For more than 25 years, Sendmail has served as the Internet’s primary MTA. Many
applications written for Linux expect to find Sendmail running on the server. Writ-
ten before the Internet became open to the public, however, Sendmail has many of
the security problems listed on the Common Vulnerabilities and Exposures (CVE)
list hosted at http://cve.mitre.org.
Fortunately, other MTAs have emerged to take Sendmail’s place. The main problem
these MTAs face is the expectation by core applications that Sendmail will be present
on the Linux server. To get around this, MTAs such as Postfix and Exim must be
able to appear to applications as if they are Sendmail. We call these drop-in replace-
ments, and they can run in a Sendmail mode.
Postfix is our preferred replacement for Sendmail. Postfix is faster than Sendmail, has
a more secure, modular architecture, and offers many of the features required by a
high-volume mail provider. Postfix doesn’t provide deprecated protocols, but uses
the Internet-standard Simple Mail Transport Protocol (SMTP), and it has the lowest
number of items on the CVE list. For all of these reasons, we’ll use Postfix rather
than Sendmail as our MTA.
Securing email involves keeping unauthorized users off the server altogether (so they
can’t use it to send unsolicited bulk email), making sure that nobody can spoof legiti-
mate users, and protecting the content of each email from being snooped on or
changed in transit.
Since you already installed Postfix and Debian set it up as a service, you need to tell
Postfix what to do about secure authentication. Use the following commands:
# postconf -e 'smtpd_sasl_local_domain ='
# postconf -e 'smtpd_sasl_auth_enable = yes'
# postconf -e 'smtpd_sasl_security_options = noanonymous'
# postconf -e 'broken_sasl_auth_clients = yes'
# postconf -e 'smtpd_recipient_restrictions = \
permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination'
# postconf -e 'inet_interfaces = all'
These commands write text to the smtpd.conf file:
# echo 'pwcheck_method: saslauthd' >> /etc/postfix/sasl/smtpd.conf
# echo 'mech_list: plain login' >> /etc/postfix/sasl/smtpd.conf
Now create a directory for your SSL certificates and generate both the certificates and
the encryption keys:
# mkdir /etc/postfix/ssl
# cd /etc/postfix/ssl/
# openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024
293 semi-random bytes loaded
Generating RSA private key, 1024 bit long modulus
..........................................++++++
.......................................++++++
e is 65537 (0x10001)
Enter pass phrase for smtpd.key:
Verifying - Enter pass phrase for smtpd.key:
Then issue this command to change the permissions on the file containing the
OpenSSL RSA key:
# chmod 600 smtpd.key
Next, generate another key and a certificate and change the existing keys to the
newly generated ones:
# openssl req -new -key smtpd.key -out smtpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]: centralsoft.org
Organizational Unit Name (eg, section) []: web
Common Name (eg, YOUR name) []:
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []: cso
# openssl x509 -req -days 3650 -in smtpd.csr -signkey smtpd.key -out \
smtpd.crt
Signature ok
subject=/C=US/ST=Texas/L=Dallas/O=centralsoft.org/OU=web/CN=Tom_Adelstein/
emailAddress=tom.adelstein@centralsoft.org
Getting Private key
Enter pass phrase for smtpd.key:
# openssl rsa -in smtpd.key -out smtpd.key.unencrypted
Enter pass phrase for smtpd.key:
writing RSA key
# mv -f smtpd.key.unencrypted smtpd.key
# openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out \
cacert.pem -days 3650
Generating a 1024 bit RSA private key
.....................++++++
..........................++++++
writing new private key to 'cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:
Email Address []:
Now you need to tell Postfix about your keys and certificates, using the following
postconf commands:
#
#
#
#
#
#
#
#
#
#
#
postconf
postconf
postconf
postconf
postconf
postconf
postconf
postconf
postconf
postconf
postconf
-e
-e
-e
-e
-e
-e
-e
-e
-e
-e
-e
'smtpd_tls_auth_only = no'
'smtp_use_tls = yes'
'smtpd_use_tls = yes'
'smtp_tls_note_starttls_offer = yes'
'smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key'
'smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt'
'smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem'
'smtpd_tls_loglevel = 1'
'smtpd_tls_received_header = yes'
'smtpd_tls_session_cache_timeout = 3600s'
'tls_random_source = dev:/dev/urandom'
The /etc/postfix/main.cf file should now look like this:
# See /usr/share/postfix/main.cf.dist for a commented, more complete
# version
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no
# Appending .domain is the MUA's job
append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
myhostname = server1.example.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = server1.example.com, localhost.example.com, localhost
relayhost =
mynetworks = 127.0.0.0/8
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
smtpd_sasl_local_domain =
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions =
permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
smtpd_tls_auth_only = no
smtp_use_tls = yes
smtpd_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
If your file matches this one, you can use this command to implement the changes:
# /etc/init.d/postfix restart
Stopping mail transport agent: Postfix.
