HowTos/Complete Postfix
Whether you want to avoid sendmail's archaic configuration syntax, or take advantage of postfix's modern and secure modular architecture, there are plenty of reasons to want to integrate postfix into a Scalix system.
After reading this howto you should be prepared to set up your MTA however you want to have it.
By then you'll have achieved the following:
- sendmail will be but a memory
- postfix will accept incoming mail from internet hosts to the domain
- postfix will allow relaying by authenticated clients
- postfix will deliver incoming mail that belongs to local users into the Scalix system
- amavisd-new will virus-scan and spam-check incoming mail
installing postfix
First you'll need to install postfix and stop sendmail. You'll probably want to leave sendmail installed to keep your package management happy - the Scalix Server RPM package depends on sendmail.
I'll go through these examples for RedHat/Fedora, and I've tested everything on Debian as well. If you use SuSE, well, I'm sorry.
RedHat:
Most of the software used in these examples comes from the RHEL 4U4 CD set. If you have a RedHat Network subscription you can just up2date install the packages rather than manually installing.
rpm -ivh postfix-2.2.10-1.RHEL4.2.i386.rpm system-switch-mail-0.5.25-3.noarch.rpm
Now that postfix is installed, switch to it by running system-switch-mail-nox. Then select postfix, and choose OK.
set postfix to listen on the external ip, omsmtpd to a high port
On a standard Scalix system omsmtpd listens on port 25 on the public IP while sendmail listens on port 25 on the loopback address. Because we want to leverage postfix's flexibility to add virus and spam scanning on incoming mail, we'll let postfix listen on both addresses and have it deliver to omsmtpd running on a high port.
To move omsmtpd's listening socket, add the line
LISTEN=$FQDN:10025
to the file /var/opt/scalix/*/s/sys/smtpd.cfg, replacing $FQDN with your server's fully qualified domain name.
To activate that change, restart omsmtpd with the commands omoff -d0 -w smtpd; omon smtpd
To let postfix take over the newly freed port, remove the line
inet_interfaces = localhost
from the file /etc/postfix/main.cf. Without that line postfix falls back to its default of listening on all interfaces, so it now answers on the public IP as well as on loopback.
To activate the second change, run /etc/init.d/postfix reload
Postfix has now taken over for omsmtpd. In the next section, we'll integrate them so that postfix passes incoming mail on to omsmtpd.
set up transport
When mail arrives, postfix needs to check which recipient addresses belong to the Scalix server and hand mail for those addresses to omsmtpd. Everything else postfix can deliver directly to its destination.
We'll set postfix up to check in the LDAP directory whether users' addresses are local. Create the file /etc/postfix/scalix-transport.cf and fill it with the following information about the LDAP directory.
server_host = ldap://localhost:5757
query_filter = mail=%s
bind = no
result_attribute = scalixInstanceMailHost
result_format = smtp:[%s]:10025
size_limit = 1
domain = scalix.demo
Be sure to put your own primary domain in place of scalix.demo above; the rest should be correct. You can verify the lookup with postmap -q user1@scalix.demo ldap:/etc/postfix/scalix-transport.cf (using one of your own addresses), which should print the smtp:[...]:10025 transport for that user.
Configure postfix to use that information for lookups by inserting the line
transport_maps = ldap:/etc/postfix/scalix-transport.cf
at the end of your /etc/postfix/main.cf file.
Now that postfix has replaced sendmail and taken over part of omsmtpd's job, it needs to accept mail submitted by POP3 and IMAP users. Those users will need to authenticate with their Scalix passwords in order to relay mail through the system.
setting up smtp-auth
Ensure that cyrus-sasl, cyrus-sasl-md5 and cyrus-sasl-plain are installed on RedHat. On Debian, run apt-get install libsasl2-modules-ldap sasl2-bin to install the necessary authentication helpers.
We'll use saslauthd to authenticate against Scalix's LDAP directory. First, make saslauthd use LDAP by setting MECH=ldap in the /etc/sysconfig/saslauthd file. In the same file, change the location of saslauthd's conf file and enable caching by setting FLAGS="-O /etc/postfix/saslauthd.conf -c". Also set saslauthd to start at boot with /sbin/chkconfig --level 345 saslauthd on
Create the directory /etc/postfix/sasl/ and the file /etc/postfix/sasl2/smtpd.conf which you'll fill with the following:
pwcheck_method: saslauthd
mech_list: PLAIN LOGIN
log_level: 5
saslauthd_path: /var/run/saslauthd/mux
auxprop_plugin: ldap
Now we need to tell sasl how to talk to the LDAP directory in /etc/postfix/saslauthd.conf:
ldap_servers: ldap://localhost:389/
ldap_search_base: o=Scalix
ldap_auth_method: bind
ldap_filter: omUlAuthid=%u
ldap_version: 3
ldap_bind_dn: cn=sxadmin,o=scalix
ldap_bind_pw: super_secret
Don't forget to put your real sxadmin password as ldap_bind_pw, and keep the file readable only by root and the saslauthd user, since it holds that password in clear text.
Now that sasl is set up, we need to configure postfix to use it. The following changes to the /etc/postfix/main.cf will cause postfix to use sasl to offer authenticated SMTP.
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = no
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
To require authentication in order to relay email over the system set the following rules, also in the /etc/postfix/main.cf file.
smtpd_client_restrictions = permit_mynetworks permit_sasl_authenticated reject
smtpd_sender_restrictions = permit_mynetworks permit_sasl_authenticated reject
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination
Just doing authenticated SMTP isn't enough on the modern internet; we should protect our passwords with encryption as well, since PLAIN and LOGIN send them in clear text.
configure tls on postfix
In order to encrypt SMTP (or any other) communication, you'll need a certificate. If you've never generated one before, this should be a pretty good starting place to get a handle on how SSL works, generate your first certificate signing request and self-sign it.
If you have generated a certificate before, either use that one or do it again. Come back when you have your certificate and place the files in /etc/ssl.
The following will configure postfix to offer STARTTLS to every client that connects to it, while refusing to offer authentication until the session has been encrypted.
smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/ssl/key.pem
smtpd_tls_cert_file = /etc/ssl/cert.pem
smtpd_tls_CAfile = /etc/ssl/cacert.pem
smtpd_tls_security_level = may
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
Now that the server is ready for the rigors of the internet, let's shore up our defenses by adding some malware protection.
protect against spam and virii
Unfortunately, RedHat doesn't package much in the way of defensive software in RHEL4. I'd recommend installing amavisd-new from rpmforge via apt. Amavisd is a wrapper that integrates best-of-breed anti-spam software such as SpamAssassin as well as anti-virus scanners such as ClamAV. If you have enterprise anti-virus licenses you can almost certainly integrate that product into Amavis (assuming it runs on Linux) to strengthen your defenses against malware.
Download apt and rpmforge from Dag's APT and RPM-Forge sites.
Install both rpms, then run apt-get update to get a current copy of the package lists.
Once everything is synchronized, run apt-get install clamav clamd spamassassin razor-agents perl-Razor-Agent amavisd-new to get a nice set of anti-spam and anti-virus tools.
Start amavisd with /etc/init.d/amavisd start, start spamassassin with /etc/init.d/spamassassin start and start clamav with /etc/init.d/clamd start to get them all ready.
Tell postfix about the newly installed services by adding the following to the bottom of /etc/postfix/master.cf
smtp-amavis unix - - n - 2 smtp
    -o smtp_data_done_timeout=1200
    -o smtp_send_xforward_command=yes
    -o disable_dns_lookups=yes
    -o max_use=20
127.0.0.1:10025 inet n - n - - smtpd
    -o content_filter=
    -o smtpd_restriction_classes=
    -o smtpd_delay_reject=no
    -o smtpd_client_restrictions=permit_mynetworks,reject
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o smtpd_data_restrictions=reject_unauth_pipelining
    -o smtpd_end_of_data_restrictions=
    -o mynetworks=127.0.0.0/8
    -o smtpd_error_sleep_time=0
    -o smtpd_soft_error_limit=1001
    -o smtpd_hard_error_limit=1000
    -o smtpd_client_connection_count_limit=0
    -o smtpd_client_connection_rate_limit=0
    -o smtpd_milters=
    -o local_header_rewrite_clients=
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks
Instruct postfix to use amavisd as a content filter by adding the following to the bottom of /etc/postfix/main.cf
content_filter=smtp-amavis:[127.0.0.1]:10024
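The two master.cf services above form a loop: postfix hands mail to amavisd on port 10024, and amavisd hands it back to the smtpd listening on 127.0.0.1:10025. That listener is the dangerous part, because it skips the recipient and content checks; if it is reachable from outside loopback, or forgets to clear content_filter, you get either an unscanned back door or mail that is filtered forever. The following is an added example (not code from the page or from Postfix) that parses master.cf syntax and checks those properties. The samples are constructed: MASTER_CF keeps the options from the page that matter for the check, and WEAK_MASTER_CF shows the mistakes it is meant to catch.

```python
"""Audit the content-filter re-injection listener in Postfix master.cf (added example).

Usage: python3 audit_master_cf.py [/etc/postfix/master.cf]
Without an argument the constructed WEAK_MASTER_CF sample is audited.
"""
import sys

# Constructed sample: the relevant options from the services this howto appends.
MASTER_CF = """\
smtp-amavis unix - - n - 2 smtp
    -o smtp_data_done_timeout=1200
    -o smtp_send_xforward_command=yes
    -o disable_dns_lookups=yes
    -o max_use=20
127.0.0.1:10025 inet n - n - - smtpd
    -o content_filter=
    -o smtpd_client_restrictions=permit_mynetworks,reject
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks=127.0.0.0/8
    -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks
"""

# Constructed sample with the classic mistakes: listener bound on every interface,
# content_filter not cleared (mail loop), mynetworks wide open, no client check.
WEAK_MASTER_CF = """\
smtp-amavis unix - - n - 2 smtp
    -o smtp_send_xforward_command=yes
10025 inet n - n - - smtpd
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks=0.0.0.0/0
"""

CONTENT_FILTER = "smtp-amavis:[127.0.0.1]:10024"   # the main.cf line from this howto
LOOPBACK_NETS = {"127.0.0.0/8", "127.0.0.1", "127.0.0.1/32", "[::1]", "[::1]/128"}


def parse_master_cf(text):
    """Return services as dicts; an indented line continues the previous service."""
    services = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t":
            if services:
                services[-1]["args"].extend(raw.split())
            continue
        fields = raw.split()
        if len(fields) < 8:          # service type private unpriv chroot wakeup maxproc command
            continue
        services.append({"name": fields[0], "type": fields[1],
                         "command": fields[7], "args": fields[8:]})
    return services


def overrides(service):
    """Collect the '-o key=value' overrides of a service into a dict."""
    opts, args = {}, service["args"]
    for i, a in enumerate(args):
        if a == "-o" and i + 1 < len(args):
            key, _, value = args[i + 1].partition("=")
            opts[key] = value
    return opts


def audit_filter_loop(master_cf_text, content_filter, reinject_port):
    """Return a list of findings; an empty list means the loop is wired safely."""
    services = parse_master_cf(master_cf_text)
    findings = []
    transport = content_filter.split(":", 1)[0]
    if not any(s["name"] == transport and s["type"] == "unix" for s in services):
        findings.append(f"content_filter names '{transport}' but master.cf has no such unix service")

    listeners = [s for s in services if s["type"] == "inet"
                 and s["name"].rsplit(":", 1)[-1] == str(reinject_port)]
    if not listeners:
        findings.append(f"no inet listener on port {reinject_port} to take mail back from the filter")
        return findings
    for s in listeners:
        o, name = overrides(s), s["name"]
        if not name.startswith("127.0.0.1:"):
            findings.append(f"listener '{name}' is not bound to 127.0.0.1: remote hosts could inject unscanned mail")
        if o.get("content_filter") != "":
            findings.append(f"listener '{name}' does not set an empty content_filter: scanned mail would be filtered again, forever")
        nets = o.get("mynetworks")
        if nets is None or not set(nets.split(",")) <= LOOPBACK_NETS:
            findings.append(f"listener '{name}' trusts mynetworks={nets or '(inherited from main.cf)'}; pin it to 127.0.0.0/8")
        for key in ("smtpd_client_restrictions", "smtpd_recipient_restrictions"):
            if "reject" not in o.get(key, "").split(","):
                findings.append(f"listener '{name}' does not end {key} with reject")
    return findings


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else WEAK_MASTER_CF
    for finding in audit_filter_loop(text, CONTENT_FILTER, 10025):
        print("WARNING:", finding)
```

Note that on this setup two different services listen on port 10025: omsmtpd on the server's public IP and the re-injection smtpd on 127.0.0.1. That only works because they are bound to different addresses, which is exactly what the bind check above enforces.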
Now postfix will send incoming mail to amavis to have it checked for virii and spam; a couple of amavisd-specific settings remain.
tuning amavisd
In /etc/amavisd.conf:
Set your domain name:
$mydomain = 'scalix.demo';
Uncomment the ClamAV scanner entry to activate it:
['ClamAV-clamd', \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd"], qr/\bOK$/, qr/\bFOUND$/, qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
Edit /etc/clamd.conf to include:
AllowSupplementaryGroups yes
LocalSocket /var/run/clamav/clamd
hardening postfix
In order to make your mail server more resilient to attack, you may want to consider adding the following security configuration to postfix.
Only accept email from well-behaved MTAs by replacing the restrictions configured above with the following:
smtpd_helo_required = yes
disable_vrfy_command = yes
smtpd_client_restrictions = permit_mynetworks permit_sasl_authenticated reject_maps_rbl reject_unknown_client
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated check_relay_domains
smtpd_sender_restrictions = permit_mynetworks permit_sasl_authenticated reject_invalid_hostname reject_unknown_sender_domain reject_non_fqdn_sender reject_maps_rbl reject_unauth_destination
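The three main.cf fragments in this howto (the SASL settings, the relay restrictions and the TLS settings in the smtp-auth and TLS sections, and the hardened restrictions just above) share one failure mode: a single wrong or missing token turns an authenticated relay into an open relay or a plaintext password leak, and postfix will not warn you. The following added example (not code from the page or from Postfix) parses main.cf syntax and audits those settings. HARDENED_MAIN_CF is a constructed sample built from the page's hardened values plus a placeholder maps_rbl_domains (dnsbl.example), because reject_maps_rbl consults that list and does nothing while it is empty; WEAK_MAIN_CF is a constructed sample of the mistakes the audit is meant to catch.

```python
"""Audit relay, SASL and TLS settings in a Postfix main.cf (added example).

Usage: python3 audit_main_cf.py [/etc/postfix/main.cf]
Without an argument the constructed WEAK_MAIN_CF sample is audited.
"""
import re
import sys

# Constructed sample: the hardened settings from this howto, plus a placeholder
# maps_rbl_domains (dnsbl.example) so that reject_maps_rbl has a list to consult.
HARDENED_MAIN_CF = """\
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_helo_required = yes
disable_vrfy_command = yes
maps_rbl_domains = dnsbl.example
smtpd_client_restrictions = permit_mynetworks permit_sasl_authenticated
    reject_maps_rbl reject_unknown_client
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated
    check_relay_domains
smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated
    reject_invalid_hostname reject_unknown_sender_domain reject_non_fqdn_sender
    reject_maps_rbl reject_unauth_destination
"""

# Constructed sample of the mistakes the audit is meant to catch.
WEAK_MAIN_CF = """\
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options =
smtpd_use_tls = yes
smtpd_client_restrictions = permit_mynetworks reject_maps_rbl
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, permit
"""

# Restrictions that stop relaying to foreign domains before the list runs out.
RELAY_STOPPERS = {"reject", "reject_unauth_destination", "defer_unauth_destination",
                  "check_relay_domains"}


def parse_main_cf(text):
    """Parse 'key = value' lines; indented lines continue the previous value,
    and a later assignment overrides an earlier one, as postfix itself does."""
    params, key = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and key is not None:
            params[key] = (params[key] + " " + raw.strip()).strip()
            continue
        m = re.match(r"^([A-Za-z0-9_]+)\s*=\s*(.*)$", raw)
        if m:
            key = m.group(1)
            params[key] = m.group(2).strip()
    return params


def tokens(value):
    """Split a restriction list on whitespace and/or commas."""
    return [t for t in re.split(r"[\s,]+", value) if t]


def audit(params):
    """Return a list of findings; an empty list means nothing to report."""
    findings = []
    yes = lambda k: params.get(k, "no").lower() == "yes"

    rcpt = tokens(params.get("smtpd_recipient_restrictions",
                             "permit_mynetworks reject_unauth_destination"))  # postfix default
    stop = [i for i, t in enumerate(rcpt) if t in RELAY_STOPPERS]
    if not stop:
        findings.append("open relay: smtpd_recipient_restrictions never rejects unauthorized destinations")
    elif "permit" in rcpt and rcpt.index("permit") < stop[0]:
        findings.append("open relay: blanket 'permit' precedes the relay check in smtpd_recipient_restrictions")

    if yes("smtpd_sasl_auth_enable"):
        if not yes("smtpd_tls_auth_only"):
            findings.append("plaintext passwords: SASL enabled without smtpd_tls_auth_only = yes")
        if "noanonymous" not in tokens(params.get("smtpd_sasl_security_options", "noanonymous")):
            findings.append("anonymous SASL: smtpd_sasl_security_options lacks 'noanonymous'")
    if yes("smtpd_tls_auth_only") and not (
            yes("smtpd_use_tls") or params.get("smtpd_tls_security_level", "none") in ("may", "encrypt")):
        findings.append("smtpd_tls_auth_only is set but TLS is not enabled, so AUTH is never offered")
    if not yes("disable_vrfy_command"):
        findings.append("VRFY enabled: remote hosts can probe for valid addresses")

    restriction_keys = [k for k in params if k.startswith("smtpd_") and k.endswith("_restrictions")]
    all_restrictions = " ".join(params[k] for k in restriction_keys)
    if "reject_maps_rbl" in tokens(all_restrictions) and not tokens(params.get("maps_rbl_domains", "")):
        findings.append("reject_maps_rbl has no effect because maps_rbl_domains is empty")
    return findings


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else WEAK_MAIN_CF
    for finding in audit(parse_main_cf(text)):
        print("WARNING:", finding)
```

One caveat the audit does not flag, because it is a delivery problem rather than a security one: a trailing reject in smtpd_client_restrictions or smtpd_sender_restrictions, as in the first version of the restrictions above, turns away every client that is neither in mynetworks nor authenticated, internet MTAs delivering to your domain included. The hardened variant drops that trailing reject, which is what lets inbound mail through while check_relay_domains still refuses relaying.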
This is just a start, take a look at this and this to get started fighting spam with postfix!
test your setup
Send yourself some email and look at the full headers. You should see a line like
X-Virus-Scanned: amavisd-new at scalix.demo
in the full email headers.
You can also watch the mail log with tail -n 50 -f /var/log/maillog or tail -n 50 -f /var/log/mail.log depending on your system setup.
You'll see your test emails go by, looking something like the following:
Jun 2 07:20:09 rightbrain postfix/qmgr[9701]: 0AA6816860D: from=<user1@scalix.demo>, size=920, nrcpt=2 (queue active)
Jun 2 07:20:09 rightbrain amavis[9768]: (09768-01) Passed CLEAN, LOCAL [10.211.55.2] [10.211.55.2] <user1@scalix.demo> -> <user1@scalix.demo>,<user2@scalix.demo>, Message-ID: <4660D7D0.5080706@scalix.demo>, mail_id: SQBCQ+o1haQX, Hits: 1.459, queued_as: 0AA6816860D, 23958 ms
Jun 2 07:20:09 rightbrain postfix/smtp[9887]: < 127.0.0.1[127.0.0.1]: 250 2.6.0 Ok, id=09768-01, from MTA([127.0.0.1]:10025): 250 Ok: queued as 0AA6816860D
Jun 2 07:20:09 rightbrain postfix/smtp[9887]: B0E0D16860A: to=<user1@scalix.demo>, relay=127.0.0.1[127.0.0.1], delay=27, status=sent (250 2.6.0 Ok, id=09768-01, from MTA([127.0.0.1]:10025): 250 Ok: queued as 0AA6816860D)
Jun 2 07:20:15 rightbrain postfix/smtp[9905]: 0AA6816860D: to=<user1@scalix.demo>, relay=rightbrain.scalix.demo[10.211.55.9], delay=6, status=sent (250 Ok)
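Reading those lines by eye works for one test message; for day-to-day monitoring you want the amavis verdict and the final postfix delivery tied together by the queue id that amavis reports as queued_as. The following is an added example (not code from the page, from amavisd-new or from Postfix) that does that correlation. The sample log consists of the five lines shown above plus two constructed amavis lines, one for a blocked virus (named after the EICAR test file) and one for blocked spam; the quarantine names, addresses and mail_ids in those two lines are made up.

```python
"""Correlate amavisd-new verdicts with Postfix delivery in a mail log (added example).

Usage: python3 mail_log_summary.py [/var/log/maillog]
Without an argument the constructed SAMPLE_LOG is summarised.
"""
import re
import sys

# Sample log: the page's five lines, then two constructed amavis lines.
SAMPLE_LOG = """\
Jun 2 07:20:09 rightbrain postfix/qmgr[9701]: 0AA6816860D: from=<user1@scalix.demo>, size=920, nrcpt=2 (queue active)
Jun 2 07:20:09 rightbrain amavis[9768]: (09768-01) Passed CLEAN, LOCAL [10.211.55.2] [10.211.55.2] <user1@scalix.demo> -> <user1@scalix.demo>,<user2@scalix.demo>, Message-ID: <4660D7D0.5080706@scalix.demo>, mail_id: SQBCQ+o1haQX, Hits: 1.459, queued_as: 0AA6816860D, 23958 ms
Jun 2 07:20:09 rightbrain postfix/smtp[9887]: < 127.0.0.1[127.0.0.1]: 250 2.6.0 Ok, id=09768-01, from MTA([127.0.0.1]:10025): 250 Ok: queued as 0AA6816860D
Jun 2 07:20:09 rightbrain postfix/smtp[9887]: B0E0D16860A: to=<user1@scalix.demo>, relay=127.0.0.1[127.0.0.1], delay=27, status=sent (250 2.6.0 Ok, id=09768-01, from MTA([127.0.0.1]:10025): 250 Ok: queued as 0AA6816860D)
Jun 2 07:20:15 rightbrain postfix/smtp[9905]: 0AA6816860D: to=<user1@scalix.demo>, relay=rightbrain.scalix.demo[10.211.55.9], delay=6, status=sent (250 Ok)
Jun 2 07:25:41 rightbrain amavis[9769]: (09769-01) Blocked INFECTED (Eicar-Test-Signature), [203.0.113.7] [203.0.113.7] <sender@example.net> -> <user2@scalix.demo>, quarantine: virus-CONSTRUCTED1, Message-ID: <abc@example.net>, mail_id: AbCdEf012345, Hits: -, 812 ms
Jun 2 07:31:02 rightbrain amavis[9770]: (09770-01) Blocked SPAM, [198.51.100.9] [198.51.100.9] <bulk@example.com> -> <user1@scalix.demo>, quarantine: spam-CONSTRUCTED2, Message-ID: <xyz@example.com>, mail_id: GhIjKl678901, Hits: 17.3, 2043 ms
"""

# One amavis verdict line: action, verdict, optional detail, sender, recipients,
# spam score ('-' when no score was computed) and, for passed mail, the new queue id.
AMAVIS_RE = re.compile(
    r"amavis\[\d+\]: \((?P<id>[\d-]+)\) (?P<action>Passed|Blocked) (?P<verdict>[A-Z-]+)"
    r"(?: \((?P<detail>[^)]*)\))?,.*?<(?P<sender>[^>]*)> -> (?P<rcpts>(?:<[^>]*>,?)+)"
    r".*?mail_id: (?P<mail_id>\S+), Hits: (?P<hits>\S+?),(?: queued_as: (?P<queued_as>\S+),)?"
)
# One postfix/smtp delivery attempt: queue id, recipient, relay and status.
SMTP_RE = re.compile(
    r"postfix/smtp\[\d+\]: (?P<qid>[0-9A-F]+): to=<(?P<rcpt>[^>]*)>, relay=(?P<relay>[^,]+),"
    r".*?status=(?P<status>\w+)"
)


def summarize(log_text):
    """Return one dict per amavis verdict, with the final delivery result attached."""
    deliveries = {}                       # queue id -> [(relay, status), ...]
    for line in log_text.splitlines():
        m = SMTP_RE.search(line)
        if m:
            deliveries.setdefault(m.group("qid"), []).append((m.group("relay"), m.group("status")))

    messages = []
    for line in log_text.splitlines():
        m = AMAVIS_RE.search(line)
        if not m:
            continue
        qid = m.group("queued_as")
        # Delivery to 127.0.0.1 is only the hand-off into the filter loop; the real
        # delivery is the attempt on the re-queued id that went to some other relay.
        delivered = any(status == "sent" and not relay.startswith("127.0.0.1")
                        for relay, status in deliveries.get(qid, []))
        messages.append({
            "id": m.group("id"),
            "action": m.group("action"),
            "verdict": m.group("verdict"),
            "detail": m.group("detail"),
            "sender": m.group("sender"),
            "recipients": re.findall(r"<([^>]*)>", m.group("rcpts")),
            "hits": None if m.group("hits") == "-" else float(m.group("hits")),
            "queued_as": qid,
            "delivered": delivered,
        })
    return messages


def count_by_verdict(messages):
    counts = {}
    for msg in messages:
        counts[msg["verdict"]] = counts.get(msg["verdict"], 0) + 1
    return counts


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for msg in summarize(text):
        detail = f" ({msg['detail']})" if msg["detail"] else ""
        print(f"{msg['id']} {msg['action']} {msg['verdict']}{detail} hits={msg['hits']} "
              f"from={msg['sender']} to={','.join(msg['recipients'])} delivered={msg['delivered']}")
    print(count_by_verdict(summarize(text)))
```

A message that amavis reports as Passed but that never shows a status=sent line for its queued_as id is the case worth alerting on: the scanner accepted it, but the final hop to omsmtpd on port 10025 did not complete.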
Enjoy your spiffy mail server!