Setup SMTP Authentication with TLS/SSL on Postfix
**Install Postfix and Cyrus-SASL Packages:**
```language-bash
yum remove sendmail -y
yum install postfix cyrus-sasl cyrus-sasl-devel cyrus-sasl-gssapi cyrus-sasl-md5 cyrus-sasl-plain -y
```
**Configure SASL in Postfix main.cf:**
```language-bash
postconf -e "smtpd_sasl_local_domain ="
postconf -e "smtpd_sasl_auth_enable = yes"
postconf -e "smtpd_sasl_type = cyrus"
postconf -e "smtpd_sasl_security_options = noanonymous"
postconf -e "broken_sasl_auth_clients = yes"
postconf -e "smtpd_sasl_authenticated_header = yes"
postconf -e "smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination"
```
**Configure SASL in Postfix master.cf:**
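```language-bash
# Assumption: the overrides attach to the standard "submission" service (port 587);
# change the first field if you use a different service entry.
# Each override needs "-o" and leading whitespace so master.cf treats it as a continuation line.
echo "
submission inet n - n - - smtpd
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_reject_unlisted_sender=yes
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
  -o broken_sasl_auth_clients=yes" >> /etc/postfix/master.cf
```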
**Ensure `/etc/sasl2/smtpd.conf` has the following:**
```
pwcheck_method: saslauthd
mech_list: plain login
```
**Generate Certificates:**
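```language-bash
mkdir -p /etc/postfix/ssl
cd /etc/postfix/ssl/
# Generate a passphrase-protected RSA key, then a CSR and a self-signed certificate
openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 2048
chmod 600 smtpd.key
openssl req -new -key smtpd.key -out smtpd.csr
openssl x509 -req -days 3650 -in smtpd.csr -signkey smtpd.key -out smtpd.crt
# Strip the passphrase so Postfix can load the key unattended
openssl rsa -in smtpd.key -out smtpd.key.unencrypted
mv -f smtpd.key.unencrypted smtpd.key
# Re-apply the mode: the unencrypted copy does not inherit the earlier chmod
chmod 600 smtpd.key
# CA certificate referenced by smtpd_tls_CAfile below
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem
```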
**Configure TLS in Postfix:**
```language-bash
$ postconf -e "smtpd_tls_auth_only = no"
$ postconf -e "smtp_use_tls = yes"
$ postconf -e "smtpd_use_tls = yes"
$ postconf -e "smtp_tls_note_starttls_offer = yes"
$ postconf -e "smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key"
$ postconf -e "smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt"
$ postconf -e "smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem"
$ postconf -e "smtpd_tls_loglevel = 1"
$ postconf -e "smtpd_tls_received_header = yes"
$ postconf -e "smtpd_tls_session_cache_timeout = 3600s"
$ postconf -e "tls_random_source = dev:/dev/urandom"
```
**Enable and Start Postfix and SASLAuthd:**
```language-bash
$ chkconfig saslauthd on
$ chkconfig postfix on
$ /etc/init.d/saslauthd restart
$ /etc/init.d/postfix restart
```
**Test Authentication:**
Create a user account:
```language-bash
# create user account
useradd ruan
echo password | passwd --stdin ruan
```
Encode Plain Text to Base64:
```language-bash
# base64 encoding
$ perl -MMIME::Base64 -e 'print encode_base64("ruan");'
cnVhbg==
$ perl -MMIME::Base64 -e 'print encode_base64("password");'
cGFzc3dvcmQ=
```
Verify if authentication is working:
```language-bash
$ telnet localhost 25
EHLO sysadmins.co.za
250-relay.smtp-out.sysadmins.co.za
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
AUTH LOGIN
334 VXNlcm5hbWU6
cnVhbg==
334 UGFzc3dvcmQ6
cGFzc3dvcmQ=
235 2.7.0 Authentication successful
```
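With `smtpd_tls_auth_only = no`, as configured above, the server advertises `AUTH PLAIN LOGIN` before STARTTLS, and the `AUTH LOGIN` tokens in the telnet session are only base64-encoded. The following check is an added example, not part of the original post: `classify_ehlo` and `decode_token` are hypothetical helper names, and the EHLO samples are constructed from the session shown above.

```bash
# Added example (not from the original post). Sample input is constructed
# from the EHLO reply and AUTH LOGIN exchange in the telnet session above.

# Classify an EHLO reply read from stdin. Assumption: the reply was captured
# on a session that has NOT negotiated TLS (e.g. plain telnet to port 25).
#   exposed:<mechs>  PLAIN/LOGIN advertised without TLS
#   tls-only         STARTTLS offered and no AUTH advertised in cleartext
#   no-auth          neither of the above
classify_ehlo() {
  awk '
    { sub(/\r$/, "") }                      # tolerate CRLF from real captures
    /^250[- ]STARTTLS$/ { starttls = 1 }
    /^250[- ]AUTH[ =]/ {                    # both "AUTH x" and legacy "AUTH=x"
      line = $0; sub(/^250[- ]AUTH[ =]/, "", line)
      n = split(line, m, " ")
      for (i = 1; i <= n; i++)
        if ((m[i] == "PLAIN" || m[i] == "LOGIN") && !seen[m[i]]++)
          mechs = mechs (mechs ? "," : "") m[i]
    }
    END {
      if (mechs)         print "exposed:" mechs
      else if (starttls) print "tls-only"
      else               print "no-auth"
    }'
}

# Decode one base64 token from an AUTH LOGIN exchange (prompt or reply).
decode_token() { printf '%s' "$1" | base64 -d; }

# Constructed samples.
EHLO_PLAINTEXT='250-relay.smtp-out.sysadmins.co.za
250-PIPELINING
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250 DSN'
EHLO_TLS_ONLY='250-relay.smtp-out.sysadmins.co.za
250-PIPELINING
250-STARTTLS
250 DSN'

printf '%s\n' "$EHLO_PLAINTEXT" | classify_ehlo
printf '%s\n' "$EHLO_TLS_ONLY"  | classify_ehlo
decode_token 'VXNlcm5hbWU6'; echo   # server prompt from the session
decode_token 'cGFzc3dvcmQ='; echo   # client reply from the session
```

Setting `smtpd_tls_auth_only = yes` makes Postfix withhold AUTH until STARTTLS has completed, which moves the first sample's result from `exposed:PLAIN,LOGIN` to `tls-only`.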
Done