1. Installing and configuring an SMTP server with Postfix, SASL and Active Directory on Debian GNU/Linux 9 Stretch


This is a series of articles I will be publishing on installing a complete mail server using Debian GNU/Linux Stretch. Mail server on Debian GNU/Linux 9 Stretch: postfix, dovecot, sasl, spamassassin, opendkim, opendmarc, policyd-spf, fail2ban, postfwd

This time I will install and configure a fully functional SMTP server using Postfix, SASL and Active Directory (Windows 2016) on Debian GNU/Linux 9 Stretch.


First, our DNS server must be correctly configured and the mail server must have a public IP address.
Run the following command to check:
mail:~# dig MX +short dominio.com
10 mail.dominio.com.

Install the following packages:
root@mail:~# apt install postfix postfix-ldap sasl2-bin libsasl2-modules
Leyendo lista de paquetes... Hecho
Creando árbol de dependencias
Leyendo la información de estado... Hecho
Se instalarán los siguientes paquetes adicionales:
bzip2 db-util db5.3-util dh-python file libicu57 libldap-2.4-2 libldap-common libmagic-mgc libmagic1
libmpdec2 libpython3-stdlib libpython3.5-minimal libpython3.5-stdlib libsasl2-2 libsasl2-modules-db
mime-support openssl postfix-sqlite python3 python3-minimal python3.5 python3.5-minimal ssl-cert xz-utils
Paquetes sugeridos:
bzip2-doc libdpkg-perl libsasl2-modules-gssapi-mit | libsasl2-modules-gssapi-heimdal libsasl2-modules-ldap
libsasl2-modules-otp libsasl2-modules-sql ca-certificates procmail postfix-mysql postfix-pgsql postfix-pcre
postfix-lmdb dovecot-common resolvconf postfix-cdb mail-reader ufw postfix-doc python3-doc python3-tk
python3-venv python3.5-venv python3.5-doc binutils binfmt-support openssl-blacklist
Se instalarán los siguientes paquetes NUEVOS:
bzip2 db-util db5.3-util dh-python file libicu57 libldap-2.4-2 libldap-common libmagic-mgc libmagic1
libmpdec2 libpython3-stdlib libpython3.5-minimal libpython3.5-stdlib libsasl2-2 libsasl2-modules
libsasl2-modules-db mime-support openssl postfix postfix-ldap postfix-sqlite python3 python3-minimal
python3.5 python3.5-minimal sasl2-bin ssl-cert xz-utils
0 actualizados, 29 nuevos se instalarán, 0 para eliminar y 0 no actualizados.
Se necesita descargar 1,308 kB/17.0 MB de archivos.
Se utilizarán 69.8 MB de espacio de disco adicional después de esta operación.
¿Desea continuar? [S/n]

Select "Internet Site".

Enter the server name.

root@mail:~# cat /etc/postfix/main.cf
# See /usr/share/postfix/main.cf.dist for a commented, more complete version

# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
# fresh installs.
compatibility_level = 2

# TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = mail.dominio.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = $myhostname, mail.dominio.com, localhost.dominio.com, , localhost
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all

root@mail:~# cat /etc/postfix/master.cf
#
# Postfix master process configuration file. For details on the format
# of the file, see the master(5) manual page (command: "man 5 master" or
# on-line: http://www.postfix.org/master.5.html).
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (no) (never) (100)
# ==========================================================================
smtp inet n - y - - smtpd
#smtp inet n - y - 1 postscreen
#smtpd pass - - y - - smtpd
#dnsblog unix - - y - 0 dnsblog
#tlsproxy unix - - y - 0 tlsproxy
#submission inet n - y - - smtpd
#  -o syslog_name=postfix/submission
#  -o smtpd_tls_security_level=encrypt
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#smtps inet n - y - - smtpd
#  -o syslog_name=postfix/smtps
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#628 inet n - y - - qmqpd
pickup unix n - y 60 1 pickup
cleanup unix n - y - 0 cleanup
qmgr unix n - n 300 1 qmgr
#qmgr unix n - n 300 1 oqmgr
tlsmgr unix - - y 1000? 1 tlsmgr
rewrite unix - - y - - trivial-rewrite
bounce unix - - y - 0 bounce
defer unix - - y - 0 bounce
trace unix - - y - 0 bounce
verify unix - - y - 1 verify
flush unix n - y 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - y - - smtp
relay unix - - y - - smtp
#  -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq unix n - y - - showq
error unix - - y - - error
retry unix - - y - - error
discard unix - - y - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - y - - lmtp
anvil unix - - y - 1 anvil
scache unix - - y - 1 scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent. See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop unix - n n - - pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
#
# ====================================================================
#
# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
#
# Specify in cyrus.conf:
# lmtp cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
#
# Specify in main.cf one or more of the following:
# mailbox_transport = lmtp:inet:localhost
# virtual_transport = lmtp:inet:localhost
#
# ====================================================================
#
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
#
#cyrus unix - n n - - pipe
#  user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
#
# ====================================================================
# Old example of delivery via Cyrus.
#
#old-cyrus unix - n n - - pipe
#  flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
#
# ====================================================================
#
# See the Postfix UUCP_README file for configuration details.
#
uucp unix - n n - - pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail unix - n n - - pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix - n n - - pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix - n n - 2 pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman unix - n n - - pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
  ${nexthop} ${user}

root@mail:~# ss -tan
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 *:22 *:*
LISTEN 0 100 *:25 *:*
LISTEN 0 128 :::22 :::*
LISTEN 0 100 :::25 :::*

SASL configuration with Postfix
I based this on the following link: https://wiki.debian.org/PostfixAndSASL

Create the file:
root@mail3:/etc/postfix# cat /etc/postfix/sasl/smtpd.conf
pwcheck_method: saslauthd
mech_list: PLAIN LOGIN

Copy the default file and edit the copy:
root@mail3:/etc/postfix# cp /etc/default/saslauthd /etc/default/saslauthd-postfix

It should end up as follows:
root@mail3:/etc/postfix# cat /etc/default/saslauthd-postfix | grep -v "#"
START=yes
DESC="SASL Authentication Daemon for postfix"
NAME="saslauthd-postf"
MECHANISMS="ldap"
MECH_OPTIONS=""
THREADS=5
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"

Run the following commands:
root@mail:~# systemctl restart saslauthd
root@mail:~# systemctl status saslauthd
saslauthd.service - LSB: saslauthd startup script
Loaded: loaded (/etc/init.d/saslauthd; generated; vendor preset: enabled)
Active: active (running) since Thu 2019-02-14 11:02:01 CST; 33s ago
Docs: man:systemd-sysv-generator(8)
Process: 3034 ExecStop=/etc/init.d/saslauthd stop (code=exited, status=0/SUCCESS)
Process: 3060 ExecStart=/etc/init.d/saslauthd start (code=exited, status=0/SUCCESS)
Tasks: 5 (limit: 4915)
CGroup: /system.slice/saslauthd.service
├─3081 /usr/sbin/saslauthd -a ldap -c -m /var/spool/postfix/var/run/saslauthd -n 5
├─3082 /usr/sbin/saslauthd -a ldap -c -m /var/spool/postfix/var/run/saslauthd -n 5
├─3083 /usr/sbin/saslauthd -a ldap -c -m /var/spool/postfix/var/run/saslauthd -n 5
├─3084 /usr/sbin/saslauthd -a ldap -c -m /var/spool/postfix/var/run/saslauthd -n 5
└─3085 /usr/sbin/saslauthd -a ldap -c -m /var/spool/postfix/var/run/saslauthd -n 5

feb 14 11:02:01 mail.dominio.com systemd[1]: Stopped LSB: saslauthd startup script.
feb 14 11:02:01 mail.dominio.com systemd[1]: Starting LSB: saslauthd startup script...
feb 14 11:02:01 mail.dominio.com saslauthd[3060]: To enable saslauthd, edit /etc/default/saslauthd and set START=yes ... (warning).
feb 14 11:02:01 mail.dominio.com saslauthd[3081]: : master pid is: 3081
feb 14 11:02:01 mail.dominio.com saslauthd[3081]: : listening on socket: /var/spool/postfix/var/run/saslauthd/mux
feb 14 11:02:01 mail.dominio.com saslauthd[3060]: Starting SASL Authentication Daemon: saslauthd-postf.
feb 14 11:02:01 mail.dominio.com systemd[1]: Started LSB: saslauthd startup script.


Configure Postfix to accept SASL authentication as follows:
postconf -e 'smtpd_sasl_local_domain = $myhostname'
postconf -e 'smtpd_sasl_auth_enable = yes'
postconf -e 'broken_sasl_auth_clients = yes'
postconf -e 'smtpd_sasl_security_options = noanonymous'
postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination'

Run the following commands:
systemctl restart postfix
systemctl status postfix
postfix.service - Postfix Mail Transport Agent
Loaded: loaded (/lib/systemd/system/postfix.service; enabled; vendor preset: enabled)
Active: active (exited) since Thu 2019-02-14 11:06:03 CST; 11ms ago
Process: 3267 ExecStart=/bin/true (code=exited, status=0/SUCCESS)
Main PID: 3267 (code=exited, status=0/SUCCESS)
feb 14 11:06:03 mail.dominio.com systemd[1]: Starting Postfix Mail Transport Agent...
feb 14 11:06:03 mail.dominio.com systemd[1]: Started Postfix Mail Transport Agent.

SASL connection to the domain controllers
Create the file /etc/saslauthd.conf with the following content:
ldap_servers: ldap://192.168.112.250/, ldap://192.168.122.250/
ldap_search_base: ou=Usuarios,dc=dominio,dc=local
ldap_timeout: 10
ldap_filter: sAMAccountName=%U
ldap_bind_dn: CN=usuarioldap,OU=Usuarios,DC=midominio,DC=local
ldap_password: clavedeusuario
ldap_deref: never
ldap_restart: yes
ldap_scope: sub
ldap_use_sasl: no
ldap_start_tls: no
ldap_version: 3
ldap_auth_method: bind

Change the permissions:
chown root:sasl /etc/saslauthd.conf
chmod 644 /etc/saslauthd.conf
dpkg-statoverride --add root sasl 710 /var/spool/postfix/var/run/saslauthd

Add the postfix user to the sasl group:
adduser postfix sasl
Añadiendo al usuario `postfix' al grupo `sasl' ...
Añadiendo al usuario postfix al grupo sasl
Hecho.
Restart the service:
systemctl restart saslauthd

Test the connection:
testsaslauthd -u sosorio@dominio.sv -p secret -f /var/spool/postfix/var/run/saslauthd/mux
0: OK "Success."

Postfix configuration and SASL security

Run the following commands:
postconf -e smtp_tls_note_starttls_offer=yes
postconf -e smtpd_tls_loglevel=0
postconf -e smtpd_tls_received_header=yes
postconf -e broken_sasl_auth_clients=yes
postconf -e smtpd_sasl_auth_enable=yes
postconf -e smtpd_tls_security_level=may
postconf -e smtpd_client_new_tls_session_rate_limit=10
postconf -e smtpd_sasl_authenticated_header=yes

postconf -e smtpd_tls_auth_only=yes
postconf -e smtp_use_tls=yes
postconf -e smtpd_sasl_auth_enable=yes
postconf -e local_recipient_maps=
postconf -e smtpd_use_tls=yes
postconf -e smtp_tls_note_starttls_offer=yes
postconf -e smtpd_tls_loglevel=1
postconf -e smtpd_tls_received_header=yes
postconf -e smtpd_tls_session_cache_timeout=3600s
postconf -e tls_random_source=dev:/dev/urandom

postconf -e smtpd_sasl_path=private/auth
postconf -e queue_directory=/var/spool/postfix

postconf -e smtpd_tls_session_cache_database=btree:${data_directory}/smtpd_scache
postconf -e smtp_tls_session_cache_database=btree:${data_directory}/smtp_scache
postconf -e 'smtpd_tls_exclude_ciphers = EXP EDH-RSA-DES-CBC-SHA ADH-DES-CBC-SHA DES-CBC-SHA SEED-SHA'
postconf -e smtpd_tls_dh512_param_file=${config_directory}/certs/dh_512.pem
postconf -e smtpd_tls_dh1024_param_file=${config_directory}/certs/dh_1024.pem
postconf -e 'smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3'

Configuring the mail address database
For this, create the file /etc/postfix/ldap_virtual_recipients.cf:
mail:/etc/postfix# cat ldap_virtual_recipients.cf
server_host = ldap://192.168.112.250 ldap://192.168.122.250
server_port = 389
version = 3
bind = yes
start_tls = no
bind_dn = CN=usuarioldap,OU=Usuarios,DC=dominio,DC=local
bind_pw = clavedeusuario
search_base = ou=Usuarios,dc=dominio,dc=local
scope = sub
query_filter = (&(mail=%s)(objectclass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
result_attribute = mail

Run the following command:
postconf -e 'virtual_mailbox_maps = proxy:ldap:/etc/postfix/ldap_virtual_recipients.cf'

Mail forwarding with Active Directory
The following configuration redirects mail from one account to another. It uses the Active Directory attribute mailNickname, which can only be reached through the "Attribute Editor" tab in the advanced properties.



Create the file /etc/postfix/ldap_virtual_aliases.cf:
mail:/etc/postfix# cat ldap_virtual_aliases.cf
server_host = ldap://192.168.112.250 ldap://192.168.122.250
server_port = 389
version = 3
bind = yes
start_tls = no
bind_dn = CN=usuarioldap,OU=Usuarios,DC=dominio,DC=local
bind_pw = clavedeusuario
search_base = DC=dominio,DC=local
scope = sub
query_filter = (&(mailNickname=%s)(objectclass=person))
result_attribute = info, mailNickname

Creating a mailing list from an AD group
Create the file /etc/postfix/ldap_virtual_groups.cf with the following content:
mail:/etc/postfix# cat ldap_virtual_groups.cf
server_host = ldap://192.168.112.250 ldap://192.168.122.250
search_base = OU=Lista de Correos,OU=Usuarios,DC=dominio,DC=local
version = 3
query_filter = (&(objectClass=group)(mail=%s))
leaf_result_attribute = mail
special_result_attribute = member
bind = yes
bind_dn = CN=usuarioldap,OU=Usuarios,DC=dominio,DC=local
bind_pw = clavedeusuario
Run the following command:
postconf -e 'virtual_alias_maps = proxy:ldap:/etc/postfix/ldap_virtual_groups.cf,proxy:ldap:/etc/postfix/ldap_virtual_aliases.cf'

Change the permissions:
chgrp postfix /etc/postfix/ldap_*.cf
chmod u=rw,g=r,o= /etc/postfix/ldap_*.cf

Test the configuration:
postmap -q sosorio@midominio.sv ldap:/etc/postfix/ldap_virtual_recipients.cf
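The recipients map above rejects disabled accounts through the LDAP bitwise-AND matching rule (OID 1.2.840.113556.1.4.803) on userAccountControl bit 2 (ACCOUNTDISABLE), a clause the alias and group maps do not carry, and Postfix substitutes the looked-up address into %s with RFC 4515 (formerly RFC 2254) escaping so that a key such as *@dominio.sv cannot widen the search. This added example, not part of the original post, reproduces that lookup offline: constructed AD entries, the page's own filter, the escaping step and a small evaluator for the filter subset the page uses.

```python
import re

# Constructed AD entries, not a real directory. userAccountControl 512 is
# NORMAL_ACCOUNT, 514 adds ACCOUNTDISABLE (bit 2), 66048 adds DONT_EXPIRE_PASSWORD.
ENTRIES = [
    {"mail": "sosorio@dominio.sv", "objectclass": ["person", "user"], "userAccountControl": 512},
    {"mail": "baja@dominio.sv", "objectclass": ["person", "user"], "userAccountControl": 514},
    {"mail": "svc@dominio.sv", "objectclass": ["person", "user"], "userAccountControl": 66048},
]
BIT_AND = "1.2.840.113556.1.4.803"  # LDAP_MATCHING_RULE_BIT_AND
RECIPIENT_FILTER = "(&(mail=%s)(objectclass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"

def rfc4515_escape(value):
    """Escape what RFC 4515 reserves in a filter value; Postfix does this for %s."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def rfc4515_unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def parse(s, i=0):
    """Parse the filter subset used on this page: &, !, attr=value, attr:OID:=n."""
    i += 1                                   # skip '('
    if s[i] in "&!":
        op, items, i = s[i], [], i + 1
        while s[i] == "(":
            node, i = parse(s, i)
            items.append(node)
        return (op, items), i + 1            # skip ')'
    j = s.index(")", i)
    attr, value = s[i:j].split("=", 1)
    return ("=", attr, rfc4515_unescape(value)), j + 1

def matches(node, entry):
    if node[0] == "&":
        return all(matches(n, entry) for n in node[1])
    if node[0] == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    if attr.endswith(":" + BIT_AND + ":"):   # bitwise AND: every bit of the mask set
        mask = int(value)
        return (int(entry.get(attr.split(":")[0], 0)) & mask) == mask
    have = entry.get(attr, [])
    have = have if isinstance(have, list) else [have]
    return any(str(v).lower() == value.lower() for v in have)

def ldap_lookup(entries, filter_template, key, result_attribute):
    """Mimic 'postmap -q key ldap:...': expand %s, apply the filter, return results."""
    tree, _ = parse(filter_template.replace("%s", rfc4515_escape(key)))
    return [e[result_attribute] for e in entries if matches(tree, e)]
```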

Enabling secure SMTP (SMTPS)
To enable SMTPS, make the following configuration changes.
Edit the file /etc/postfix/master.cf as follows:
To open secure port 587, uncomment the following lines:
submission inet n - y - - smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=may
  -o smtpd_sasl_auth_enable=yes

For secure port 465, uncomment the following lines:
smtps inet n - y - - smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
Restart Postfix:
systemctl restart postfix

root@mail:~# ss -tan
State      Recv-Q Send-Q           Local Address:Port                          Peer Address:Port              
LISTEN     0      100                          *:587                                      *:*                  
LISTEN     0      100                          *:465                                      *:*                  
LISTEN     0      128                          *:22                                       *:*                  
LISTEN     0      100                          *:25                                       *:*                  
LISTEN     0      100                         :::587                                     :::*                  
LISTEN     0      100                         :::465                                     :::*                  
LISTEN     0      128                         :::22                                      :::*                  
LISTEN     0      100                         :::25                                      :::*                  

Create the file virtual_domains:
mail3:/etc/postfix# cat virtual_domains
dominio.com             OK
dominio.sv              OK

Run the following commands:
postmap virtual_domains
postconf -e virtual_mailbox_domains=hash:/etc/postfix/virtual_domains
postconf -e virtual_mailbox_base=/var/vmail/
Restart Postfix:
systemctl restart postfix

At this point our SMTP mail server is configured. The mailboxes do not exist yet, but we should already be able to send mail if DNS is configured correctly and the server has a public IP address.

mail:/etc/postfix# dig MX +short dominio.com
10 mail.dominio.com.

Where mail.dominio.com. points to a public IP address assigned to our mail server.

Here is the log of the message that was sent.

root@mail:/etc/default# grep 3EADB5FCEC: /var/log/mail.log 
Feb 14 13:44:50 mail postfix/smtpd[5027]: 3EADB5FCEC: client=unknown[192.168.145.80], sasl_method=PLAIN, sasl_username=sosorio@dominio.com
Feb 14 13:44:50 mail postfix/cleanup[5032]: 3EADB5FCEC: message-id=<eea0711b-a469-bd3c-b1d1-d5049f9ff628@dominio.com>
Feb 14 13:44:50 mail postfix/qmgr[5025]: 3EADB5FCEC: from=<sosorio@dominio.com>, size=40722, nrcpt=1 (queue active)
Feb 14 13:44:51 mail postfix/smtp[5033]: 3EADB5FCEC: to=<sosoriosv@gmail.com>, relay=gmail-smtp-in.l.google.com[74.125.141.26]:25, delay=0.94, delays=0.02/0.01/0.4/0.51, dsn=2.0.0, status=sent (250 2.0.0 OK 1550173491 v8si1631569vso.63 - gsmtp)
Feb 14 13:44:51 mail postfix/qmgr[5025]: 3EADB5FCEC: removed
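The lines above are the only record of who authenticated and what they sent, so they are what you review when a SASL account is misused. This added script, not part of the original post, correlates the smtpd, qmgr and smtp lines of each queue ID, records the SASL user behind every delivery, collects failed logins, and flags submissions whose authenticated user is not the envelope sender; the sample is the page's own log plus constructed lines (queue ID 7B1C25FD01 and the 203.0.113.7 client are made up for the example).

```python
import re
from collections import defaultdict

# Sample log: the page's own lines for 3EADB5FCEC, plus constructed lines for a
# failed login and for queue ID 7B1C25FD01, whose SASL user is not its sender.
SAMPLE_LOG = """\
Feb 14 13:44:50 mail postfix/smtpd[5027]: 3EADB5FCEC: client=unknown[192.168.145.80], sasl_method=PLAIN, sasl_username=sosorio@dominio.com
Feb 14 13:44:50 mail postfix/cleanup[5032]: 3EADB5FCEC: message-id=<eea0711b-a469-bd3c-b1d1-d5049f9ff628@dominio.com>
Feb 14 13:44:50 mail postfix/qmgr[5025]: 3EADB5FCEC: from=<sosorio@dominio.com>, size=40722, nrcpt=1 (queue active)
Feb 14 13:44:51 mail postfix/smtp[5033]: 3EADB5FCEC: to=<sosoriosv@gmail.com>, relay=gmail-smtp-in.l.google.com[74.125.141.26]:25, delay=0.94, delays=0.02/0.01/0.4/0.51, dsn=2.0.0, status=sent (250 2.0.0 OK 1550173491 v8si1631569vso.63 - gsmtp)
Feb 14 13:44:51 mail postfix/qmgr[5025]: 3EADB5FCEC: removed
Feb 14 13:50:02 mail postfix/smtpd[5040]: warning: unknown[203.0.113.7]: SASL PLAIN authentication failed: authentication failure
Feb 14 13:51:10 mail postfix/smtpd[5041]: 7B1C25FD01: client=unknown[203.0.113.7], sasl_method=LOGIN, sasl_username=sosorio@dominio.com
Feb 14 13:51:10 mail postfix/qmgr[5025]: 7B1C25FD01: from=<gerencia@dominio.com>, size=2048, nrcpt=1 (queue active)
Feb 14 13:51:11 mail postfix/smtp[5042]: 7B1C25FD01: to=<cliente@example.org>, relay=example.org[192.0.2.25]:25, delay=0.5, delays=0.01/0.01/0.2/0.3, dsn=2.0.0, status=sent (250 OK)
"""

LINE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/[\w-]+\[\d+\]: (?P<rest>.*)$")
QID = re.compile(r"^(?P<qid>[0-9A-F]{6,}): (?P<msg>.*)$")
AUTH = re.compile(r"client=(?P<client>[^,\s]+), sasl_method=(?P<method>[^,\s]+), sasl_username=(?P<user>\S+)")
FROM = re.compile(r"from=<(?P<sender>[^>]*)>")
TO = re.compile(r"to=<(?P<rcpt>[^>]*)>.*status=(?P<status>\w+)")
FAILED = re.compile(r"warning: (?P<client>\S+): SASL (?P<method>\S+) authentication failed")

def parse_log(text):
    """Group per-message lines by queue ID; collect failed SASL logins separately."""
    msgs = defaultdict(lambda: {"rcpts": []})
    failures = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        rest = m.group("rest")
        f = FAILED.search(rest)
        if f:
            failures.append((m.group("ts"), f.group("client"), f.group("method")))
            continue
        q = QID.match(rest)
        if not q:
            continue
        rec = msgs[q.group("qid")]
        for rx in (AUTH, FROM):
            hit = rx.search(q.group("msg"))
            if hit:
                rec.update(hit.groupdict())
        hit = TO.search(q.group("msg"))
        if hit:
            rec["rcpts"].append((hit.group("rcpt"), hit.group("status")))
    return dict(msgs), failures

def sender_mismatches(msgs):
    """Queue IDs whose authenticated SASL user differs from the envelope sender."""
    bad = []
    for qid, rec in msgs.items():
        user, sender = rec.get("user"), rec.get("sender")
        if user and sender and user.lower() != sender.lower():
            bad.append((qid, user, sender, rec.get("client")))
    return sorted(bad)
```

Postfix can refuse such submissions at SMTP time with smtpd_sender_login_maps and reject_sender_login_mismatch; the log review above is the after-the-fact counterpart.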