Starting mail transport agent: Postfix.
Authentication will be done by saslauthd, a SASL daemon, but you’ll have to change
a few things to make it work properly. Because Postfix runs chrooted in /var/spool/
postfix, enter the following commands:
# mkdir -p /var/spool/postfix/var/run/saslauthd
# rm -fr /var/run/saslauthd
Now you have to edit /etc/default/saslauthd in order to activate saslauthd. Remove
the # sign in front of START=yes and add the line PARAMS="-m /var/spool/postfix/var/
run/saslauthd", so that the file looks like this:
# This needs to be uncommented before saslauthd will be run automatically
START=yes
PARAMS="-m /var/spool/postfix/var/run/saslauthd"
# You must specify the authentication mechanisms you wish to use.
# This defaults to "pam" for PAM support, but may also include
# "shadow" or "sasldb", like this:
# MECHANISMS="pam shadow"
MECHANISMS="pam"
Finally, edit /etc/init.d/saslauthd. Change the line:
dir=`dpkg-statoverride --list $PWDIR`
to:
#dir=`dpkg-statoverride --list $PWDIR`
Then change the variables PWDIR and PIDFILE and add the variable dir near the begin-
ning of the file:
PWDIR="/var/spool/postfix/var/run/${NAME}"
PIDFILE="${PWDIR}/saslauthd.pid"
dir="root sasl 755 ${PWDIR}"
/etc/init.d/saslauthd should now look like this:
#!/bin/sh -e
NAME=saslauthd
DAEMON="/usr/sbin/${NAME}"
DESC="SASL Authentication Daemon"
DEFAULTS=/etc/default/saslauthd
PWDIR="/var/spool/postfix/var/run/${NAME}"
PIDFILE="${PWDIR}/saslauthd.pid"
dir="root sasl 755 ${PWDIR}"
createdir( ) {
# $1 = user
# $2 = group
# $3 = permissions (octal)
# $4 = path to directory
[ -d "$4" ] || mkdir -p "$4"
chown -c -h "$1:$2" "$4"
chmod -c "$3" "$4"
}
test -f "${DAEMON}" || exit 0
# Source defaults file; edit that file to configure this script.
if [ -e "${DEFAULTS}" ]; then
. "${DEFAULTS}"
fi
# If we're not to start the daemon, simply exit
if [ "${START}" != "yes" ]; then
exit 0
fi
# If we have no mechanisms defined
if [ "x${MECHANISMS}" = "x" ]; then
echo "You need to configure ${DEFAULTS} with mechanisms to be used"
exit 0
fi
# Add our mechanisms with the necessary flag
PARAMS="${PARAMS} -a ${MECHANISMS}"
START="--start --quiet --pidfile ${PIDFILE} --startas ${DAEMON} --name
${NAME} -- ${PARAMS}"
# Consider our options
case "${1}" in
start)
echo -n "Starting ${DESC}: "
#dir=`dpkg-statoverride --list $PWDIR`
test -z "$dir" || createdir $dir
if start-stop-daemon ${START} >/dev/null 2>&1 ; then
echo "${NAME}."
else
if start-stop-daemon --test ${START} >/dev/null 2>&1; then
echo "(failed)."
exit 1
else
echo "${DAEMON} already running."
