Nasser Heidari

2008-08-11

Building certificate authority

Filed under: Linux — Nasser Heidari @ 22:34
mkdir /etc/ssl
cd /etc/ssl/
mkdir CA
cd CA
mkdir certs crl newcerts private
echo "01" > serial
cp /dev/null index.txt
cp /usr/local/openssl/openssl.cnf.sample openssl.cnf

openssl req -new -x509 -keyout private/cakey.pem -out \
cacert.pem -days 365 -config openssl.cnf

To make a new certificate:

openssl req -nodes -new -x509 -keyout newreq.pem \
-out newreq.pem -days 365 -config openssl.cnf

(certificate and private key in file newreq.pem)

To sign new certificate with certificate authority:

openssl x509 -x509toreq -in newreq.pem -signkey newreq.pem \
-out tmp.pem

openssl ca -config openssl.cnf -policy policy_anything \
-out newcert.pem -infiles tmp.pem

rm -f tmp.pem

(newcert.pem contains signed certificate, newreq.pem still contains
unsigned certificate and private key)
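
Once the CA above has signed a few certificates, openssl ca keeps its record of them in the index.txt created at the start. The following is an added example, not code from the original post: a small Python auditor that reads that database and reports, for a chosen date, which serials are still valid, which are revoked (with the recorded reason) and which have expired even though openssl ca has not yet rewritten their status. The three index lines and the subjects in them are constructed sample data.

```python
# Added example (not from the original post): audit the CA's index.txt database
# that `openssl ca` maintains in the directory set up above. The three index
# lines below are constructed sample data with made-up subjects and serials.
from datetime import datetime, timezone

# Tab-separated columns written by `openssl ca`:
# status (V valid, R revoked, E expired), expiry, revocation date[,reason],
# serial (hex), certificate filename ("unknown" unless configured), subject DN
SAMPLE_INDEX = (
    "V\t090811193400Z\t\t01\tunknown\t/C=IR/O=Example CA/CN=mail.example.test\n"
    "R\t090901120000Z\t080701120000Z,keyCompromise\t02\tunknown\t/C=IR/O=Example CA/CN=old.example.test\n"
    "V\t080601000000Z\t\t03\tunknown\t/C=IR/O=Example CA/CN=expired.example.test\n"
)

# Constructed reference date for the audit (the post's own date)
AS_OF = datetime(2008, 8, 11, tzinfo=timezone.utc)


def parse_time(stamp):
    """Parse the timestamps openssl writes: UTCTime (YYMMDDHHMMSSZ) or
    GeneralizedTime (YYYYMMDDHHMMSSZ) for dates beyond 2049."""
    fmt = "%y%m%d%H%M%SZ" if len(stamp) == 13 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(stamp, fmt).replace(tzinfo=timezone.utc)


def parse_index(text):
    """Return one dict per certificate recorded in index.txt."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 6:
            raise ValueError(f"index.txt line {lineno}: expected 6 tab-separated fields")
        status, expiry, revocation, serial, filename, subject = fields
        revoked_at, reason = None, None
        if revocation:
            when, _, reason = revocation.partition(",")
            revoked_at = parse_time(when)
            reason = reason or None
        entries.append({
            "status": status,
            "expiry": parse_time(expiry),
            "revoked_at": revoked_at,
            "reason": reason,
            "serial": serial,
            "filename": filename,
            "subject": subject,
        })
    return entries


def effective_status(entry, now):
    """Status as a verifier would see it at `now`. `openssl ca` only rewrites
    V to E when `openssl ca -updatedb` is run, so expiry is checked here too."""
    if entry["status"] == "R":
        return "revoked"
    if entry["status"] == "E" or now >= entry["expiry"]:
        return "expired"
    return "valid"


def audit(text, now):
    """Map each serial in the database to its effective status at `now`."""
    return {e["serial"]: effective_status(e, now) for e in parse_index(text)}


if __name__ == "__main__":
    for entry in parse_index(SAMPLE_INDEX):
        print(entry["serial"], effective_status(entry, AS_OF),
              entry["subject"], entry["reason"] or "")
```

Run against a real CA, read /etc/ssl/CA/index.txt into `text` and pass the current time as `now`; the serial column is the same hex value that appears in the `serial` file and in each certificate's filename under newcerts.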

For more info, please refer here

2008-08-07

Postfix – Debian

Filed under: Linux — Nasser Heidari @ 05:39

apt-get install postfix-tls sasl2-bin libsasl2 libsasl2-modules << stuff required for postfix

apt-get install popa3d << this is the pop daemon for downloading mail from server

edit /etc/default/saslauthd and make sure these lines say:
START=yes
MECHANISMS="pam"

edit /etc/postfix/sasl/smtpd.conf (if this file doesn't exist, create it!)
pwcheck_method: saslauthd

edit /etc/postfix/main.cf (remove old config, copy and paste everything here but change ******)

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no
append_dot_mydomain = no
# Postfix only treats '#' as a comment at the start of a line, so the notes
# below sit on their own lines rather than after the value.
# make sure this is resolvable (ie use yourmail.net)
myhostname = ******
# make sure this is resolvable, I got mine working using same as above.
mydomain = ******
myorigin = $mydomain
inet_interfaces = all
mydestination = $mydomain, localhost.$mydomain, localhost
# change this to local address + subnet so emails can be relayed out your box
mynetworks = 127.0.0.0/8, *.*.*.*/*

smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
# I used same as 'mydomain' above
smtpd_sasl_local_domain = ******
broken_sasl_auth_clients = yes
smtpd_sender_restrictions = reject_unknown_sender_domain, reject_unverified_sender
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
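
The main.cf above is easy to get subtly wrong: a '#' placed after a value is not a comment (Postfix makes it part of the value), a mynetworks that is too wide combined with permit_mynetworks relays for anyone, and leaving reject_unauth_destination out of smtpd_recipient_restrictions does the same. The following is an added example, not the post's or Postfix's own code: a Python checker that parses a main.cf and flags those problems. The weak and fixed configurations it ships with are constructed samples (the 192.0.2.0/24 network is a documentation range, not a real one), and the smtpd_relay_restrictions handling covers newer Postfix releases than the one the post describes.

```python
# Added example (not from the original post): sanity-check a Postfix main.cf
# before deploying it. The two configs below are constructed samples, not the
# post's exact file; the weak one repeats the mistakes the checker looks for.
import re

WEAK_MAIN_CF = """\
myhostname = mail.example.test
mydomain = example.test # make sure this is resolvable
myorigin = $mydomain
mynetworks = 127.0.0.0/8, 0.0.0.0/0
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options =
smtpd_recipient_restrictions = permit_sasl_authenticated,
    permit_mynetworks
"""

FIXED_MAIN_CF = """\
# comments only work at the start of a line in main.cf
myhostname = mail.example.test
mydomain = example.test
myorigin = $mydomain
mynetworks = 127.0.0.0/8, 192.0.2.0/24
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_recipient_restrictions = permit_sasl_authenticated,
    permit_mynetworks,
    reject_unauth_destination
"""


def parse_main_cf(text):
    """Minimal main.cf reader: `name = value`, continuation lines start with
    whitespace, and only a '#' in column 1 starts a comment."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        if raw[0] in " \t":
            if current is None:
                raise ValueError("continuation line before any parameter")
            params[current] += " " + raw.strip()
            continue
        name, sep, value = raw.partition("=")
        if not sep:
            raise ValueError(f"not a 'name = value' line: {raw!r}")
        current = name.strip()
        params[current] = value.strip()
    return params


def split_list(value):
    """Postfix list values may be separated by commas and/or whitespace."""
    return [item for item in re.split(r"[,\s]+", value) if item]


def check_main_cf(text):
    """Return a list of findings; an empty list means nothing was spotted."""
    params = parse_main_cf(text)
    findings = []
    for name, value in params.items():
        if "#" in value:
            findings.append(f"{name}: '#' mid-line is not a comment, "
                            f"the text after it becomes part of the value")
    if any(net.endswith("/0") for net in split_list(params.get("mynetworks", ""))):
        findings.append("mynetworks: a /0 entry trusts every client, so "
                        "permit_mynetworks turns the server into an open relay")
    # Postfix 2.10 and later also enforce relay policy in smtpd_relay_restrictions
    relay_controls = split_list(params.get("smtpd_recipient_restrictions", "")) + \
        split_list(params.get("smtpd_relay_restrictions", ""))
    if not {"reject_unauth_destination", "defer_unauth_destination"} & set(relay_controls):
        findings.append("smtpd_recipient_restrictions: no reject_unauth_destination, "
                        "unauthenticated clients can relay to any destination")
    if params.get("smtpd_sasl_auth_enable") == "yes" and \
            "noanonymous" not in split_list(params.get("smtpd_sasl_security_options", "")):
        findings.append("smtpd_sasl_security_options: ANONYMOUS mechanism not disabled")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_MAIN_CF), ("fixed", FIXED_MAIN_CF)):
        print(label, check_main_cf(cfg) or ["ok"])
```

To check a live system, read /etc/postfix/main.cf into `text` and call `check_main_cf(text)`; the parser deliberately ignores anything it does not understand beyond the `name = value` shape, so it complements rather than replaces `postconf -n`.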

postfix runs chrooted, so it can't reach the saslauthd socket. Here's how to get round it:
rm -r /var/run/saslauthd/
mkdir -p /var/spool/postfix/var/run/saslauthd
ln -s /var/spool/postfix/var/run/saslauthd /var/run
chgrp sasl /var/spool/postfix/var/run/saslauthd
adduser postfix sasl

add a test user (remember to remove it afterwards)
useradd test
passwd test << enter testpass when prompted

edit /etc/passwd (so test cannot log in via ssh)
test:x:1001:1001::/home/test:/bin/false << change the shell at the end of the line to /bin/false

start postfix + saslauthd services
/etc/init.d/postfix reload
/etc/init.d/saslauthd start

TEST POSTFIX CONNECTION WITH TELNET ON REMOTE MACHINE

We need perl to generate the base64 string for SASL PLAIN authentication over telnet. The three fields (authorization id, username, password) are separated by NUL bytes, written as \0 in the perl string:

perl -MMIME::Base64 -e 'print encode_base64("test\0test\0testpass");' << change test / testpass accordingly
dGVzdAB0ZXN0AHRlc3RwYXNz << this will be used for authentication on telnet

telnet postfixmachineip 25

type 'ehlo localhost'
you should see something like this:

250-randallbum.net
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH LOGIN PLAIN DIGEST-MD5 NTLM CRAM-MD5
250-AUTH=LOGIN PLAIN DIGEST-MD5 NTLM CRAM-MD5
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

now enter these commands and see if you get same response:

AUTH PLAIN dGVzdAB0ZXN0AHRlc3RwYXNz
235 2.0.0 Authentication successful

MAIL FROM:<anyreal@mailaddress>
250 2.1.0 Ok

RCPT TO:<test@yourmail.net>
250 2.1.5 Ok

DATA
354 End data with <CR><LF>.<CR><LF>
This is a test email message, this better f****** work!
. << end message with '.'
250 2.0.0 Ok: queued as F11F234271

QUIT
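
The telnet session above depends on two things worth being able to reproduce and check without a mail client: the exact layout of the AUTH PLAIN token (two NUL separators, base64-encoded) and what the EHLO reply advertises. The following is an added example, not code from the original post: a Python script that builds and decodes the token, parses an EHLO reply into its capabilities, and, from a defender's point of view, reports when PLAIN or LOGIN is offered on a session where no STARTTLS was advertised, because base64 is an encoding and the password crosses the network readable. SAMPLE_EHLO is a constructed reply with a made-up hostname that mirrors the one shown above.

```python
# Added example (not from the original post): build and decode the SASL PLAIN
# token used on the AUTH line, and review an EHLO reply for cleartext auth.
# SAMPLE_EHLO is a constructed reply of the kind shown above.
import base64


def auth_plain_token(authcid, password, authzid=""):
    """RFC 4616 PLAIN: [authzid] NUL authcid NUL password, base64-encoded for
    the SMTP AUTH command. The NUL separators are the bytes the perl one-liner
    has to write as NUL escapes; without them the server rejects the token."""
    for field in (authzid, authcid, password):
        if "\0" in field:
            raise ValueError("NUL cannot appear inside a SASL PLAIN field")
    raw = "\0".join((authzid, authcid, password)).encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def decode_auth_plain(token):
    """Split an AUTH PLAIN token back into its three fields."""
    parts = base64.b64decode(token, validate=True).decode("utf-8").split("\0")
    if len(parts) != 3:
        raise ValueError("PLAIN token must contain exactly two NUL separators")
    return {"authzid": parts[0], "authcid": parts[1], "password": parts[2]}


SAMPLE_EHLO = """250-mail.example.test
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH LOGIN PLAIN DIGEST-MD5 NTLM CRAM-MD5
250-AUTH=LOGIN PLAIN DIGEST-MD5 NTLM CRAM-MD5
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN"""


def parse_ehlo(response):
    """Map each advertised EHLO keyword to its parameters (RFC 5321 4.1.1.1).
    The first 250 line carries the server's hostname, not a keyword."""
    caps = {}
    lines = [line for line in response.splitlines() if line.startswith("250")]
    for line in lines[1:]:
        body = line[4:].strip()          # drop "250-" or "250 "
        if body:
            keyword, _, args = body.partition(" ")
            caps[keyword.upper()] = args.split()
    return caps


def review_auth_exposure(response):
    """Defender's check on an EHLO reply: PLAIN or LOGIN offered on a session
    that never advertised STARTTLS means the password is sent readable."""
    caps = parse_ehlo(response)
    findings = []
    cleartext = {"PLAIN", "LOGIN"} & set(caps.get("AUTH", []))
    if cleartext and "STARTTLS" not in caps:
        findings.append("AUTH " + "/".join(sorted(cleartext)) +
                        " offered without STARTTLS: credentials travel in cleartext")
    return findings


if __name__ == "__main__":
    token = auth_plain_token("test", "testpass", authzid="test")
    print("AUTH PLAIN", token, decode_auth_plain(token))
    print(review_auth_exposure(SAMPLE_EHLO) or ["no cleartext auth finding"])
```

The token the post uses has the username in the authorization-id field as well, which is why `authzid="test"` reproduces it exactly; clients that leave that field empty produce a different but equally valid token. The EHLO review is the check to run against your own server after the setup: if it reports a finding, the AUTH line you typed over telnet carried the password readable to anyone on the path.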

POPA3D opens POP port 110 on the Postfix server and authenticates against the system users the same way Postfix has been set up to do. You could test this by sending a test email to the test user using the above method, then set up a client like 'Evolution' to receive POP mail by putting in these details under 'Receiving Mail':

Server: postfixmachineip

Username: test

Now when you check for new mail it will ask for a password, so use 'testpass' if you followed the method described here.

And if all went well, you should have received the test email.

Now you can do the same and put in the SMTP details under 'Sending Email'.

Don't forget to remove user 'test', put in some real users with strong passwords, and disable ssh access if need be.