Virtual Hosting Howto With Virtualmin On CentOS 5.1 - Page 3

Want to support HowtoForge? Become a subscriber!
 
Submitted by topdog (Contact Author) (Forums) on Sun, 2008-03-02 18:38. ::

Configuration

Postfix Setup

Introduction

We will be setting up postfix with the following features:

  • Virtual hosting
  • UCE prevention
  • Anti virus
  • SMTP authentication
  • TLS
  • RBLs
  • SPF
  • Attack mitigation

The adding of accounts and domains with be configured through virtualmin although it can be done manually as well. The setup is designed to be resource friendly so should be able to run on machines that are not over spec'ed so enabling the resources to be put to better use. To make it resource friendly we are not using external databases to store virtual user information like most other how-to's do as well as using milters for spam and virus checking as opposed to running amavisd-new.

 

The Basics

To begin with we will configure the basics such as the hostname, mail origin, networks, hash maps spool directory. All these configuration options should be added to /etc/postfix/main.cf unless stated. Sample configuration files are available for download at the end of this page.

command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
mydomain = example.com
myorigin = $mydomain
mynetworks = 127.0.0.0/8
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
canonical_maps = hash:/etc/postfix/canonical
sender_canonical_maps = hash:/etc/postfix/canonical
recipient_canonical_maps = hash:/etc/postfix/canonical
virtual_alias_maps = hash:/etc/postfix/virtual
mail_spool_directory = /var/spool/mail

 

Maildir

We will use the much improved maildir format as opposed to the default mbox format:

home_mailbox = Maildir/

 

SASL

To perform SMTP authentication we will be using SASL, however we will not use the Cyrus SASL as that requires us to run the saslauthd daemon, we will instead use dovecot sasl since we will be running dovecot for IMAP and POP3 thus killing 2 birds with one stone.

smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes

 

TLS

We need TLS to ensure that the plain text passwords are not transmitted over the wire during SMTP authentication, servers that support TLS are also able to communicate with this server over a secured connection.

Instructions on creating your server certificate signed by cacert.org are can be found here.

  • Set TLS random source:
tls_random_source = dev:/dev/urandom
  • Enable server TLS:
smtpd_use_tls = yes
smtpd_tls_key_file = /etc/pki/postfix/key.pem
smtpd_tls_cert_file = /etc/pki/postfix/server.pem
smtpd_tls_CAfile = /etc/pki/postfix/root.crt
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_session_cache_database = btree:/var/spool/postfix/smtpd_tls_cache
  • Enable client TLS:
smtp_use_tls = yes
smtp_tls_key_file = /etc/pki/postfix/key.pem
smtp_tls_cert_file = /etc/pki/postfix/server.pem
smtp_tls_CAfile = /etc/pki/postfix/root.crt
smtp_tls_session_cache_database = btree:/var/spool/postfix/smtp_tls_cache
smtp_tls_note_starttls_offer = yes

 

Spam Prevention

  • Require a valid EHLO / HELO:
smtpd_helo_required = yes
  • Prevent email address harvesting attacks:
disable_vrfy_command = yes
  • Change reject codes to permanent (by default postfix issues 4xx error codes which implies temporary failure we need 5xx for permanent errors):
unverified_recipient_reject_code = 550
unverified_sender_reject_code = 550
unknown_local_recipient_reject_code = 550
  • Setup sender address verification:
address_verify_map = btree:/var/spool/postfix/verify
smtpd_sender_restrictions = hash:/etc/postfix/sender_access
  • Create /etc/postfix/sender_access and add:
#sample /etc/postfix/sender_access contains frequently spoofed domains
aol.com     reject_unverified_sender
hotmail.com reject_unverified_sender
yahoo.com reject_unverified_sender
gmail.com reject_unverified_sender
bigfoot.com reject_unverified_sender
  • Mitigate attacks from zombies and broken clients:
smtpd_error_sleep_time = 5s
smtpd_soft_error_limit = 10
smtpd_hard_error_limit = 20
  • Only allow pipelining from authenticated clients:
smtpd_data_restrictions = reject_unauth_pipelining
  • Install postfix-policyd-spf-perl and enable SPF support:

wget http://www.openspf.org/blobs/postfix-policyd-spf-perl-2.005.tar.gz
tar xzvf postfix-policyd-spf-perl-2.005.tar.gz
cd postfix-policyd-spf-perl-2.005
cp postfix-policyd-spf-perl /etc/postfix/