exit 0
fi
fi
;;
stop)
echo -n "Stopping ${DESC}: "
if start-stop-daemon --stop --quiet --pidfile "${PIDFILE}" \
--startas ${DAEMON} --retry 10 --name ${NAME} \
>/dev/null 2>&1 ; then
echo "${NAME}."
else
if start-stop-daemon --test ${START} >/dev/null 2>&1; then
echo "(not running)."
exit 0
else
echo "(failed)."
exit 1
fi
fi
;;
restart|force-reload)
$0 stop
exec $0 start
;;
*)
echo "Usage: /etc/init.d/${NAME} {start|stop|restart|force-reload}" >&2
exit 1
;;
esac
exit 0
Now start saslauthd:
# /etc/init.d/saslauthd start
Starting SASL Authentication Daemon: changed ownership of
`/var/spool/postfix/var/run/saslauthd' to root:sasl
saslauthd.
To see whether SMTP-AUTH and TLS work properly, run the following command:
# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.localdomain.
Escape character is '^]'.
220 server1.centralsoft.org ESMTP Postfix (Debian/GNU)
This establishes a connection to Postfix. Now type:
# ehlo localhost
If you see the lines:
server1:/etc/postfix# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.localdomain.
Escape character is '^]'.
220 server1.centralsoft.org ESMTP Postfix (Debian/GNU)
ehlo localhost
250-server1.centralsoft.org
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250 8BITMIME
your configuration should work and you have completed this part of the mail setup.
You can type quit and move to the next section.
Weak email security makes it easy for imposters to spoof users. To promote authen-
tication, we will install Postfix with Transport Layer Security (TLS), a protocol bet-
ter known as the Secure Sockets Layer (SSL). This prevents the sending of clear-text
passwords from an email client to the server.
We also want users to authenticate or log into our mail server. To this end, we will
employ the Simple Authentication and Security Layer (SASL). This creates an exten-
sion (ESMTP) that allows an SMTP client to authenticate the server.
To install the packages needed by Postfix and the other mail components, enter:
# apt-get install postfix postfix-tls libsasl2 sasl2-bin \
libsasl2-modules ipopd-ssl uw-imapd-ssl
applications written for Linux expect to find Sendmail running on the server. Writ-
ten before the Internet became open to the public, however, Sendmail has many of
the security problems listed on the Common Vulnerabilities and Exposures (CVE)
list hosted at http://cve.mitre.org.
Fortunately, other MTAs have emerged to take Sendmail’s place. The main problem
these MTAs face is the expectation by core applications that Sendmail will be present
on the Linux server. To get around this, MTAs such as Postfix and Exim must be
able to appear to applications as if they are Sendmail. We call these drop-in replace-
ments, and they can run in a Sendmail mode.
Postfix is our preferred replacement for Sendmail. Postfix is faster than Sendmail, has
a more secure, modular architecture, and offers many of the features required by a
high-volume mail provider. Postfix doesn’t provide deprecated protocols, but uses
the Internet-standard Simple Mail Transport Protocol (SMTP), and it has the lowest
number of items on the CVE list. For all of these reasons, we’ll use Postfix rather
than Sendmail as our MTA.
Securing email involves keeping unauthorized users off the server altogether (so they
can’t use it to send unsolicited bulk email), making sure that nobody can spoof legiti-
mate users, and protecting the content of each email from being snooped on or
changed in transit.
