Difference between revisions of "HowTos/Postfix multiple domains"

(Undo revision 5037 by William (Talk) relevant link!!!)
m (Reverted edits by Salomon (Talk) to last version by William)
 

Latest revision as of 16:07, 13 August 2010


This setup has been tested on openSUSE 10.2 running Scalix 11.1. The configuration may slightly differ for other distros, but that's not part of this article.

Portions here have been taken from http://www.scalix.com/wiki/index.php?title=HowTos/Complete_Postfix (especially the sasl/ldap integration).

Let's assume your scalix is handling mail for mydomain1.com, mydomain2.com and your MTA is also backup MX for foreigndomain1.com.

It is assumed that scalix and postfix run on the same server.

installing postfix

Install postfix and delete sendmail package through YaST -> Software Management. Select ignore conflicts when YaST starts complaining that sendmail is needed by other packages (i.e. scalix).

set scalix to listen on higher port

In order to switch Scalix to listen on a higher port, add the line

LISTEN=localhost:10026

to the file /var/opt/scalix/*/s/sys/smtpd.cfg

To activate the change execute /etc/init.d/scalix restart

set up sasl authentication against scalix user base

Edit /etc/sysconfig/saslauthd to look like this

SASLAUTHD_AUTHMECH=ldap

Create /etc/saslauthd.conf

ldap_servers: ldap://localhost:389/
ldap_search_base: o=Scalix
ldap_auth_method: bind
ldap_filter: omUlAuthid=%u
ldap_version: 3
ldap_bind_dn: cn=sxadmin,o=scalix
ldap_bind_pw: password

Replace password with your sxadmin's password.

Edit /etc/sasl2/smtpd.conf to look like this

pwcheck_method: saslauthd
mech_list: plain login

To activate the change execute rcsaslauthd restart

prepare your transport file

Create /etc/postfix/my_transport file

mydomain1.com                 smtp:[localhost]:10026
mydomain2.com                 smtp:[localhost]:10026

# If you relay mail for non-local domains add something like this
foreigndomain1.com            smtp:[foreigndomain1_primary_mail_server.com]

To activate the change execute postmap /etc/postfix/my_transport

prepare your domain file

Create /etc/postfix/my_relay_domains file

mydomain1.com
mydomain2.com
foreigndomain1.com

prepare your global aliases

Create /etc/postfix/my_aliases.regexp file

/^(postmaster|domains|root|abuse|webmaster|sysadmin)@/ admin@mydomain1.com

prepare file to check local recipients

Create /etc/postfix/scalix_recipients file

server_host = ldap://localhost:389
query_filter = mail=%s
bind = no
result_attribute = mail

prepare your postfix main.cf file

Edit /etc/postfix/main.cf with something like this

# Update next two lines with your real host name and domain name.
myhostname = my_host.mydomain1.com
mydomain = mydomain1.com
smtpd_banner = $myhostname ESMTP $mail_name (relaying disabled)

virtual_alias_maps = regexp:/etc/postfix/my_aliases.regexp
transport_maps = hash:/etc/postfix/my_transport
relay_recipient_maps = ldap:/etc/postfix/scalix_recipients

setgid_group = maildrop
daemon_directory = /usr/lib/postfix

relay_domains = /etc/postfix/my_relay_domains

disable_vrfy_command = yes

smtpd_sasl_auth_enable = yes
smtpd_helo_required = yes
smtpd_delay_reject = yes
smtpd_reject_unlisted_sender = yes
smtpd_reject_unlisted_recipient = yes

smtpd_helo_restrictions =
        permit_sasl_authenticated,
        permit_mynetworks,
        reject_invalid_hostname,
        reject_non_fqdn_hostname,
        reject_unknown_hostname,
        permit

smtpd_sender_restrictions =
        permit_sasl_authenticated,
        permit_mynetworks,
        reject_non_fqdn_sender,
        reject_unknown_sender_domain,
        permit

smtpd_recipient_restrictions =
        permit_sasl_authenticated,
        permit_mynetworks,
        reject_unauth_pipelining,
        reject_unauth_destination,
        reject_non_fqdn_recipient,
        reject_unknown_recipient_domain,
        permit

smtpd_data_restrictions =
        reject_unauth_pipelining,
        permit


smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_tls_security_level = may
smtpd_tls_received_header = yes
# Update the next line with real path and real cert for your server
smtpd_tls_cert_file = /etc/ssl/your_certificate.pem
smtpd_tls_CAfile = /etc/ssl/certs/CAcert-class1.crt
smtpd_tls_loglevel = 1
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

unknown_local_recipient_reject_code = 450

To activate the change execute rcpostfix restart

At this point postfix integration with Scalix is complete.

Instead of preparing all files manually, we can simplify things with one script.

This script comes in handy whenever you add or remove a domain in Scalix and don't want to update the map files manually.

Create /etc/postfix/scalix_update-maps.sh shell script

#!/bin/sh
# This is raw code with only basic error checking, so please verify things line by line by hand first
set -e
# Must match the LISTEN= line in /var/opt/scalix/*/s/sys/smtpd.cfg (10026 in this article)
SCALIX_PORT=10026

# Extract the comma separated Scalix local domains (dropping any "/..." suffix) into the relay domains file
grep ubermanager.console.localDomains /var/opt/scalix/??/caa/scalix.res/config/ubermanager.properties \
  | sed -e 's/ubermanager\.console\.localDomains=//g' -e 's/,/\n/g' \
  | awk -F "/" '{print $1}' > /etc/postfix/my_relay_domains
echo /etc/postfix/my_relay_domains ... updated

# Route every Scalix domain to the Scalix SMTP listener. Both files are overwritten here,
# so a backup MX entry such as foreigndomain1.com has to be re-added by hand
sed -e "s/\$/\tsmtp:[localhost]:$SCALIX_PORT/" /etc/postfix/my_relay_domains > /etc/postfix/my_transport
/usr/sbin/postmap /etc/postfix/my_transport
echo /etc/postfix/my_transport ... updated

/etc/init.d/postfix reload
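A transport that points at a port Scalix does not listen on, or a relay domain that has no transport at all, is exactly the kind of drift a regenerated map can introduce. The following consistency check is an added example in POSIX sh, not code from the Scalix wiki; it reads the three files from the sections above (my_relay_domains, my_transport and smtpd.cfg), the sample files it writes are constructed, and the function names are my own.

```shell
#!/bin/sh
# Consistency check for the map files described above:
# every domain in my_relay_domains needs a transport, and
# every transport pointing at [localhost] must use the port
# from the LISTEN= line in smtpd.cfg. Added example with
# constructed sample files, not code from the Scalix wiki.

# scalix_port SMTPD_CFG -> port from "LISTEN=localhost:PORT"
scalix_port() {
    sed -n 's/^LISTEN=[^:]*:\([0-9][0-9]*\).*/\1/p' "$1" | head -n 1
}

# check_maps RELAY_DOMAINS TRANSPORT SMTPD_CFG -> 0 if consistent, 1 otherwise
check_maps() {
    relay=$1 transport=$2 port=$(scalix_port "$3") rc=0
    [ -n "$port" ] || { echo "no LISTEN= line in $3"; return 1; }
    # a relay domain without a transport is delivered via MX lookup, bypassing the Scalix listener
    while read -r domain; do
        case $domain in ''|'#'*) continue ;; esac
        if ! grep -q "^$domain[[:space:]]" "$transport"; then
            echo "missing transport for $domain"; rc=1
        fi
    done < "$relay"
    # a local transport on the wrong port makes mail for that domain bounce or queue
    while read -r domain nexthop; do
        case $domain in ''|'#'*) continue ;; esac
        case $nexthop in
            *'[localhost]':"$port") ;;
            *'[localhost]':*) echo "$domain: $nexthop is not Scalix port $port"; rc=1 ;;
        esac
    done < "$transport"
    return $rc
}

# make_sample DIR -> constructed files reproducing a 10026/10030 port mismatch
make_sample() {
    printf 'LISTEN=localhost:10026\n' > "$1/smtpd.cfg"
    printf 'mydomain1.com\nmydomain2.com\nforeigndomain1.com\n' > "$1/my_relay_domains"
    printf 'mydomain1.com\tsmtp:[localhost]:10026\nmydomain2.com\tsmtp:[localhost]:10030\n' > "$1/my_transport"
}

tmp=$(mktemp -d); make_sample "$tmp"
check_maps "$tmp/my_relay_domains" "$tmp/my_transport" "$tmp/smtpd.cfg" || echo "map files need attention"
rm -rf "$tmp"
```

Run it with the real paths after every regeneration and before the postfix reload; a non-zero exit means a domain would be misrouted.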



Now let's add SPAM and Anti-virus filters.


installing required packages

Through YaST -> Software Management install: amavisd-new, spamassassin, clamav, razor-agents and all required dependencies.

... to be continued when I get some more spare time ;) ...

As my setup is CentOS 5 based, I just give some advice on how my setup works together.

Add forced SSL support on Port 465 for Outlook

Unfortunately there are some mail clients that do not support the STARTTLS feature. One way to achieve SSL support would be to use stunnel, as is described in another HowTo somewhere on this site for IMAP/POP3. The problem with that approach is that you create an open relay :-). So let's just use the Postfix features; the only thing we have to do is to declare another service in master.cf:

 smtps     inet  n       -       n       -       -       smtpd
   -o smtpd_tls_wrappermode=yes
   -o smtpd_sasl_auth_enable=yes

The smtpd_tls_wrappermode=yes directive does exactly what we want: the service speaks TLS from the first byte instead of waiting for a STARTTLS command.

Integrate policyd-weight

Policyd-weight examines incoming mail during the SMTP session, which means a recognized spam message is rejected at the SMTP level before it is ever accepted. To achieve this, policyd-weight is hooked in as a check_policy_service.

 smtpd_recipient_restrictions =  permit_mynetworks,
                                permit_sasl_authenticated,
                                reject_unauth_destination,
                                check_policy_service inet:127.0.0.1:12525,
                                permit

Only the check_policy_service line needs to be added; 127.0.0.1:12525 is policyd-weight's default listening address.


That's all that has to be done on the Postfix side; now let's get policyd-weight running. Just download the latest version from the policyd-weight homepage, install it under /usr/sbin or /usr/local/sbin and check that it is executable.

Running policyd-weight defaults prints the default settings. It is advised to set only the options that differ from the defaults in the config file.

The default user policyd-weight runs as is "polw", so we create it:

 adduser polw

Here is a sample start script for the daemon:

 #! /bin/sh
 # Basic support for IRIX style chkconfig
 ###
 # chkconfig: 235 98 55
 # description: policyd-weight SMTP policy daemon for Postfix
 ###
 
 CONFFILE="/etc/policyd-weight.conf"
 # Path of the binary installed above (/usr/sbin or /usr/local/sbin)
 DAEMON="/usr/local/sbin/policyd-weight"
 
 case "$1" in
   start)
       echo -n "Starting policyd-weight"
       # Started as root; policyd-weight switches to its configured user (polw by default) itself
       "$DAEMON" -f "$CONFFILE" start
       echo "."
       ;;
   stop)
       echo -n "Stopping policyd-weight"
       "$DAEMON" stop
       echo "."
       ;;
   *)
       echo "Usage: /sbin/service policyd-weight {start|stop}"
       exit 1
       ;;
 esac
 
 exit 0

Create a default config file /etc/policyd-weight.conf:

 $DEBUG=1;
 $VERBOSE=1;
 $ADD_X_HEADER= 1;


Take care that policyd-weight is started at system start up.

Integrate Amavis-New

Amavis-New is integrated as a content_filter. This requires small changes in master.cf and main.cf:

master.cf

 lmtp-amavis    unix  -       -       n       -       2       lmtp
   -o lmtp_data_done_timeout=1200
   -o lmtp_send_xforward_command=yes
   -o disable_dns_lookups=yes
   -o max_use=20


 127.0.0.1:12526 inet n  -       n     -       -  smtpd
   -o content_filter=
   -o smtpd_restriction_classes=
   -o smtpd_delay_reject=no
   -o smtpd_client_restrictions=permit_mynetworks,reject
   -o smtpd_helo_restrictions=
   -o smtpd_sender_restrictions=
   -o smtpd_recipient_restrictions=permit_mynetworks,reject
   -o smtpd_data_restrictions=reject_unauth_pipelining
   -o smtpd_end_of_data_restrictions=
   -o mynetworks=127.0.0.0/8
   -o smtpd_error_sleep_time=0
   -o smtpd_soft_error_limit=1001
   -o smtpd_hard_error_limit=1000
   -o smtpd_client_connection_count_limit=0
   -o smtpd_client_connection_rate_limit=0
   -o smtpd_milters=
   -o local_header_rewrite_clients=
   -o local_recipient_maps=
   -o relay_recipient_maps=
   -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks

main.cf

 # The transport name must match the service defined in master.cf above (lmtp-amavis)
 content_filter=lmtp-amavis:[127.0.0.1]:10024

changes to amavisd-new.conf:

 $inet_socket_port = 10024;   # listen on this local TCP port(s)
 $max_servers = 2; # must be equal to max_proc of lmtp-amavis client  in master.cf
 $notify_method  = 'smtp:[127.0.0.1]:12526';
 $forward_method = 'smtp:[127.0.0.1]:12526';
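The amavisd-new wiring above has three places that must agree: the transport named in content_filter has to be a service defined in master.cf, and the port in its next-hop has to be the $inet_socket_port amavisd listens on. This added POSIX sh check is not code from the wiki; it parses constructed copies of main.cf, master.cf and amavisd.conf (one of them reproduces an smtp-amavis versus lmtp-amavis mismatch), and the function names are my own.

```shell
#!/bin/sh
# Cross-checks the amavisd-new wiring described above: the transport named in
# content_filter must be a service in master.cf, and the port in its next-hop
# must be the $inet_socket_port amavisd listens on. Added example with
# constructed sample files, not code from the Scalix wiki.

# master_services MASTER_CF -> service names (first column of service lines;
# comment lines and indented "-o" option lines are skipped)
master_services() {
    awk '!/^[ \t#]/ && NF >= 8 { print $1 }' "$1"
}

# content_filter_value MAIN_CF -> value of content_filter, e.g. lmtp-amavis:[127.0.0.1]:10024
content_filter_value() {
    sed -n 's/^content_filter[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1
}

# amavis_port AMAVISD_CONF -> value of $inet_socket_port
amavis_port() {
    sed -n 's/^\$inet_socket_port[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1" | tail -n 1
}

# check_amavis MAIN_CF MASTER_CF AMAVISD_CONF -> 0 when everything lines up, 1 otherwise
check_amavis() {
    value=$(content_filter_value "$1") rc=0
    [ -n "$value" ] || { echo "no content_filter in $1"; return 1; }
    transport=${value%%:*}          # part before the first colon
    port=${value##*:}               # part after the last colon
    if ! master_services "$2" | grep -qx "$transport"; then
        echo "transport '$transport' is not defined in $2"; rc=1
    fi
    if [ "$port" != "$(amavis_port "$3")" ]; then
        echo "content_filter port $port differs from \$inet_socket_port in $3"; rc=1
    fi
    return $rc
}

# make_amavis_sample DIR -> constructed files reproducing the smtp-amavis / lmtp-amavis mismatch
make_amavis_sample() {
    printf 'content_filter=smtp-amavis:[127.0.0.1]:10024\n' > "$1/main.cf"
    printf 'lmtp-amavis    unix  -       -       n       -       2       lmtp\n  -o max_use=20\n' > "$1/master.cf"
    printf '$inet_socket_port = 10024;\n' > "$1/amavisd.conf"
}

tmp=$(mktemp -d); make_amavis_sample "$tmp"
check_amavis "$tmp/main.cf" "$tmp/master.cf" "$tmp/amavisd.conf" || echo "amavis wiring needs attention"
rm -rf "$tmp"
```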