Full Mail Server Solution w/ Virtual Domains & Users - Page 11 (Secure Postfix+TLS)

Submitted by Vecter on Wed, 2007-10-17 20:40.

B. Secure Postfix+TLS

To begin with, we're going to need to install postfix on secure-mail.example.com. This particular install doesn't need quota support (it doesn't handle local delivery), but just to keep things simple, we're going to install it the same way we did above:

# dpkg -i postfix_2.3.8-2_i386.deb
# dpkg -i postfix-mysql_2.3.8-2_i386.deb

If/when the auto-configuration asks you questions about postfix during the installation, just select "No Configuration".

dpkg is going to install all of the configuration files for Postfix into /etc/postfix, so go there, and create the file main.cf:

# cd /etc/postfix
# touch main.cf

The main.cf file can be edited using two different methods. You can use your favorite text editor, or you can use the built-in postfix tool postconf. We've already used postconf once to determine our version in subsection IV.A above.

The real benefit of the postconf tool is that it has some built-in error checking, and it eliminates the possibility of 'weirdness' due to carriage returns, line feeds, odd quotes, etc. We'll be using it in this guide, but there really is no requirement to.

Start by filling in the basic information:

# postconf -e 'myhostname = secure-mail.example.com'
# postconf -e 'smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)'
# postconf -e 'biff = no'
# postconf -e 'append_dot_mydomain = no'
# postconf -e 'myorigin = example.com'
# postconf -e 'inet_interfaces = all'
# postconf -e 'local_recipient_maps ='
# postconf -e 'local_transport = error:local mail delivery is disabled'
# postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated, reject'

You'll notice that this time we disabled local delivery. Since this is basically just an outbound relay server, we don't want it trying to 'deliver' any mail... just send it forward. We also set the SMTP server to only permit SASL-authenticated sessions and reject everything else; the order matters, since Postfix evaluates smtpd_recipient_restrictions left to right and stops at the first permit or reject that matches.

Now we'll want to fill in the information for SASL (SMTP Authentication). This does NOT encrypt the connection, it just requires the users to log in:

# postconf -e 'smtpd_sasl_auth_enable = yes'
# postconf -e 'smtpd_sasl_security_options = noanonymous'
# postconf -e 'broken_sasl_auth_clients = yes'
# postconf -e 'smtpd_sasl_type = dovecot'
# postconf -e 'smtpd_sasl_path = private/auth'

So now your postfix install will query dovecot for all of its authentication needs, but the session is still not encrypted, so passwords would cross the wire in the clear. Let's go ahead and change that...

# postconf -e 'smtpd_tls_cert_file = /etc/ssl/example.com/mailserver/mail-cert.pem'
# postconf -e 'smtpd_tls_key_file = /etc/ssl/example.com/mailserver/mail-key.pem'
# postconf -e 'smtpd_tls_session_cache_database = btree:/var/spool/postfix/smtpd_tls_session_cache'
# postconf -e 'smtpd_tls_security_level = encrypt'
# postconf -e 'smtpd_tls_received_header = no'
# postconf -e 'smtpd_tls_loglevel = 0'
# postconf -e 'tls_random_source = dev:/dev/urandom'

Go ahead and reload postfix...

# postfix reload
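Before trusting the relay, it is worth checking that main.cf really ends up with the posture this section builds: mandatory TLS, SASL required, no anonymous mechanisms, relaying only for authenticated clients, and local delivery off. The small audit below is an added example, not part of the guide or of Postfix; it parses the main.cf key = value format (with '#' comments and indented continuation lines) and also flags parameter names it does not recognise, because a misspelled key is silently ignored by Postfix (it only logs an "unused parameter" warning on reload). The KNOWN_PARAMS set is an assumption limited to the names used on this page, and the sample main.cf is constructed.

```python
import re

# Assumption: only the parameter names used in this section, not the full Postfix set.
KNOWN_PARAMS = {
    "myhostname", "smtpd_banner", "biff", "append_dot_mydomain", "myorigin",
    "inet_interfaces", "local_recipient_maps", "local_transport",
    "smtpd_recipient_restrictions", "smtpd_sasl_auth_enable",
    "smtpd_sasl_security_options", "broken_sasl_auth_clients", "smtpd_sasl_type",
    "smtpd_sasl_path", "smtpd_tls_cert_file", "smtpd_tls_key_file",
    "smtpd_tls_session_cache_database", "smtpd_tls_security_level",
    "smtpd_tls_received_header", "smtpd_tls_loglevel", "tls_random_source",
}

def parse_main_cf(text):
    """Return {param: value}; a line starting with whitespace continues the previous value."""
    params, last = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and last is not None:   # continuation line
            params[last] += " " + raw.strip()
            continue
        key, _, value = raw.partition("=")
        last = key.strip()
        params[last] = value.strip()
    return params

def audit_relay_config(params):
    """Return a list of findings; an empty list means the posture matches the guide."""
    findings = [f"unknown parameter '{k}' (typo? Postfix will ignore it)"
                for k in sorted(set(params) - KNOWN_PARAMS)]
    if params.get("smtpd_tls_security_level") != "encrypt":
        findings.append("TLS is not mandatory (smtpd_tls_security_level != encrypt)")
    if params.get("smtpd_sasl_auth_enable", "no").lower() != "yes":
        findings.append("SASL authentication is not enabled")
    opts = [o.strip() for o in params.get("smtpd_sasl_security_options", "").split(",")]
    if "noanonymous" not in opts:
        findings.append("anonymous SASL mechanisms are allowed")
    rules = [r.strip() for r in params.get("smtpd_recipient_restrictions", "").split(",")]
    if "permit_sasl_authenticated" not in rules or rules[-1] != "reject":
        findings.append("relaying is not limited to SASL-authenticated clients")
    if not params.get("local_transport", "").startswith("error:"):
        findings.append("local delivery is still enabled on a relay-only host")
    return findings

# Constructed sample: the guide's settings, plus the 'smptd_' misspelling to show detection.
SAMPLE_MAIN_CF = """\
myhostname = secure-mail.example.com
smtpd_recipient_restrictions = permit_sasl_authenticated,
    reject
local_transport = error:local mail delivery is disabled
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_tls_security_level = encrypt
smptd_tls_received_header = no
"""
```

On a live host, feed it the output of `postconf -n` (which prints the same key = value format) rather than reading main.cf by hand.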

And then let's get Dovecot up and running...
