build:postfix

build:postfix [2007/08/05 19:46]
24.217.108.17
build:postfix [2008/07/22 13:51] (current)
151.145.245.20
Line 4: Line 4:
  
 The SLUUG sysadmins were divided on whether to use Postfix or Sendmail. Most of the admins more familiar with Linux prefer Postfix; most of the admins used to older UNIX systems would have preferred to use Sendmail. The 2 factors that slightly tipped the scales toward Postfix were the available documentation on setting up many of the features we want, and the preference of the people who installed it. The SLUUG sysadmins were divided on whether to use Postfix or Sendmail. Most of the admins more familiar with Linux prefer Postfix; most of the admins used to older UNIX systems would have preferred to use Sendmail. The 2 factors that slightly tipped the scales toward Postfix were the available documentation on setting up many of the features we want, and the preference of the people who installed it.
 +
  
 ===== Installation ===== ===== Installation =====
 +The default MTA in Debian is EXIM. In the default install the log rotation is already configured in /​etc/​cron.daily for EXIM, so remove the script
 +<code rootshell>​
 +rm /​etc/​cron.daily/​exim4-base
 +</​code>​
 +
 +Do the [[Firewall|"​Firewall"​ procedure]] first, if not already done, since you need several ports open for testing mail.
  
 Install the package: Install the package:
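Review bot: the ''rm /etc/cron.daily/exim4-base'' step added at the top of this hunk runs before the ''apt-get install'' that, according to the next hunk, removes the four exim packages; that cron script is a conffile owned by the exim4-base package, so deleting it by hand leaves dpkg with a modified-conffile state and is unnecessary if the package is purged. Suggest replacing the ''rm'' with ''apt-get remove --purge exim4-base'' after Postfix is installed, or saying why a manual delete is preferred.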
Line 12: Line 19:
 </​code>​ </​code>​
  
-You will (probablybe presented with some instructions. Hit ''​OK''​ after reading the instructions,​ then select ''​No configuration'',​ as we'll be configuring manually.+This will install one postfix package, and remove four exim (the default Debian MTApackages.
  
-===== Configuration =====+You will (probably) be presented with some warnings and instructions in text menus. Hit ''​OK''​ after reading the instructions,​ then select ''​No configuration'',​ as we'll be configuring manually. ​ You will need to use cursor and tab keys to maneuver in the menus.
  
-All Postfix configuration options are detailed in the [[http://​www.postfix.org/​postconf.5.html | postconf(5) man page]].+===== Configuration before adding other support packages ===== 
 + 
 +All Postfix configuration options are detailed in the [[http://​www.postfix.org/​postconf.5.html|postconf(5) man page]].
  
 The postconf utility won't create a config file if it doesn'​t exist, so create it manually: The postconf utility won't create a config file if it doesn'​t exist, so create it manually:
Line 22: Line 31:
 touch /​etc/​postfix/​main.cf touch /​etc/​postfix/​main.cf
 </​code>​ </​code>​
 +
  
  
Line 33: Line 43:
  
 Tell the SMTP server what domains to accept email for. Do NOT list any VIRTUAL domains here. The distinguishing feature of non-virtual domains (the ones listed here) is that any real user ID that exists on the box (or is listed in the aliases file) is a valid address in the domain. The valid addresses in a virtual domain have to be explicitly listed in the virtual alias map. Tell the SMTP server what domains to accept email for. Do NOT list any VIRTUAL domains here. The distinguishing feature of non-virtual domains (the ones listed here) is that any real user ID that exists on the box (or is listed in the aliases file) is a valid address in the domain. The valid addresses in a virtual domain have to be explicitly listed in the virtual alias map.
 +The list of domains in the example below is only for the main mail server. ​ For other systems, see the next example. ​ You will probably have to unwrap the following command to be one line.
 <code rootshell>​ <code rootshell>​
-postconf -e '​mydestination=test.sluug.org, ​$mydomain, $myhostname,​ localhost, woodlandchows.com,​ \ +postconf -e '​mydestination=$mydomain,​ $myhostname, ​
-  ​cab3.dyndns.org, ​buchek.com, craigbuchek.com,​ boochtek.com'​+localhost, woodlandchows.com,​ \ 
 +buchek.com, craigbuchek.com,​ boochtek.com, \ 
 +www.sluug.org,​ mail.sluug.org'​ 
 +</​code>​ 
 + 
 +For secondary (not the main mail server) systems, don't list all those domains shown above. ​ Only list "​localhost"​ and specific domains this system will accept mail for.  This might include "​$myhostname,",​ but never "​$mydomain,"​. ​ For example, use this instead: 
 +<code rootshell>​ 
 +postconf -e '​mydestination=localhost.$mydomain,​ localhost, budlight-mailtest1.sluug.org'
 </​code>​ </​code>​
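Review bot: the multi-line ''postconf -e 'mydestination=...''' at the start of this hunk uses single quotes, so each backslash-newline is passed to postconf literally instead of being joined, which is why the prose has to warn that the command must be unwrapped to one line. The later ''smtpd_helo_restrictions'' and ''smtpd_sender_restrictions'' blocks use double quotes, where the shell removes backslash-newline and the indented continuation lines fold into one value, so they work as written; suggest the same double-quoted form here and dropping the unwrap warning. The secondary-system example is consistent with the text ("$myhostname" allowed, "$mydomain" never), but it would help to add that Postfix logs a warning if a name listed here also appears in a virtual map, since the "Do NOT list any VIRTUAL domains" rule is easy to break when the virtual section is edited later.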
  
Line 41: Line 59:
 <code rootshell>​ <code rootshell>​
 postconf -e '​myorigin=$mydomain'​ postconf -e '​myorigin=$mydomain'​
 +</​code>​
 +
 +For secondary (not the main mail server) systems, you might want to set ''​myorigin''​ to "''​$myhostname''"​ instead of "''​$mydomain''",​ but at the time of this writing, that is not what we did on budlight. ​ Setting to "''​$mydomain''"​ means that local mail, such as output from batch jobs, will be forwarded to the main mail server instead of being kept local, including mail for root, unless addresses to an address listed in ''​mydestination''​. ​ Setting to "''​$myhostname''"​ will impact all the return addresses on mail, which can be a problem for users of mailing lists.
 +
 +For secondary (not the main mail server) systems, we want all outgoing to be sent from this system to be routed through the main mail server. ​ So we tell this system to use a smarthost with:
 +<code rootshell>​
 +postconf -e '​relayhost=mail.sluug.org'​
 </​code>​ </​code>​
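Review bot: ''postconf -e 'relayhost=mail.sluug.org''' makes Postfix look up MX records for mail.sluug.org before connecting; if mail.sluug.org is the actual host to hand mail to (rather than a domain with its own MX), write it as ''[mail.sluug.org]'' so the MX lookup is skipped and delivery goes straight to that host. In the ''myorigin'' paragraph, "unless addresses to an address listed in mydestination" should read "unless addressed to an address listed in mydestination".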
  
Line 46: Line 71:
 <code rootshell>​ <code rootshell>​
 postconf -e '​mynetworks=127.0.0.0/​8,​ 206.196.99.160/​28,​ 128.252.19.0/​27,​ hash:/​etc/​postfix/​mynetworks'​ postconf -e '​mynetworks=127.0.0.0/​8,​ 206.196.99.160/​28,​ 128.252.19.0/​27,​ hash:/​etc/​postfix/​mynetworks'​
 +</​code>​
 +
 +Assuming ''/​etc/​postfix/​mynetworks''​ doesn'​t already exist, create it,
 +add any desired adddresses to it, and generate the binary hash file from it:
 +<code rootshell>​
 +cat >> /​etc/​postfix/​mynetworks << '​EOD'​
 +# These IPs are allowed to relay through our SMTP servers.
 +# This list was originally taken from Dark.
 +#   We do not have documentation on who needs these, and if they are still in use.
 +# NOTE: The 2nd field is not used, but you'll get warnings from postmap if you leave it out.
 +EOD 
 +vi      /​etc/​postfix/​mynetworks
 +postmap /​etc/​postfix/​mynetworks
 </​code>​ </​code>​
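Review bot: the heredoc at ''cat >> /etc/postfix/mynetworks'' writes only a comment header, and the two-field entry format the comment describes is never shown; one example line such as ''192.0.2.10  OK'' (placeholder address from the documentation range) would save the reader the postmap warning the comment refers to. The more important point is that every address in this hash file gets ''permit_mynetworks'' treatment, which in the restriction lists later on this page comes before the FQDN and DNS sender rejects, so an IP inherited from Dark whose owner nobody can name is an unauthenticated relay path. The Relaying section promises a log audit "after a few months of production use"; a concrete date for that audit belongs next to this file.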
  
Line 63: Line 101:
 postconf -e '​message_size_limit=50000000'​ postconf -e '​message_size_limit=50000000'​
 postconf -e '​mailbox_size_limit=1000000000'​ postconf -e '​mailbox_size_limit=1000000000'​
 +</​code>​
 +
 +By default, Postfix will keep trying to send an email for 5 days, before it gives up and tells you that it had a problem. That seems rather long, so we reduce it to 1 day:
 +<code rootshell>​
 +postconf -e '​maximal_queue_lifetime=1d'​
 +postconf -e '​bounce_queue_lifetime=1d'​
 </​code>​ </​code>​
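Review bot: the sentence introducing ''maximal_queue_lifetime=1d'' should spell out the trade-off: legitimate mail to a destination that is down for a day is bounced instead of retried. ''bounce_queue_lifetime=1d'' only governs how long Postfix keeps trying to deliver the bounce notices themselves, so the two settings are not interchangeable; stating that here keeps a future admin from raising one without the other.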
  
Line 75: Line 119:
 </​code>​ </​code>​
  
-The [[http://​www.list.org/​mailman-install/​node12.html | Mailman documentation]] recommends the following setting. It ensures that emails to unknown local addresses will generate a permanent error, not a transient error in which the client will keep re-trying.+The [[http://​www.list.org/​mailman-install/​node12.html|Mailman documentation]] recommends the following setting. It ensures that emails to unknown local addresses will generate a permanent error, not a transient error in which the client will keep re-trying.
 <code rootshell>​ <code rootshell>​
 postconf -e '​unknown_local_recipient_reject_code=550'​ postconf -e '​unknown_local_recipient_reject_code=550'​
Line 83: Line 127:
  
 This section configures some settings that will help reject spam due to the behavior of the spam programs. This does not include spam //​filtering//,​ which rejects spam due to the content (and headers) of the spam messages. That will be covered by a separate program, and the configuration to connect to that program will be covered in a separate section. This section configures some settings that will help reject spam due to the behavior of the spam programs. This does not include spam //​filtering//,​ which rejects spam due to the content (and headers) of the spam messages. That will be covered by a separate program, and the configuration to connect to that program will be covered in a separate section.
 +
 +=== Initial options ===
  
 First, don't tell the SMTP clients that we're rejecting their message until they'​ve specified the sender and the recipient. This is required by some broken clients, but has several other advantages. First, it wastes more of the spammer'​s time and resources. Second, it allows us to log the sender and recipient info of all attempted messages. First, don't tell the SMTP clients that we're rejecting their message until they'​ve specified the sender and the recipient. This is required by some broken clients, but has several other advantages. First, it wastes more of the spammer'​s time and resources. Second, it allows us to log the sender and recipient info of all attempted messages.
Line 94: Line 140:
 </​code>​ </​code>​
  
-The next thing we want to do is check the contents of the HELO string. If the connection is from one of our trusted networkswe don't need to perform the check. Next we look at the ''/​etc/​postfix/​helo_access''​ file, and perform the action specified in that file for any host names that match a host name in the file. If the host name provided in the HELO command ​is not a valid FQDN, we reject the connection. If the client tries to use SMTP command pipelining without asking, we reject the connection. Otherwise we permit the connection.+Turn off the VRFY commandso spammers cannot verify whether an address ​is valid or not.
 <code rootshell>​ <code rootshell>​
-postconf -e "​smtpd_helo_restrictions=permit_mynetworks,​ \ +postconf -e '​disable_vrfy_command=yes'
-  check_helo_access hash:/​etc/​postfix/​helo_access,​ \ +
-  reject_non_fqdn_hostname,​ reject_invalid_hostname,​ \ +
-  reject_unauth_pipelining,​ permit"​+
 </​code>​ </​code>​
  
-Now we need to create ​the ''/​etc/​postfix/​helo_access''​ file. We want to reject anyone who sends us our own IP address or host name in the HELO string. Add all your possible IP addresses and host names, so the file looks something like this:+=== Tests to the value of the SMTP HELO command === 
 + 
 +The next thing we want to do is check the contents of the HELO string. If the connection is from one of our trusted networks, we don'​t ​need to perform the check. Next we look at the ''/​etc/​postfix/​helo_access''​ file, and perform the action specified in that file for any host names that match a host name in the file. If the host name provided in the HELO command is not a valid FQDN, we reject the connection. If the client tries to use SMTP command pipelining without asking, we reject the connection. Otherwise we permit the connection. 
 + 
 +Create ​the ''/​etc/​postfix/​helo_access''​ file. We want to reject anyone who sends us our own IP address or host name in the HELO string. Add all your possible IP addresses and host names, so the file looks something like this:
 <code configfile>​ <code configfile>​
 # We want to reject anyone who pretends that they have our address. # We want to reject anyone who pretends that they have our address.
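Review bot: the new "Tests to the value of the SMTP HELO command" paragraph says each failing rule makes us "reject the connection", but ''smtpd_helo_restrictions'' reject the HELO/EHLO command (or, with the delayed-reject setting introduced earlier in this section, the RCPT TO), not the TCP connection; the client stays connected and can retry, which is also what makes the logging advantage described above possible. ''reject_invalid_hostname'' and ''reject_non_fqdn_hostname'' in the removed lines are the pre-2.3 spellings of ''reject_invalid_helo_hostname'' and ''reject_non_fqdn_helo_hostname''; the old names still work as aliases, but the newer ones say what is being checked. ''disable_vrfy_command=yes'' is a good default to add.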
Line 117: Line 164:
 postmap /​etc/​postfix/​helo_access postmap /​etc/​postfix/​helo_access
 </​code>​ </​code>​
 +
 +Update the configuration file to use the database, and other desired options.
 +
 +<code rootshell>​
 +postconf -e "​smtpd_helo_restrictions=permit_mynetworks,​ \
 +  check_helo_access hash:/​etc/​postfix/​helo_access,​ \
 +  reject_non_fqdn_hostname,​ reject_invalid_hostname,​ \
 +  reject_unauth_pipelining,​ permit"​
 +</​code>​
 +
 +=== Tests to the value of the SMTP MAIL FROM command ===
  
 Next, we want to take a look at the sender'​s address, unless the sender is on the local network, or they'​ve authenticated themselves via SASL. We want to reject any sender address that's not using a FQDN. (I.e. we reject things like ''​bill@nonfqdnhostname''​ and ''​bill''​.) And we'll also reject the message if the sender'​s domain does not have an A or MX record in DNS. Next, we want to take a look at the sender'​s address, unless the sender is on the local network, or they'​ve authenticated themselves via SASL. We want to reject any sender address that's not using a FQDN. (I.e. we reject things like ''​bill@nonfqdnhostname''​ and ''​bill''​.) And we'll also reject the message if the sender'​s domain does not have an A or MX record in DNS.
 +
 +Create the access database source file, ''/​etc/​postfix/​sender_access''​ using your favorite text editor.
 +Add in comments and desired entries in the form below. ​ Check any existing systems for what entries we are currently using, or just copy from another of our Debian systems.
 +
 +<​code>​
 +#​*******************************************************************************
 +#
 +# Database to give you the ability to allow or refuse to accept mail
 +# based on the MAIL FROM command.
 +#
 +# This is used with the smtpd_sender_restrictions option.
 +#
 +# Rebuild the database with:  postmap /​etc/​postfix/​sender_access
 +#
 +#​*******************************************************************************
 +
 +# We were spammed by zorpia on 19 Oct 2007
 +zorpia.com ​     550 "​Disallowed due to prior spam history"​
 +</​code>​
 +
 +Generate the database from the source file:
 +
 <code rootshell>​ <code rootshell>​
-postconf -e "​smtpd_sender_restrictions=permit_mynetworks,​ \+postmap /​etc/​postfix/​sender_access 
 +</​code>​ 
 + 
 +Update the configuration file to use the database, and other desired options. 
 + 
 +<code rootshell>​ 
 +postconf -e "​smtpd_sender_restrictions=hash:/​etc/​postfix/​sender_access,​ \ 
 +  ​permit_mynetworks,​ \
   permit_sasl_authenticated,​ reject_non_fqdn_sender,​ \   permit_sasl_authenticated,​ reject_non_fqdn_sender,​ \
   reject_unknown_sender_domain,​ permit"​   reject_unknown_sender_domain,​ permit"​
 </​code>​ </​code>​
  
-NOTE: See also the Greylisting section below. It does even more thorough spam avoidance, but it's in a separate section because it requires a separate program.+=== Greylisting === 
 +NOTE: See also the [[#​greylisting|Greylisting section]] below. It does even more thorough spam avoidance, but it's in a separate section because it requires a separate program.
  
 ==== Delivery ==== ==== Delivery ====
  
-Whatever we do, we need to make sure that our IMAP server knows where to find the files. By default, Courier IMAP looks in ''​Maildir''​ in the user's home directory. The Postfix default is to store incoming messages in mbox format in /​var/​spool/​mail,​ with a file for each addressee.+Whatever we do, we need to make sure that our [[IMAP|imap]] ​server knows where to find the files. By default, Courier IMAP looks in ''​Maildir''​ in the user's home directory. The Postfix default is to store incoming messages in mbox format in /​var/​spool/​mail,​ with a file for each addressee.
  
 We start out with the simplest delivery method, storing email messages in maildir format in the user's home directory: We start out with the simplest delivery method, storing email messages in maildir format in the user's home directory:
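Review bot: the new ''=== Greylisting ==='' sub-heading contains nothing but a pointer to the real Greylisting section "below", and DokuWiki builds anchor ids from heading text, so ''[[#greylisting]]'' will most likely resolve to this stub (the first heading with that text) rather than to the section it points at; either drop the stub heading or give it different text. In the sender_access part of the hunk, putting ''hash:/etc/postfix/sender_access'' first in ''smtpd_sender_restrictions'' is the right order: it is shorthand for ''check_sender_access'' and, placed before ''permit_mynetworks'', it applies the blocklist to internal hosts too, which the prose should say explicitly. The sender_access listing sits in a bare ''<code>'' block while the equivalent helo_access file earlier uses ''<code configfile>''.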
Line 136: Line 224:
 </​code>​ </​code>​
  
-TODO. Consider more featureful delivery.+Now we need some additional configuration because the ''​$MAIL''​ environment variable is still set to /​var/​spool/​mail when each user logs on, so mail clients like ''​mutt''​ will look in the wrong place. ​ The difficult to find change is made in two configurations files in the ''/​etc/​pam.d''​ directory. 
 + 
 +Edit the "''​login''"​ file to change the "''​pam_mail.so''"​ line to add 
 +"''​ noenv dir=~/​Maildir''"​ to the end so it looks like: 
 +<code rootshell>​ 
 +session ​   optional ​  ​pam_mail.so standard noenv dir=~/​Maildir 
 +</​code>​ 
 +Edit the "''​ssh''"​ file to change the "''​pam_mail.so''"​ line to replace "''​noenv''"​ with 
 +"''​dir=~/​Maildir''"​ so it looks like: 
 +<code rootshell>​ 
 +session ​   optional ​    ​pam_mail.so standard dir=~/​Maildir # [1] 
 +</​code>​ 
 + 
 +=== TODO. Consider more featureful delivery. ​===
  
 Email delivery involves passing a message out of Postfix'​s queues and to a user's inbox. There are 3 ways to configure email delivery: ''​home_mailbox'',​ ''​mail_spool_directory'',​ ''​mailbox_command'',​ or ''​mailbox_transport''​. Email delivery involves passing a message out of Postfix'​s queues and to a user's inbox. There are 3 ways to configure email delivery: ''​home_mailbox'',​ ''​mail_spool_directory'',​ ''​mailbox_command'',​ or ''​mailbox_transport''​.
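Review bot: the two pam.d edits pull in opposite directions relative to the stated goal. The ''login'' change adds ''noenv'', which tells pam_mail not to export $MAIL at all, while the ''ssh'' change removes ''noenv'' so that ssh sessions do get MAIL=~/Maildir; for console logins the login program may set $MAIL itself from /etc/login.defs, so the result should be verified with ''echo $MAIL'' after both a console and an ssh login, and the reason for the ''noenv'' on the login line should be written down. The two PAM lines are also shown in ''<code rootshell>'' blocks although they are file contents, not commands; ''<file>'' or ''<code configfile>'', as used elsewhere on the page, would be consistent.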
Line 143: Line 244:
  
 There are quite a few local delivery agent programs we could choose from: There are quite a few local delivery agent programs we could choose from:
-  * [[http://​www.courier-mta.org/​maildrop/​ | maildrop]] +  * [[http://​www.courier-mta.org/​maildrop/​|maildrop]] 
-  * [[http://​www.procmail.org/​ | procmail]] (not updated since 2001) +  * [[http://​www.procmail.org/​|procmail]] (not updated since 2001) 
-  * [[http://​deliver.sourceforge.net/​ | deliver]] (by Chip Salzenberg -- last modifed ​in 2000, no online docs) +  * [[http://​deliver.sourceforge.net/​|deliver]] (by Chip Salzenberg -- last modified ​in 2000, no online docs) 
-  * [[http://​wiki.dovecot.org/​moin.cgi/​LDA | deliver]] (from dovecot -- quota, indexes, sieve support) +  * [[http://​wiki.dovecot.org/​moin.cgi/​LDA|deliver]] (from dovecot -- quota, indexes, sieve support) 
-  * [[http://​www.gnu.org/​software/​mailutils/​ | GNU mailutils]]'​ sieve (poorly documented) +  * [[http://​www.gnu.org/​software/​mailutils/​|GNU mailutils]]'​ sieve (poorly documented) 
-  * [[http://​www.cpan.org/​authors/​id/​R/​RA/​RAM/​mailagent-3.0.73.readme | mailagent]] (not updated since 2001)+  * [[http://​www.cpan.org/​authors/​id/​R/​RA/​RAM/​mailagent-3.0.73.readme|mailagent]] (not updated since 2001)
   * Mail::Audit   * Mail::Audit
  
Line 159: Line 260:
         you    /​path/​to/​maildrop -d ${USER}         you    /​path/​to/​maildrop -d ${USER}
  
-==== Relaying ​====+===== Startup Postfix =====
  
-We need to allow our users to relay through our SMTP server. If all the users had static IP addresseswe could just list them in ''​mynetworks''​. Unfortunately,​ we have some users who have dynamic IP addresses. There are 3 ways to allow these users to send emails out through our server: +First check to ensure that the configuration files are valid(If it returns without printing anythingthen the configuration is valid.) 
-  * Use the SASL and LOGIN extensions to SMTP+<code rootshell>​ 
-  * Record the IP address of authenticated POP users, have Postfix use that list. +postfix check 
-  * Allow any sluug.org email address to send emails out.+</​code>​
  
-The first option is the "Right Thing" to do, but is hard to set up on the client and the server. The  second option is moderately easy to set up on the server, and is simple for the client to do. The third option opens us up to spammers, so it'​s ​out of the question.+Make sure that there'​s ​an ''/​etc/​aliases.db''​ file: 
 +<code rootshell>​ 
 +newaliases 
 +</​code>​
  
-We also have a list of static IPs that we allow to replay through us. These are located in ''​/​etc/​postfix/​mynetworks''​. This list of IPs was taken from Dark; we do not have any documentation on who was using them. After a few months of production use, we'll check the logs to see which are still being used, and delete the rest. We'll also try to convert all the users to authenticate via SASL/TLS instead of hard-coding their IPs.+Start the Postfix daemons: 
 +<code rootshell>​ 
 +/etc/init.d/​postfix ​start 
 +</code>
  
 +To make sure the daemons are running, you can check the process table:
 +<code bash>
 +ps auxw | grep postfix
 +</​code>​
  
 +This should show the 3 daemon processes. It should look something like this:
 +<​code>​
 +root     ​14126 ​ 0.0  0.2  3656 1328 ? Ss 22:04 0:00 /​usr/​lib/​postfix/​master
 +postfix ​ 14129  0.0  0.2  2964 1096 ? S  22:04 0:00 pickup -l -t fifo -u -c
 +postfix ​ 14130  0.0  0.2  2996 1116 ? S  22:04 0:00 qmgr -l -t fifo -u -c
 +</​code>​
  
 +===== Testing before adding other support packages =====
  
 +There are several things to test in the email system architecture.
  
 +<​html><​!-- Have to do the HTML by hand, because DokuWiki doesn'​t support block elements embedded in list items. --></​html>​
 +<​html><​ol></​html>​
  
 +<​html><​li class="​level1"><​div class="​li"></​html>​
 +Make sure Postfix'​ SMTP daemon is listening:
 +<code bash>
 +netstat -nlp | grep -E ':​25|Recv-Q'​
 +</​code>​
 +This should show the Postfix ''​master''​ process listening on port 25. In our configuration,​ it's listening on local address 0.0.0.0, which means all interfaces.
 +<​html></​div></​li></​html>​
  
 +<​html><​li class="​level1"><​div class="​li"></​html>​
 +Test connecting to port 25 on the loopback interface:
 +<code bash>
 +telnet localhost 25
 +</​code>​
 +Make sure the banner looks OK, then type ''​quit''​ to close the connection.
 +<​html></​div></​li></​html>​
  
 +<​html><​li class="​level1"><​div class="​li"></​html>​
 +Test connecting to port 25 on the loopback interface:
 +<​code>​
 +telnet localhost 25 <<EOF
 +helo hostname
 +mail from: <​xyz@x.y>​
 +rcpt to: root@sluug.org
 +data
 +Subject: Test outgoing mail
 +Hello.
 +.
 +quit
 +EOF
 +</​code>​
 +Make sure it's delivered. Check ''/​var/​log/​mail.log''​ and ''/​root/​Maildir/​new/''​. (Also check /​etc/​aliases to see if mail for root gets delivered somewhere else.) Each message will be in a separate file. Since this is the first message, there should only be one file in the directory. Look at the content of the file to check that the headers and content look right. (If we weren'​t using Maildir, the default delivery would be a file in ''/​var/​spool/​mail''​.)
 +<​html></​div></​li></​html>​
  
 +<​html><​li class="​level1"><​div class="​li"></​html>​
 +Test that you can send an email from an outside address to a local address. ​ Caution, if you have already enabled [[#​greylisting|Greylisting]],​ the message should be delayed.
 +<​html></​div></​li></​html>​
  
 +<​html><​li class="​level1"><​div class="​li"></​html>​
 +Test that you can send email out to the Internet:
 +<​code>​
 +sendmail your_email@address.com <<EOF
 +Subject: Testing outbound email.
  
 +This is a test.
 +EOF
 +</​code>​
 +Make sure it's delivered. Check ''/​var/​log/​mail.log''​
 +<​html></​div></​li></​html>​
  
  
 +<​html></​ol></​html>​
  
  
 +  - Test that Postfix'​ SMTP daemon understands the STARTTLS and AUTH extensions.
 +  - Test that the SMTP banner is correct. (Meets RFC requirements,​ but doesn'​t tell too much about us.)
 +  - Test that the MX records point to the correct system.
 +  - Test that you can send an email locally.
 +  - Test all the domains we handle email for.
 +
 +===== Relaying =====
 +
 +We need to allow our users to relay through our SMTP server. If all the users had static IP addresses, we could just list them in ''​mynetworks''​. Unfortunately,​ we have some users who have dynamic IP addresses. There are 3 ways to allow these users to send emails out through our server:
 +  * Use the SASL and LOGIN extensions to SMTP.
 +  * Record the IP address of authenticated POP users, have Postfix use that list.
 +  * Allow any sluug.org email address to send emails out.
 +
 +The first option is the "Right Thing" to do, but is hard to set up on the client and the server. The  second option is moderately easy to set up on the server, and is simple for the client to do. The third option opens us up to spammers, so it's out of the question.
 +
 +We also have a list of static IPs that we allow to replay through us. These are located in ''/​etc/​postfix/​mynetworks''​. This list of IPs was taken from Dark; we do not have any documentation on who was using them. After a few months of production use, we'll check the logs to see which are still being used, and delete the rest. We'll also try to convert all the users to authenticate via SASL/TLS instead of hard-coding their IPs.
  
  
 ==== SMTP Security Extensions (STARTTLS and SASL) ==== ==== SMTP Security Extensions (STARTTLS and SASL) ====
 +
 +Do the [[security|"​Security"​ procedure]] first, if not already done, since you need [[http://​www.openssl.org/​|OpenSSL]] and the postfix certificate for testing.
  
 Most of this was stolen from [[http://​www.jimmy.co.at/​weblog/?​p=52|Jimmys Weblog - Postfix and SASL]] and [[http://​www.nervous.it/​txt/​Postfix-SMTP-AUTH-4-DUMMIES.html|Postfix SMTP-AUTH 4 DUMMIES]]. I admit to blatant cut 'n paste. Most of this was stolen from [[http://​www.jimmy.co.at/​weblog/?​p=52|Jimmys Weblog - Postfix and SASL]] and [[http://​www.nervous.it/​txt/​Postfix-SMTP-AUTH-4-DUMMIES.html|Postfix SMTP-AUTH 4 DUMMIES]]. I admit to blatant cut 'n paste.
  
-===required packges=== +=== Required Packages ​=== 
-First install ​postfix-tls ​and sasl librarys required for postfix+First install ​some prerequisites that are required to get TLS/​SSL ​and SASL working with Postfix.
 <code rootshell>​ <code rootshell>​
-apt-get install ​postfix-tls sasl2-bin libsasl2 libsasl2-modules+apt-get install ​openssl ssl-cert ca-certificates 
 +apt-get install ​sasl2-bin libsasl2 libsasl2-modules 
 +apt-get install postfix-tls
 </​code>​ </​code>​
  
-===saslauthd===+Next, you'll need to create the SSL certificates. We've not documented this part well, but this might do the trick: 
 +<code rootshell>​ 
 +openssl -gencert postfix 
 +</​code>​ 
 + 
 + 
 + 
 +=== saslauthd ===
 Edit ''/​etc/​default/​saslauthd''​ to enable SASL and ensure we're using PAM: Edit ''/​etc/​default/​saslauthd''​ to enable SASL and ensure we're using PAM:
 <​file>​ <​file>​
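Review bot: ''openssl -gencert postfix'' in the "Required Packages" part of this hunk is not an OpenSSL invocation (openssl takes a subcommand such as ''req'' or ''x509'' and has no ''-gencert'' option), so "this might do the trick" is optimistic. The ssl-cert package installed two lines earlier ships ''make-ssl-cert'', which produces a self-signed certificate; whichever route is chosen, the output has to land at /etc/ssl/postfix.crt and /etc/ssl/private/postfix.key, the paths the TLS hunk later configures, and that should be stated here. In the testing list, feeding ''telnet localhost 25'' from a heredoc sends every command before the server has answered, which is exactly what ''reject_unauth_pipelining'' in ''smtpd_helo_restrictions'' rejects; it passes only because 127.0.0.1 matches ''permit_mynetworks'' first, and the unresolvable ''<xyz@x.y>'' sender passes for the same reason, so the same script will fail from any host outside mynetworks. The second and third list items both say "Test connecting to port 25 on the loopback interface" although the third sends a message; "Send a test message locally" would distinguish them. Minor: "replay through us" in the Relaying section should be "relay".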
Line 203: Line 395:
 </​file>​ </​file>​
  
-===smtpd.conf===+=== smtpd.conf ===
 Create ''/​etc/​postfix/​sasl/​smtpd.conf''​ and tell it to use ''​saslauthd''​ for SMTP authentication:​ Create ''/​etc/​postfix/​sasl/​smtpd.conf''​ and tell it to use ''​saslauthd''​ for SMTP authentication:​
-<code rootshell+<file
-echo 'pwcheck_method:​ saslauthd' >> /​etc/​postfix/​sasl/​smtpd.conf +pwcheck_method:​ saslauthd 
-</code>+mech_list: PLAIN LOGIN 
 +</file>
  
-===main.cf=== +=== main.cf === 
-Add SASL configuration directives to ''/​etc/​postfix/​main.cf''​ by using ''​postconf -e''​+Add SASL configuration directives to the Postfix configuration:​
 <code rootshell>​ <code rootshell>​
 postconf -e '​smtpd_sasl_auth_enable=yes'​ postconf -e '​smtpd_sasl_auth_enable=yes'​
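Review bot: ''mech_list: PLAIN LOGIN'' in the new smtpd.conf is the right list for a saslauthd/PAM setup, since saslauthd can only verify plaintext passwords (the CRAM-MD5 and NTLM failures in the Debugging log removed at the end of this diff were attempts at mechanisms that need a sasldb secret), but it means the client's password crosses the wire in the clear unless TLS is enforced; the ''smtpd_tls_auth_only=yes'' set in the next hunk is what makes this safe, and that dependency should be stated next to the ''mech_list'' line.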
Line 218: Line 411:
 </​code>​ </​code>​
  
-To enable TLS SMTP authentication,​ add these options ​to ''/​etc/​postfix/​main.cf''​:+To enable TLS SMTP authentication,​ add these options:
 <code rootshell>​ <code rootshell>​
 postconf -e '​smtpd_use_tls=yes'​ postconf -e '​smtpd_use_tls=yes'​
-postconf -e '​smtpd_tls_auth_only=yes'​[[Internal Link]]+postconf -e '​smtpd_tls_auth_only=yes'​
 postconf -e '​smtp_tls_cert_file=/​etc/​ssl/​postfix.crt'​ postconf -e '​smtp_tls_cert_file=/​etc/​ssl/​postfix.crt'​
 postconf -e '​smtp_tls_key_file=/​etc/​ssl/​private/​postfix.key'​ postconf -e '​smtp_tls_key_file=/​etc/​ssl/​private/​postfix.key'​
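Review bot: ''smtp_tls_cert_file'' and ''smtp_tls_key_file'' configure the Postfix SMTP client (outbound connections); the parameters the smtpd server uses to present a certificate when offering STARTTLS are ''smtpd_tls_cert_file'' and ''smtpd_tls_key_file''. As written, ''smtpd_use_tls=yes'' enables STARTTLS with no server certificate, so the "understands the STARTTLS and AUTH extensions" test in the testing list would fail and clients could never reach the AUTH step that ''smtpd_tls_auth_only=yes'' gates. Add the ''smtpd_'' variants (the ''smtp_'' ones can stay if outbound TLS is wanted too). ''smtpd_use_tls'' is also the pre-2.3 spelling of ''smtpd_tls_security_level=may''; both work, but the newer form is worth a mention. Good catch removing the stray ''[[Internal Link]]''.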
Line 229: Line 422:
  
 ===master.cf=== ===master.cf===
-Add or open the following lines in /​etc/​postfix/​master.cf to allow smtps via port 465.+Add or uncomment ​the following lines in /​etc/​postfix/​master.cf to allow SMTPS via port 465.
 <​file>​ <​file>​
 # Turn smtps on for port 465 # Turn smtps on for port 465
Line 239: Line 432:
  
 ===shorewall=== ===shorewall===
-Add the following line to **/​etc/​shorewall/​rules** to open the smtps port in shorewall+Add the following line to **/​etc/​shorewall/​rules** to open the SMTPS port in Shorewall
 <​file>​ <​file>​
 ACCEPT ​ net     ​$FW ​    tcp 465 ACCEPT ​ net     ​$FW ​    tcp 465
 </​file>​ </​file>​
  
-Then restart ​shorewall+Then restart ​Shorewall:
 <​code>​ <​code>​
 /​etc/​init.d/​shorewall restart /​etc/​init.d/​shorewall restart
 </​code>​ </​code>​
  
-===groups=== +See the [[Firewall|"​Firewall"​ procedure]] for more information.
-We need to add ''​postfix''​ to the ''​sasl''​ group so the Postfix programs can read the SASL files. +
-<code rootuser>​ +
-chgrp sasl /​var/​spool/​postfix/​var/​run/​saslauthd +
-adduser postfix sasl +
-</​code>​+
  
 ===chroot=== ===chroot===
Line 264: Line 452:
 </​code>​ </​code>​
  
-===restart and test=== +And move the SASL database to the ''​etc''​ directory of the chrooted environment. ​ See the "​unable to open Berkeley db /​etc/​sasldb2"​ section below for more details. ​ The rest of the ''​etc''​ directory is filled in when postfix ​is started using the ''/​etc/​init.d/​postfix''​ script. 
-Check postfix ​configuration +<​code ​rootshell
-<​code>​ +cd /​var/​spool/​postfix/​etc 
-postfix ​check+cp -p /​etc/​sasldb2 . 
 +mv /​etc/​sasldb2 /​etc/​sasldb2.`date +%F` 
 +ln -s /var/spool/postfix/​etc/​sasldb2 /​etc/​sasldb2
 </​code>​ </​code>​
  
-If all is well restart ​postfix ​and watch the log +===groups=== 
-<​code>​ +We need to add ''​postfix''​ to the ''​sasl''​ group so the Postfix programs can read the SASL files. 
-postfix ​reload ; tail -f /var/log/mail.log+<​code ​rootuser
 +chgrp sasl /var/spool/postfix/​var/​run/saslauthd 
 +adduser postfix sasl
 </​code>​ </​code>​
  
-=== Debugging ​===+===restart and test===
  
-After the above instructions and restarting postfix with "​postfix reload"​ added bud.sluug.org as an "​Outgoing Server (SMTP)"​ in Thunderbird. I set it use Authentication.+Start ''​saslauthd''​ if not done already. 
 +<​code>/​etc/​init.d/saslauthd start</​code>​
  
-{{build:​tbird_sluug_ssl_465.png|Text after picture?​}} +Check postfix configuration
- +
-This gave me these errors:+
 <​code>​ <​code>​
-Jul 25 13:46:11 bud postfix/​smtpd[6842]:​ warning: SASL authentication problem: unable to open Berkeley db /​etc/​sasldb2:​ No such file or directory +postfix ​check
-Jul 25 13:46:11 bud postfix/​smtpd[6842]:​ warning: SASL authentication problem: unable to open Berkeley db /​etc/​sasldb2:​ No such file or directory +
-Jul 25 13:46:11 bud postfix/​smtpd[6842]:​ warning: SASL authentication failure: no secret in database +
-Jul 25 13:46:11 bud postfix/​smtpd[6842]:​ warning: unknown[206.197.251.70]:​ SASL CRAM-MD5 authentication failed: authentication failure +
-Jul 25 13:46:11 bud postfix/​smtpd[6842]:​ warning: SASL authentication problem: unable to open Berkeley db /​etc/​sasldb2:​ No such file or directory +
-Jul 25 13:46:11 bud postfix/​smtpd[6842]:​ warning: SASL authentication problem: unable to open Berkeley db /​etc/​sasldb2:​ No such file or directory +
-Jul 25 13:46:11 bud postfix/​smtpd[6842]:​ warning: SASL authentication failure: no secret in database +
-Jul 25 13:46:11 bud postfix/​smtpd[6842]:​ warning: unknown[206.197.251.70]:​ SASL NTLM authentication failed: authentication failure +
-Jul 25 13:46:11 bud postfix/​smtpd[6842]:​ warning: SASL authentication problem: unable to open Berkeley db /​etc/​sasldb2:​ No such file or directory +
-Jul 25 13:46:11 bud postfix/​smtpd[6842]:​ warning: SASL authentication problem: unable to open Berkeley db /​etc/​sasldb2:​ No such file or directory +
-Jul 25 13:46:11 bud postfix/​smtpd[6842]:​ warning: SASL authentication failure: cannot connect to saslauthd server: No such file or directory +
-Jul 25 13:46:11 bud postfix/​smtpd[6842]:​ warning: SASL authentication failure: Password verification failed +
-Jul 25 13:46:11 bud postfix/​smtpd[6842]:​ warning: unknown[206.197.251.70]:​ SASL PLAIN authentication failed: generic failure +
-Jul 25 13:46:11 bud postfix/​smtpd[6842]:​ warning: SASL authentication problem: unable to open Berkeley db /​etc/​sasldb2:​ No such file or directory +
-Jul 25 13:46:11 bud postfix/​smtpd[6842]:​ warning: SASL authentication problem: unable to open Berkeley db /​etc/​sasldb2:​ No such file or directory +
-Jul 25 13:46:11 bud postfix/​smtpd[6842]:​ warning: SASL authentication failure: cannot connect to saslauthd server: No such file or directory +
-Jul 25 13:46:11 bud postfix/​smtpd[6842]:​ warning: unknown[206.197.251.70]:​ SASL LOGIN authentication failed: generic failure +
-Jul 25 13:46:14 bud postfix/​smtpd[6842]:​ lost connection after AUTH from unknown[206.197.251.70]+
 </​code>​ </​code>​
- ​Seeing "​unable to open Berkeley db /​etc/​sasldb2"​ shows that it is unable to reach the database at /etc/sasldb from the chroot jail. 
  
 +If all is well restart postfix and watch the log
 <​code>​ <​code>​
-  cd /var/spool/postfix/etc +postfix ​reload ; tail -/var/log/mail.log
-  cp -p /​etc/​sasldb2 . +
-  mv /​etc/​sasldb2 /​etc/​sasldb2.`date +%F` +
-  ln -s /var/spool/​postfix/​etc/sasldb2 ​.+
 </​code>​ </​code>​
  
-This removed that error. Retrying brougt ​the errors down to: +If the reload command, if it fails with "''​the Postfix mail system is not running''",​ then it was never started ​in the first place ​Don'​t start with "''​postfix ​start''"​ since this doesn'​t create the files needed ​in the chrotted environment
-<​code>​ +<code rootshell>​ 
-Jul 25 13:50:40 bud postfix/​smtpd[6845]:​ warning: SASL authentication failure: no secret ​in database +/etc/init.d/​postfix ​start
-Jul 25 13:50:40 bud postfix/​smtpd[6845]:​ warning: unknown[206.197.251.70]:​ SASL CRAM-MD5 authentication failed: authentication failure +
-Jul 25 13:50:40 bud postfix/​smtpd[6845]:​ warning: SASL authentication failure: no secret ​in database +
-Jul 25 13:50:40 bud postfix/​smtpd[6845]:​ warning: unknown[206.197.251.70]:​ SASL NTLM authentication failed: authentication failure +
-Jul 25 13:50:40 bud postfix/​smtpd[6845]:​ warning: SASL authentication failure: cannot connect to saslauthd server: No such file or directory +
-Jul 25 13:50:40 bud postfix/smtpd[6845]:​ warning: SASL authentication failure: Password verification failed +
-Jul 25 13:50:40 bud postfix/smtpd[6845]:​ warning: unknown[206.197.251.70]:​ SASL PLAIN authentication failed: generic failure +
-Jul 25 13:50:40 bud postfix/smtpd[6845]:​ warning: SASL authentication failure: cannot connect to saslauthd server: No such file or directory +
-Jul 25 13:50:40 bud postfix/​smtpd[6845]:​ warning: unknown[206.197.251.70]:​ SASL LOGIN authentication failed: generic failure+
 </​code>​ </​code>​
  
-Found this while googling. It said to look for state_dir and make sure either Postfix or saslauthd can access the directory to meet at the place where saslauthd wants to create the socket. :+Test the connection and check for TLS reply
 <​code>​ <​code>​
-bud:/​var/​spool/​postfix#​ saslauthd -d -a shadow +telnet ​bud.sluug.org 25 
-saslauthd[7579] :main            : num_procs ​ : 5 +Trying 206.196.99.162... 
-saslauthd[7579] :main            : mech_option:​ NULL +Connected to bud.sluug.org
-saslauthd[7579] :main            : run_path ​  : /​var/​run/​saslauthd +Escape character ​is '^]'. 
-saslauthd[7579] :main            : auth_mech ​ : shadow +220 bud.sluug.org ESMTP Postfix 
-saslauthd[7579] :​ipc_init ​       : using accept lock file: /​var/​run/​saslauthd/​mux.accept +helo example.com 
-saslauthd[7579] :​detach_tty ​     : master pid is: 0 +250 bud.sluug.org 
-saslauthd[7579:​ipc_init ​       : listening on socket: /​var/​run/​saslauthd/​mux +starttls 
-saslauthd[7579] :main            : using process model +220 2.0.0 Ready to start TLS 
-saslauthd[7580] :​get_accept_lock : acquired accept lock +exit
-saslauthd[7579] :​have_baby ​      : forked child: 7580 +
-saslauthd[7579] :​have_baby ​      : forked child: 7581 +
-saslauthd[7579] :​have_baby ​      : forked child: 7582 +
-saslauthd[7579] :​have_baby ​      : forked child: 7583+
 </​code>​ </​code>​
  
-Since there was no stat_dir I looked for the socket at /​var/​run/​saslauthd/​mux and it was there until the CLI run process was killed. So I thought I should check to see if saslauthd was still running. Running ps ax | grep "​sasl"​ came up empty. I restarted sasl with  +==== POP-before-SMTP authorization ====
-<​code>/​etc/​init.d/​saslauthd start"</​code>​ +
-And all was fine with the world.+
  
 +TODO. The [[http://​www.postfix.org/​faq.html#​mobile|Postfix FAQ]] has some info on how to accomplish this, at least what needs to be configured on the Postfix side. Check Google for more info.
  
 +===== Virtual Domains =====
  
-==== POP-before-SMTP authorization ==== +For secondary (not the main mail server) systems, you probably don't have any virtual domains ​to define, so you should just skip this section. ​ It can be done later if the need arises.
- +
-TODO. The [[http://​www.postfix.org/​faq.html#​mobile | Postfix FAQ]] has some info on how to accomplish ​this, at least what needs to be configured on the Postfix side. Check Google for more info. +
- +
-==== Virtual Domains ====+
  
 We have several domains, with some forwarded to external addresses and some to local users. We decided to go with virtual alias maps, since all the local recipients currently have local system accounts. The other option would be virtual mailbox maps. This is best for situations where you don't have a UNIX system account for each recipient. Instead of mapping to a user name, recipients are mapped to mailbox files on the filesystem. Large ISPs tend to use this. The 2 methods can also be used at the same time, with some recipients mapping to a local user and some to a local file. We have several domains, with some forwarded to external addresses and some to local users. We decided to go with virtual alias maps, since all the local recipients currently have local system accounts. The other option would be virtual mailbox maps. This is best for situations where you don't have a UNIX system account for each recipient. Instead of mapping to a user name, recipients are mapped to mailbox files on the filesystem. Large ISPs tend to use this. The 2 methods can also be used at the same time, with some recipients mapping to a local user and some to a local file.
  
-You should probably read and understand [[http://​www.postfix.org/​VIRTUAL_README.html | /​usr/​share/​doc/​postfix/​VIRTUAL_README.gz]] before messing with virtual domains.+You should probably read and understand [[http://​www.postfix.org/​VIRTUAL_README.html|/​usr/​share/​doc/​postfix/​VIRTUAL_README.gz]] before messing with virtual domains.
  
 <code rootshell>​ <code rootshell>​
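Review bot: the STARTTLS probe on the telnet lines only proves that the server answers `220 2.0.0 Ready to start TLS`; after that reply the server expects a TLS handshake, so the plaintext `exit` that follows just makes it drop the connection, and nothing about the certificate or the cipher is verified. Suggest adding `openssl s_client -starttls smtp -connect bud.sluug.org:25` as the real check, since it completes the handshake and shows the certificate chain presented, which is what the SSL Key Generation steps later on the page are meant to produce. Smaller points in the same region: "chrotted environment" should read "chrooted environment", the sentence "If the reload command, if it fails" doubles the "if", and "Don't start with postfix start since this doesn't create the files needed" would be more useful if it said where those files live (the chroot's `/var/spool/postfix/etc`, which the Debugging section below relies on) so a reader can confirm the init script populated it.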
Line 395: Line 550:
 We could even go as far as to dissociate all email accounts from UNIX accounts. However, we have a lot of UNIX users who like to read their email directly, so it's not clear that this would make sense. We could even go as far as to dissociate all email accounts from UNIX accounts. However, we have a lot of UNIX users who like to read their email directly, so it's not clear that this would make sense.
  
-Note that virtual mailboxes also make it trickier to specify the location of the maildir in the IMAP configuration file.+Note that virtual mailboxes also make it trickier to specify the location of the maildir in the [[IMAP|imap]] ​configuration file.
  
 Using virtual mailboxes might make it easier to put users on a separate system from the email server. I.e. we would not have any user accounts on the email server. Using virtual mailboxes might make it easier to put users on a separate system from the email server. I.e. we would not have any user accounts on the email server.
- 
  
 ===== Greylisting ===== ===== Greylisting =====
Line 406: Line 560:
 Postgrey is a greylisting program built with Perl that works well with Postfix. Postgrey is a greylisting program built with Perl that works well with Postfix.
  
-First, install the Postgrey package and its prerequisites.+First, install the Postgrey package and its prerequisites.  This will install extra packages if not already installed: ''​libberkeleydb-perl'',​ ''​libdigest-hmac-perl'',​ ''​libio-multiplex-perl'',​ ''​libnet-cidr-perl'',​ ''​libnet-dns-perl'',​ ''​libnet-ip-perl'',​ and ''​libnet-server-perl''​.
 <code rootshell>​ <code rootshell>​
 apt-get install -y postgrey apt-get install -y postgrey
Line 412: Line 566:
  
 Edit ''/​etc/​default/​postgrey''​ to tune some parameters in ''​POSTGREY_OPTS'':​ Edit ''/​etc/​default/​postgrey''​ to tune some parameters in ''​POSTGREY_OPTS'':​
 +<code rootshell>​
 POSTGREY_OPTS="​--inet=127.0.0.1:​60000 --delay=90 --auto-whitelist-clients=3 --max-age=60"​ POSTGREY_OPTS="​--inet=127.0.0.1:​60000 --delay=90 --auto-whitelist-clients=3 --max-age=60"​
 +</​code>​
  
-You can add lines to ''/​etc/​postgrey/​whitelist_clients.local''​ and ''/​etc/​postgrey/​whitelist_recipients.local''​ if necessary. Check the non-local versions for syntax.+You can create and/​or ​add lines to ''/​etc/​postgrey/​whitelist_clients.local''​ and ''/​etc/​postgrey/​whitelist_recipients.local''​ if necessary. Check the non-local versions for syntax
 +<code rootshell>​ 
 +cat >> /​etc/​postgrey/​whitelist_clients.local << '​EOD'​ 
 +# Client (sender) addresses for which no greylisting should be done. 
 +# The following can be specified for client addresses:​ 
 +#   ​domain.addr ​ "​domain.addr"​ domain and subdomains. 
 +#   ​IP1.IP2.IP3.IP4 
 +#       IP address IP1.IP2.IP3.IP4. You can also leave off one number, 
 +#       in which case only the first specified numbers will be checked. 
 +#   /​regexp/ ​    ​anything that matches "​regexp"​ (the full address is matched).
  
-Start the postgrey daemon:+# SLUUG servers: 
 +128.252.19.8 ​  # michelob 
 +128.252.19.9 ​  # dark 
 +128.252.19.27 ​ # webdev 
 +206.196.99.162 # bud 
 +206.196.99.163 # budlight 
 +206.196.99.164 # ultra 
 +206.196.99.165 # busch 
 + 
 +# Others per request or as needed: 
 +EOD 
 +</​code>​ 
 +<code rootshell>​ 
 +cat >> /​etc/​postgrey/​whitelist_recipients.local << '​EOD'​ 
 +# Recipient addresses for which no greylisting should be done. 
 +# The following can be specified for recipient addresses:​ 
 +#      domain.addr ​       "​domain.addr"​ domain and subdomains. 
 +#      name@              "​name@.*"​ and extended addresses "​name+blabla@.*"​. 
 +#      name@domain.addr ​  "​name@domain.addr"​ and extended addresses. 
 + 
 +# Others per request or as needed: 
 +EOD 
 +</​code>​ 
 + 
 +The installation of postgrey should have started it, but want to retart ​the postgrey daemon ​to pick up the changes:
 <code rootshell>​ <code rootshell>​
 /​etc/​init.d/​postgrey restart /​etc/​init.d/​postgrey restart
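Review bot: the two `cat >> ... << 'EOD'` blocks append on every run, so repeating the procedure duplicates the whitelist entries and their comment headers; write with `>` when creating the file, or guard the step with a check that the `.local` file does not yet exist. In the same hunk, `POSTGREY_OPTS=...` is wrapped in `<code rootshell>`, which presents it as a command to type, while it is a line to edit into `/etc/default/postgrey`; the `<file>` block used for the log excerpts further down fits better. "but want to retart the postgrey daemon" should read "but we want to restart the postgrey daemon". One point for whoever maintains the list: every address in `whitelist_clients.local` is exempted from greylisting entirely, so the hostname comments beside each IP are worth keeping accurate, and the list should be pruned when a host is retired or renumbered rather than left to accumulate.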
Line 429: Line 618:
 </​code>​ </​code>​
  
-===== Startup ​=====+===== And Much More =====
  
-First check to ensure that the configuration files are valid. (If it returns without printing anything, then the configuration is valid.) +Additional mail configuration is in pages for [[spam|SpamAssassin]][[imap|IMAP]], and [[lists|Mailing Lists]].
-<code rootshell>​ +
-postfix check +
-</​code>​ +
- +
-Make sure that there'​s an ''/​etc/​aliases.db''​ file: +
-<code rootshell>​ +
-newaliases +
-</​code>​ +
- +
-Start the Postfix daemons: +
-<code rootshell>​ +
-/​etc/​init.d/​postfix start +
-</​code>​ +
- +
-To make sure the daemons are running, you can check the process table: +
-<code bash> +
-ps auxw grep postfix +
-</​code>​ +
- +
-This should show the 3 daemon processes. It should look something like this: +
-<​code>​ +
-root     ​14126 ​ 0.0  0.2  3656 1328 ? Ss 22:04 0:00 /​usr/​lib/​postfix/​master +
-postfix ​ 14129  0.0  0.2  2964 1096 ? S  22:04 0:00 pickup -l -t fifo -u -c +
-postfix ​ 14130  0.0  0.2  2996 1116 ? S  22:04 0:00 qmgr -l -t fifo -u -c +
-</​code>​ +
- +
-===== Testing ===== +
- +
-There are several things to test in the email system architecture. +
- +
-<​html><​!-- Have to do the HTML by handbecause DokuWiki doesn'​t suppport block elements embedded in list items. --></​html>​ +
-<​html><​ol></​html>​ +
- +
-<​html><​li class="​level1"><​div class="​li"></​html>​ +
-Make sure Postfix'​ SMTP daemon is listening:​ +
-<code bash> +
-netstat -nlp grep -E ':​25|Recv-Q'​ +
-</​code>​ +
-This should show the Postfix ''​master''​ process listening on port 25. In our configurationit's listening on local address 0.0.0.0, which means all interfaces. +
-<​html></​div></​li></​html>​ +
- +
-<​html><​li class="​level1"><​div class="​li"></​html>​ +
-Test connecting to port 25 on the loopback interface:​ +
-<code bash> +
-telnet localhost 25 +
-</​code>​ +
-Make sure the banner looks OK, then type ''​quit''​ to close the connection. +
-<​html></​div></​li></​html>​ +
- +
-<​html><​li class="​level1"><​div class="​li"></​html>​ +
-Test connecting to port 25 on the loopback interface:​ +
-<​code>​ +
-telnet localhost 25 <<​EOF +
-helo hostname +
-mail from: xyz@x.y +
-rcpt to: root@sluug.org +
-data +
-Hello. +
-+
-quit +
-EOF +
-</​code>​ +
-Make sure it's delivered. Check ''/​var/​log/​mail.log'' ​and ''/​root/​Maildir/​new/''​. (Also check /​etc/​aliases to see if mail for root gets delivered somewhere else.) Each message will be in a separate file. Since this is the first message, there should only be one file in the directory. Look at the content of the file to check that the headers and content look right. (If we weren'​t using Maildir, the default delivery would be a file in ''/​var/​spool/​mail''​.) +
-<​html></​div></​li></​html>​ +
- +
-<​html><​li class="​level1"><​div class="​li"></​html>​ +
-Test that you can send an email from an outside address to a local address. +
-<​html></​div></​li></​html>​ +
- +
-<​html><​li class="​level1"><​div class="​li"></​html>​ +
-Test that you can send email out to the Internet: +
-<​code>​ +
-sendmail your_email@address.com <<​EOF +
-Subject: Testing outbound email. +
- +
-This is a test. +
-EOF +
-</​code>​ +
-Make sure it's delivered. Check ''/​var/​log/​mail.log''​ +
-<​html></​div></​li></​html>​ +
- +
- +
-<​html></​ol></​html>​ +
- +
- +
-  - Test that Postfix'​ SMTP daemon understands the STARTTLS and AUTH extensions. +
-  - Test that the SMTP banner is correct. (Meets RFC requirements,​ but doesn'​t tell too much about us.) +
-  - Test that the MX records point to the correct system. +
-  - Test that you can send an email locally. +
-  - Test all the domains we handle email for.+
  
 ===== Notes ===== ===== Notes =====
  
 The ''​mynetworks''​ setting is specific to our IP addresses assigned by Primary Networks and Washington University. The ''​mynetworks''​ setting is specific to our IP addresses assigned by Primary Networks and Washington University.
- 
-We may need to set relayhost, if our ISP doesn'​t allow outbound email, except through their SMTP server. (I.e. if they block port 25 outbound.) 
  
 To completely wipe away the installation and configuration:​ To completely wipe away the installation and configuration:​
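Review bot: replacing the Startup and Testing sections with the three-link "And Much More" section drops the test checklist (STARTTLS and AUTH extensions, an SMTP banner that meets the RFC but does not reveal too much, MX records, every handled domain, inbound from outside and outbound to the Internet) without it reappearing anywhere in this diff; `postfix check`, the init-script start and the telnet STARTTLS probe did move up, but the `netstat -nlp` listener check and the `newaliases` step did not. The TODO item "Run through all the tests" further down still refers to these tests, so either restore the checklist in the new location or update that TODO. If the section is reinstated, note that the `ps auxw grep postfix` and `netstat -nlp grep -E ':25|Recv-Q'` lines have lost their pipe characters and should read `ps auxw | grep postfix` and `netstat -nlp | grep -E ':25|Recv-Q'`. The removed Notes line about `relayhost` (needed if the ISP blocks outbound port 25) is also gone without a replacement and is worth a sentence stating it is not required.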
Line 535: Line 632:
 Note that this does not remove the dependencies,​ and leaves APT dependency tree invalid. So you really should re-install the package as soon as possible. Note that this does not remove the dependencies,​ and leaves APT dependency tree invalid. So you really should re-install the package as soon as possible.
  
-The [[http://​www.postfix.org/​ | Postfix web site]] has a lot of [[http://​www.postfix.org/​documentation.html | good documentation]].+The [[http://​www.postfix.org/​|Postfix web site]] has a lot of [[http://​www.postfix.org/​documentation.html|good documentation]].
  
 The Debian install is chrooted by default. The Debian install is chrooted by default.
Line 543: Line 640:
 To get a list of all the default configuration options, run ''​postconf -d''​. To get a list of all the default configuration options, run ''​postconf -d''​.
  
-The woodlandchows.com and cab3.dyndns.org domains are currently NOT virutal ​domains, as we're not sure how they should be set up. So their email will go to the user that is specified in the address. I.e. xyz@woodlandchows.com would go to the same recipient as xyz@sluug.org.+The woodlandchows.com and cab3.dyndns.org domains are currently NOT virtual ​domains, as we're not sure how they should be set up. So their email will go to the user that is specified in the address. I.e. xyz@woodlandchows.com would go to the same recipient as xyz@sluug.org.
  
 Ed Wehner says that we don't need to keep the ''​stlk9info.net''​ or ''​westinnkennels.com''​ domains. Ed Wehner says that we don't need to keep the ''​stlk9info.net''​ or ''​westinnkennels.com''​ domains.
- 
  
 ===== TODO ===== ===== TODO =====
 +
   * Once we flip the switch and have the sluug.org MX record point to Bud, we can remove the test.sluug.org from mydomains and from DNS.   * Once we flip the switch and have the sluug.org MX record point to Bud, we can remove the test.sluug.org from mydomains and from DNS.
-  * Once we've migrated all email delivery off of Michelob, we should add ''​mail.sluug.org''​ to ''​mydestination''​. 
   * Run through all the tests. (And develop more/better tests.)   * Run through all the tests. (And develop more/better tests.)
   * Add virtual mailboxes. (Mail accounts that don't require a real user account.)   * Add virtual mailboxes. (Mail accounts that don't require a real user account.)
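Review bot: the TODO "Once we've migrated all email delivery off of Michelob, we should add mail.sluug.org to mydestination" is deleted with no record of whether it was done or abandoned; since `mydestination` is what decides which domains this Postfix treats as local, the outcome should be written into the Notes section (or the item kept) so the next admin does not have to rediscover it. The `virutal` to `virtual` fix in the Notes paragraph is fine.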
Line 561: Line 657:
   * Take a look at setting ''​debug_peer_list''​.   * Take a look at setting ''​debug_peer_list''​.
   * Set aliases for ''​postmaster'',​ ''​root'',​ ''​logcheck'',​ ''​www-data'',​ etc.   * Set aliases for ''​postmaster'',​ ''​root'',​ ''​logcheck'',​ ''​www-data'',​ etc.
 +
 +===== Credits =====
 +
 +Installed and configured primarily by Jeff Muse and Craig Buchek. SASL/TLS configuration by Carl Fitch.
 +
 +We used documentation from the following locations to help us configure our installation:​
 +  * http://​workaround.org/​articles/​ispmail-sarge
 +  * Front-end TLS/​SMTP-AUTH configuration based on the [[http://​www.falkotimme.com/​howtos/​postfix_smtp_auth_tls/​index.php|Postfix-SMTP-AUTH-TLS-Howto]]
 +  * Back-end configuration (OLD delivery to Cyrus) based on the [[http://​www.faqs.org/​docs/​Linux-HOWTO/​Postfix-Cyrus-Web-cyradm-HOWTO.html#​POSTFIX-CONFIG|Postfix-Cyrus-Web-cyradm-HOWTO]]
 +
 +Configured Postgrey per documentation at HowtoForge:
 +  * [[http://​www.howtoforge.com/​greylisting_postfix_postgrey|Killing That Spam With Postgrey And Postfix]]
 +
 +===== Comments =====
 +
 +==== Debugging ====
 +
 +After the above instructions and restarting postfix with "​postfix reload"​ added bud.sluug.org as an "​Outgoing Server (SMTP)"​ in Thunderbird. I set it use Authentication.
 +
 +{{build:​tbird_sluug_ssl_465.png|Text after picture?}}
 +
 +This gave me these errors:
 +<​file>​
 +Jul 25 13:46:11 bud postfix/​smtpd[6842]:​ warning: SASL authentication problem: unable to open Berkeley db /​etc/​sasldb2:​ No such file or directory
 +Jul 25 13:46:11 bud postfix/​smtpd[6842]:​ warning: SASL authentication problem: unable to open Berkeley db /​etc/​sasldb2:​ No such file or directory
 +Jul 25 13:46:11 bud postfix/​smtpd[6842]:​ warning: SASL authentication failure: no secret in database
 +Jul 25 13:46:11 bud postfix/​smtpd[6842]:​ warning: unknown[206.197.251.70]:​ SASL CRAM-MD5 authentication failed: authentication failure
 +Jul 25 13:46:11 bud postfix/​smtpd[6842]:​ warning: SASL authentication problem: unable to open Berkeley db /​etc/​sasldb2:​ No such file or directory
 +Jul 25 13:46:11 bud postfix/​smtpd[6842]:​ warning: SASL authentication problem: unable to open Berkeley db /​etc/​sasldb2:​ No such file or directory
 +Jul 25 13:46:11 bud postfix/​smtpd[6842]:​ warning: SASL authentication failure: no secret in database
 +Jul 25 13:46:11 bud postfix/​smtpd[6842]:​ warning: unknown[206.197.251.70]:​ SASL NTLM authentication failed: authentication failure
 +Jul 25 13:46:11 bud postfix/​smtpd[6842]:​ warning: SASL authentication problem: unable to open Berkeley db /​etc/​sasldb2:​ No such file or directory
 +Jul 25 13:46:11 bud postfix/​smtpd[6842]:​ warning: SASL authentication problem: unable to open Berkeley db /​etc/​sasldb2:​ No such file or directory
 +Jul 25 13:46:11 bud postfix/​smtpd[6842]:​ warning: SASL authentication failure: cannot connect to saslauthd server: No such file or directory
 +Jul 25 13:46:11 bud postfix/​smtpd[6842]:​ warning: SASL authentication failure: Password verification failed
 +Jul 25 13:46:11 bud postfix/​smtpd[6842]:​ warning: unknown[206.197.251.70]:​ SASL PLAIN authentication failed: generic failure
 +Jul 25 13:46:11 bud postfix/​smtpd[6842]:​ warning: SASL authentication problem: unable to open Berkeley db /​etc/​sasldb2:​ No such file or directory
 +Jul 25 13:46:11 bud postfix/​smtpd[6842]:​ warning: SASL authentication problem: unable to open Berkeley db /​etc/​sasldb2:​ No such file or directory
 +Jul 25 13:46:11 bud postfix/​smtpd[6842]:​ warning: SASL authentication failure: cannot connect to saslauthd server: No such file or directory
 +Jul 25 13:46:11 bud postfix/​smtpd[6842]:​ warning: unknown[206.197.251.70]:​ SASL LOGIN authentication failed: generic failure
 +Jul 25 13:46:14 bud postfix/​smtpd[6842]:​ lost connection after AUTH from unknown[206.197.251.70]
 +</​file>​
 + ​Seeing "​unable to open Berkeley db /​etc/​sasldb2"​ shows that it is unable to reach the database at /etc/sasldb from the chroot jail.
 +
 +<​code>​
 +cd /​var/​spool/​postfix/​etc
 +cp -p /​etc/​sasldb2 .
 +mv /​etc/​sasldb2 /​etc/​sasldb2.`date +%F`
 +ln -s /​var/​spool/​postfix/​etc/​sasldb2 /​etc/​sasldb2
 +</​code>​
 +
 +This removed that error. Retrying brougt the errors down to:
 +<​file>​
 +Jul 25 13:50:40 bud postfix/​smtpd[6845]:​ warning: SASL authentication failure: no secret in database
 +Jul 25 13:50:40 bud postfix/​smtpd[6845]:​ warning: unknown[206.197.251.70]:​ SASL CRAM-MD5 authentication failed: authentication failure
 +Jul 25 13:50:40 bud postfix/​smtpd[6845]:​ warning: SASL authentication failure: no secret in database
 +Jul 25 13:50:40 bud postfix/​smtpd[6845]:​ warning: unknown[206.197.251.70]:​ SASL NTLM authentication failed: authentication failure
 +Jul 25 13:50:40 bud postfix/​smtpd[6845]:​ warning: SASL authentication failure: cannot connect to saslauthd server: No such file or directory
 +Jul 25 13:50:40 bud postfix/​smtpd[6845]:​ warning: SASL authentication failure: Password verification failed
 +Jul 25 13:50:40 bud postfix/​smtpd[6845]:​ warning: unknown[206.197.251.70]:​ SASL PLAIN authentication failed: generic failure
 +Jul 25 13:50:40 bud postfix/​smtpd[6845]:​ warning: SASL authentication failure: cannot connect to saslauthd server: No such file or directory
 +Jul 25 13:50:40 bud postfix/​smtpd[6845]:​ warning: unknown[206.197.251.70]:​ SASL LOGIN authentication failed: generic failure
 +</​file>​
 +
 +Found this while googling. It said to look for state_dir and make sure either Postfix or saslauthd can access the directory to meet at the place where saslauthd wants to create the socket. :
 +<​code>​
 +bud:/​var/​spool/​postfix#​ saslauthd -d -a shadow
 +saslauthd[7579] :main            : num_procs ​ : 5
 +saslauthd[7579] :main            : mech_option:​ NULL
 +saslauthd[7579] :main            : run_path ​  : /​var/​run/​saslauthd
 +saslauthd[7579] :main            : auth_mech ​ : shadow
 +saslauthd[7579] :​ipc_init ​       : using accept lock file: /​var/​run/​saslauthd/​mux.accept
 +saslauthd[7579] :​detach_tty ​     : master pid is: 0
 +saslauthd[7579] :​ipc_init ​       : listening on socket: /​var/​run/​saslauthd/​mux
 +saslauthd[7579] :main            : using process model
 +saslauthd[7580] :​get_accept_lock : acquired accept lock
 +saslauthd[7579] :​have_baby ​      : forked child: 7580
 +saslauthd[7579] :​have_baby ​      : forked child: 7581
 +saslauthd[7579] :​have_baby ​      : forked child: 7582
 +saslauthd[7579] :​have_baby ​      : forked child: 7583
 +</​code>​
 +
 +Since there was no stat_dir I looked for the socket at /​var/​run/​saslauthd/​mux and it was there until the CLI run process was killed. So I thought I should check to see if saslauthd was still running. Running ps ax | grep "​sasl"​ came up empty. I restarted sasl with 
 +<​code>/​etc/​init.d/​saslauthd start"</​code>​
 +And all was fine with the world.
  
 ==== SSL Key Generation ==== ==== SSL Key Generation ====
 +
 +**This section is obsolete, and should be deleted once others confirm it no longer has value. ​ It duplicates the security page, and the [[security|"​Security"​ procedure]] is better.**
  
 The following is from the Omnitec Wiki: The following is from the Omnitec Wiki:
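Review bot: the moved Debugging section now carries `ln -s /var/spool/postfix/etc/sasldb2 /etc/sasldb2` with the link target the earlier revision lacked (it ended in `.`), which is the right fix, but `cp -p /etc/sasldb2 .` copies a credential database into the chroot and the page never checks the result; add `ls -l /var/spool/postfix/etc/sasldb2` and state what is expected (readable by the Postfix smtpd, not world-readable). The remaining log lines still show `no secret in database` for CRAM-MD5 and NTLM after that fix, which is expected when passwords are verified through saslauthd against shadow rather than stored in sasldb2; those mechanisms cannot succeed in this setup, so suggest limiting `mech_list` in Postfix's Cyrus SASL smtpd.conf to `plain login` so the advertised list matches what works, and setting `smtpd_tls_auth_only = yes` so PLAIN and LOGIN are only offered after STARTTLS. `cannot connect to saslauthd server` together with `run_path : /var/run/saslauthd` and a chrooted smtpd means the socket has to be visible from inside `/var/spool/postfix`; the closing "restarted saslauthd and all was fine" leaves that unexplained, so a sentence on the socket path actually in use would help the next person. Smaller points: `<code>/etc/init.d/saslauthd start"</code>` has a stray closing quote, "brougt" should be "brought", "state_dir" and "stat_dir" should agree, and the image alt text "Text after picture?" looks like an editing placeholder that was never filled in.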
Line 595: Line 778:
 chown :postfix /​etc/​ssl/​postfix.crt chown :postfix /​etc/​ssl/​postfix.crt
 </​code>​ </​code>​
- 
- 
-===== Credits ===== 
- 
-Installed and configured primarily by Jeff Muse and Craig Buchek. SASL/TLS configuration by Carl Fitch. 
- 
-We used documentation from the following locations to help us configure our installation:​ 
-  * http://​workaround.org/​articles/​ispmail-sarge 
-  * Front-end TLS/​SMTP-AUTH configuration based on the [[http://​www.falkotimme.com/​howtos/​postfix_smtp_auth_tls/​index.php | Postfix-SMTP-AUTH-TLS-Howto]] 
-  * Back-end configuration (OLD delivery to Cyrus) based on the [[http://​www.faqs.org/​docs/​Linux-HOWTO/​Postfix-Cyrus-Web-cyradm-HOWTO.html#​POSTFIX-CONFIG | Postfix-Cyrus-Web-cyradm-HOWTO]] 
- 
-Configured Postgrey per documentation at HowtoForge: 
-  * [[http://​www.howtoforge.com/​greylisting_postfix_postgrey | Killing That Spam With Postgrey And Postfix]] 
- 
-===== Comments ===== 
build/postfix.1186361215.txt.gz · Last modified: 2007/08/05 19:46 by 24.217.108.17