
Full Mail Server Solution w/ Virtual Domains & Users (Debian Etch, Postfix, Mysql, Dovecot, DSpam, ClamAV, Postgrey, RBL) Page 13

This guide describes how to set up a full email solution on Debian Linux (all code is from Debian Etch). I was asked to design a secure, scalable, portable solution for a small company. While the guide references many 'servers', the company only had 4 physical machines; Xen was used to virtualize the entire solution. That particular aspect of the system is not discussed in this guide, although I will try to get it into the next revision.

C. CA Signed client and server certificates

If you want to use CA-signed client certificates, you will
need to take further steps, both in Postfix and in Dovecot to make this
work. If you want the user names to be taken from the certificate
itself, you currently must set the common name to the user name, for
example user@example.com, which has been used in this document.

1. Telling Postfix about the Certificates

In Postfix, you can either use a directory of CA certificates, or a composite file with all the certificates concatenated together. We're going to use the concatenated form, since that is what Dovecot is expecting.

# postconf -e 'smtpd_tls_CAfile = /etc/ssl/example.com/ca/all.pem'

2. Telling Dovecot about the Certificates

In Dovecot, you must have the CRL together with the
certificate for the authentication to work. The directives themselves
are the following.

/etc/dovecot/dovecot.conf

[...]
ssl_ca_file = /etc/ssl/example.com/ca/all.pem
ssl_verify_client_cert = yes
ssl_require_client_cert = yes
ssl_username_from_cert = yes
[...]

NOTE: You will also need to change the password_query to the commented one in /etc/dovecot/dovecot-sql.conf

Warning:
If you are running Dovecot release candidate 28 or older, the server
will not send out the list of accepted CA names, which could make
clients with multiple client certificates unable to connect. Please
upgrade or install this patch.

3. Concatenating files

If you have several CAs and CRLs, it could be difficult to concatenate
them each time, so a small script was created which will do that for
you. Just stick it in your /etc/ssl/example.com/ca/
directory and run it. It will create an all.pem with all certificates
and all CRLs.

make.sh:

#!/bin/bash
# Rebuild all.pem from every CA certificate (*.pem) and CRL (*.crl) in this directory.
rm all.pem 2> /dev/null
cat *.pem *.crl > all.pem
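Since Dovecot refuses to authenticate if the CRL is missing from the bundle, it is worth checking the all.pem that make.sh produces before restarting the services. The following checker is an added example, not part of the original guide: it parses the concatenated PEM file, verifies that every block decodes to DER, and reports whether at least one CA certificate and at least one CRL are present. The sample bundle at the bottom is constructed (minimal DER SEQUENCE bodies) purely to exercise the parser.

```python
import base64
import binascii
import re
import sys

# One PEM block; the label (CERTIFICATE, X509 CRL, ...) is captured so it can be counted.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S
)


def parse_bundle(text):
    """Return a list of (label, der_bytes) for every PEM block in the bundle.

    Raises ValueError if a block is empty, not valid base64, or does not
    start with an ASN.1 SEQUENCE tag (0x30), which every X.509 cert and CRL does.
    """
    blocks = []
    for label, body in PEM_BLOCK.findall(text):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except binascii.Error as exc:
            raise ValueError(f"corrupt {label} block: {exc}") from exc
        if not der or der[0] != 0x30:
            raise ValueError(f"{label} block is not a DER SEQUENCE")
        blocks.append((label, der))
    return blocks


def check_bundle(text):
    """Summarise a bundle the way Dovecot's ssl_ca_file needs it: at least one
    CA certificate and at least one CRL must both be present."""
    blocks = parse_bundle(text)
    certs = sum(1 for label, _ in blocks if label == "CERTIFICATE")
    crls = sum(1 for label, _ in blocks if label == "X509 CRL")
    problems = []
    if certs == 0:
        problems.append("no CA certificate found")
    if crls == 0:
        problems.append("no CRL found (Dovecot needs the CRL with the CA certificate)")
    return {"certificates": certs, "crls": crls, "problems": problems}


# Constructed sample: "MAMCAQE=" is base64 of the 5-byte DER SEQUENCE { INTEGER 1 }.
SAMPLE_BUNDLE = (
    "-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n"
    "-----BEGIN X509 CRL-----\nMAMCAQE=\n-----END X509 CRL-----\n"
)

if __name__ == "__main__":
    # Usage: python check_bundle.py [/etc/ssl/example.com/ca/all.pem]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_BUNDLE
    print(check_bundle(text))
```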

4. Postfix TLS settings

Like I said before, there are some settings in Postfix that need to be changed as well, so let's modify main.cf:

# postconf -e 'smtpd_tls_ask_ccert = yes'
# postconf -e 'smtpd_tls_req_ccert = no'
# postconf -e 'smtpd_recipient_restrictions = permit_tls_all_clientcerts, reject'

Now you should have an enterprise-ready email server with client certificates.
