POSTFIX AND SASL

assuming you got postfix up and running already

DOVECOT SASL SOCKET

see the Dovecot guide –> SASL socket section

POSTFIX

make sure you’ve enabled a valid certificate and a decent TLS setup already

then enable submissions implicit ssl/tls (not starttls). it’s better to hard-code the port number here, slackware still did not switch from smtps to submissions

vi /etc/postfix/header_checks.regexp

/^Received:.*with SMTP/         IGNORE
/^Received:.*with ESMTP/        IGNORE
/^Received:.*with ESMTPS/       IGNORE
/^Received:.*with ESMTPSA/      IGNORE
/^X-Originating-IP:/            IGNORE
/^X-Mailer:/                    IGNORE
/^Mime-Version:/                IGNORE

vi /etc/postfix/master.cf

465   inet n       -       n       -       -       smtpd
    -o syslog_name=postfix/sasl
    -o smtpd_tls_auth_only=yes
    -o smtpd_tls_wrappermode=yes
    -o smtpd_tls_security_level=encrypt
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_sasl_path=private/auth
    -o smtpd_sasl_type=dovecot
    -o smtpd_sasl_security_options=noanonymous,noplaintext
    -o smtpd_sasl_tls_security_options=noanonymous
    -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
    -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    -o smtpd_helo_restrictions=permit_sasl_authenticated,reject
    -o smtpd_sender_restrictions=permit_sasl_authenticated,reject
    -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
    -o cleanup_service_name=ascleanup
    #-o broken_sasl_auth_clients=yes

ascleanup unix  n       -       y       -       0       cleanup
    -o mime_header_checks=regexp:/etc/postfix/header_checks.regexp
    -o header_checks=regexp:/etc/postfix/header_checks.regexp

there is NO NEED to add permit_sasl_authenticated, in main.cf

apparently you need both cleanup AND ascleanup otherwise you get some of those

postfix/smtpd[797]: warning: connect #5 to subsystem public/cleanup: Connection refused

otherwise – in case you want to dedicate a host for that, you could simply define those options into the main configuration

vi /etc/postfix/main.cf

#
# SASL DEDICATED HOST
#
syslog_name = postfix/submissions
smtpd_tls_auth_only = yes
smtpd_tls_wrappermode = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous
#broken_sasl_auth_clients = yes

HEADER CHECKS

here’s how to keep your SASL users' IP hidden.

mv /etc/postfix/header_checks /etc/postfix/header_checks.dist
vi /etc/postfix/header_checks

/^Received:.*with ESMTPSA/              IGNORE
/^X-Originating-IP:/    IGNORE
/^X-Mailer:/            IGNORE
/^Mime-Version:/        IGNORE

postmap /etc/postfix/header_checks

#vi /etc/postfix/header_checks_submission
#/^Received: from [^ ]+ \([^ ]+ \[[IPv0-9a-f:.]+\]\)\s+(.* \(Postfix\) with .+)$/ REPLACE Received: $1

ACCEPTANCE

apply and check

postfix reload
netstat -an -f inet | grep LISTEN

and remotely

openssl s_client -connect xc.nethence.com:465

TODO try to validate auth with an s_client telnet session with a base64 password.

RESOURCES

Postfix SASL Howto http://www.postfix.org/SASL_README.html

Postfix/dovecot SASL and SSL/TLS guide https://wiki.centos.org/HowTos/postfix_sasl

Postfix with SASL https://wiki.archlinux.org/index.php/Postfix_with_SASL

Enabling SASL authentication in the Postfix SMTP client https://www.linuxtopia.org/online_books/mail_systems/postfix_documentation/SASL_README_011.html

Enable SMTPS Port 465 in Postfix SMTP Server For Email Submission https://www.linuxbabe.com/mail-server/enable-smtps-port-465-postfix

Postfix smtps and submission confusion https://serverfault.com/questions/605715/postfix-smtps-and-submission-confusion

Enable SMTPS service (SMTP over SSL, port 465) https://docs.iredmail.org/enable.smtps.html

header checks

https://askubuntu.com/questions/78163/when-sending-email-with-postfix-how-can-i-hide-the-sender-s-ip-and-username-in

http://www.postfix.org/postconf.5.html#smtpd_sasl_authenticated_header

https://major.io/2013/04/14/remove-sensitive-information-from-email-headers-with-postfix/

https://serverfault.com/questions/413533/remove-hide-client-sender-ip-from-postfix

https://serverfault.com/questions/833906/rewrite-from-for-specific-to-addresses

https://stackoverflow.com/questions/13745104/postfix-pcre-regex-to-match-and-replace-substring/13745840

https://support.plesk.com/hc/en-us/articles/115004515714-How-to-rewrite-headers-in-outgoing-mail-messages

http://www.postfix.org/regexp_table.5.html

acceptance

How to test SMTP servers using the command-line https://halon.io/blog/how-to-test-smtp-servers-using-the-command-line/

How to test SMTP Authentication and StartTLS https://www.saotn.org/test-smtp-authentication-starttls/

Test STARTTLS configuration of SMTP server https://security.stackexchange.com/questions/58857/test-starttls-configuration-of-smtp-server

Simple Troubleshooting For SMTP Via Telnet And Openssl https://wiki.zimbra.com/wiki/Simple_Troubleshooting_For_SMTP_Via_Telnet_And_Openssl


HOME | GUIDES | LECTURES | LAB | SMTP HEALTH | HTML5
Copyright © 2022 Pierre-Philipp Braun