Postfix
7513
Comment: trivial
|
5636
couple more minor simplfications
|
Deletions are marked like this. | Additions are marked like this. |
Line 12: | Line 12: |
apt-get install postfix postfix-tls libsasl2 sasl2-bin libsasl2-modules libdb3-util procmail }}} | apt-get install postfix postfix-tls }}} |
Line 108: | Line 109: |
Restart the postfix daemon like this:{{{ /etc/init.d/postfix restart}}} |
|
Line 111: | Line 114: |
Restart the postfix daemon like this:{{{ /etc/init.d/postfix restart}}} |
Authentication will be done by saslauthd. To install it, type: |
Line 114: | Line 116: |
Authentication will be done by saslauthd. We have to change a few things to make it work properly. Because Postfix runs chrooted in /var/spool/postfix we have to do the following: | {{{ apt-get install libsasl2 sasl2-bin libsasl2-modules libdb3-util procmail }}} We have to change a few things to make it work properly. Because Postfix runs chrooted in /var/spool/postfix we have to do the following: |
Line 155: | Line 161: |
/etc/init.d/saslauthd should now look like this: {{{ #!/bin/sh -e NAME=saslauthd DAEMON="/usr/sbin/${NAME}" DESC="SASL Authentication Daemon" DEFAULTS=/etc/default/saslauthd PWDIR="/var/spool/postfix/var/run/${NAME}" PIDFILE="${PWDIR}/saslauthd.pid" dir="root sasl 755 ${PWDIR}" createdir() { # $1 = user # $2 = group # $3 = permissions (octal) # $4 = path to directory [ -d "$4" ] || mkdir -p "$4" chown -c -h "$1:$2" "$4" chmod -c "$3" "$4" } test -f "${DAEMON}" || exit 0 # Source defaults file; edit that file to configure this script. if [ -e "${DEFAULTS}" ]; then . "${DEFAULTS}" fi # If we're not to start the daemon, simply exit if [ "${START}" != "yes" ]; then exit 0 fi # If we have no mechanisms defined if [ "x${MECHANISMS}" = "x" ]; then echo "You need to configure ${DEFAULTS} with mechanisms to be used" exit 0 fi # Add our mechanimsms with the necessary flag PARAMS="${PARAMS} -a ${MECHANISMS}" START="--start --quiet --pidfile ${PIDFILE} --startas ${DAEMON} --name ${NAME} -- ${PARAMS}" # Consider our options case "${1}" in start) echo -n "Starting ${DESC}: " #dir=`dpkg-statoverride --list $PWDIR` test -z "$dir" || createdir $dir if start-stop-daemon ${START} >/dev/null 2>&1 ; then echo "${NAME}." else if start-stop-daemon --test ${START} >/dev/null 2>&1; then echo "(failed)." exit 1 else echo "${DAEMON} already running." exit 0 fi fi ;; stop) echo -n "Stopping ${DESC}: " if start-stop-daemon --stop --quiet --pidfile "${PIDFILE}" \ --startas ${DAEMON} --retry 10 --name ${NAME} \ >/dev/null 2>&1 ; then echo "${NAME}." else if start-stop-daemon --test ${START} >/dev/null 2>&1; then echo "(not running)." exit 0 else echo "(failed)." exit 1 fi fi ;; restart|force-reload) $0 stop exec $0 start ;; *) echo "Usage: /etc/init.d/${NAME} {start|stop|restart|force-reload}" >&2 exit 1 ;; esac exit 0 }}} |
Introduction
ContentsBRTableOfContents |
Postfix is a Mail Transfer Agent (MTA) which is the default MTA for Ubuntu. It is in Ubuntu's main repository, which means that it receives security updates. This guide explains how to install and configure postfix and set it up as an SMTP server using a secure connection.
