I recently fancied sending mails from my Linux box at home. I decided to use postfix, as I've had some dealings with sendmail at work and while it wasn't too bad, throughout my whole working life, everyone has always moaned about how hard it is to use.
I used someone else's tutorial, of course, it's here. I wonder who was the very first person to work all this stuff out?
So, first set up your postfix. Add the following lines to /etc/postfix/main.cf:
smtp_use_tls = yes
smtp_tls_CAfile = /etc/postfix/cacert.pem
smtp_tls_cert_file = /etc/postfix/FOO-cert.pem
smtp_tls_key_file = /etc/postfix/FOO-key.pem
smtp_tls_session_cache_database = btree:/var/run/smtp_tls_session_cache
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtpd_sasl_local_domain = $myhostname
smtp_sasl_security_options = noanonymous
Most of that stuff is to allow postfix to authenticate with Gmail using SSL, I think. It's all very well supplying your password, but Gmail's SMTP setup requires more than that to believe you are who you say you are, and not some evil spambot.
This means setting up SSL. Forgive me if it sounds like I don't know what I'm talking about here: I don't really - still a bit iffy on SSL. I've dealt with SSH for years, however, so I have a good grasp of what's going on with public-key encryption, I've just never had to deal with SSL before. What this does is to generate a public/private key pair. You encrypt stuff using your private key, and the receiver can use the public key to decrypt it, but it is nigh on impossible to reverse engineer a public key from scratch, so your data is theoretically very safe.
Here's how it's done, using a combination of other people's tutorials (this is a good one), and what I managed to pull out of my bash history.
This bit sets up the certificate:
# /etc/ssl/misc/CA.pl -newca
Making CA certificate ...
Generating a 1024 bit RSA private key
..........++++++
.........++++++
writing new private key to './demoCA/private/./cakey.pem'
Enter PEM pass phrase: <type a password here>
Verifying - Enter PEM pass phrase: <retype the password>
-----
You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]: <enter>
State or Province Name (full name) [Some-State]: <enter>
Locality Name (eg, city) []: <enter>
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <enter>
Organizational Unit Name (eg, section) []: <enter>
Common Name (eg, YOUR name) []: <your name>
Email Address []: <your email>
Please enter the following 'extra' attributes to be sent with your certificate request
A challenge password []: <enter>
An optional company name []: <enter>
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/./cakey.pem: <same password as before>
Check that the request matches the signature
Signature ok
This bit sets up the SSL key pair:
Fill in your own values for this bit, I don't think they're actually used for anything:
# openssl req -new -nodes -subj '/CN=<some value>/O=<org>/C=<country>/ST=<state>/L=<location>/emailAddress=<email address>' -keyout FOO-key.pem -out FOO-req.pem -days 3650
Then:
# openssl ca -out FOO-cert.pem -infiles FOO-req.pem
# cp demoCA/cacert.pem FOO-key.pem FOO-cert.pem /etc/postfix
# chmod 644 /etc/postfix/FOO-cert.pem /etc/postfix/cacert.pem
# chmod 400 /etc/postfix/FOO-key.pem
...and that's that. Now you have to tell postfix how to log in. This is done by pointing it to a password hash, which saves you having to put the actual password in the main postfix config file. This is the line in /etc/postfix/main.cf that does it:
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
So, populate this file as follows:
[smtp.gmail.com]:587 <email_address@gmail.com>:<password>
But this won't work until the password is hashed, as I found out the other day, and as is in fact specified by the "hash:" bit in the config. I loves me some hash. Corned beef hash, that is.
# postmap /etc/postfix/sasl_passwd
And that's it. Enjoy, hope this helps someone somewhere.
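A pre-flight check for the password map set up above, as an added example that is not part of the original post: it reads smtp_sasl_password_maps from main.cf, checks the entry format, and confirms that the .db file postmap writes exists, is current and, like the source file, is not accessible to group or other, since both files contain the password. The function names are made up for this example, and it assumes a single-line hash: map, one entry per line and a Linux stat.

```shell
#!/bin/sh
# Added example: audit the SASL password map that main.cf points at.
# Assumes a single-line "hash:" map and one entry per line in the source file.

# True only if group and other have no access (Linux stat assumed).
private_mode() {
    case "$(stat -c '%a' "$1")" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# Prints one line per finding; returns 1 if there was any.
audit_sasl_map() {
    main_cf=$1
    bad=0
    # Postfix uses the last definition when a parameter is repeated.
    map=$(sed -n 's/^smtp_sasl_password_maps[[:space:]]*=[[:space:]]*//p' "$main_cf" | tail -n 1)
    case "$map" in
        hash:/*) src=${map#hash:} ;;
        *) echo "no hash: map configured in $main_cf"; return 1 ;;
    esac
    [ -f "$src" ] || { echo "source file $src not found"; return 1; }
    # Each entry must be "<destination> <user>:<password>", whitespace separated.
    n=$(awk '!/^[ \t]*#/ && !/^[ \t]*$/ && (NF < 2 || $2 !~ /.:./) { c++ } END { print c + 0 }' "$src")
    [ "$n" -eq 0 ] || { echo "$n malformed entries in $src"; bad=1; }
    # Postfix reads the indexed .db file, so it must exist and be current.
    if [ ! -f "$src.db" ]; then
        echo "$src.db missing: run postmap $src"; bad=1
    elif [ "$src" -nt "$src.db" ]; then
        echo "$src.db is older than $src: rerun postmap"; bad=1
    fi
    # The source and the .db both hold the password in recoverable form.
    for f in "$src" "$src.db"; do
        [ -f "$f" ] || continue
        private_mode "$f" || { echo "$f is accessible to group or other"; bad=1; }
    done
    return "$bad"
}

# Run against a real config when a path is given on the command line.
if [ "$#" -gt 0 ]; then
    audit_sasl_map "$1"
fi
```

Run it as root with /etc/postfix/main.cf as the argument; no output and exit status 0 mean the map is in place.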