
cd /etc/amavis/de_DE
wget http://fblan.de/postfix/amavis/de_DE/charset
wget http://fblan.de/postfix/amavis/de_DE/template-dsn.txt
wget http://fblan.de/postfix/amavis/de_DE/template-spam-admin.txt
wget http://fblan.de/postfix/amavis/de_DE/template-spam-sender.txt
wget http://fblan.de/postfix/amavis/de_DE/template-virus-admin.txt
wget http://fblan.de/postfix/amavis/de_DE/template-virus-recipient.txt
wget http://fblan.de/postfix/amavis/de_DE/template-virus-sender.txt

Once you took care of that, we need to edit the file /etc/amavis/conf.d/30-template_localization. Comment out the old line “read_l10n_templates(‘en_US’, ‘/etc/amavis’);” and place a new line with “read_l10n_templates(‘de_DE’, ‘/etc/amavis’);” below. After a restart amavis now sends out his reports in German instead of English. And do not forget to do a logout after the amavis restart, we don’t wanna act as root longer then necessary! ;-)

The guide is from o-o-s.de and the translation from fblan.de, thanks to both!

And should the fblan.de webpage down for some reason, I have a local copy for download here.

flattr this!

A bunch of tips for improving your postfix setup

Laptop with a opened envelope on the screen that has written eMail on it.Today I learned¬†a few things on postfix and how to set it up cleaner. So I want to share this insights with you, especially the part how to clean up the mail header since it helps a lot and improves your privacy quite a bit. So let’s get started, shouldn’t we ?¬†Lets start by adding¬†a limitation on the SASL¬†authenticated¬†clients which address they can to send out mail. This gets archived by setting up “smtpd_sender_login_maps =” and adding “reject_authenticated_sender_login_missmatch” to smtpd_recipient_restrictions, so he check¬†the map we setup in smtpd_sender_login_maps and if the SASL authenticated client fails rejects the mail. The map is looking like this:

# envelope sender           owners (SASL login names)
john@example.com            john@example.com
helpdesk@example.com        john@example.com, mary@example.com
postmaster                  admin@example.com
@example.net                fred, barney, john@example.com

So, setup the list with the addressed and allowed owners. Then convert it to a hashmap with postmap, and setup postfix.

$: postmap hash:/etc/postfix/addressowner_map
$: postconf -e \ 
'smtpd_sender_login_maps = hash:/etc/postfix/addressowner_map'
$: postconf -e \
'smtpd_recipient_restrictions = permit_mynetworks, reject_sender_login_mismatch, permit_sasl_authenticated, reject_unauth_destination'

Don’t forget to make smtpd_recipient_restrictions fitting your setup! After that restart postfix, try first to send out using the usual sender address. It should work fine, but when you set up a sender address you don’t own he should reject it. More information on this mechanism you can find in the Postfix SASL How to.

I was looking a while now for a way to remove my IP from outgoing mails, so my server is the start point of the delivery path. This is to hide my IP, also internal IPs and it solves problems with anti-spam mechanism like SPF.¬†postfix (or any other SMTP server) receives mail from other mail servers (“incoming”), and mails by users (“outgoing”). As we don’t want to strip any headers from incoming mail, we first have to force all users to authenticate (which is a good thing anyway), and make Postfix add another header to authenticated (“outgoing”) mails. Then, we can match this header and strip both the Received line containing internal host names and IPs, and the authenticated header. So edit the config like this:

$: postconf -e 'smtpd_sasl_authenticated_header = yes'
$: postconf -e 'header_checks = regexp:/etc/postfix/header_checks'

Then create the file “header_checks” and add the following line, while editing “yourdomain\.com” to match your mail servers domain.

/^Received: .*\(Authenticated sender:.*/ IGNORE
/^Received: by yourdomain\.com .*from userid [0-9]+\)/ IGNORE

Restart postfix. This takes care of our problem. Send out a mail and compare the resulting header with an older, its much cleaner. Thanks goes to Moblog, who explained it nice and from where I took some parts.¬†So this enables us, cause we have a clean header, to add a SPF record to our domain. To archive this, just create a TXT record with the content “v=spf1 a mx -all”. Simple but working good. For more information on SPF, check Wikipedia, since OpenSPF.org is at least for me always down.

That’s it for today, hope it was inspiring for you.

flattr this!

Finally working eMail

After ages I finally took on the fight with my fear of¬†mail-servers¬†and got it working. Found a nice guide on Linode.com that was a great help to figure out various things. I optimized it at some points, and thanks to the book “Das Postfix Buch – Sichere Mailserver mit Linux” (german) from Peer Heinlein I did manage it. Now its adding more features like spam-assassin, virus-scanning, and more. But yea, I’m happy that I conquered my fear, but yea, I’m quite unhappy with the documentation of the dovecot/postfix. It could be improved a lot, but sadly I lack (yet) the¬†knowledge¬†to do so. Without that guide I certainly would have run into a bit trouble, since some points are a confusing without a hint how to work with it. But yea, made it and I will blog also about how I¬†implanted the upcoming features, so you guys can also use it if you also think on setting up a mailserver.

Helpful tools for checking your mailserver are these:

abuse.net/relay.html Mail Relay Testing -Check your mailserver if it can be missused as a open-relay to send spam.

www.mxtoolbox.com¬†Various tools from check your domain’s mx record to checking the servers SPF response.

flattr this!