HowTos/Complete Postfix
If you hate sendmail as much as I do, you've probably been wanting to switch it out for postfix for a while.
Here's the quick and dirty on how to do that.
When you finish this howto you'll have achieved the following:
- sendmail will be gone
- postfix will accept incoming mail from authenticated clients
- postfix will virus-scan incoming mail
- postfix will deliver incoming mail that belongs to local users to scalix
conventions
throughout this document, $FQDN means the fully qualified domain name of your server
installing postfix
first you'll need to install postfix and ditch sendmail.
redhat:
    rpm -ivh postfix system-switch-mail
    system-switch-mail
system-switch-mail is a small menu: select postfix, and ok. it removes sendmail and makes postfix the system mailer.
set postfix to listen on the external ip, and move omsmtpd to a high port
add the line
    LISTEN=$FQDN:10025
to your /var/opt/scalix/*/s/sys/smtpd.cfg, then run
    omoff -d0 -w smtpd; omon smtpd
to activate the config. $FQDN has to resolve to the server's real address, not 127.0.0.1: the amavisd re-injection listener added to master.cf later in this howto also uses port 10025, bound to 127.0.0.1, and the two must not collide.
remove the line
    inet_interfaces = localhost
from /etc/postfix/main.cf so postfix listens on all interfaces, then run
    /etc/init.d/postfix reload
set up transport
you'll want postfix to check which addresses belong to scalix and deliver email there. to do this, create the file /etc/postfix/scalix-transport.cf and fill it with:
    server_host = ldap://localhost:5757
    query_filter = mail=%s
    bind = no
    result_attribute = scalixInstanceMailHost
    result_format = smtp:[%s]:10025
    size_limit = 1
    domain = scalix.demo
then add the line
    transport_maps = ldap:/etc/postfix/scalix-transport.cf
to your /etc/postfix/main.cf. the domain = scalix.demo line keeps postfix from sending every lookup to ldap; only addresses in that domain are queried. because result_format points at port 10025, scalixInstanceMailHost has to be the address omsmtpd is listening on ($FQDN), not localhost; otherwise mail would be handed to the amavisd re-injection listener on 127.0.0.1:10025 and loop. you can check a lookup with
    postmap -q user@scalix.demo ldap:/etc/postfix/scalix-transport.cf
now postfix has replaced sendmail. to fully replace omsmtpd as the server your mail clients submit through, it also needs to authenticate them.
setting up smtp-auth
ensure that cyrus-sasl, cyrus-sasl-md5 and cyrus-sasl-plain are installed.
we'll use saslauthd to authenticate against scalix's ldap directory. first set saslauthd up to do ldap by putting
    MECH=ldap
in /etc/sysconfig/saslauthd. in the same file, point saslauthd at its own conf file, turn on credential caching and choose where the mux socket lives:
    FLAGS="-O /etc/postfix/saslauthd.conf -c -m /var/spool/postfix/var/run/saslauthd"
(the -m directory has to exist and be reachable by postfix's smtpd; if smtpd runs chrooted in /var/spool/postfix, this path is seen from inside the chroot as /var/run/saslauthd.) also set saslauthd to start at boot:
    /sbin/chkconfig --level 345 saslauthd on
and start it now with /etc/init.d/saslauthd start.
create the directory /etc/postfix/sasl2/ and edit /etc/postfix/sasl2/smtpd.conf with the following:
    pwcheck_method: saslauthd
    mech_list: PLAIN LOGIN
    log_level: 5
    saslauthd_path: /var/run/saslauthd/mux
    auxprop_plugin: ldap
saslauthd_path must point at the mux socket as smtpd sees it: /var/run/saslauthd/mux is right only if smtpd is chrooted into /var/spool/postfix (check the chroot column of the smtp inet line in master.cf); an unchrooted smtpd, the redhat default, needs the full /var/spool/postfix/var/run/saslauthd/mux. the auxprop_plugin line is not consulted when pwcheck_method is saslauthd and can be dropped. if clients get no AUTH line on EHLO and the log says no mechanism is available, the sasl library is reading a different smtpd.conf, commonly /usr/lib/sasl2/smtpd.conf (or /usr/lib64/sasl2/ on x86_64); put the file where your build looks. PLAIN and LOGIN both carry the password in the clear, which is why the tls section below refuses AUTH until the session is encrypted.
now we need to configure our ldap parameters in /etc/postfix/saslauthd.conf:
    ldap_servers: ldap://localhost:389/
    ldap_search_base: o=Scalix
    ldap_auth_method: bind
    ldap_filter: omUlAuthid=%u
    ldap_version: 3
    ldap_bind_dn: cn=sxadmin,o=scalix
    ldap_bind_pw: super_secret
this file holds the sxadmin password in clear text, so make it readable by root only (chmod 600; saslauthd runs as root). with ldap_auth_method: bind, saslauthd uses the sxadmin credentials only to find the user's dn, then verifies the client's password by binding as that dn. you can check the chain before touching postfix with
    testsaslauthd -u <user> -p <password> -f /var/spool/postfix/var/run/saslauthd/mux
now we configure postfix to use sasl in the main.cf:
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_authenticated_header = no
    smtpd_sasl_local_domain =
    smtpd_sasl_security_options = noanonymous
    broken_sasl_auth_clients = yes
broken_sasl_auth_clients = yes advertises AUTH a second time in the old non-standard form for outlook express and friends; noanonymous refuses the ANONYMOUS mechanism even if the library offers it.
and we configure postfix to require sasl:
    smtpd_client_restrictions = permit_mynetworks permit_sasl_authenticated reject
    smtpd_sender_restrictions = permit_mynetworks permit_sasl_authenticated reject
    smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination
note what the trailing reject in the client and sender lists does: any connection that is neither from mynetworks nor authenticated is refused before it can name a recipient. that is what you want for a pure submission server, but if this box is also the mx for scalix.demo it will refuse mail from every other mta on the internet. in that case leave the reject off the client and sender lists; reject_unauth_destination in the recipient list still stops strangers relaying to domains you're not responsible for.
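To make the order of evaluation concrete, here is an added Python model of how Postfix walks the three lists above. It is an example written for this page, not code from the howto or from Postfix; the restriction semantics it implements are the documented Postfix ones (a permit ends only the current list, a reject ends the session, a list that runs out without a match permits), while mynetworks, the authorised domain and the three sample sessions are constructed. It shows that with the lists as written an unauthenticated remote MTA delivering to scalix.demo is refused at the client stage, while the same lists without the trailing reject still refuse relaying to foreign domains.

```python
"""Added example, not from the original howto: a model of how Postfix walks
smtpd_client_restrictions, smtpd_sender_restrictions and
smtpd_recipient_restrictions. Semantics follow the Postfix documentation;
the networks, domain and sessions below are constructed for illustration."""
import ipaddress

# The three lists exactly as the howto sets them.
HOWTO_RESTRICTIONS = {
    "client": ["permit_mynetworks", "permit_sasl_authenticated", "reject"],
    "sender": ["permit_mynetworks", "permit_sasl_authenticated", "reject"],
    "recipient": ["permit_mynetworks", "permit_sasl_authenticated",
                  "reject_unauth_destination"],
}

# Variant for a box that is also the MX: no trailing reject, so strangers
# reach the recipient stage, where reject_unauth_destination still refuses
# anything this server is not responsible for.
MX_RESTRICTIONS = {
    "client": ["permit_mynetworks", "permit_sasl_authenticated"],
    "sender": ["permit_mynetworks", "permit_sasl_authenticated"],
    "recipient": HOWTO_RESTRICTIONS["recipient"],
}

# Constructed: loopback plus an assumed LAN, and the Scalix domain as the
# only entry in mydestination/relay_domains.
MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8"),
              ipaddress.ip_network("192.0.2.0/24")]
AUTHORIZED_DOMAINS = {"scalix.demo"}

# Constructed sessions: client address, SASL state, RCPT TO address.
REMOTE_MX = {"client_ip": "203.0.113.5", "sasl": False,
             "recipient": "alice@scalix.demo"}      # inbound mail for us
ROAMING_USER = {"client_ip": "198.51.100.7", "sasl": True,
                "recipient": "bob@example.net"}     # authenticated relay
SPAMMER = {"client_ip": "203.0.113.9", "sasl": False,
           "recipient": "victim@example.net"}       # open-relay attempt


def evaluate_one(restriction, session):
    """Verdict of one restriction: 'permit', 'reject' or None (no opinion)."""
    if restriction == "permit_mynetworks":
        client = ipaddress.ip_address(session["client_ip"])
        return "permit" if any(client in net for net in MYNETWORKS) else None
    if restriction == "permit_sasl_authenticated":
        return "permit" if session["sasl"] else None
    if restriction == "reject":
        return "reject"
    if restriction == "reject_unauth_destination":
        domain = session["recipient"].rpartition("@")[2].lower()
        return None if domain in AUTHORIZED_DOMAINS else "reject"
    raise ValueError("restriction not modelled: " + restriction)


def evaluate(restrictions, session):
    """Walk the client, sender and recipient lists in Postfix order (helo and
    data stages omitted). Returns 'accept' or 'reject at <stage>: <why>'."""
    for stage in ("client", "sender", "recipient"):
        for restriction in restrictions[stage]:
            verdict = evaluate_one(restriction, session)
            if verdict == "reject":
                return "reject at %s: %s" % (stage, restriction)
            if verdict == "permit":
                break  # a permit ends this list only; the next list still runs
    return "accept"


if __name__ == "__main__":
    for name, rules in (("howto", HOWTO_RESTRICTIONS), ("mx", MX_RESTRICTIONS)):
        for label, session in (("remote MX -> alice@scalix.demo", REMOTE_MX),
                               ("roaming user -> bob@example.net", ROAMING_USER),
                               ("stranger -> victim@example.net", SPAMMER)):
            print("%-6s %-32s %s" % (name, label, evaluate(rules, session)))
```

Run it and the "howto" rows show the remote MX refused at the client stage while the "mx" rows accept it and still refuse the open-relay attempt at reject_unauth_destination.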
now that we do authenticated smtp, we should be encrypting as well: PLAIN and LOGIN send the password base64-encoded, which is as good as clear text.
in order to encrypt smtp communication, you'll need a certificate. if you've never generated one before, http://www.redhat.com/docs/manuals/enterprise/RHEL-5-manual/Deployment_Guide-en-US/s1-httpd-secure-server.html should be a pretty good starting place to get a handle on how ssl works.
if you have generated a certificate before, either use that one or do it again. come back when you have your files and put them in /etc/ssl: the private key as key.pem, the certificate as cert.pem and the ca chain as cacert.pem. the key must be unencrypted (postfix can't prompt for a passphrase) and readable by root only.
configure postfix to do tls, and to require tls before authentication:
    smtpd_use_tls = yes
    smtpd_tls_auth_only = yes
    smtpd_tls_key_file = /etc/ssl/key.pem
    smtpd_tls_cert_file = /etc/ssl/cert.pem
    smtpd_tls_CAfile = /etc/ssl/cacert.pem
    smtpd_tls_security_level = may
    smtpd_tls_received_header = yes
    smtpd_tls_session_cache_timeout = 3600s
    tls_random_source = dev:/dev/urandom
smtpd_tls_security_level = may is the right setting for a server that also talks to other mtas, since you can't force them to do tls; smtpd_tls_auth_only = yes is what protects the passwords, because AUTH is only offered after STARTTLS. on postfix 2.3 and later smtpd_tls_security_level supersedes smtpd_use_tls, so the latter is harmless but redundant. reload postfix and check that EHLO from a plain connection shows STARTTLS but no AUTH.
time to take on spam and viruses
unfortunately, what to do about a/v on rhel is not cut and dried. i'd recommend installing amavisd-new via apt.
get apt and rpmforge from http://dag.wieers.com/rpm/packages/apt/ and http://dag.wieers.com/rpm/packages/rpmforge-release/
install both rpms, then
    apt-get update
    apt-get install clamav clamd spamassassin razor-agents perl-Razor-Agent amavisd-new
will get you a nice set of anti-spam and anti-virus tools.
start clamd first (amavisd talks to it over a local socket, configured below), then amavisd:
    /etc/init.d/clamd start
    /etc/init.d/amavisd start
add the following to the bottom of /etc/postfix/master.cf
    smtp-amavis unix -       -       n       -       2       smtp
        -o smtp_data_done_timeout=1200
        -o smtp_send_xforward_command=yes
        -o disable_dns_lookups=yes
        -o max_use=20
    127.0.0.1:10025 inet n   -       n       -       -       smtpd
        -o content_filter=
        -o smtpd_restriction_classes=
        -o smtpd_delay_reject=no
        -o smtpd_client_restrictions=permit_mynetworks,reject
        -o smtpd_helo_restrictions=
        -o smtpd_sender_restrictions=
        -o smtpd_recipient_restrictions=permit_mynetworks,reject
        -o smtpd_data_restrictions=reject_unauth_pipelining
        -o smtpd_end_of_data_restrictions=
        -o mynetworks=127.0.0.0/8
        -o smtpd_error_sleep_time=0
        -o smtpd_soft_error_limit=1001
        -o smtpd_hard_error_limit=1000
        -o smtpd_client_connection_count_limit=0
        -o smtpd_client_connection_rate_limit=0
        -o smtpd_milters=
        -o local_header_rewrite_clients=
        -o local_recipient_maps=
        -o relay_recipient_maps=
        -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks
the first entry is the transport postfix uses to hand mail to amavisd; the second is the listener amavisd hands it back to. that listener is bound to 127.0.0.1 and overrides mynetworks to 127.0.0.0/8, so nothing but a local process can inject mail through it, and its empty content_filter= is what stops the returned mail from being sent through amavisd a second time.
instruct postfix to use amavisd as a content filter by adding the following to /etc/postfix/main.cf
    content_filter = smtp-amavis:[127.0.0.1]:10024
and reload postfix. mail now goes out to amavisd on port 10024 and comes back in on the 127.0.0.1:10025 listener; amavisd's own config must point its forwarding at that port.
now that postfix and amavis are playing together, it's time to make a couple of specific settings
tuning amavisd
in /etc/amavisd.conf
set your domain name:
    $mydomain = 'scalix.demo';
uncomment the clamav virus scanner which we installed, and make sure the socket path matches LocalSocket in your clamd.conf (the amavis user also needs permission to connect to it):
    ['ClamAV-clamd', \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd"],
      qr/\bOK$/, qr/\bFOUND$/, qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],