CentOS 7.1: Install StartSSL CA Certificate
A few months ago I configured Postfix on my CentOS 7.0 VPS to accept a TLS client certificate from my laptop, instead of a password. My client certificate was obtained from StartSSL, who have a rather convoluted process but seem to be the best value CA out there.
Last week CentOS 7.1 became available. I did a yum update and rebooted, and it all seemed to go without a hitch, until I tried to send an email. My server was logging ‘certificate verification failed’.
After a bit of research, I figured that the problem might be with the StartSSL certificate chain. Time to figure out how to add it to the system. Turns out it's fairly easy:
Step One: Fetch the startssl bundle and put it in the right directory
cd /etc/pki/ca-trust/source/anchors
curl -o startssl-ca-bundle.pem http://www.startssl.com/certs/ca-bundle.pem
Step Two: Rebuild the trust database
update-ca-trust
Step Three: Restart Postfix
service postfix restart
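The three steps above, wrapped up with the checks I would want around them: the bundle arrives over plain HTTP, so look at it before it becomes trusted, and once update-ca-trust has run, ask openssl directly whether the client certificate verifies instead of waiting for Postfix to complain. This is an added example, not code from the original post; ANCHOR_DIR and SYSTEM_BUNDLE are the CentOS 7 defaults as I know them, and EXPECTED_FP is a placeholder you fill from the CA's published fingerprint.

```shell
#!/bin/sh
# Added example: sanity-check a downloaded CA bundle, install it as an anchor,
# rebuild the trust store, then confirm the client certificate chains to it.
# Paths are CentOS 7 defaults (assumed); adjust for other systems.
ANCHOR_DIR="${ANCHOR_DIR:-/etc/pki/ca-trust/source/anchors}"
# The consolidated store that update-ca-trust regenerates (assumed path).
SYSTEM_BUNDLE="${SYSTEM_BUNDLE:-/etc/pki/tls/certs/ca-bundle.crt}"

# Number of PEM certificate blocks in a file (prints 0 if there are none).
count_certs() {
  grep -c '^-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null || true
}

# A bundle fetched over plain HTTP deserves a look before it is trusted:
# it must be non-empty, hold at least one certificate, and carry no key material.
# On success prints the certificate count; on failure explains why and returns 1.
check_bundle() {
  f="$1"
  [ -s "$f" ] || { echo "check_bundle: $f is missing or empty" >&2; return 1; }
  n=$(count_certs "$f")
  [ "$n" -gt 0 ] || { echo "check_bundle: no certificates in $f" >&2; return 1; }
  if grep -q 'PRIVATE KEY' "$f"; then
    echo "check_bundle: refusing $f, it contains private key material" >&2
    return 1
  fi
  echo "$n"
}

# Compare the first certificate's SHA-256 fingerprint with one obtained out of
# band (the CA's published value), so a tampered or swapped download is caught.
# EXPECTED_FP below is a placeholder, not a real StartSSL fingerprint.
check_fingerprint() {
  f="$1"; expected="${2:-$EXPECTED_FP}"
  actual=$(openssl x509 -in "$f" -noout -fingerprint -sha256 | cut -d= -f2)
  [ "$actual" = "$expected" ]
}

# Steps one and two from the post: copy into the anchors directory and rebuild.
install_anchor() {
  src="$1"; name="$2"
  check_bundle "$src" >/dev/null || return 1
  cp "$src" "$ANCHOR_DIR/$name"
  update-ca-trust
}

# After the rebuild: does the client certificate verify against the system store?
# A far quicker answer than Postfix's bare 'certificate verification failed'.
verify_client_cert() {
  openssl verify -CAfile "$SYSTEM_BUNDLE" "$1"
}

# Usage (as root):
#   curl -o /tmp/startssl-ca-bundle.pem http://www.startssl.com/certs/ca-bundle.pem
#   check_fingerprint /tmp/startssl-ca-bundle.pem "$EXPECTED_FP"
#   install_anchor /tmp/startssl-ca-bundle.pem startssl-ca-bundle.pem
#   verify_client_cert /path/to/client.pem && service postfix restart
```

If verify_client_cert reports "OK" but Postfix still rejects the certificate, the trust store is no longer the suspect and the search moves to Postfix's own TLS settings.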
And that takes care of that. I wish Postfix/OpenSSL had some better diagnostics when things go wrong, it would reduce the amount of guesswork required.
Postfix SASL support for sshguard
sshguard is a great tool for securing internet-facing servers. I've been using it for some time to protect from ssh brute-force attacks and IMAP server attacks.
However, the current version does not include attack signatures for Postfix, and my servers are seeing hundreds of brute-force connection attempts. These show up in logs like:
Oct 19 19:56:07 longbeach postfix/smtpd[2309]: warning: unknown[199.19.110.207]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Oct 19 19:56:21 longbeach postfix/smtpd[2309]: warning: unknown[199.19.110.207]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Anyway, I decided to check out the code and look at adding support for these lines. It was fairly simple, the only real complication was that the yacc-based parser did not accept the two-part process name ("postfix/smtpd"). A quick rule tweak took care of that.
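For anyone who wants to see who is hammering SASL before (or instead of) patching sshguard, the same match done with standard shell tools. This is an added example, neither sshguard's code nor part of the original post; the log lines in make_sample_log are constructed for the demo, copying the shape of the lines above plus two non-matching ones.

```shell
#!/bin/sh
# Added example: pick Postfix SASL authentication failures out of a mail log,
# count them per source address, and list the addresses over a threshold.

# Constructed sample log for the demo: two failures from one address, one from
# another, plus a connect line and an sshd line that must not match.
make_sample_log() {
  cat <<'EOF'
Oct 19 19:56:07 longbeach postfix/smtpd[2309]: warning: unknown[199.19.110.207]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Oct 19 19:56:21 longbeach postfix/smtpd[2309]: warning: unknown[199.19.110.207]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Oct 19 19:57:02 longbeach postfix/smtpd[2310]: warning: mail.example.test[203.0.113.5]: SASL PLAIN authentication failed: authentication failure
Oct 19 19:57:30 longbeach postfix/smtpd[2310]: connect from mail.example.test[203.0.113.5]
Oct 19 19:58:00 longbeach sshd[400]: Failed password for root from 198.51.100.9 port 2222 ssh2
EOF
}

# Print the source IPv4 address of every SASL authentication failure in $1.
# The pattern follows 'postfix/smtpd[pid]: warning: host[ip]: SASL <mech>
# authentication failed'; the two-part process name that tripped sshguard's
# parser is matched literally here. IPv6 peers ([IPv6:...]) are not matched.
sasl_failure_ips() {
  sed -n 's/.*postfix\/smtpd\[[0-9]*\]: warning: [^[]*\[\([0-9.]*\)]: SASL [A-Za-z0-9-]* authentication failed.*/\1/p' "$1"
}

# Failures per address, busiest first, as "count ip".
sasl_failures_by_ip() {
  sasl_failure_ips "$1" | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Addresses with at least $2 failures in log $1: the candidates for a block.
sasl_offenders() {
  sasl_failures_by_ip "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

# Usage:
#   make_sample_log > /tmp/sample.log
#   sasl_offenders /tmp/sample.log 2     # prints 199.19.110.207
#   sasl_offenders /var/log/maillog 5    # on a real server
```

The threshold is the whole policy here: sshguard adds the decay and the firewall handling, which is why teaching it the log line is the better long-term fix than running this from cron.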