Add this to /etc/postfix/master.cf:

spfpolicy unix  -       n       n       -       -       spawn user=nobody argv=/usr/bin/perl /etc/postfix/postfix-policyd-spf-perl
  • Add DKIM support:

Instructions on adding DKIM support can be found here.

  • Add domainkeys support:

Instructions on adding domainkeys support can be found here.

  • Getting it all to work depends on the smtpd_recipient_restrictions option so we set it below:
smtpd_recipient_restrictions =
        permit_mynetworks
        permit_sasl_authenticated
        reject_unauth_destination
        check_recipient_access hash:/etc/postfix/access
        reject_unknown_recipient_domain
        reject_unknown_sender_domain
        reject_unverified_recipient
        reject_non_fqdn_recipient
        reject_non_fqdn_sender
        reject_invalid_hostname
        reject_rbl_client list.dsbl.org
        reject_rbl_client zen.spamhaus.org
        reject_rbl_client l1.spews.dnsbl.sorbs.net
        reject_rbl_client combined.njabl.org
        reject_rbl_client bl.spamcop.net
        reject_rhsbl_sender dsn.rfc-ignorant.org
        reject_rhsbl_sender bogusmx.rfc-ignorant.org
        reject_rhsbl_sender rhsbl.sorbs.net
        reject_rhsbl_client dsn.rfc-ignorant.org
        reject_rhsbl_client bogusmx.rfc-ignorant.org
        reject_rhsbl_client rhsbl.sorbs.net
        check_policy_service unix:private/spfpolicy

 

Milters [SpamAssassin & ClamAV]

For your spam classification using spamassassin and virus scanning using clamav we will be using postfix's milter interface instead of using the resource intensive amavisd-new daemon. This is a very efficient way of doing it as we don't even have to run clamd the clamav milter does the scanning itself.

smtpd_milters = unix:/var/clamav/clmilter.socket unix:/var/run/spamass.sock
non_smtpd_milters = unix:/var/clamav/clmilter.socket unix:/var/run/spamass.sock

 

Create DB Files

postmap /etc/postfix/canonical
postmap /etc/postfix/access
postmap /etc/postfix/virtual
postmap /etc/postfix/sender_access

 

Sample Configuration Files


Please do not use the comment function to ask for help! If you need help, please use our forum.
Comments will be published after administrator approval.
Submitted by user99 (registered user) on Mon, 2008-07-28 13:12.

You've done a great job here.  I ran across some errors, but worked through each so far.  

I need some clarification on one point, though:

You appear to be configuring postfix to use secure authentication.  As the hosting provider, my domain may be xyzhosting.com, but my clients will all have their own domains which will use mail under each.

So, as I follow your tutorial, should I be using my own host name (i/e server.xyzhosting.com) in place of example.com, when creating server certificates, and/or generating keys for DKIM?

Will I have to manually configure each client this way?

Please excuse my ignorance, but this is all very new to me.

Thanks

 Joe

 

 

Submitted by topdog (registered user) on Wed, 2008-07-30 09:19.

1. Yes for outbound mail they will have to use your domain name as the smtp server hostname as the certificate will hold your name, for receiving however they can use their own domain name for the imap/pop3 server hostname.

2. As for DKIM you can have multiple keys so you can sign mail for all your customers domains.

Submitted by Amr_not_Amr (registered user) on Wed, 2008-03-26 09:00.

