HowTos/Postfix multiple domains
Scalix Wiki -> How-Tos -> Postfix integration with multiple domains
This setup has been tested on openSUSE 10.2 running Scalix 11.1. The configuration may differ slightly for other distros, but that is not covered in this article.
Portions here have been taken from http://www.scalix.com/wiki/index.php?title=HowTos/Complete_Postfix (especially the sasl/ldap integration).
Let's assume your scalix is handling mail for mydomain1.com, mydomain2.com and your MTA is also backup MX for foreigndomain1.com.
It is assumed that scalix and postfix run on the same server.
Contents
- 1 installing postfix
- 2 set scalix to listen on higher port
- 3 set up sasl authentication against scalix user base
- 4 prepare your transport file
- 5 prepare your domain file
- 6 prepare your global aliases
- 7 prepare file to check local recipients
- 8 prepare your postfix main.cf file
- 9 Instead of preparing all files manually, we can simplify things with one script
- 10 Now let's add SPAM and Anti-virus filters.
- 11 installing required packages
- 12 Add forced SSL support on Port 465 for Outlook
- 13 Integrate policyd-weight
- 14 Integrate Amavis-New
installing postfix
Install postfix and delete sendmail package through YaST -> Software Management. Select ignore conflicts when YaST starts complaining that sendmail is needed by other packages (i.e. scalix).
set scalix to listen on higher port
In order to switch Scalix to listen on a higher port, add the line
LISTEN=localhost:10026
to the file /var/opt/scalix/*/s/sys/smtpd.cfg
To activate the change execute /etc/init.d/scalix restart
set up sasl authentication against scalix user base
Edit /etc/sysconfig/saslauthd to look like this
SASLAUTHD_AUTHMECH=ldap
Create /etc/saslauthd.conf
ldap_servers: ldap://localhost:389/
ldap_search_base: o=Scalix
ldap_auth_method: bind
ldap_filter: omUlAuthid=%u
ldap_version: 3
ldap_bind_dn: cn=sxadmin,o=scalix
ldap_bind_pw: password
Replace password with your sxadmin's password
Edit /etc/sasl2/smtpd.conf to look like this
pwcheck_method: saslauthd
mech_list: plain login
To activate the change execute rcsaslauthd restart
prepare your transport file
Create /etc/postfix/my_transport file
mydomain1.com        smtp:[localhost]:10026
mydomain2.com        smtp:[localhost]:10026
# If you relay mail for non-local domains add something like this
foreigndomain1.com   smtp:[foreigndomain1_primary_mail_server.com]
To activate the change execute postmap /etc/postfix/my_transport
prepare your domain file
Create /etc/postfix/my_relay_domains file
mydomain1.com
mydomain2.com
foreigndomain1.com
prepare your global aliases
Create /etc/postfix/my_aliases.regexp file
/^(postmaster|domains|root|abuse|webmaster|sysadmin)@/ admin@mydomain1.com
prepare file to check local recipients
Create /etc/postfix/scalix_recipients file
server_host = ldap://localhost:389
# search_base is required by Postfix LDAP tables; it matches the ldap_search_base used for saslauthd above
search_base = o=Scalix
query_filter = mail=%s
bind = no
result_attribute = mail
prepare your postfix main.cf file
Edit /etc/postfix/main.cf with something like this
# Update next two lines with your real host name and domain name.
myhostname = my_host.mydomain1.com
mydomain = mydomain1.com
smtpd_banner = $myhostname ESMTP $mail_name (relaying disabled)
virtual_alias_maps = regexp:/etc/postfix/my_aliases.regexp
transport_maps = hash:/etc/postfix/my_transport
relay_recipient_maps = ldap:/etc/postfix/scalix_recipients
setgid_group = maildrop
daemon_directory = /usr/lib/postfix
relay_domains = /etc/postfix/my_relay_domains
disable_vrfy_command = yes
smtpd_sasl_auth_enable = yes
smtpd_helo_required = yes
smtpd_delay_reject = yes
smtpd_reject_unlisted_sender = yes
smtpd_reject_unlisted_recipient = yes
smtpd_helo_restrictions =
    permit_sasl_authenticated,
    permit_mynetworks,
    reject_invalid_hostname,
    reject_non_fqdn_hostname,
    reject_unknown_hostname,
    permit
smtpd_sender_restrictions =
    permit_sasl_authenticated,
    permit_mynetworks,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    permit
smtpd_recipient_restrictions =
    permit_sasl_authenticated,
    permit_mynetworks,
    reject_unauth_pipelining,
    reject_unauth_destination,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    permit
smtpd_data_restrictions =
    reject_unauth_pipelining,
    permit
smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_tls_security_level = may
smtpd_tls_received_header = yes
# Update the next line with real path and real cert for your server
smtpd_tls_cert_file = /etc/ssl/your_certificate.pem
smtpd_tls_CAfile = /etc/ssl/certs/CAcert-class1.crt
smtpd_tls_loglevel = 1
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 450
To activate the change execute rcpostfix restart
At this point postfix integration with Scalix is complete.
Instead of preparing all files manually, we can simplify things with one script
This script comes in handy whenever you add or remove a domain in Scalix and don't want to update the map files manually.
Create /etc/postfix/scalix_update-maps.sh shell script
#!/bin/sh
# This is raw code, no error checking so please verify things line by line by hand first
# Note: this regenerates my_relay_domains from the Scalix domain list only; backup-MX
# domains that are not known to Scalix (foreigndomain1.com above) must be re-added by hand.
grep ubermanager.console.localDomains /var/opt/scalix/??/caa/scalix.res/config/ubermanager.properties \
  | sed -e 's/ubermanager\.console\.localDomains=//g' -e 's/,/\n/g' \
  | awk -F "/" '{print $1}' > /etc/postfix/my_relay_domains
echo /etc/postfix/my_relay_domains ... updated
# The port must match the LISTEN= port set in smtpd.cfg above (10026)
sed -e 's/$/\tsmtp\:\[localhost\]\:10026/' /etc/postfix/my_relay_domains > /etc/postfix/my_transport
/usr/sbin/postmap /etc/postfix/my_transport
echo /etc/postfix/my_transport ... updated
/etc/init.d/postfix reload
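As an added example (not code from the page or from Scalix), the same map regeneration in Python, extended so that the backup-MX domains from the transport-file section survive a regeneration, plus a check that every relay domain has a transport entry. The ubermanager.properties sample and its "/mailnode" suffixes are constructed assumptions.

```python
import re

# Constructed sample of the property line the page's script greps for; the "/..."
# suffix on each entry is an assumption taken from the awk -F "/" in that script.
SAMPLE_PROPERTIES = """\
ubermanager.console.scheme=https
ubermanager.console.localDomains=mydomain1.com/mailnode1,mydomain2.com/mailnode2
"""
SCALIX_PORT = 10026   # the port given to LISTEN= in smtpd.cfg above
# Backup-MX domains are unknown to Scalix, so keep them here instead of in the
# generated file, where the next regeneration would silently drop them.
FOREIGN_TRANSPORTS = {
    "foreigndomain1.com": "smtp:[foreigndomain1_primary_mail_server.com]",
}

def scalix_local_domains(properties_text):
    """Domains listed in ubermanager.console.localDomains, without the /suffix."""
    m = re.search(r"^ubermanager\.console\.localDomains=(.*)$", properties_text, re.M)
    if not m:
        return []
    return [e.split("/")[0].strip().lower() for e in m.group(1).split(",") if e.strip()]

def build_maps(local_domains, foreign=FOREIGN_TRANSPORTS, port=SCALIX_PORT):
    """Return the contents of my_relay_domains and my_transport as two strings."""
    transport = {d: f"smtp:[localhost]:{port}" for d in local_domains}
    for domain, target in foreign.items():
        transport.setdefault(domain, target)   # never override a Scalix domain
    relay = "".join(f"{d}\n" for d in sorted(transport))
    trans = "".join(f"{d}\t{transport[d]}\n" for d in sorted(transport))
    return relay, trans

def missing_transports(relay_domains_text, transport_text):
    """Relay domains with no transport entry. Postfix would route those by MX
    lookup instead of to Scalix; for the local domains, whose MX is this host,
    that ends in a 'mail loops back to myself' bounce."""
    have = {l.split()[0] for l in transport_text.splitlines()
            if l.strip() and not l.startswith("#")}
    return [d for d in relay_domains_text.split() if d not in have]

if __name__ == "__main__":
    relay, trans = build_maps(scalix_local_domains(SAMPLE_PROPERTIES))
    print(relay + "\n" + trans)
    # write both under /etc/postfix/, then: postmap /etc/postfix/my_transport && postfix reload
```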
Now let's add SPAM and Anti-virus filters.
installing required packages
Through YaST -> Software Management install: amavisd-new, spamassassin, clamav, razor-agents and all required dependencies.
... to be continued when I get some more spare time ;) ...
As my setup is CentOS 5 based, I will just give some advice on how my setup works together.
Add forced SSL support on Port 465 for Outlook
Unfortunately there are some mail clients that do not support the STARTTLS feature. One way to achieve SSL support would be to use stunnel, as described in another HowTo somewhere on this site for IMAP/POP3. The problem with that approach is that you create an open relay :-) (connections forwarded by stunnel reach smtpd from 127.0.0.1, so they match permit_mynetworks). So let's just use the Postfix features; the only thing we have to do is to declare another service in master.cf:
smtps     inet  n       -       n       -       -       smtpd
    -o smtpd_tls_wrappermode=yes
    -o smtpd_sasl_auth_enable=yes
The smtpd_tls_wrappermode=yes directive does exactly what we want.
Integrate policyd-weight
Policyd-weight examines incoming mail during the SMTP delivery process, which means a recognised spam message is rejected at the SMTP level already, before it is ever queued. To achieve this, policyd-weight is hooked in as a check_policy_service. Add the check_policy_service line to smtpd_recipient_restrictions; the other entries are the defaults:
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    check_policy_service inet:127.0.0.1:12525,
    permit
That's all that has to be done on the Postfix side; now let's get policyd-weight running. Just download the latest version from the policyd-weight homepage, install it under /usr/sbin or /usr/local/sbin and check that it is executable.
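To show what the check_policy_service hook actually exchanges, here is an added example (not code from the page or from policyd-weight): it parses a constructed Postfix policy request and answers in the action-line format Postfix expects. The checks and weights are toy assumptions of this example, not policyd-weight's own scoring.

```python
# Constructed request in the attribute=value format Postfix sends to a
# check_policy_service; an empty line terminates the request.
SAMPLE_REQUEST = (
    "request=smtpd_access_policy\n"
    "protocol_state=RCPT\n"
    "client_address=192.0.2.10\n"
    "client_name=unknown\n"
    "reverse_client_name=unknown\n"
    "helo_name=localhost\n"
    "sender=someone@example.net\n"
    "recipient=user@mydomain1.com\n"
    "\n"
)
MY_HOSTNAME = "my_host.mydomain1.com"   # the myhostname value from main.cf above
REJECT_THRESHOLD = 3.0   # assumed toy threshold; policyd-weight has its own scores

def parse_policy_request(raw):
    """Read one request: name=value lines up to the terminating empty line."""
    attrs = {}
    for line in raw.split("\n"):
        if line == "":
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs

def score_request(attrs):
    """(reason, weight) pairs from cheap, DNS-free checks; weights are assumptions."""
    hits = []
    helo = attrs.get("helo_name", "").lower()
    if attrs.get("client_name", "unknown") == "unknown":   # no reverse DNS
        hits.append(("no_reverse_dns", 1.5))
    if "." not in helo:
        hits.append(("helo_not_fqdn", 1.5))
    if helo in ("localhost", MY_HOSTNAME) or helo == attrs.get("client_address"):
        hits.append(("helo_forged", 1.5))   # claims to be us, or a bare IP
    return hits

def policy_response(raw):
    """Build the reply Postfix expects: an action line followed by an empty line."""
    hits = score_request(parse_policy_request(raw))
    total = sum(w for _, w in hits)
    reasons = ",".join(r for r, _ in hits)
    if total >= REJECT_THRESHOLD:
        return f"action=550 Mail rejected by policy ({reasons}; score {total:.1f})\n\n"
    if hits:   # below threshold: like $ADD_X_HEADER=1, record the verdict in a header
        return f"action=PREPEND X-policy-weight: {total:.1f} ({reasons})\n\n"
    return "action=DUNNO\n\n"
```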
Running policyd-weight defaults prints the default settings. It is advisable to set only those options in the config file that differ from the defaults.
The default user policyd-weight runs as is "polw", so we create it:
adduser polw
Here is a sample start script for the daemon:
#! /bin/sh
# Basic support for IRIX style chkconfig
###
# chkconfig: 235 98 55
# description: Manages the services you are controlling with the chkconfig command
###
CONFFILE="/etc/policyd-weight.conf"
# Adjust the path below to where you installed policyd-weight (e.g. /usr/sbin or /usr/local/sbin)
case "$1" in
  start)
    echo -n "Starting policy-weight"
    # To run it as root:
    /usr/local/bin/policyd-weight -f "$CONFFILE" start
    echo "."
    ;;
  stop)
    echo -n "Stopping policy-weight"
    # To run it as root:
    /usr/local/bin/policyd-weight stop
    echo "."
    ;;
  *)
    echo "Usage: /sbin/service new-service {start|stop}"
    exit 1
    ;;
esac
exit 0
Create a default config file /etc/policyd-weight.conf:
$DEBUG=1;
$VERBOSE=1;
$ADD_X_HEADER= 1;
Take care that policyd-weight is started at system start up.
Integrate Amavis-New
Amavis-New is integrated as a content_filter. This requires small changes in master.cf and main.cf:
master.cf
lmtp-amavis unix - - n - 2 lmtp
    -o lmtp_data_done_timeout=1200
    -o lmtp_send_xforward_command=yes
    -o disable_dns_lookups=yes
    -o max_use=20
127.0.0.1:12526 inet n - n - - smtpd
    -o content_filter=
    -o smtpd_restriction_classes=
    -o smtpd_delay_reject=no
    -o smtpd_client_restrictions=permit_mynetworks,reject
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o smtpd_data_restrictions=reject_unauth_pipelining
    -o smtpd_end_of_data_restrictions=
    -o mynetworks=127.0.0.0/8
    -o smtpd_error_sleep_time=0
    -o smtpd_soft_error_limit=1001
    -o smtpd_hard_error_limit=1000
    -o smtpd_client_connection_count_limit=0
    -o smtpd_client_connection_rate_limit=0
    -o smtpd_milters=
    -o local_header_rewrite_clients=
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks
main.cf
content_filter = lmtp-amavis:[127.0.0.1]:10024
The transport name in front of the colon must match the service name declared in master.cf (lmtp-amavis above); otherwise Postfix has no transport to hand the mail to amavisd-new.
changes to amavisd-new.conf:
$inet_socket_port = 10024;   # listen on this local TCP port(s)
$max_servers = 2;            # must be equal to max_proc of lmtp-amavis client in master.cf
$notify_method = 'smtp:[127.0.0.1]:12526';
$forward_method = 'smtp:[127.0.0.1]:12526';
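An added consistency check (not from the page or from amavisd-new) for the three files above: it verifies that content_filter names a master.cf service, that $max_servers equals that service's maxproc, and that the re-injection listener used by $notify_method/$forward_method clears content_filter so scanned mail cannot loop back into amavis. The file fragments are constructed from the snippets above.

```python
import re
# Constructed fragments mirroring the page's master.cf, main.cf and amavisd.conf.
MASTER_CF = """\
lmtp-amavis unix  -  -  n  -  2  lmtp
  -o lmtp_data_done_timeout=1200
127.0.0.1:12526 inet n  -  n  -  -  smtpd
  -o content_filter=
"""
MAIN_CF = "content_filter = lmtp-amavis:[127.0.0.1]:10024\n"
AMAVISD_CONF = """\
$max_servers = 2;
$notify_method = 'smtp:[127.0.0.1]:12526';
$forward_method = 'smtp:[127.0.0.1]:12526';
"""

def parse_master_cf(text):
    # service name -> {'maxproc': 7th field, 'options': the indented "-o ..." lines}
    services, cur = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and cur:
            services[cur]["options"].append(line.strip())
        else:
            f = line.split()
            cur = f[0]
            services[cur] = {"maxproc": f[6], "options": []}
    return services

def amavisd_value(text, var):
    # value of a scalar "$var = ...;" assignment, quotes stripped
    m = re.search(rf"^\s*\${var}\s*=\s*'?([^';]*)'?\s*;", text, re.M)
    return m.group(1).strip() if m else None

def check_amavis_integration(master, main, amavisd):
    # returns the inconsistencies found; an empty list means the three files agree
    problems, services = [], parse_master_cf(master)
    m = re.search(r"^\s*content_filter\s*=\s*([^:\s]+):", main, re.M)
    name = m.group(1) if m else ""
    if name not in services:
        problems.append(f"content_filter transport '{name}' has no master.cf service")
    elif services[name]["maxproc"] != amavisd_value(amavisd, "max_servers"):
        problems.append(f"$max_servers differs from maxproc of {name}")
    for var in ("notify_method", "forward_method"):   # where amavis hands mail back
        target = (amavisd_value(amavisd, var) or "").partition(":")[2]
        listener = target.replace("[", "").replace("]", "")
        if listener not in services:
            problems.append(f"${var} target {listener} is not a master.cf listener")
        elif "-o content_filter=" not in services[listener]["options"]:
            problems.append(f"{listener} does not clear content_filter, mail would loop")
    return problems
```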