Difference between revisions of "HowTos/Complete Postfix"
Revision as of 01:45, 2 June 2007
If you hate sendmail as much as I do, you've probably been wanting to switch it out with postfix for a while.
Here's the quick and dirty on how to do that.
When you finish this howto you'll have achieved the following:
- sendmail will be gone
- postfix will accept incoming mail from authenticated clients
- postfix will virus-scan incoming mail
- postfix will deliver incoming mail that belongs to local users to scalix
conventions
throughout this document, $FQDN means the fully qualified domain name of your server.
installing postfix
first you'll need to install postfix and ditch sendmail.
redhat:
  rpm -ivh postfix system-switch-mail
then run system-switch-mail, select postfix, and ok.
set postfix to listen on the external ip, omsmtpd to a high port
add the line LISTEN=$FQDN:10025 to your /var/opt/scalix/*/s/sys/smtpd.cfg, then restart omsmtpd to activate the config:
  omoff -d0 -w smtpd; omon smtpd
this moves scalix's own smtp daemon off port 25 so that postfix can take it over. keep in mind that the amavisd reinjection listener added later in this howto also uses port 10025, bound to 127.0.0.1: the two only stay apart if the host name that your transport lookups return for scalix resolves to $FQDN and not to the loopback address.
remove the line inet_interfaces = localhost from /etc/postfix/main.cf so that postfix listens on every interface (the default is inet_interfaces = all), then run /etc/init.d/postfix reload. from this point on postfix is reachable from the outside, so the restrictions set up further down are what keeps it from being an open relay.
set up transport
you'll want postfix to check which addresses belong to scalix and deliver email there. to do this, create the file /etc/postfix/scalix-transport.cf and fill it with:
  server_host = ldap://localhost:5757
  query_filter = mail=%s
  bind = no
  result_attribute = scalixInstanceMailHost
  result_format = smtp:[%s]:10025
  size_limit = 1
  domain = scalix.demo
with domain = scalix.demo only addresses in that domain are looked up at all; everything else falls through to normal delivery, so the directory is never consulted for outside recipients.
then add the line transport_maps = ldap:/etc/postfix/scalix-transport.cf to your /etc/postfix/main.cf
now postfix has replaced sendmail for incoming mail. to fully replace omsmtpd, which scalix clients used for authenticated submission, it also needs to authenticate users.
setting up smtp-auth
ensure that cyrus-sasl, cyrus-sasl-md5 and cyrus-sasl-plain are installed.
we'll use saslauthd to authenticate against scalix's ldap directory. first set saslauthd up to do ldap by setting MECH=ldap in /etc/sysconfig/saslauthd. in the same file, point saslauthd at its own config file, turn on result caching and put its socket under postfix's spool by setting
  FLAGS="-O /etc/postfix/saslauthd.conf -c -m /var/spool/postfix/var/run/saslauthd"
-m names the directory saslauthd creates its mux socket in, so with this flag the socket is /var/spool/postfix/var/run/saslauthd/mux, and the saslauthd_path in smtpd.conf below has to say so (the directory must exist before saslauthd starts). -c means that a password which was just verified is accepted from cache for a while, so a password that is changed or disabled in scalix keeps working on smtp until the cached entry expires. also set saslauthd to start at boot, and start it now:
  /sbin/chkconfig --level 345 saslauthd on
  /etc/init.d/saslauthd start
create the directory /etc/postfix/sasl2/ and edit /etc/postfix/sasl2/smtpd.conf with the following:
  pwcheck_method: saslauthd
  mech_list: PLAIN LOGIN
  log_level: 5
  saslauthd_path: /var/spool/postfix/var/run/saslauthd/mux
  auxprop_plugin: ldap
saslauthd_path has to be the socket that the -m flag above produces, seen from where smtpd runs; the stock rhel master.cf runs smtpd unchrooted, so that is the full path. if you run smtpd chrooted in /var/spool/postfix, use /var/run/saslauthd/mux instead. mech_list is limited to PLAIN and LOGIN because saslauthd can only verify a password it is handed in the clear, which is why tls is made a precondition for auth further down. auxprop_plugin is only consulted when pwcheck_method is auxprop, so it does nothing here.
now we need to configure our ldap parameters in /etc/postfix/saslauthd.conf:
  ldap_servers: ldap://localhost:389/
  ldap_search_base: o=Scalix
  ldap_auth_method: bind
  ldap_filter: omUlAuthid=%u
  ldap_version: 3
  ldap_bind_dn: cn=sxadmin,o=scalix
  ldap_bind_pw: super_secret
this file holds the admin bind password, so make it owned by root and readable by root only (saslauthd runs as root). with ldap_auth_method: bind, saslauthd first searches for the entry matching the filter using the bind dn, then binds as the entry it found with the password the client supplied; the directory itself decides whether the password is right, and saslauthd never compares it.
now we configure postfix to use sasl in the main.cf:
  smtpd_sasl_auth_enable = yes
  smtpd_sasl_authenticated_header = no
  smtpd_sasl_local_domain =
  smtpd_sasl_security_options = noanonymous
  broken_sasl_auth_clients = yes
noanonymous keeps the ANONYMOUS mechanism out. it does not stop PLAIN and LOGIN from being offered on a plaintext connection, which is acceptable here only because the tls section below makes a tls session a precondition for auth. broken_sasl_auth_clients additionally advertises the mechanisms in the old, non-standard AUTH=... form for outdated outlook and outlook express clients.
and we configure postfix to require sasl:
  smtpd_client_restrictions =
      permit_mynetworks
      permit_sasl_authenticated
      reject
  smtpd_sender_restrictions =
      permit_mynetworks
      permit_sasl_authenticated
      reject
  smtpd_recipient_restrictions =
      permit_mynetworks
      permit_sasl_authenticated
      reject_unauth_destination
be aware of what the reject in the client and sender lists does: every connection that is neither from mynetworks nor sasl-authenticated is turned away, so this is a submission-only server and will not take mail from other mail servers on the internet for your scalix users. if this box is also supposed to receive your domain's mail, drop the two reject lines and let reject_unauth_destination in the recipient list do the relay control; that single rule is what prevents an open relay, and it must stay.
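saslauthd's -m flag and smtpd.conf's saslauthd_path live in two different files and silently disagree when one is changed without the other; postfix then cannot reach saslauthd and every login fails. The script below is an added example, not part of this howto or of the cyrus-sasl or postfix distributions. It reads the two settings from text in the formats the howto uses, says whether they name the same socket, checks that the file holding the ldap bind password is private, and wraps testsaslauthd (shipped with cyrus-sasl) for a live test. The sample texts are constructed from the values on this page: SMTPD_CONF_PAGE uses /var/run/saslauthd/mux, SMTPD_CONF_FIXED the socket under the postfix spool; which one is right depends on whether smtpd runs chrooted.

```shell
#!/bin/sh
# Added example, not from the Scalix howto: check that saslauthd and postfix
# agree on the mux socket, that the ldap bind password file is private, and
# (live) that saslauthd accepts a scalix login. File layout as in the howto.

# Directory named by -m in a /etc/sysconfig/saslauthd FLAGS= line (text in $1);
# empty if -m is not set.
saslauthd_mux_dir() {
    printf '%s\n' "$1" | sed -n 's/^FLAGS=.*-m[[:space:]]*\([^[:space:]"]*\).*/\1/p' | head -n 1
}

# Socket that postfix's smtpd.conf (text in $1) tells libsasl to connect to.
smtpd_saslauthd_path() {
    printf '%s\n' "$1" | sed -n 's/^saslauthd_path:[[:space:]]*//p' | head -n 1
}

# Return 0 when both files name the same socket.
# $1 = sysconfig text, $2 = smtpd.conf text,
# $3 = y if smtpd runs chrooted in master.cf (it then sees /var/spool/postfix as /).
sasl_paths_agree() {
    dir=$(saslauthd_mux_dir "$1")
    [ -n "$dir" ] || dir=/var/run/saslauthd   # rhel's compiled-in default when -m is absent
    sock="$dir/mux"
    [ "$3" = y ] && sock=$(printf '%s' "$sock" | sed 's|^/var/spool/postfix||')
    [ "$(smtpd_saslauthd_path "$2")" = "$sock" ]
}

# Return 0 when permission bits ($1, as printed by stat -c %a) grant nothing
# to group or others; /etc/postfix/saslauthd.conf holds the ldap bind password.
bindpw_file_private() {
    case "$1" in
        [0-7]00|[0-7][0-7]00) return 0 ;;
        *) return 1 ;;
    esac
}

# Live: verify a user's password through the same socket postfix will use
# (testsaslauthd ships with cyrus-sasl; run as root).
probe_saslauthd() {  # $1 = user, $2 = password, $3 = mux socket
    testsaslauthd -u "$1" -p "$2" -f "$3"
}

# Constructed samples built from the values in this howto: the FLAGS line puts
# the socket under /var/spool/postfix; the two smtpd.conf variants point at
# the socket as seen by a chrooted and by an unchrooted smtpd respectively.
SYSCONFIG_PAGE='MECH=ldap
FLAGS="-O /etc/postfix/saslauthd.conf -c -m /var/spool/postfix/var/run/saslauthd"'
SMTPD_CONF_PAGE='pwcheck_method: saslauthd
mech_list: PLAIN LOGIN
saslauthd_path: /var/run/saslauthd/mux'
SMTPD_CONF_FIXED='pwcheck_method: saslauthd
mech_list: PLAIN LOGIN
saslauthd_path: /var/spool/postfix/var/run/saslauthd/mux'

if [ "${1:-}" = check ]; then
    sc=$(cat /etc/sysconfig/saslauthd)
    sm=$(cat /etc/postfix/sasl2/smtpd.conf)
    if sasl_paths_agree "$sc" "$sm" n; then
        echo "socket paths agree"
    else
        echo "mismatch: smtpd.conf says $(smtpd_saslauthd_path "$sm"), saslauthd creates $(saslauthd_mux_dir "$sc")/mux"
    fi
    bindpw_file_private "$(stat -c %a /etc/postfix/saslauthd.conf)" || echo "saslauthd.conf is readable by group/others"
    [ $# -ge 3 ] && probe_saslauthd "$2" "$3" "$(saslauthd_mux_dir "$sc")/mux"
fi
```

Run it as `sh sasl-check.sh check` on the mail server to compare the two real files, or `sh sasl-check.sh check USER PASSWORD` to also send a login through saslauthd; testsaslauthd prints "0: OK" on success and "0: NO" when the directory refused the bind.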
now that we do authenticated smtp, we should be encrypting as well
in order to encrypt smtp communication, you'll need a certificate. if you've never generated one before, http://www.redhat.com/docs/manuals/enterprise/RHEL-5-manual/Deployment_Guide-en-US/s1-httpd-secure-server.html should be a pretty good starting place to get a handle on how ssl is working.
if you have generated a certificate before, either use that one or do it again. come back when you have it and put the private key in /etc/ssl/key.pem, the certificate in /etc/ssl/cert.pem and the ca certificate (or chain) that issued it in /etc/ssl/cacert.pem; those are the names the config below uses. the key file must be owned by root and mode 0600, since anyone who can read it can impersonate your server to your users.
configure postfix to do tls, and to require tls for authenticated sessions:
  smtpd_use_tls = yes
  smtpd_tls_auth_only = yes
  smtpd_tls_key_file = /etc/ssl/key.pem
  smtpd_tls_cert_file = /etc/ssl/cert.pem
  smtpd_tls_CAfile = /etc/ssl/cacert.pem
  smtpd_tls_security_level = may
  smtpd_tls_received_header = yes
  smtpd_tls_session_cache_timeout = 3600s
  tls_random_source = dev:/dev/urandom
smtpd_tls_security_level = may (postfix 2.3 and later) offers starttls without demanding it and makes the older smtpd_use_tls = yes redundant. leave it opportunistic: remote mail servers that do not speak tls must still be able to talk to you, and it is smtpd_tls_auth_only that guarantees credentials only ever travel inside a tls session, because AUTH is not even advertised until starttls has completed.
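The check a practitioner wants after the auth and tls sections above is to confirm, from a second machine, that postfix hides AUTH until STARTTLS has happened, accepts AUTH PLAIN inside tls, and still refuses to relay for an unauthenticated client. The script below is an added example, not part of this howto or of the postfix or scalix distributions. It assumes openssl and nc on the machine you test from; mail.scalix.demo, probe.example, the addresses and the user name are placeholders, and the sample replies embedded in it are constructed, not captured from a real server.

```shell
#!/bin/sh
# Added example, not from the Scalix howto: probe the finished server for the
# behaviour the auth and tls sections are meant to produce. Needs openssl and
# nc on the probing host; host and user names are placeholders.

# SASL PLAIN initial response (RFC 4616): base64 of NUL user NUL password.
auth_plain_token() {  # $1 = user, $2 = password
    printf '\000%s\000%s' "$1" "$2" | base64 | tr -d '\n'
}

# Return 0 when an EHLO reply ($1) offers STARTTLS and hides AUTH, which is
# what smtpd_tls_auth_only = yes must produce on a plaintext connection.
ehlo_pre_tls_ok() {
    printf '%s\n' "$1" | grep -q '^250[- ]STARTTLS' || return 1
    printf '%s\n' "$1" | grep -q '^250[- ]AUTH' && return 1
    return 0
}

# Return 0 when an EHLO reply ($1) offers AUTH with both PLAIN and LOGIN,
# expected only after STARTTLS.
ehlo_post_tls_ok() {
    printf '%s\n' "$1" | grep -q '^250[- ]AUTH .*PLAIN' || return 1
    printf '%s\n' "$1" | grep -q '^250[- ]AUTH .*LOGIN'
}

# Nth complete server reply in a transcript ($1): the last line of every reply
# is "ddd text" (space after the code); continuation lines use "ddd-".
nth_reply() {  # $1 = transcript, $2 = n
    printf '%s\n' "$1" | grep '^[0-9][0-9][0-9] ' | sed -n "${2}p"
}

# Return 0 when a reply line ($1) is a permanent rejection (5xx).
reply_rejects() {
    case "$1" in
        5[0-9][0-9]\ *|5[0-9][0-9]-*) return 0 ;;
        *) return 1 ;;
    esac
}

# Live: plaintext session that asks for an outside recipient without auth.
# Replies: 1 banner, 2 EHLO, 3 MAIL FROM, 4 RCPT TO, 5 QUIT.
probe_pre_tls() {  # $1 = host
    printf 'EHLO probe.example\r\nMAIL FROM:<probe@example.org>\r\nRCPT TO:<someone@example.net>\r\nQUIT\r\n' \
        | nc -w 5 "$1" 25
}

# Live: STARTTLS, then AUTH PLAIN; expect 235 on success, 535 on a bad password.
probe_auth_over_tls() {  # $1 = host, $2 = user, $3 = password
    printf 'EHLO probe.example\r\nAUTH PLAIN %s\r\nQUIT\r\n' "$(auth_plain_token "$2" "$3")" \
        | openssl s_client -quiet -starttls smtp -connect "$1:25" 2>/dev/null
}

# Constructed sample replies (not captured from a real server) showing the
# wanted behaviour; used when no host is given.
SAMPLE_EHLO_PRE='250-mail.scalix.demo
250-PIPELINING
250-SIZE 10240000
250-STARTTLS
250 8BITMIME'
SAMPLE_EHLO_POST='250-mail.scalix.demo
250-PIPELINING
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250 8BITMIME'
SAMPLE_TRANSCRIPT="220 mail.scalix.demo ESMTP Postfix
$SAMPLE_EHLO_PRE
250 2.1.0 Ok
554 5.7.1 <someone@example.net>: Relay access denied
221 2.0.0 Bye"

if [ -n "${1:-}" ]; then
    out=$(probe_pre_tls "$1")
    ehlo_pre_tls_ok "$out" && echo "pre-tls: STARTTLS offered, AUTH hidden" || echo "pre-tls: WRONG"
    reply_rejects "$(nth_reply "$out" 4)" && echo "unauthenticated relay rejected" || echo "relay NOT rejected"
else
    ehlo_pre_tls_ok "$SAMPLE_EHLO_PRE" && ehlo_post_tls_ok "$SAMPLE_EHLO_POST" \
        && reply_rejects "$(nth_reply "$SAMPLE_TRANSCRIPT" 4)" && echo "sample transcripts pass"
fi
```

Run it with the server's host name as the only argument to probe a live server over port 25; call probe_auth_over_tls with a real scalix user afterwards and look for a 235 reply. If the EHLO on the plaintext connection lists AUTH, smtpd_tls_auth_only is not in effect; if the RCPT TO for the outside address gets a 250 rather than a 5xx, the relay control in smtpd_recipient_restrictions is broken and the server is an open relay.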
time to take on spam and viruses
unfortunately, what to do about a/v on rhel is not cut and dried. i'd recommend installing amavisd-new via apt.
get apt and rpmforge from http://dag.wieers.com/rpm/packages/apt/ and http://dag.wieers.com/rpm/packages/rpmforge-release/. rpmforge is a third-party repository, so you are putting dag's packages and signing key into the path every message takes through your server; import the repository key and check the rpm signatures before you install anything from it.
install both rpms, run apt-get update, then
  apt-get install clamav clamd spamassassin razor-agents perl-Razor-Agent amavisd-new
will get you a nice set of anti-spam and anti-virus tools.
start amavisd with /etc/init.d/amavisd start. clamd has to be running as well, since the scanner entry further down hands files to its socket.
add the following to the bottom of /etc/postfix/master.cf
  smtp-amavis unix - - n - 2 smtp
      -o smtp_data_done_timeout=1200
      -o smtp_send_xforward_command=yes
      -o disable_dns_lookups=yes
      -o max_use=20

  127.0.0.1:10025 inet n - n - - smtpd
      -o content_filter=
      -o smtpd_restriction_classes=
      -o smtpd_delay_reject=no
      -o smtpd_client_restrictions=permit_mynetworks,reject
      -o smtpd_helo_restrictions=
      -o smtpd_sender_restrictions=
      -o smtpd_recipient_restrictions=permit_mynetworks,reject
      -o smtpd_data_restrictions=reject_unauth_pipelining
      -o smtpd_end_of_data_restrictions=
      -o mynetworks=127.0.0.0/8
      -o smtpd_error_sleep_time=0
      -o smtpd_soft_error_limit=1001
      -o smtpd_hard_error_limit=1000
      -o smtpd_client_connection_count_limit=0
      -o smtpd_client_connection_rate_limit=0
      -o smtpd_milters=
      -o local_header_rewrite_clients=
      -o local_recipient_maps=
      -o relay_recipient_maps=
      -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks
the first service is the transport postfix uses to hand mail to amavisd; the second is where amavisd hands scanned mail back. that listener is bound to 127.0.0.1 and, through mynetworks=127.0.0.0/8 with permit_mynetworks,reject, accepts only local clients, so nothing from outside can inject mail past the scanner by talking to port 10025 directly.
instruct postfix to use amavisd as a content filter by adding the following to /etc/postfix/main.cf:
  content_filter = smtp-amavis:[127.0.0.1]:10024
every message that postfix accepts, on port 25 or from the local sendmail command, is now handed to amavisd on port 10024 over the smtp-amavis transport. amavisd gives it back on port 10025, where the -o content_filter= override (empty) keeps it from being sent through the scanner a second time; without that override mail would loop between postfix and amavisd.
Now that postfix and amavis are playing together, it's time for a couple of amavisd-specific settings.
tuning amavisd
in /etc/amavisd.conf
set your domain name:
  $mydomain = 'scalix.demo';
uncomment the clamav virus scanner which we installed
  ['ClamAV-clamd',
    \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd"],
    qr/\bOK$/, qr/\bFOUND$/,
    qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
the socket path must match LocalSocket in clamd.conf. CONTSCAN makes clamd open the unpacked files itself rather than receiving them over the socket, so the user clamd runs as needs read access to amavisd's working directory (putting it in the amavis group is the usual way); if it cannot read them, amavisd logs the scanner as failed and, depending on its settings, passes mail through unscanned.