smtp relay auth with rimap, postfix on centos 7

0
1914

Halo sobat sekolahlinux šŸ˜€ berjumpa lagi dengan saya, kali ini saya akan menjelaskan bagaimana cara membuat smtp relay dengan authentikasi via rimap pada centos 7, oke ini dia hasil riset saya mencari-cari selama 1 minggu lebih :p ini.

detail server smtp relay:

smtpĀ relay =Ā relay.sekolahlinux.com

ip publicĀ =Ā 232.111.111.11 <<== SAMPLE/CONTOH

saya beranggapan kalau kalian sudah install centos 7 dan install postfix, dan sekarang kita akan create sertifikat ssl untuk keperluan authentikasi smtp relay yang akan kita buat. dalam generet file key dan crt ssl nya kita bisa lakukan sendiri ataupun kita bisa ke website cacert.org šŸ˜€ , Ā untuk pembuatan ssl certifiednya ada 2 cara jadi kalian bisa mencoba salah satu cara dibawah ini

  1. http://sekolahlinux.com/create-self-signed-ssl-certificate-membuat-sendiri-sertifikat-ssl-dengan-openssl/
  2. http://sekolahlinux.com/generate-ssl-certificate-via-cacert-org/

jika sudah nantinya file akan di letaknya di script /etc/postfix/main.cfĀ seperti dibawah, jangan lupa copykan file certificate sll *.CRT dan *.KEY yang sudah di generate ke folder /etc/postfix/sslbaru , jika belum ada foldernya dibuat dulu ya

smtpd_tls_cert_file = /etc/postfix/sslbaru/sekolahlinux.com.crt
smtpd_tls_key_file = /etc/postfix/sslbaru/sekolahlinux.com.key

jika sudah saatnya kita config postfixnya dan saslauthd, buat yang belum install postfix dan cyrus sasl

yum install cyrus-sasl cyrus-sasl-devel cyrus-sasl-gssapi cyrus-sasl-md5 cyrus-sasl-plain

jika sudah edit file /etc/postfix/main.cfĀ seperti dibawah

queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
mail_owner = postfix
myhostname = relay.sekolahlinux.com
mydomain = sekolahlinux.com
inet_interfaces = all
inet_protocols = all
unknown_local_recipient_reject_code = 550
mynetworks_style = host
mynetworks =
	127.0.0.1
	#202.148.1.50
	#hash:/etc/postfix/mynetworks

#alias_maps = hash:/etc/aliases
#alias_database = hash:/etc/aliases
debug_peer_level = 2
smtpd_banner = $myhostname ESMTP

debugger_command =
	 PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
	 ddd $daemon_directory/$process_name $process_id & sleep 5

relay_domains =
        $mydestination
#	hash:/usr/local/etc/postfix/relay_domains

sendmail_path = /usr/sbin/sendmail.postfix
newaliases_path = /usr/bin/newaliases.postfix
mailq_path = /usr/bin/mailq.postfix
setgid_group = postdrop
html_directory = no
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/postfix-2.10.1/samples
readme_directory = /usr/share/doc/postfix-2.10.1/README_FILES

maximal_queue_lifetime = 1h
bounce_queue_lifetime = 1h
maximal_backoff_time = 5m
minimal_backoff_time = 2m
queue_run_delay = 2m
smtpd_helo_required = yes
message_size_limit = 28708746
smtpd_error_sleep_time = 2s
#transport_maps = hash:/etc/postfix/transport

smtpd_sender_restrictions =
#        check_sender_access hash:/usr/local/etc/postfix/sender_access

smtpd_recipient_restrictions =
#        check_recipient_access hash:/usr/local/etc/postfix/recipient_access
        permit_mynetworks
        permit_sasl_authenticated
        reject_unauth_destination


#sasl authentication & tls
smtp_use_tls = yes
smtpd_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_sasl_path = smtpd
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_tls_auth_only = yes
#smtpd_tls_CAfile =  /etc/certs/DigiCertCA.crt
smtpd_tls_cert_file = /etc/postfix/sslbaru/sekolahlinux.com.crt
smtpd_tls_key_file = /etc/postfix/sslbaru/sekolahlinux.com.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
#smtpd_sasl_authenticated_header = no

edit file /etc/postfix/master.cf seperti dibawah

smtp      inet  n       -       n       -       -       smtpd
#smtp      inet  n       -       n       -       1       postscreen
#smtpd     pass  -       -       n       -       -       smtpd
#dnsblog   unix  -       -       n       -       0       dnsblog
#tlsproxy  unix  -       -       n       -       0       tlsproxy