Since you already installed Postfix and Debian set it up as a service, you need to tell
Postfix what to do about secure authentication. Use the following commands:
# postconf -e 'smtpd_sasl_local_domain ='
# postconf -e 'smtpd_sasl_auth_enable = yes'
# postconf -e 'smtpd_sasl_security_options = noanonymous'
# postconf -e 'broken_sasl_auth_clients = yes'
# postconf -e 'smtpd_recipient_restrictions = \
permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination'
# postconf -e 'inet_interfaces = all'
These commands write text to the smtpd.conf file:
# echo 'pwcheck_method: saslauthd' >> /etc/postfix/sasl/smtpd.conf
# echo 'mech_list: plain login' >> /etc/postfix/sasl/smtpd.conf
Now create a directory for your SSL certificates and generate both the certificates and
the encryption keys:
# mkdir /etc/postfix/ssl
# cd /etc/postfix/ssl/
# openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024
293 semi-random bytes loaded
Generating RSA private key, 1024 bit long modulus
..........................................++++++
.......................................++++++
e is 65537 (0x10001)
Enter pass phrase for smtpd.key:
Verifying - Enter pass phrase for smtpd.key:
Then issue this command to change the permissions on the file containing the
OpenSSL RSA key:
# chmod 600 smtpd.key
Next, generate another key and a certificate and change the existing keys to the
newly generated ones:
# openssl req -new -key smtpd.key -out smtpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]: centralsoft.org
Organizational Unit Name (eg, section) []: web
Common Name (eg, YOUR name) []:
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []: cso
# openssl x509 -req -days 3650 -in smtpd.csr -signkey smtpd.key -out \
smtpd.crt
Signature ok
subject=/C=US/ST=Texas/L=Dallas/O=centralsoft.org/OU=web/CN=Tom_Adelstein/
emailAddress=tom.adelstein@centralsoft.org
Getting Private key
Enter pass phrase for smtpd.key:
# openssl rsa -in smtpd.key -out smtpd.key.unencrypted
Enter pass phrase for smtpd.key:
writing RSA key
# mv -f smtpd.key.unencrypted smtpd.key
# openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out \
cacert.pem -days 3650
Generating a 1024 bit RSA private key
.....................++++++
..........................++++++
writing new private key to 'cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:
Email Address []:
Now you need to tell Postfix about your keys and certificates, using the following
postconf commands:
#
#
#
#
#
#
#
#
#
#
#
postconf
postconf
postconf
postconf
postconf
postconf
postconf
postconf
postconf
postconf
postconf
-e
-e
-e
-e
-e
-e
-e
-e
-e
-e
-e
'smtpd_tls_auth_only = no'
'smtp_use_tls = yes'
'smtpd_use_tls = yes'
'smtp_tls_note_starttls_offer = yes'
'smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key'
'smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt'
'smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem'
'smtpd_tls_loglevel = 1'
'smtpd_tls_received_header = yes'
'smtpd_tls_session_cache_timeout = 3600s'
'tls_random_source = dev:/dev/urandom'
The /etc/postfix/main.cf file should now look like this:
# See /usr/share/postfix/main.cf.dist for a commented, more complete
# version
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no
# Appending .domain is the MUA's job
append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
myhostname = server1.example.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = server1.example.com, localhost.example.com, localhost
relayhost =
mynetworks = 127.0.0.0/8
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
smtpd_sasl_local_domain =
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions =
permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
smtpd_tls_auth_only = no
smtp_use_tls = yes
smtpd_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
If your file matches this one, you can use this command to implement the changes:
# /etc/init.d/postfix restart
Stopping mail transport agent: Postfix.
Starting mail transport agent: Postfix.
Authentication will be done by saslauthd, a SASL daemon, but you’ll have to change
a few things to make it work properly. Because Postfix runs chrooted in /var/spool/
postfix, enter the following commands:
# mkdir -p /var/spool/postfix/var/run/saslauthd
# rm -fr /var/run/saslauthd
Now you have to edit /etc/default/saslauthd in order to activate saslauthd. Remove
the # sign in front of START=yes and add the line PARAMS="-m /var/spool/postfix/var/
run/saslauthd", so that the file looks like this:
# This needs to be uncommented before saslauthd will be run automatically
START=yes
PARAMS="-m /var/spool/postfix/var/run/saslauthd"