It's really a very good tutorial, it just might need some tuning ... anyway I suggest those modifications to main.cf for better performance ... this is a modified copy of http://www.topdog-software.com/files/main.cf.gz with modifications applied .. Modification are mainly to allow non-tls smtp authentication and to stop buggy slow recipient address verification and use "reject_unlisted_recipient" instead .. http://pastebin.com/f5cb8f44

command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
#mydomain = example.com
#myorigin = $mydomain
unknown_local_recipient_reject_code = 550
unverified_recipient_reject_code = 550
unverified_sender_reject_code = 550
mynetworks = 127.0.0.0/8
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
virtual_alias_maps = hash:/etc/postfix/virtual
canonical_maps = hash:/etc/postfix/canonical
sender_canonical_maps = hash:/etc/postfix/canonical
recipient_canonical_maps = hash:/etc/postfix/canonical
#address_verify_map = btree:/var/spool/postfix/verify
smtpd_sender_restrictions = hash:/etc/postfix/sender_access
mail_spool_directory = /var/spool/mail
home_mailbox = Maildir/
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_use_tls = yes
smtpd_tls_key_file = /etc/pki/postfix/smtpd.key
smtpd_tls_cert_file = /etc/pki/postfix/smtpd.crt
smtpd_tls_CAfile = /etc/pki/postfix/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_session_cache_database = btree:/var/spool/postfix/smtpd_tls_cache
smtp_use_tls = yes
smtp_tls_key_file = /etc/pki/postfix/smtpd.key
smtp_tls_cert_file = /etc/pki/postfix/smtpd.crt
smtp_tls_CAfile = /etc/pki/postfix/cacert.pem
smtp_tls_session_cache_database = btree:/var/spool/postfix/smtp_tls_cache
smtp_tls_note_starttls_offer = yes
smtpd_tls_auth_only = no
tls_random_source = dev:/dev/urandom
smtpd_sasl_auth_enable = yes
debug_peer_level = 2
debugger_command =
         PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
         xxgdb $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail.postfix
newaliases_path = /usr/bin/newaliases.postfix
mailq_path = /usr/bin/mailq.postfix
setgid_group = postdrop
html_directory = no
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/postfix-2.3.3/samples
readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
smtpd_banner = tds mail cluster
smtpd_helo_required = yes
disable_vrfy_command = yes
show_user_unknown_table_name = no
policy_time_limit = 3600
smtpd_milters = unix:/var/clamav/clmilter.socket unix:/var/run/spamass.sock
non_smtpd_milters = unix:/var/clamav/clmilter.socket unix:/var/run/spamass.sock
smtpd_error_sleep_time = 5s
smtpd_soft_error_limit = 10
smtpd_hard_error_limit = 20
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_recipient_restrictions =
        permit_mynetworks
        permit_sasl_authenticated
        reject_unauth_destination
        check_recipient_access hash:/etc/postfix/access
        reject_unknown_recipient_domain
        reject_unknown_sender_domain
        #reject_unknown_hostname
        #reject_unknown_client
        #reject_unverified_recipient
        reject_unlisted_recipient
        #reject_unverified_sender
        reject_non_fqdn_recipient
        reject_non_fqdn_sender
        #reject_non_fqdn_hostname
        reject_invalid_hostname
        reject_rbl_client list.dsbl.org
        reject_rbl_client zen.spamhaus.org
        reject_rbl_client l1.spews.dnsbl.sorbs.net
        reject_rbl_client combined.njabl.org
        reject_rbl_client bl.spamcop.net
        reject_rhsbl_sender dsn.rfc-ignorant.org
        reject_rhsbl_sender bogusmx.rfc-ignorant.org
        reject_rhsbl_sender rhsbl.sorbs.net
        reject_rhsbl_client dsn.rfc-ignorant.org
        reject_rhsbl_client bogusmx.rfc-ignorant.org
        reject_rhsbl_client rhsbl.sorbs.net
        check_policy_service unix:private/spfpolicy 

Submitted by topdog (registered user) on Wed, 2008-03-26 11:59.
reject_unlisted_recipient seems like a good idea i will update the sample config Actually i have smtp auth over tls only on purpose due to the fact that LOGIN and PLAIN authentication methods which are used by M$ clients are not secure and can lead to the user details being captured by anyone who is eaves dropping on the traffic, but i guess getting users to setup TLS on the client side is a pain at times.