Postfix TLS Quick and dirty

I wrote an internal how-to document a while ago about how to set up POP3 Secure and SMTP Auth with Postfix on CentOS 4. I thought I’d post it here so that others may find it useful.

Before you begin
Make sure CentOS 4 has been installed as a server (with no graphical interface). Set up RPM to allow installation from the CentOS yum repositories.


Install the required programs

# yum install cyrus-sasl
# yum install cyrus-sasl-devel
# yum install cyrus-sasl-gssapi
# yum install cyrus-sasl-plain
# yum install cyrus-sasl-crammd5
# yum install cyrus-sasl-digestmd5
# yum install cyrus-sasl-otp
# yum install cyrus-sasl-saslauthd


Make the directory structure and start services

# chkconfig --add saslauthd
# /etc/init.d/saslauthd start
# mkdir /etc/postfix/ssl
# cd /etc/postfix/ssl


Generate the security keys
Type these commands exactly as shown

# openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024
# chmod 600 smtpd.key
# openssl req -new -key smtpd.key -out smtpd.csr
# openssl x509 -req -days 3650 -in smtpd.csr -signkey smtpd.key -out smtpd.crt
# openssl rsa -in smtpd.key -out smtpd.key.unencrypted
# mv smtpd.key.unencrypted smtpd.key
# openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650


Editing /etc/postfix/main.cf
Add these lines at the bottom of your main.cf

smtpd_sasl_local_domain =
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,
				permit_mynetworks,
				check_relay_domains
smtpd_tls_auth_only = no
smtpd_use_tls = yes
smtpd_tls_note_starttls_offer = yes
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem

smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom


Dovecot and POP3Secure
If you want Dovecot to run your POP3/IMAP and POP3s/IMAPs services, then it might be worthwhile adding the following configuration options to /etc/dovecot.conf

ssl_cert_file = /etc/postfix/ssl/smtpd.crt
ssl_key_file = /etc/postfix/ssl/smtpd.key

You will find that any Windows users will receive messages about the certificate not being signed by a valid certificate authority. This is easily solved by adding the certificate manually to their store of acceptable CAs.

In Internet Explorer visit the following address:

https://servername:995/

When the dialog box appears asking you to accept the certificate, click on View Certificate, then select the Install Certificate button. Outlook and Outlook Express will no longer ask you to accept the certificate when checking your email.


Potential Problems
If the key still has a passphrase associated with it, then Postfix won’t know what to do with it. Unprotect the key as follows:

# openssl rsa -in cakey.pem -text
# openssl rsa -in cakey.pem -out key_unprotected.pem
# mv cakey.pem key_protected.pem
# mv key_unprotected.pem cakey.pem


Finally
All that is now required is to restart Postfix:

# /etc/init.d/postfix restart
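As an added check that is not part of the original how-to, the script below parses a main.cf fragment using Postfix's own line rules (a line starting with whitespace continues the previous value) and flags the slips a hand-typed fragment tends to pick up, as well as the one setting above that weakens the setup: smtpd_tls_auth_only = no lets clients send PLAIN/LOGIN credentials before STARTTLS. The sample fragment and the list of known parameter names are constructed for this example and cover only the settings the article uses.

```python
# Constructed sample, not a real main.cf: it contains the kinds of slips a
# hand-edited fragment picks up (a line with no '=', a misspelled parameter).
SAMPLE_MAIN_CF = """\
smtpd_sasl_localdomain
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_reciepient_restrictions = permit_sasl_authenticated,
\tpermit_mynetworks,
\tcheck_relay_domains
smtpd_tls_auth_only = no
smtpd_use_tls = yes
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
"""

# Assumption: only the parameters this article sets; extend for a fuller check.
KNOWN = {
    "smtpd_sasl_local_domain", "smtpd_sasl_auth_enable", "smtpd_sasl_security_options",
    "broken_sasl_auth_clients", "smtpd_recipient_restrictions", "smtpd_tls_auth_only",
    "smtpd_use_tls", "smtpd_tls_note_starttls_offer", "smtpd_tls_key_file",
    "smtpd_tls_cert_file", "smtpd_tls_CAfile", "smtpd_tls_loglevel",
    "smtpd_tls_received_header", "smtpd_tls_session_cache_timeout", "tls_random_source",
}

def parse_main_cf(text):
    """Parse 'name = value' lines; returns (params, lines_without_equals)."""
    params, malformed, current = {}, [], None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and current is not None:   # continuation line
            params[current] += " " + raw.strip()
            continue
        name, sep, value = raw.partition("=")
        if not sep:                      # Postfix refuses to load such a line
            malformed.append(raw.strip())
            current = None
            continue
        current = name.strip()
        params[current] = value.strip()
    return params, malformed

def lint(params, malformed):
    """Return human-readable findings; an empty list means the fragment is clean."""
    findings = [f"malformed line (missing '='): {l!r}" for l in malformed]
    findings += [f"unknown parameter, probably a typo: {n}" for n in params if n not in KNOWN]
    opts = params.get("smtpd_sasl_security_options", "").replace(",", " ").split()
    if params.get("smtpd_tls_auth_only", "no") != "yes" and "noplaintext" not in opts:
        findings.append("smtpd_tls_auth_only = no with no 'noplaintext' option: "
                        "PLAIN/LOGIN credentials can be sent before STARTTLS")
    return findings
```

Run it against your own /etc/postfix/main.cf by passing the file contents to parse_main_cf; the KNOWN set will need the rest of your parameters added first.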

