Kolab with authenticated relayhost and fingerprinted(trusted) tls

Michael Heide kolab983 at der-he.de
Fri Sep 23 16:39:21 CEST 2011 

Hello,

maybe there's some easier solution to get a working configuration for
authenticating at a relayhost via a trusted (fingerprinted tls)
connection and safe defaults, but I didn't find anything in the wiki nor
via google.

So here is my solution:

In /etc/kolab/templates/main.cf.template:
####
smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_tls_security_level = secure
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
smtp_tls_fingerprint_digest = md5
####

With "smtp_tls_security_level = secure" it's guaranteed nothing bad
happens if someone changes the smarthost in the kolab admin panel. And
we only want to use a smarthost so the most secure default is fine.

In /etc/postfix/sasl_passwd:
####
smarthostdomainname  username:password
####

In /etc/postfix/tls_policy:
####
[smarthostdomainlikeinwebinterface] fingerprint
   match=AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA
[127.0.0.1] none
[127.0.0.1]:10024 none
[localhost] none
####
(the brackets are necessary, the md5 must be replaced by the hash of
your cert, [127.0.0.1]:10024 is needed for amavis and the others are not
needed at the moment, AFAICS; maybe others (10025/10026) are also
necessary)

In the kolab admin panel add your SMTP-"Smarthost/Relayhost"
and at last run:
# postmap /etc/postfix/sasl_passwd
# postmap /etc/postfix/tls_policy
# kolabconf

Btw: I get my mails from the smarthost via fetchmail and the following
configuration:
####
defaults
no dns
envelope X-Original-To
set postmaster "postmaster at local.domain"
poll smart.host.domain
localdomains local.domain
proto pop3
user "webuser"
pass "webpassword"
to *
#fetchall
#keep # For testing, comment out and use fetchall for live
ssl
sslfingerprint 'AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA'
smtphost mykolabhost.local.domain
dropdelivered
####

I got my fingerprints with:
#openssl s_client -connect smart.host.domain:995 -showcerts | openssl
x509 -fingerprint -noout -md5

#openssl s_client -starttls smtp -crlf -connect smart.host.domain:25
-showcerts | openssl x509 -fingerprint -noout -md5

This is not the securest way, but here it is a one-time-insecurity
to trust those hashes and for me there's no other way to get those
fingerprints.

Did I forgot something!? For me it works. :-)

Regards
Michael


PS: Debian 6.0 with included Kolab 2.2.4 and Postfix 2.7.1; no openpkg

-- 
* ...steckt mehr drin, als man denkt : http://der-he.de/ *

More information about the users mailing list