Virtual Users With Postfix, PostfixAdmin, Courier, Mailscanner, ClamAV On CentOS - Page 3

Want to support HowtoForge? Become a subscriber!
 
Submitted by thim (Contact Author) (Forums) on Thu, 2007-02-01 17:15. ::

SASL (for SMTP-AUTH)

Next we are going to configure our Postfix so that I will use the authdaemon.

vi /usr/lib64/sasl2/smtpd.conf

# smtpd.conf
pwcheck_method: authdaemond
log_level: 3
mech_list: PLAIN LOGIN
authdaemond_path:/usr/var/spool/authdaemon/socket

NOTICE: /usr/lib64/sasl2/smtpd.conf For i386 architecture please use this: /usr/lib/sasl2/smtpd.conf

chown root.vmail /usr/lib64/sasl2/smtpd.conf
chmod 640 /usr/lib64/sasl2/smtpd.conf

Secure the smtpd config file. Courier's autdaemond socket and pid directory must be readable by Postfix:

chmod 755 /usr/var/spool/authdaemon/

 

Postfix > master.cf

The master.cf file contains all the directives concerning the daemons and network settings.

vi /etc/postfix/master.cf

 ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       n       -       -       smtpd
#submission inet n      -       n       -       -       smtpd
#       -o smtpd_etrn_restrictions=reject
#       -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#smtps    inet  n       -       n       -       -       smtpd
#  -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes

We want to make it possible to let user access the SMTP over SSL (smtps), so all we have to do is remove the comment in front of the smtps line like so.

==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       n       -       -       smtpd
#submission inet n      -       n       -       -       smtpd
#       -o smtpd_etrn_restrictions=reject
#       -o smtpd_client_restrictions=permit_sasl_authenticated,reject
smtps    inet  n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes

We also want our postfix to listen on an extra port, because some ISP block the usage of the default smtp port (25). This is done to prevent spam. So add an extra rule right below the first rule of smtp with the port we want to use, in our case port 567. Also make sure your firewall has enabled this port.

==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       n       -       -       smtpd
567	    inet  n       -       n       -       -       smtpd
#submission inet n      -       n       -       -       smtpd
#       -o smtpd_etrn_restrictions=reject
#       -o smtpd_client_restrictions=permit_sasl_authenticated,reject
smtps    inet  n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes

Make also sure the path to the maildrop binary is correct, so at the bottom of the file change

flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}

into

flags=DRu user=vmail argv=/usr/bin/maildrop -d ${recipient}

 

Postfix > main.cf

The main.cf file contains all the directives concerning the postfix settings.

vi /etc/postfix/main.cf

# make the following changes :
myhostname  = mail.yourdomain.com
mydomain  = yourdomain.com
inet_interfaces = all
mydestination = $myhostname, localhost.$mydomain, localhost
local_recipient_maps = proxy:unix:passwd.byname $alias_maps
mynetworks  = $config_directory/mynetworks
##relayhost = [smarthost.isp.be]  #if you have a smarthost server
relay_domains = mysql:/etc/postfix/mysql_relay_domains_maps.cf
alias_maps  = hash:/etc/aliases
alias_database = hash:/etc/aliases
# Next, add all these to the bottom of the file :
#
# Virtual Mail Mysql settings
#
virtual_alias_maps      = mysql:/etc/postfix/mysql_virtual_alias_maps.cf
virtual_uid_maps        = static:1001
virtual_gid_maps        = static:1001
virtual_mailbox_base    = /opt/mail
virtual_mailbox_domains = mysql:/etc/postfix/mysql_virtual_domains_maps.cf
virtual_mailbox_limit   = 51200000
virtual_mailbox_maps    = mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
virtual_minimum_uid     = 1001
# Who handles the mail delivery?
# POSTFIX  = virtual
# MAILDROP = maildrop
#
#virtual_transport = virtual
virtual_transport = maildrop
maildrop_destination_recipient_limit = 1
# Transport map
transport_maps = hash:/etc/postfix/transport
vacation_destination_recipient_limit = 1
# Additional for quota support
virtual_create_maildirsize     = yes
virtual_mailbox_extended       = yes
virtual_mailbox_limit_maps     = mysql:/etc/postfix/mysql_virtual_mailbox_limit_maps.cf
virtual_mailbox_limit_override = yes
virtual_maildir_limit_message  = Sorry, the user's maildir has overdrawn his diskspace quota, please try again later.

