iai.uni-bonn.de
Institut für Angewandte Informatik III
Rheinische Friedrich-Wilhelms-Universität Bonn
Systemgruppe Angewandte Informatik

Configuring a local Postfix in computer science networks

Described below is the procedure, coordinated with GSG, for sending emails from a local system.
Authentication and authorization are done with your own certificate instead of your personal account credentials.
[Certificate-based installations set up after 2013/2014 should still work as long as the certificates are valid.]

You will require

  1. a local system with a running Postfix MTA
  2. a suitable TLS certificate and, of course, the corresponding private key
  3. for certificates not signed by the Uni-Bonn CA:
    the issuer-provided chain of intermediate certificates that closes the gap between the issuing certificate and its root CA

Notes on your Certificate:

The extendedKeyUsage of your certificate has to contain clientAuth (*).
Otherwise you cannot authenticate TLS client connections with that certificate.

We only need the following information sent to postmaster by email:

  1. the output of the following command:
    openssl x509 -fingerprint -purpose -text -noout -in certificatefile.pem
    [* the -purpose output also shows whether "SSL client" / "TLS Web Client Authentication" is allowed]

  2. the (existing) local sender address(es) to be bound to and authorized with this certificate
  3. the recipient(s) or class of recipients / purpose of the mailings.

Notes on your Postfix configuration

Simple postconf command(s) to check and set the main.cf parameters are given at the end!
Verify postconf's output, in particular the path and content of the files referenced by the smtp_tls_ ... parameters (key and cert).

Each aspect is explained below for better understanding.
By default Postfix parameters are controlled via the configuration file /etc/postfix/main.cf.
The following parameters must be active (descriptions in round brackets for your convenience).

  • Super-user rights are required to change them.
  • Emphasized placeholders are to be replaced appropriately.
  • Attention: at least in SuSe Linux distributions, parameter names are often present several times in the default main.cf!
  • Example for the domain informatik.uni-bonn.de (adapt where necessary):
  1. inet_interfaces = loopback-only
    (no other email services are offered to the network)
    1. mydestination = $myhostname, localhost.$mydomain, localhost
      (default)
    2. mydestination =
      (to never deliver mail locally)
  2. IF NOT set properly by default (e.g. on SuSe) - see the postconf check section below:
    • mydomain = informatik.uni-bonn.de
    • myhostname = myhost.informatik.uni-bonn.de
  3. relayhost = [smtp.iai.uni-bonn.de]:585
    (send messages via the specified relayhost / note the "[]"!)
  4. smtp_tls_cert_file = /etc/postfix/keycertchain.pem
    (path to a combined file (readable only by root) in PEM format containing at least
    • the private key
    • optional settings
    • the certificate corresponding to your private key
    • the intermediate CA certificate chain (depending on your certificate's CA / issuer)
    We use `cat private-key.pem opt.pem cert.pem chain.pem > keycertchain.pem` to create the single file.
    Note: to assemble the GEANT certificate chain you will need the first and the last link provided in the email from support@cert-manager.com: "as Intermediate(s)/Root only, PEM encoded".
    In our experience the links in between may not be usable unmodified because the certificates are in the wrong order!
    If you prefer separate files for key and certificate, configure the corresponding Postfix parameters here and in the next item accordingly.)
  5. smtp_tls_key_file = ${smtp_tls_cert_file}
    (use the same parameter value)
  6. smtp_tls_security_level = encrypt
    (use TLS unconditionally)

Changes to the running configuration have to be activated via `postfix reload`.

The actual configuration should be checked via postconf:

# postconf | egrep '^(inet_interfaces|mydestination|mydomain|myhostname|relayhost|smtp_tls_((cert|key)_file|CApath|security_level)) ='
inet_interfaces = loopback-only
mydestination = $myhostname, localhost.$mydomain, localhost
mydomain = informatik.uni-bonn.de
myhostname = myhostname.informatik.uni-bonn.de
relayhost = [smtp.iai.uni-bonn.de]:585
smtp_tls_cert_file = /etc/postfix/keycertchain.pem
smtp_tls_key_file = ${smtp_tls_cert_file}
smtp_tls_CApath = /path/to/openssl/ssl/certs
smtp_tls_security_level = encrypt
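As an added example that is not part of the original page, the following Python script applies the checks above to a main.cf instead of reading postconf output by eye: it resolves repeated parameter definitions the way Postfix does (the later entry overrides the earlier one, which is the SuSe pitfall mentioned above) and reports every parameter that deviates from the values required here. The sample main.cf embedded in it is constructed.

```python
# Constructed example, not from the page: audit a Postfix main.cf against the settings above.
import re
REQUIRED = {"inet_interfaces": "loopback-only", "smtp_tls_security_level": "encrypt",
            "relayhost": "[smtp.iai.uni-bonn.de]:585"}  # the [] suppress the MX lookup
PARAM_RE = re.compile(r"^([A-Za-z0-9_]+)\s*=\s*(.*?)\s*$")

def parse_main_cf(text):
    """Return (params, duplicates): whitespace-led lines continue a value; a repeated
    name overrides the earlier entry, as Postfix does (postconf warns about it)."""
    params, duplicates, last = {}, [], None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        if raw[0] in " \t" and last is not None:   # continuation line
            params[last] += " " + raw.strip()
            continue
        m = PARAM_RE.match(raw)
        if m:
            name, value = m.groups()
            if name in params:
                duplicates.append(name)           # later definition wins
            params[name], last = value, name
    return params, duplicates

def audit(params):
    """Return a list of findings; an empty list means main.cf matches the page."""
    findings = [f"{n} should be '{v}', found {params.get(n)!r}"
                for n, v in REQUIRED.items() if params.get(n) != v]
    cert, key = params.get("smtp_tls_cert_file"), params.get("smtp_tls_key_file")
    if not cert:
        findings.append("smtp_tls_cert_file is not set")
    elif key not in (cert, "${smtp_tls_cert_file}", "$smtp_tls_cert_file"):
        findings.append("smtp_tls_key_file does not reference the combined key/cert file")
    return findings

# Constructed sample: SuSE-style file in which inet_interfaces is defined twice.
SAMPLE_MAIN_CF = """\
inet_interfaces = all
mydestination = $myhostname, localhost.$mydomain,
    localhost
inet_interfaces = loopback-only
relayhost = smtp.iai.uni-bonn.de:585
smtp_tls_cert_file = /etc/postfix/keycertchain.pem
smtp_tls_key_file = ${smtp_tls_cert_file}
smtp_tls_security_level = may
"""

if __name__ == "__main__":
    params, dups = parse_main_cf(SAMPLE_MAIN_CF)
    print("defined more than once:", dups, *audit(params), sep="\n")
```

Run it against a real file with parse_main_cf(open('/etc/postfix/main.cf').read()); values that postconf would expand (e.g. $myhostname) are compared literally here.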

The actual configuration can also be changed via postconf:

postconf -e inet_interfaces=loopback-only
postconf -e mydomain=informatik.uni-bonn.de
postconf -e myhostname=myhostname.informatik.uni-bonn.de
postconf -e smtp_tls_cert_file=/etc/postfix/keycertchain.pem
postconf -e 'smtp_tls_key_file=${smtp_tls_cert_file}'
postconf -e smtp_tls_security_level=encrypt
postconf -e 'relayhost=[smtp.iai.uni-bonn.de]:585'
(note the shell-dependent quoting of the $, {} and [] characters, and do not forget to use your real hostname)

If you have further questions about the installation or configuration of Postfix, please consult your local system administration.