submission inet n       -       n       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_client_connection_count_limit=100
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=reject_unknown_recipient_domain,reject_non_fqdn_recipient,permit_sasl_authenticated,reject

smtps     inet  n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_client_connection_count_limit=100
  -o smtpd_client_restrictions=reject_unknown_recipient_domain,reject_non_fqdn_recipient,permit_sasl_authenticated,reject

lalu edit fileĀ /etc/sasl2/smtpd.conf seperti dibawah

pwcheck_method: saslauthd
mech_list: plain login

lalu edit file /etc/sysconfig/saslauthd untuk mengaktifkan authentikasi via rimap seperti dibawah, ganti sekolahlinux.com dengan url server tujuan pengecekan imap.

# Directory in which to place saslauthd's listening socket, pid file, and so
# on.  This directory must already exist.
SOCKETDIR="/var/run/saslauthd"

# Mechanism to use when checking passwords.  Run "saslauthd -v" to get a list
# of which mechanism your installation was compiled with the ablity to use.
MECH="rimap -r"

# Additional flags to pass to saslauthd on the command line.  See saslauthd(8)
# for the list of accepted flags.
FLAGS="-O sekolahlinux.com"

jika sudah jalankan servicenya

systemctl restart saslauthd.service
systemctl restart postfix.service
systemctl enable saslauthd.service
systemctl enable postfix.service

sebelumnya jangan lupa check dahulu apakah server tujuan rimap support auth PLAIN & LOGIN atau tidak

[root@relay akbar]# telnet sekolahlinux.com 143
Trying 202.148.1.50...
Connected to sekolahlinux.com.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN AUTH=LOGIN] Dovecot ready.
a logout
* BYE Logging out
a OK Logout completed.
Connection closed by foreign host.
[root@relay akbar]#

jika jawabannya seperti diatas maka server tujuan support PLAIN & LOGIN dengan mode RIMAP

namun jika sertujuan ternyata memberikan jawaban seperti dibawah ini maka server tujuan tidak supportĀ PLAIN & LOGIN dengan mode RIMAP

[root@relay akbar]# telnet sekolahlinux.com 143
Trying 202.148.1.50...
Connected to sekolahlinux.com.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS LOGINDISABLED] Dovecot ready.
a logout
* BYE Logging out
a OK Logout completed.
Connection closed by foreign host.
[root@relay akbar]#

lalu bagaimana caranya agar server tujuan support untuk mode RIMAP dari server smtp relay, mudah saja pertama kita harus masuk ke server tujuan dalam hal ini berarti server sekolahlinux.com yang berlamat di ip 202.148.1.50 dan kita rubah rule dovecot yang ada di server sekolahlinux.com

[root@server ~]# vim /etc/dovecot/conf.d/10-ssl.conf

lalu rubah baris ini

# SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>
# disable plain pop3 and imap, allowed are only pop3+TLS, pop3s, imap+TLS and imaps
# plain imap and pop3 are still allowed for local connections
ssl = required

menjadi seperti ini

# SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>
# disable plain pop3 and imap, allowed are only pop3+TLS, pop3s, imap+TLS and imaps
# plain imap and pop3 are still allowed for local connections
ssl = yes

jika sudah restart service dovecot nya

systemctl restart dovecot.service

nah jika sudah coba pindah ke server relay.sekolahlinux.com dan coba telnet kembali maka hasilnya akan berubah menjadi seperti dibawah

[root@relay ~]# telnet sekolahlinux.com 143
Trying 202.148.1.50...
Connected to sekolahlinux.com.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN AUTH=LOGIN] Dovecot ready.
a logout
* BYE Logging out
a OK Logout completed.
Connection closed by foreign host.
[root@relay ~]#

nah sekarang silahkan dicoba smtp relay nya šŸ˜€ ingat jangan lupa cara diatas hanya untuk authentikasi user @sekolahlinux.com jadi kalau anda ingin authentikasi dengan @yourdomain.com kalian harus merubah ruleĀ FLAGS=”-O sekolahlinux.com” menjadiĀ FLAGS=”-O yourserver”

jika authentikasi gagal maka email tidak akan terkirim, kecuali ip public komputer anda dimasukkan kedalam mynetwork di konfigurasi postfix di main.cf

sekian tutorial kali ini

sumber: berbagai sumber banyak bgt google aja deh, toh pada akhirnya saya trial dan error sendiri dan alhamdulillah berhasil šŸ˜€