###################################################################################
### ENABLE SASL SUPPORT ( SMTP-AUTH )
# smtpd_sasl_auth_enable  = yes
#   Enable SASL support in postfix
# smtpd_sasl_security_options = noanonymous
#   Anonymous logins will not be permitted
# broken_sasl_auth_clients  = yes
#   Allow RFC-broken mail clients like Outlook Express4 to use SMTP AUTH
# smtpd_sasl_path   = smptd
#   Tells SASL to get the config from /usr/lib64/sasl2/smptd.conf
# smtpd_sasl_local_domain =
#   If the user fails to nominate a domain, don't auto append one
# smtpd_sasl_authenticated_header = yes
#   Include the authenticated username in the message headers.
#   Having this on will make it easier if a spammer cracks one of your user's weak passwords,
#   and starts using SMTP-AUTH to relay spam through your server
smtpd_sasl_auth_enable          = yes
smtpd_sasl_security_options     = noanonymous
broken_sasl_auth_clients        = yes
smtpd_sasl_path                 = smptd
smtpd_sasl_local_domain         =
smtpd_sasl_authenticated_header = yes
smtpd_recipient_restrictions    =  permit_mynetworks,permit_sasl_authenticated,reject_non_fqdn_hostname,reject_non_fqdn_sender,reject_non_fqdn_recipient,reject_unauth_destination,reject_unauth_pipelining,reject_invalid_hostname,reject_rbl_client opm.blitzed.org,reject_rbl_client list.dsbl.org,reject_rbl_client bl.spamcop.net,reject_rbl_client sbl-xbl.spamhaus.org
###################################################################################
### ENABLE TLS SUPPORT ( "STARTTLS" ... enables SSL to be negotiated during a SMTP connection )
# smtp_use_tls = no
#   dont enable TLS for outbound SMTP connections
# smtpd_use_tls = yes
#   announce TLS availability for incoming SMTP connections
# smtpd_tls_auth_only = no :
#   TLS is optional, not enforced
# smtpd_tls_key_file :
#   specify the private key ( must not be encrypted - ie no password)
# smtpd_tls_cert_file :
#   specify the certificate
# smtpd_tls_session_cache_database :
#   nominate a server-side TLS session cache. Improves performance.
# smtpd_tls_loglevel = 1 :
#   log basic TLS handshake and cert info
# smtpd_tls_received_header = yes
#   record some protocol/cipher etc info in the Received header smtp_use_tls = no
smtp_use_tls                     = no
smtpd_use_tls                    = yes
smtpd_tls_auth_only              = no
smtpd_tls_key_file               = /usr/local/ssl/mail.yourdomain.com.key
smtpd_tls_cert_file              = /usr/local/ssl/mail.yourdomain.com.crt
smtpd_tls_session_cache_database = btree:/etc/postfix/tls_smtpd_scache
smtpd_tls_loglevel               = 1
smtpd_tls_received_header        = yes

Next we have to create all mysql-virtual files, like referenced in the main.cf.

Note "hosts = localhost" means Postfix will use sockets, "hosts = 127.0.0.1" means Postfix will use TCP. I would advise to use, sockets are faster than TCP.

My socket is located /usr/local/mysql/data/mysql.sock but your mysql socket can be different. So in my personal host file I would use hosts = unix:/usr/local/mysql/data/mysql.sock
but you can use just hosts = localhost.

vi /etc/postfix/mysql_virtual_alias_maps.cf

user = postfix
password = postfix
hosts = localhost
dbname = postfix
query = SELECT goto FROM alias WHERE address='%s' AND active = 1

vi /etc/postfix/mysql_virtual_domains_maps.cf

user = postfix
password = postfix
hosts = localhost
dbname = postfix
query = SELECT domain FROM domain WHERE domain='%s'
#optional query to use when relaying for backup MX
#query = SELECT domain FROM domain WHERE domain='%s' and backupmx = '0' and active = '1'

vi /etc/postfix/mysql_virtual_mailbox_maps.cf

user = postfix
password = postfix
hosts = localhost
dbname = postfix
query = SELECT maildir FROM mailbox WHERE username='%s' AND active = 1

vi /etc/postfix/ mysql_virtual_mailbox_limit_maps.cf

user = postfix
password = postfix
hosts = localhost
dbname = postfix
query = SELECT quota FROM mailbox WHERE username='%s'

vi /etc/postfix/ mysql_relay_domains_maps.cf

user = postfix
password = postfix
hosts = localhost
dbname = postfix
query = SELECT domain FROM domain WHERE domain='%s' and backupmx = '1'

These files contain our database username/password, so tighten the security a bit:

chown root.postfix /etc/postfix/mysql_*.cf
chmod 640 /etc/postfix/mysql_*.cf

Now we need to populate the mynetworks file. This file lists the IPs that are able to "relay" mail through your server. We put localhost into this file, so that scripts running on this server can relay mail to the internet. For all other users who have mailboxes on your server, when sending mail they can either use SMTP-AUTH, or alternatively they could set their email client's SMTP server settings to point to their ISP's mail server.

echo '# Localhost' > /etc/postfix/mynetworks
echo '127.0.0.0/8' >>/etc/postfix/mynetworks
echo '' >>/etc/postfix/mynetworks

If you have workstations on a LAN, or other users on the internet with fixed-ip addresses, you can add them here as well, and these users will then be permitted to relay mail.

echo '# MyCompany blocks' >>/etc/postfix/mynetworks
echo 'xxx.xxx.xxx.xxx/24' >>/etc/postfix/mynetworks
echo 'yyy.yyy.yyy.yyy/24' >>/etc/postfix/mynetworks

Tweak the aliases file. These mappings are used for system related mails eg crontab messages, postfix bounces etc.

vi /etc/aliases

root:    someone@yourdomain.com

Please do not use the comment function to ask for help! If you need help, please use our forum.
Comments will be published after administrator approval.
Submitted by larso (not registered) on Wed, 2010-09-29 17:03.

Attention please! 

  • smtpd_sasl_path = smptd

Should be

  • smtpd_sasl_path = smtpd 

Cost me two days, it's soo hard to spot!

Submitted by pksings (registered user) on Tue, 2007-02-06 18:09.

All of this functionality is built into the Zimbra Open Source, which can be downloaded for free, installed and used without purchasing a license, it's GPL.  And has CENTOS packages available already.  And has an excellent support community which will help with questions and problems.

Pretty much anyone who needs this tutorial would be better off getting Zimbra, way less opportunity for error.

 

Great job though...