
Installation

$ sudo apt-get install postfix

With tasksel

$ sudo tasksel

See tasksel.

Configuration

Sending mail through Gmail

IMPORTANT: careful! The command sendmail -bv sergi DOT tur AT upc.edu only performs a test, it does not send any message! Use instead:

$ sendmail -v acacha@gmail.com < testmsg  

Where testmsg is a text file containing the message.

NOTE: In the end it seems the whole certificate business is not needed! It is enough to set:

$ cat /etc/postfix/main.cf
relayhost= [smtp.gmail.com]:587

smtp_use_tls = yes
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous

Creating the file /etc/postfix/sasl_passwd

$ cat /etc/postfix/sasl_passwd
#contents of sasl_passwd
#
[smtp.gmail.com]:587 usuari@gmail.com:password

And building the lookup table from it (postmap does not encrypt the file; it produces a hashed database):

$ sudo postmap /etc/postfix/sasl_passwd

This creates the binary file:

$ file /etc/postfix/sasl_passwd.db 
sasl_passwd.db: Berkeley DB (Hash, version 9, native byte-order)

Delete the text file for safety (the .db file still contains the password in clear text, so keep it readable by root only):

$ sudo rm /etc/postfix/sasl_passwd

And apply the changes:

$ sudo /etc/init.d/postfix restart

Run the test:

$ sendmail -v usuari@gmail.com < testmsg 

The log files will show the message:

certificate verification failed for smtp.gmail.com[209.85.229.109]:587: untrusted issuer /C=US/O=Equifax/OU=Equifax Secure Certificate Authority

But it seems to be only a warning: delivery goes ahead, since with smtp_use_tls = yes the relay's certificate is not enforced.

Google's mail service requires the TLS protocol and SASL2. To be able to connect you need:

  • Gmail's certificate authority (CA)
  • Your own Certificate Authority (CA) certificate.

The first step is to create a CA certificate:

NOTE: Enter your own details; those below are only an example

$ /usr/lib/ssl/misc/CA.pl -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 1024 bit RSA private key
.......++++++
..................++++++
writing new private key to './demoCA/private/cakey.pem'
Enter PEM pass phrase: password
Verifying - Enter PEM pass phrase: password
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:US
State or Province Name (full name) [New York]:New York
Locality Name (eg, city) []:New York
Organization Name (eg, company) []:Sanborn_Widgets

Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:Mark
Email Address []:username@gmail.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok

At the prompts:

A challenge password []:
An optional company name []:

you do not need to enter anything.

Now you need to create a server certificate:

NOTE: Use your own values!

openssl req -new -nodes -subj '/CN=domain.com/O=Sanborn_Widgets/C=US/ST=New York/L=New York/emailAddress=username@gmail.com' -keyout FOO-key.pem -out FOO-req.pem -days 3650

Sign the certificate with your CA:

# openssl ca -out FOO-cert.pem -infiles FOO-req.pem
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok

Answer yes to everything it asks.

Now copy the certificates and restrict their permissions (the private key must be readable only by root):

$ sudo cp demoCA/cacert.pem FOO-key.pem FOO-cert.pem /etc/postfix
$ sudo chmod 644 /etc/postfix/FOO-cert.pem /etc/postfix/cacert.pem
$ sudo chmod 400 /etc/postfix/FOO-key.pem

Gmail uses the certificate:

Thawte Premium Server CA

It must be appended to the end of the file /etc/postfix/cacert.pem


The original can be found at:

www.thawte.com/roots

You can download it yourself with:

$ wget https://www.thawte.com/roots/thawte_Premium_Server_CA.pem

And append it with:

$ sudo bash -c "cat thawte_Premium_Server_CA.pem >> /etc/postfix/cacert.pem"

Now configure postfix by adding the following to the file /etc/postfix/main.cf:

## TLS Settings
#
smtp_tls_CAfile = /etc/postfix/cacert.pem
smtp_tls_cert_file = /etc/postfix/FOO-cert.pem
smtp_tls_key_file = /etc/postfix/FOO-key.pem
smtp_tls_session_cache_database = btree:/var/run/smtp_tls_session_cache
smtp_use_tls = yes
smtpd_tls_CAfile = /etc/postfix/cacert.pem
smtpd_tls_cert_file = /etc/postfix/FOO-cert.pem
smtpd_tls_key_file = /etc/postfix/FOO-key.pem
smtpd_tls_received_header = yes
smtpd_tls_session_cache_database = btree:/var/run/smtpd_tls_session_cache
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
#
## SASL Settings
# This is going in to THIS server
smtpd_sasl_auth_enable = no
# We need this
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtpd_sasl_local_domain = $myhostname
smtp_sasl_security_options = noanonymous
#smtp_sasl_security_options =
smtp_sasl_tls_security_options = noanonymous
smtpd_sasl_application_name = smtpd

NOTE: When I first added these lines I had a space in front of the first line, which would give me errors when trying to run postfix. The only problem was that the error was misleading, saying there was something wrong with the line above, steering me in the wrong direction, and I ended up troubleshooting something that wasn't broken. So make sure you have copied these lines exactly into the bottom of main.cf without any spaces in front of any of the lines.
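As an added example (not code from the original page), a small Python parser for main.cf that applies the rule behind the note above: Postfix treats a line that starts with whitespace as a continuation of the previous parameter's value, which is why the error pointed at the line above. It also checks the Gmail relay settings this page uses; the sample configuration fragments and the function names are constructed for this example.

```python
# Added example, not from the original page. Constructed main.cf fragments:
GOOD_CF = """\
relayhost = [smtp.gmail.com]:587
smtp_use_tls = yes
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
"""
# Same settings with one stray leading space (the mistake from the note above).
BAD_CF = GOOD_CF.replace("\nsmtp_sasl_auth_enable", "\n smtp_sasl_auth_enable")

def parse_main_cf(text):
    """Parse main.cf text into a dict, applying Postfix's continuation rule:
    a line starting with whitespace is appended to the previous value."""
    params, last_key = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        if raw[0] in " \t" and last_key is not None:
            params[last_key] += " " + raw.strip()  # swallowed by the line above
            continue
        key, sep, value = raw.partition("=")
        if not sep:
            raise ValueError("malformed line: %r" % raw)
        last_key = key.strip()
        params[last_key] = value.strip()
    return params

def check_gmail_relay(params):
    """Return findings for the relay-through-Gmail setup; empty means OK."""
    findings = []
    if params.get("relayhost") != "[smtp.gmail.com]:587":
        findings.append("relayhost is not [smtp.gmail.com]:587")
    if params.get("smtp_sasl_auth_enable") != "yes":
        findings.append("smtp_sasl_auth_enable is not yes")
    if not params.get("smtp_sasl_password_maps", "").startswith("hash:"):
        findings.append("smtp_sasl_password_maps is missing or not a hash: map")
    if "noanonymous" not in params.get("smtp_sasl_security_options", ""):
        findings.append("smtp_sasl_security_options does not contain noanonymous")
    tls_level = params.get("smtp_tls_security_level", "none")
    if params.get("smtp_use_tls") != "yes" and tls_level == "none":
        findings.append("TLS is not enabled for outgoing SMTP")
    elif tls_level not in ("verify", "secure"):
        # smtp_use_tls = yes is opportunistic TLS: the "certificate verification
        # failed" warning is logged, but the password is still sent.
        findings.append("relay certificate is not verified (opportunistic TLS only)")
    return findings
```

Running check_gmail_relay on the parsed BAD_CF reports smtp_sasl_auth_enable as missing, because that whole line was absorbed into the value of smtp_use_tls.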

Now create the file /etc/postfix/transport:

# Contents of /etc/postfix/transport
#
# This sends mail to Gmail
gmail.com smtp:[smtp.gmail.com]:587
#

Now create the SASL password file /etc/postfix/sasl_passwd:

#contents of sasl_passwd
#
[smtp.gmail.com]:587 username@gmail.com:password

Build the lookup tables (the hash databases) from both files:

$ sudo postmap sasl_passwd && sudo postmap transport

And apply the changes:

$ sudo /etc/init.d/postfix restart

Go to your home directory, where you made the temporary .pem files in step 1, and remove them:

cd ~
rm FOO-req.pem FOO-cert.pem FOO-key.pem && rm -r demoCA/

Does it work?

Send a test email to yourself, replace username with your actual username. Note this is a test and it only tests to see if it WOULD send. You will not get an email in your Gmail inbox.

sendmail -bv username@gmail.com

Check to see if it went:

cat /var/log/mail.log | tail

If everything went ok you will see something like this in the log

Oct 1 12:22:04 localhost postfix/smtp[21389]: 671AD676BF: to=, relay=smtp.gmail.com[123.233.169.109], delay=3, status=deliverable (delivery via smtp.gmail.com[123.233.169.109]: 250 2.1.5 OK)

If it didn’t work out you will see this in the log:

Oct 1 12:21:57 localhost postfix/local[21381]: 4E5BA676BF: to=, orig_to=, relay=local, delay=0, status=undeliverable (delivery via local: unknown user: "user")
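As an added example (not code from the original page), a Python helper that parses delivery lines like the two above from mail.log and separates a message that Postfix actually handed to smtp.gmail.com from one that stayed local or was deferred; the sample log lines, addresses, queue ids and IP addresses are constructed placeholders.

```python
# Added example, not from the original page: parse Postfix delivery lines from
# mail.log. The sample lines below are constructed; addresses, queue ids and
# IPs are placeholders.
import re

LOG_RE = re.compile(
    r"postfix/(?P<prog>\w+)\[\d+\]: (?P<qid>[0-9A-F]+): to=<(?P<to>[^>]*)>,"
    r".*?relay=(?P<relay>[^,]+), .*?status=(?P<status>\w+) \((?P<detail>.*)\)$"
)

SAMPLE_LOG = """\
Oct 1 12:22:04 localhost postfix/smtp[21389]: 671AD676BF: to=<user@gmail.com>, relay=smtp.gmail.com[203.0.113.10]:587, delay=3, status=deliverable (delivery via smtp.gmail.com[203.0.113.10]:587: 250 2.1.5 OK)
Oct 1 12:21:57 localhost postfix/local[21381]: 4E5BA676BF: to=<user@localhost>, orig_to=<user>, relay=local, delay=0, status=undeliverable (delivery via local: unknown user: "user")
Oct 1 12:23:10 localhost postfix/smtp[21395]: 9C01D676C0: to=<user@gmail.com>, relay=smtp.gmail.com[203.0.113.10]:587, delay=4, status=deferred (SASL authentication failed; server smtp.gmail.com[203.0.113.10] said: 535-5.7.8 Username and Password not accepted)
"""

def parse_mail_log(text):
    """Return one dict per Postfix delivery line; other lines are ignored."""
    return [m.groupdict() for m in map(LOG_RE.search, text.splitlines()) if m]

def summarize(entries):
    """Map queue id -> (relay host, status). 'local' means the transport map or
    relayhost did not match and the mail never left this host."""
    return {e["qid"]: (e["relay"].split("[")[0], e["status"]) for e in entries}

def relayed_via_gmail(entries):
    """Queue ids that Postfix successfully handed to smtp.gmail.com."""
    return [e["qid"] for e in entries
            if e["status"] == "deliverable" and e["relay"].startswith("smtp.gmail.com")]
```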

Alternative Method

After issuing the sendmail command you can check to see if it worked by checking your local email with any email client. I used mutt.

You can also check the email queue with

postqueue -p

And deleting all messages in queue with

postsuper -d ALL

If all goes well you should now have a working outgoing email server through Gmail's SMTP. Now you can write scripts on your server to alert you of all sorts of things happening on your server.

Troubleshooting

Certificate verification failed for smtp.gmail.com[209.85.133.111]:587: untrusted issuer /C=US/O=Equifax/OU=Equifax Secure Certificate Authority

The error appears in:

$ sudo tail -f /var/log/mail.log

It seems Google changed its CA from Thawte to Equifax.

The solution is to append the Equifax CA certificate to the CA file:

$ sudo su -
# cat /etc/ssl/certs/Equifax_Secure_CA.pem >> /etc/postfix/cacert.pem

error:02001002:system library:fopen

If you get the error:

32599:error:02001002:system library:fopen:No such file or directory:bss_file.c:356:fopen('./demoCA/serial','r')
32599:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:358:

In my case it was because I had not set the common name.

See also

External links