Sat 01 October 2011

Filed under Email

Tags Cool Geek Security

Relaying with Postfix, SASL, Authentication and TLS

Create All The Files!

/etc/postfix/sasl/saslpass

mail.myserver.com relayuser:my password with spaces


/etc/postfix/tls_policy

[mail.myserver.com]:587 encrypt protocols=TLSv1 ciphers=high
[mail.myserver.com]:msa encrypt protocols=TLSv1 ciphers=high
[mail.myserver.com]:submission encrypt protocols=TLSv1 ciphers=high

Set File Permissions on SASL password file

chown root:root /etc/postfix/sasl/saslpass
chmod 600 /etc/postfix/sasl/saslpass

Hash All The Files!

postmap /etc/postfix/sasl/saslpass
postmap /etc/postfix/tls_policy

Configure All The Postfix!

## Since I am using TLS, I will allow plain text and LOGIN (which are disabled by default).
## Note: an empty value also clears the default noanonymous option.
postconf -e "smtp_sasl_security_options = "

## Enable SASL for outgoing SMTP traffic.
postconf -e "smtp_sasl_auth_enable = yes"

### Add the SASL password map
postconf -e "smtp_sasl_password_maps = hash:/etc/postfix/sasl/saslpass"

### Set the TLS Policy map so that my mail server uses TLS w/ the appropriate policies.
postconf -e "smtp_tls_policy_maps = hash:/etc/postfix/tls_policy"

### Add the relayhost as my upstream mail server, note the format, it's important.
postconf -e "relayhost = [mail.myserver.com]:587"
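
The relayhost format matters because Postfix looks up smtp_tls_policy_maps by the verbatim next-hop string, square brackets and port suffix included, so [mail.myserver.com]:587 and [mail.myserver.com]:submission are different keys. The check below is an added example, not part of the original recipe: its function names and sample files are constructed for illustration, and it reports whether the relayhost in a main.cf-style file has an exact-match tls_policy entry that makes TLS mandatory.

```shell
#!/bin/sh
# Added example: the sample files written by demo() are constructed.

# Print the effective relayhost from a main.cf-style file (last setting wins).
relayhost_of() {
    sed -n -e 's/[[:space:]]*$//' \
           -e 's/^relayhost[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1
}

# Print the security level of the tls_policy entry whose key equals $2 exactly.
policy_level() {
    awk -v key="$2" '$1 == key { print $2; exit }' "$1"
}

# Return 0 only when the relayhost has a policy entry that makes TLS mandatory.
check_relay() {
    hop=$(relayhost_of "$1")
    [ -n "$hop" ] || { echo "FAIL: no relayhost set"; return 1; }
    level=$(policy_level "$2" "$hop")
    case "$level" in
        encrypt|dane-only|fingerprint|verify|secure)
            echo "OK: $hop -> $level"; return 0 ;;
        "") echo "FAIL: no tls_policy entry for $hop"; return 1 ;;
        *)  echo "FAIL: $hop -> $level does not force TLS"; return 1 ;;
    esac
}

# Demo on constructed input: the policy file is keyed on :587 only, so a
# relayhost written with the service name falls through to the default policy.
demo() {
    dir=$(mktemp -d)
    printf '%s\n' '[mail.myserver.com]:587 encrypt protocols=TLSv1 ciphers=high' \
        > "$dir/tls_policy"
    printf '%s\n' 'relayhost = [mail.myserver.com]:587' > "$dir/good.cf"
    printf '%s\n' 'relayhost = [mail.myserver.com]:submission' > "$dir/bad.cf"
    check_relay "$dir/good.cf" "$dir/tls_policy" || true
    check_relay "$dir/bad.cf" "$dir/tls_policy" || true
    rm -rf "$dir"
}
demo
```

Against a live system, pass /etc/postfix/main.cf and /etc/postfix/tls_policy as the two arguments to check_relay.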

Brief Explanation

I needed to relay from my in-house Linux box, which runs Postfix (on Ubuntu, incidentally), through my colo-hosted mail server. This recipe will work for Comcast, Verizon, Frontier, and Gmail. Those are the only places I have tested it. All of those mail servers have a Submission port (587) which accepts TLS.

This should work for just about any setup.

Props

There are tons of howtos. I owe much to Bens Bits, Patrick Koetter, Postfix Documentation, and of course, Google.

Thu 19 May 2011

Filed under Sec.

Tags IPsec Lamer Moments Security

Practical Troubleshooting

I love pfSense. So far it's superior to every Linux-based routing appliance. No product is perfect, but the 2.0 release is very promising. I have been troubleshooting tunnels which inexplicably do not work. I have been receiving the following error during phase1 connection:

racoon: ERROR: couldn ...

Read More

Tue 21 September 2010

Filed under Howto

Tags Cool Security

Extreme Networks

We set up a small SAN, using 1Gb networking. We have deployed a NetApp, Extreme Summit x450a and VMware 4.[01] ESXi. Along the way we had some problems, specifically w/ Jumbo Frames.

Our requirements were fairly specific:

  • VMware and Netapp compatible Port Groups (LACP, Trunking, Etherchannel, etc) must ...
Read More

Fri 11 December 2009

Filed under Email

Tags Geek Security

A New Client

A client turned up our first full-time Mail.app Mac user with Snow Leopard today. I was called in because of attachment sending problems. It seems that files around 7MB would attach and send, but anything larger was failing. The entrenched support reported watching logs, etc. IIS ...

Read More

Fri 04 January 2008

Filed under Sec.

Tags Cool Security

If you have to work in networks with any Windows products, coupled with MSDE or SQL Express you will eventually run into memory consumption problems. Apparently no GUI interface deals with it. I have seen numerous complaints on the Internet for sqlservr.exe consuming loads of memory. Some psychos recommend ...

Read More

Tue 30 October 2007

Filed under Politics

Tags Lamer Moments Retarded Secret Messages Security

Listening is a diminishing skill in today's world. People are bombarded by ads and messages with such intensity that we develop our own ability to not hear. Dr. Strangelove's 'CRM-114' discriminator is a picture of people in the modern world. The nasty side effects come mostly in interpersonal ways. We ...

Read More

Tue 28 November 2006

Filed under Howto

Tags Cool PostgreSQL Python Security

I hate Apache. I really do. I refuse to vindicate that hatred. There are great aspects about it, but the things I want to do are hampered by things like the sewer-refuse-styled configuration syntax.

I like Nginx. It is fast, simple, and is amazing. It does proxy, reverse proxy, rewrite ...

Read More

Tue 21 November 2006

Filed under Howto

Tags Cool Security

One problem that I have frequently is remembering how to list NFS exports on a remote server. It's really simple:

showmount

osXlt:~ joshua$ showmount -a gambit
All mount points on gambit:
osXlt:~ joshua$ showmount -a forge
All mount points on forge:
*:/data
*,bubbles.mynetwork.com:/data
*,bubbles.mynetwork ...

Read More

Tue 14 November 2006

Filed under Email

Tags Lamer Moments Retarded Security

Task: Upgrade Symantec Antivirus for Microsoft Exchange.
Difficulty: Symantec Continues to Suck.

Despite a clear desire to escape from these things it can be difficult. Today's installment brought a new error: "Please Insert Disk 1". Despite all my best attempts, I could not divine what disk '1' was/is.

After ...

Read More

Fri 01 September 2006

Filed under Email

Tags Cool Security

This is a simple, but cool, recipe for querying Exchange from Postfix. This is used with a Windows 2003 Small Business Server, running (s)Exchange 2003.

We don't often use this, because of the obvious problem of being unable to receive mail when Exchange crashes or must be rebooted ...

Read More

Wed 23 August 2006

Filed under Email

Tags Geek Security

Everyone wants to know what to do with Postfix. I have tried to find a way to publish something. Everyone who does seems to always be out of date.

Not so for this guy or that guy.

Read More

Wed 26 July 2006

Filed under Sec.

Tags Lamer Moments Security

My own private war is with my habits. So often when testing web services, I will set up a name in /etc/hosts allowing a quick and dirty approach to debugging, test, or whatever.

I use Kerberos and this is a problem, considering that I added this:

198.145.247.218 ...

Read More

Tue 25 July 2006

Filed under Email

Tags Cool Security

A growing number of small businesses are using Blackberry handhelds. Microsoft's services haven't taken off as strong, but in a year or two I suspect Microsoft's products will be kings of the market.

For now, we have a wide range of Blackberry services. Most of my clients use the ...

Read More

Thu 22 June 2006

Filed under Sec.

Tags IPsec Security

Cisco VPN concentrators are a regular occurrence in the field. They can be the bane of your life. However, there is one simple change to enable these to consistently work with multiple policy routed subnets.

In your /etc/ipsec.conf set the policy level to 'unique' instead of 'require ...

Read More

Tue 28 March 2006

Filed under Email

Tags Cool Security

My esteemed colleague Pacopablo has created a Howto on using Postfix with SMTPAUTH. Now, he can relay via his ISP, bypassing certain mail server restrictions due to having a dynamic IP address.

Read More

Wed 15 March 2006

Filed under Howto

Tags Cool Security

My old laptop is broken. It took many abuses. The flickering backlight on the screen. The little black plastic chunks that fell out now and again. The way the hard drive wouldn't stay powered on the battery. *sigh* Those really were the good old days. The 'good old days' ended ...

Read More

Thu 02 February 2006

Filed under Sec.

Tags Cool Security

Shorewall is a firewall administration package for Linux. I use it heavily. It isn't the easiest, nor does it have a GUI front end. However, it is fairly easy to set up complex firewalling with not a lot of work. It is also easy to set up for simple configurations.


  • One-interface ...
Read More

Up To Something © Joshua M Schmidlkofer