SMTP: How to install and secure it on Linux (CentOS 6)

Secure configuration for Linux for this exercise will involve the installation of Postfix. It ships by default with CentOS 6 but may not be installed depending on the packages selected. To install Postfix:

  • sudo yum install postfix

Next, Postfix needs to be configured. Open the file with sudo nano /etc/postfix/main.cf, then uncomment the following lines and change them to the correct values for the system in question:

  • myhostname = server.hostname.com
  • mydomain = domain.com
  • myorigin = $mydomain
    • This is the domain name that local email appears to have come from and is delivered to (CentOS, 2011)
  • inet_interfaces = all
    • This determines what interfaces Postfix should receive mail on
  • mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
    • This is a list of domains to deliver mail to (CentOS, 2011)
  • mynetworks = 192.168.0.0/24, 127.0.0.0/8
    • Tells Postfix to only send or receive mail from a whitelist of networks
  • relay_domains =
    • Normally this option allows the administrator to list what destination domains the system should relay mail to, but by leaving this blank it ensures the mail server is not acting as an open relay (CentOS, 2011)
  • home_mailbox = Maildir/

Mailboxes need to be created for each user. While this could easily be automated in a script, the commands necessary are (replace <user> with the proper username) (CentOS, 2011):

  • mkdir /home/<user>/Maildir
  • chown <user>:<user> /home/<user>/Maildir
  • chmod -R 700 /home/<user>/Maildir

For security purposes, it is prudent to use the /etc/aliases file to obscure the usernames of users on the system. Otherwise, if an attacker finds a valid email address for the domain, they will also know what the user’s login name is based on their address. The structure of the file simply follows the alias: username format for entries, so a user named Shlomo Yarosevic with username “shlomo” might take the format syarosevic: shlomo. Once the file has been edited, the newaliases command should be run to rebuild the alias database (CentOS, 2011).

Next, Postfix should be configured to operate over TLS. This will require the use of a certificate and private key, both in PEM format (Postfix, n.d.). If these are not available, they can be generated using the following commands (“Simple SSL Cert”, n.d.):

  • openssl genrsa -out privkey.pem 1024
    • Creates a new private RSA key of 1024 bit length
  • openssl req -new -key privkey.pem -out certreq.csr
    • Creates a certificate signing request using the private key
  • openssl x509 -req -days 3650 -in certreq.csr -signkey privkey.pem -out newcert.pem
    • Self-sign the signing request using the private key

The certificate should be stored in the /etc/postfix directory and be readable only by root (Postfix, n.d.).

  • sudo chown root:root newcert.pem
  • sudo chmod 400 newcert.pem
  • sudo mv newcert.pem /etc/postfix/

Make Postfix run at startup:

  • sudo chkconfig --level 345 postfix on
  • sudo /etc/init.d/postfix restart

Unless specified otherwise in the configuration file, port 25 needs to be opened on the firewall to allow SMTP communications.
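
Once main.cf has been edited, the relay and TLS settings described above can be checked with a short script. This is an added example, not part of the original post: the function names and the sample files are constructed, and smtpd_tls_security_level and smtpd_tls_key_file are Postfix TLS parameters that the post itself does not show being set.

```shell
# Added example (not from the original post); function names and sample files are constructed.
# mc_get FILE PARAM: print PARAM's value (last assignment wins, continuation lines joined).
mc_get() {
    awk -v key="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }              # comments and blank lines
        /^[ \t]/ { if (hit) val = val " " $0; next }   # continuation of previous line
        { hit = 0; eq = index($0, "="); if (eq == 0) next
          name = substr($0, 1, eq - 1); gsub(/[ \t]/, "", name)
          if (name == key) { hit = 1; val = substr($0, eq + 1) } }
        END { gsub(/[ \t]+/, " ", val); sub(/^ /, "", val); sub(/ $/, "", val); print val }
    ' "$1"
}
finding() { echo "FINDING: $1"; n=$((n + 1)); }

# audit_main_cf FILE: print one line per finding; exit status is the finding count.
audit_main_cf() {
    f=$1; n=0
    grep -Eq '^relay_domains[[:space:]]*=' "$f" || finding "relay_domains not set explicitly"
    [ -z "$(mc_get "$f" relay_domains)" ] || finding "relay_domains is not empty"
    case " $(mc_get "$f" mynetworks | tr ',' ' ') " in
        *"/0 "*) finding "mynetworks has a /0 entry, so every client is trusted" ;;
    esac
    case "$(mc_get "$f" smtpd_tls_security_level)" in
        may|encrypt) ;;
        *) finding "smtpd_tls_security_level is not may or encrypt" ;;
    esac
    key=$(mc_get "$f" smtpd_tls_key_file)
    if [ -z "$key" ] || [ ! -f "$key" ]; then
        finding "smtpd_tls_key_file is unset or the file is missing"
    elif [ "$(ls -ld "$key" | cut -c5-10)" != "------" ]; then
        finding "private key $key is accessible to group or others"
    fi
    return "$n"
}

# run_demo: audit two constructed configs (a weak one, then one following the steps above).
run_demo() {
    d=$(mktemp -d) || return 1
    : > "$d/privkey.pem"; chmod 644 "$d/privkey.pem"   # empty stand-in for the key file
    printf '%s\n' 'mynetworks = 192.168.0.0/24, 0.0.0.0/0' 'relay_domains = $mydestination' \
        "smtpd_tls_key_file = $d/privkey.pem" > "$d/weak.cf"
    w=0; audit_main_cf "$d/weak.cf" >&2 || w=$?
    chmod 400 "$d/privkey.pem"
    printf '%s\n' 'mynetworks = 192.168.0.0/24,' '    127.0.0.0/8' 'relay_domains =' \
        'smtpd_tls_security_level = may' "smtpd_tls_key_file = $d/privkey.pem" > "$d/ok.cf"
    h=0; audit_main_cf "$d/ok.cf" >&2 || h=$?
    rm -rf "$d"; echo "weak=$w hardened=$h"
}

run_demo
```

On a real server, run audit_main_cf /etc/postfix/main.cf as root so the key file can be inspected.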