# You must specify the authentication mechanisms you wish to use.
# This defaults to "pam" for PAM support, but may also include
# "shadow" or "sasldb", like this:
# MECHANISMS="pam shadow"
MECHANISMS="pam"
Finally, edit /etc/init.d/saslauthd. Change the line:
dir=`dpkg-statoverride --list $PWDIR`
to:
#dir=`dpkg-statoverride --list $PWDIR`
Then change the variables PWDIR and PIDFILE and add the variable dir near the begin-
ning of the file:
PWDIR="/var/spool/postfix/var/run/${NAME}"
PIDFILE="${PWDIR}/saslauthd.pid"
dir="root sasl 755 ${PWDIR}"
/etc/init.d/saslauthd should now look like this:
#!/bin/sh -e
NAME=saslauthd
DAEMON="/usr/sbin/${NAME}"
DESC="SASL Authentication Daemon"
DEFAULTS=/etc/default/saslauthd
PWDIR="/var/spool/postfix/var/run/${NAME}"
PIDFILE="${PWDIR}/saslauthd.pid"
dir="root sasl 755 ${PWDIR}"
createdir( ) {
# $1 = user
# $2 = group
# $3 = permissions (octal)
# $4 = path to directory
[ -d "$4" ] || mkdir -p "$4"
chown -c -h "$1:$2" "$4"
chmod -c "$3" "$4"
}
test -f "${DAEMON}" || exit 0
# Source defaults file; edit that file to configure this script.
if [ -e "${DEFAULTS}" ]; then
. "${DEFAULTS}"
fi
# If we're not to start the daemon, simply exit
if [ "${START}" != "yes" ]; then
exit 0
fi
# If we have no mechanisms defined
if [ "x${MECHANISMS}" = "x" ]; then
echo "You need to configure ${DEFAULTS} with mechanisms to be used"
exit 0
fi
# Add our mechanisms with the necessary flag
PARAMS="${PARAMS} -a ${MECHANISMS}"
START="--start --quiet --pidfile ${PIDFILE} --startas ${DAEMON} --name
${NAME} -- ${PARAMS}"
# Consider our options
case "${1}" in
start)
echo -n "Starting ${DESC}: "
#dir=`dpkg-statoverride --list $PWDIR`
test -z "$dir" || createdir $dir
if start-stop-daemon ${START} >/dev/null 2>&1 ; then
echo "${NAME}."
else
if start-stop-daemon --test ${START} >/dev/null 2>&1; then
echo "(failed)."
exit 1
else
echo "${DAEMON} already running."
exit 0
fi
fi
;;
stop)
echo -n "Stopping ${DESC}: "
if start-stop-daemon --stop --quiet --pidfile "${PIDFILE}" \
--startas ${DAEMON} --retry 10 --name ${NAME} \
>/dev/null 2>&1 ; then
echo "${NAME}."
else
if start-stop-daemon --test ${START} >/dev/null 2>&1; then
echo "(not running)."
exit 0
else
echo "(failed)."
exit 1
fi
fi
;;
restart|force-reload)
$0 stop
exec $0 start
;;
*)
echo "Usage: /etc/init.d/${NAME} {start|stop|restart|force-reload}" >&2
exit 1
;;
esac
exit 0
Now start saslauthd:
# /etc/init.d/saslauthd start
Starting SASL Authentication Daemon: changed ownership of
`/var/spool/postfix/var/run/saslauthd' to root:sasl
saslauthd.
To see whether SMTP-AUTH and TLS work properly, run the following command:
# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.localdomain.
Escape character is '^]'.
220 server1.centralsoft.org ESMTP Postfix (Debian/GNU)
This establishes a connection to Postfix. Now type:
# ehlo localhost
If you see the lines:
server1:/etc/postfix# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.localdomain.
Escape character is '^]'.
220 server1.centralsoft.org ESMTP Postfix (Debian/GNU)
ehlo localhost
250-server1.centralsoft.org
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250 8BITMIME
your configuration should work and you have completed this part of the mail setup.
You can type quit and move to the next section.
Weak email security makes it easy for imposters to spoof users. To promote authen-
tication, we will install Postfix with Transport Layer Security (TLS), a protocol bet-
ter known as the Secure Sockets Layer (SSL). This prevents the sending of clear-text
passwords from an email client to the server.
We also want users to authenticate or log into our mail server. To this end, we will
employ the Simple Authentication and Security Layer (SASL). This creates an exten-
sion (ESMTP) that allows an SMTP client to authenticate the server.
To install the packages needed by Postfix and the other mail components, enter:
# apt-get install postfix postfix-tls libsasl2 sasl2-bin \
libsasl2-modules ipopd-ssl uw-imapd-ssl
Comments
Post a Comment
https://gengwg.blogspot.com/