Installation
In order to install Postfix with SMTP-AUTH and TLS do the following steps:
apt-get install postfix postfix-tls
Configuration
Run:
dpkg-reconfigure postfix
Insert the following details when asked (replacing server1.example.com with your domain name if you have one):
- Internet Site
- NONE
- server1.example.com
- server1.example.com, localhost.example.com, localhost
- No
- 127.0.0.0/8
- 0
- +
Then run the following commands:
postconf -e 'smtpd_sasl_local_domain =' postconf -e 'smtpd_sasl_auth_enable = yes' postconf -e 'smtpd_sasl_security_options = noanonymous' postconf -e 'broken_sasl_auth_clients = yes' postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination' postconf -e 'inet_interfaces = all' echo 'pwcheck_method: saslauthd' >> /etc/postfix/sasl/smtpd.conf echo 'mech_list: plain login' >> /etc/postfix/sasl/smtpd.conf mkdir /etc/postfix/ssl cd /etc/postfix/ssl/ openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024 chmod 600 smtpd.key openssl req -new -key smtpd.key -out smtpd.csr openssl x509 -req -days 3650 -in smtpd.csr -signkey smtpd.key -out smtpd.crt openssl rsa -in smtpd.key -out smtpd.key.unencrypted mv -f smtpd.key.unencrypted smtpd.key openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650 postconf -e 'smtpd_tls_auth_only = no' postconf -e 'smtp_use_tls = yes' postconf -e 'smtpd_use_tls = yes' postconf -e 'smtp_tls_note_starttls_offer = yes' postconf -e 'smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key' postconf -e 'smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt' postconf -e 'smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem' postconf -e 'smtpd_tls_loglevel = 1' postconf -e 'smtpd_tls_received_header = yes' postconf -e 'smtpd_tls_session_cache_timeout = 3600s' postconf -e 'tls_random_source = dev:/dev/urandom' postconf -e 'myhostname = server1.example.com'
The file /etc/postfix/main.cf should now look like this:
# See /usr/share/postfix/main.cf.dist for a commented, more complete version smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu) biff = no # appending .domain is the MUA's job. append_dot_mydomain = no # Uncomment the next line to generate "delayed mail" warnings #delay_warning_time = 4h myhostname = server1.example.com alias_maps = hash:/etc/aliases alias_database = hash:/etc/aliases myorigin = /etc/mailname mydestination = server1.example.com, localhost.example.com, localhost relayhost = mynetworks = 127.0.0.0/8 mailbox_size_limit = 0 recipient_delimiter = + inet_interfaces = all smtpd_sasl_local_domain = smtpd_sasl_auth_enable = yes smtpd_sasl_security_options = noanonymous broken_sasl_auth_clients = yes smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject _unauth_destination smtpd_tls_auth_only = no smtp_use_tls = yes smtpd_use_tls = yes smtp_tls_note_starttls_offer = yes smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem smtpd_tls_loglevel = 1 smtpd_tls_received_header = yes smtpd_tls_session_cache_timeout = 3600s tls_random_source = dev:/dev/urandom
Restart the postfix daemon like this:
/etc/init.d/postfix restart
Authentication
Authentication will be done by saslauthd. To install it, type:
apt-get install libsasl2 sasl2-bin libsasl2-modules libdb3-util procmail
We have to change a few things to make it work properly. Because Postfix runs chrooted in /var/spool/postfix we have to do the following:
mkdir -p /var/spool/postfix/var/run/saslauthd rm -fr /var/run/saslauthd
Now we have to edit /etc/default/saslauthd in order to activate saslauthd. Remove # in front of START=yes and add the line PARAMS="-m /var/spool/postfix/var/run/saslauthd":
# This needs to be uncommented before saslauthd will be run automatically START=yes PARAMS="-m /var/spool/postfix/var/run/saslauthd" # You must specify the authentication mechanisms you wish to use. # This defaults to "pam" for PAM support, but may also include # "shadow" or "sasldb", like this: # MECHANISMS="pam shadow" MECHANISMS="pam"
Finally we have to edit /etc/init.d/saslauthd. Change the line
dir=`dpkg-statoverride --list $PWDIR`
to
#dir=`dpkg-statoverride --list $PWDIR`
Then change the variables PWDIR and PIDFILE and add the variable dir at the beginning of the file:
PWDIR="/var/spool/postfix/var/run/${NAME}" PIDFILE="${PWDIR}/saslauthd.pid" dir="root sasl 755 ${PWDIR}"
Testing
Now start saslauthd:
/etc/init.d/saslauthd start
To see if SMTP-AUTH and TLS work properly now run the following command:
telnet localhost 25
After you have established the connection to your postfix mail server type
ehlo localhost
If you see the lines
250-STARTTLS 250-AUTH
among others, everything is working.
Type quit to return to the system's shell.
Postfix (last edited 2008-08-06 16:25:51 by localhost)