The Perfect Server - CentOS 5.2 - Page 5

11 Postfix With SMTP-AUTH And TLS

Now we install Postfix and Dovecot (Dovecot will be our POP3/IMAP server):

yum install cyrus-sasl cyrus-sasl-devel cyrus-sasl-gssapi cyrus-sasl-md5 cyrus-sasl-plain postfix dovecot

Next we configure SMTP-AUTH and TLS:

postconf -e 'smtpd_sasl_local_domain ='
postconf -e 'smtpd_sasl_auth_enable = yes'
postconf -e 'smtpd_sasl_security_options = noanonymous'
postconf -e 'broken_sasl_auth_clients = yes'
postconf -e 'smtpd_sasl_authenticated_header = yes'
postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination'
postconf -e 'inet_interfaces = all'
postconf -e 'mynetworks ='

We must edit /usr/lib/sasl2/smtpd.conf so that Postfix allows PLAIN and LOGIN logins. On a 64-bit CentOS 5.2 you must edit the file /usr/lib64/sasl2/smtpd.conf instead. It should look like this:

vi /usr/lib/sasl2/smtpd.conf

pwcheck_method: saslauthd
mech_list: plain login

Afterwards we create the certificates for TLS:

mkdir /etc/postfix/ssl
cd /etc/postfix/ssl/
openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024

chmod 600 smtpd.key
openssl req -new -key smtpd.key -out smtpd.csr

openssl x509 -req -days 3650 -in smtpd.csr -signkey smtpd.key -out smtpd.crt

openssl rsa -in smtpd.key -out smtpd.key.unencrypted

mv -f smtpd.key.unencrypted smtpd.key
chmod 600 smtpd.key
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650

Next we configure Postfix for TLS:

postconf -e 'smtpd_tls_auth_only = no'
postconf -e 'smtp_use_tls = yes'
postconf -e 'smtpd_use_tls = yes'
postconf -e 'smtp_tls_note_starttls_offer = yes'
postconf -e 'smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key'
postconf -e 'smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt'
postconf -e 'smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem'
postconf -e 'smtpd_tls_loglevel = 1'
postconf -e 'smtpd_tls_received_header = yes'
postconf -e 'smtpd_tls_session_cache_timeout = 3600s'
postconf -e 'tls_random_source = dev:/dev/urandom'

Then we set the hostname in our Postfix installation (make sure you replace with your own hostname):

postconf -e 'myhostname ='

After these configuration steps you should now have a /etc/postfix/ that looks like this (I have removed all comments from it):

cat /etc/postfix/

queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
mail_owner = postfix
inet_interfaces = all
mydestination = $myhostname, localhost.$mydomain, localhost
unknown_local_recipient_reject_code = 550
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
debug_peer_level = 2
debugger_command =
         xxgdb $daemon_directory/$process_name $process_id & sleep 5

sendmail_path = /usr/sbin/sendmail.postfix
newaliases_path = /usr/bin/newaliases.postfix
mailq_path = /usr/bin/mailq.postfix
setgid_group = postdrop
html_directory = no
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/postfix-2.3.3/samples
readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
smtpd_sasl_local_domain =
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sasl_authenticated_header = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
mynetworks =
smtpd_tls_auth_only = no
smtp_use_tls = yes
smtpd_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
myhostname =
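
The settings above enable SMTP AUTH with the PLAIN and LOGIN mechanisms while smtpd_tls_auth_only = no, so a client may authenticate before STARTTLS and send its password merely base64-encoded. The following check is an added example, not part of the original tutorial, that reads a main.cf and an smtpd.conf and reports that exposure. The function names get_param, audit_smtp_auth and write_sample are hypothetical helpers, and the sample files are constructed from the settings shown on this page.

```shell
# Added example (not the tutorial's code): flag cleartext SMTP AUTH exposure.
# get_param FILE SEP NAME prints NAME's effective value; SEP is "=" (main.cf)
# or ":" (smtpd.conf). Last assignment wins; indented lines continue a value.
get_param() {
    awk -v sep="$2" -v key="$3" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        /^[ \t]/ { if (cur == key) val = val " " $0; next }
        {
            i = index($0, sep); if (i == 0) next
            cur = substr($0, 1, i - 1); gsub(/[ \t]/, "", cur)
            if (cur == key) val = substr($0, i + 1)
        }
        END { gsub(/[ \t]+/, " ", val); sub(/^ /, "", val); sub(/ $/, "", val); print val }
    ' "$1"
}

# audit_smtp_auth MAIN_CF SASL_CONF returns 1 if PLAIN/LOGIN passwords can be
# sent before STARTTLS, else 0. Only the parameters read below are considered.
audit_smtp_auth() {
    sasl=$(get_param "$1" "=" smtpd_sasl_auth_enable)
    opts=$(get_param "$1" "=" smtpd_sasl_security_options | tr ',' ' ')
    auth_only=$(get_param "$1" "=" smtpd_tls_auth_only)
    mechs=$(get_param "$2" ":" mech_list | tr 'A-Z' 'a-z')
    [ "$sasl" = "yes" ] || { echo "OK: SMTP AUTH is disabled"; return 0; }
    case " $opts " in
        *" noplaintext "*) echo "OK: noplaintext excludes PLAIN/LOGIN"; return 0 ;;
    esac
    # An unset mech_list means Cyrus SASL offers every installed mechanism.
    case " ${mechs:-plain login} " in
        *" plain "*|*" login "*) ;;
        *) echo "OK: mech_list has no cleartext mechanism"; return 0 ;;
    esac
    if [ "$auth_only" != "yes" ]; then
        echo "WARN: PLAIN/LOGIN accepted before STARTTLS (smtpd_tls_auth_only = ${auth_only:-no})"
        return 1
    fi
    echo "OK: PLAIN/LOGIN only accepted after STARTTLS"
}

# Constructed sample input: SASL/TLS lines as set in this tutorial.
write_sample() {   # write_sample DIR AUTH_ONLY
    printf '%s\n' 'smtpd_sasl_auth_enable = yes' "smtpd_tls_auth_only = $2" \
        'smtpd_sasl_security_options = noanonymous' > "$1/main.cf"
    printf '%s\n' 'pwcheck_method: saslauthd' 'mech_list: plain login' > "$1/smtpd.conf"
}

d=$(mktemp -d)
for v in no yes; do write_sample "$d" "$v"; audit_smtp_auth "$d/main.cf" "$d/smtpd.conf" || true; done
rm -rf "$d"
```

Setting smtpd_tls_auth_only = yes with postconf -e is the change that moves this tutorial's configuration from the WARN result to the OK result.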

By default, CentOS' Dovecot daemon provides only IMAP and IMAPs services. Because we also want POP3 and POP3s we must configure Dovecot to do so. We edit /etc/dovecot.conf and enable the line protocols = imap imaps pop3 pop3s:

vi /etc/dovecot.conf

# Base directory where to store runtime data.
#base_dir = /var/run/dovecot/

# Protocols we want to be serving: imap imaps pop3 pop3s
# If you only want to use dovecot-auth, you can set this to "none".
protocols = imap imaps pop3 pop3s

# IP or host address where to listen in for connections. It's not currently
# possible to specify multiple addresses. "*" listens in all IPv4 interfaces.
# "[::]" listens in all IPv6 interfaces, but may also listen in all IPv4
# interfaces depending on the operating system.

Now start Postfix, saslauthd, and Dovecot:

chkconfig --levels 235 sendmail off
chkconfig --levels 235 postfix on
chkconfig --levels 235 saslauthd on
chkconfig --levels 235 dovecot on
/etc/init.d/sendmail stop
/etc/init.d/postfix start
/etc/init.d/saslauthd start
/etc/init.d/dovecot start

To see if SMTP-AUTH and TLS work properly, now run the following command:

telnet localhost 25

After you have established the connection to your Postfix mail server type

ehlo localhost

If you see the lines




everything is fine.

[root@server1 ssl]# telnet localhost 25
Connected to localhost.localdomain (
Escape character is '^]'.
220 ESMTP Postfix
ehlo localhost
250-SIZE 10240000
250 DSN
221 2.0.0 Bye
Connection closed by foreign host.
[root@server1 ssl]#



to return to the system's shell.


11.1 Maildir

Dovecot uses Maildir format (not mbox), so if you install ISPConfig on the server, please make sure you enable Maildir under Management -> Server -> Settings -> Email. ISPConfig will then do the necessary configuration.

If you do not want to install ISPConfig, then you must configure Postfix to deliver emails to a user's Maildir (you can also do this if you use ISPConfig - it doesn't hurt ;-)):

postconf -e 'home_mailbox = Maildir/'
postconf -e 'mailbox_command ='
/etc/init.d/postfix restart

27 Comment(s)


From: at: 2008-07-23 13:27:14

ncftp does not install during the yum install command. ncftp is not listed during a yum list ncftp*



From: Noodle2732 at: 2008-09-14 15:19:46

I had the same prob, I managed to get around it though after a bit of searching Google.

btw I am a linux n00b so if this is the wrong way to do things then I apologize.

I had to add the Karan extras testing repo and set gpgcheck=0 then it installed

vi /etc/yum.conf

add this to the bottom:

[kbs-CentOS-Testing]

name=CentOS.Karan.Org-ELS - Testing





Then import the key

rpm --import


And then finally install ncftp

yum install ncftp

From: Anonymous at: 2008-11-19 03:32:33

worked for me, thanks Noodle

From: gobok at: 2008-12-15 04:22:31

thanks for the ncftp

 and the updated repo is supposed to be in


From: at: 2008-08-30 18:53:38

yum install openssl-devel

is also needed for ISPConfig to successfully complete PHP compilation

From: admin at: 2008-08-31 08:17:07

These packages are already installed if you select the same package groups as I did during the initial system installation.

From: at: 2008-08-30 18:56:26

yum install zlib-devel is also needed to compile PHP for ISPConfig.

From: rezilient1 at: 2008-11-18 20:10:26

This line doesn't work for me, same issue for anyone else? Is it important? I confirmed the root password was successfully set, what does this do?

# mysqladmin -h -u root password yourrootsqlpassword

From: Milan at: 2009-01-15 13:45:45

Read step 4 of this howto carefully. It is important to assign (replace with Your server name) to actual IP address of the server.

From: Augusto at: 2009-01-07 12:05:44

It doesn't seem to work fine. I can't find the option "-h" for the command mysqladmin:

If you can access the mysql server, then it's ok:

[root@hello tmp]# mysql -u root -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 14 to server version: 5.1

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.


From: Narcarsiss at: 2010-07-06 01:42:22

Easy fix: apply -p after password

for example; mysqladmin -h -u root password -p ********************

 Cheers Narcarsiss

From: Anonymous at: 2009-03-16 17:24:53

use this to fix it.  worked for me.

From: Mike Shafer at: 2009-05-15 02:31:08

Great bit of work. I followed this to the letter and it worked perfectly. Learned a few new tricks on the process! Thanks for the efforts.

Mike Shafer

From: at: 2008-08-30 18:38:07

This manual is missing just one thing relative to ISPConfig. It requires flex package to be installed (2.2.25 at least). So, `yum install flex` is needed

From: Anonymous at: 2009-02-11 11:27:56


This tutorial is very good but I have a problem. When I try to install proftpd it just doesn't stop checking. I left the server to install for 24 hours but it is still checking. I can't complete the install. I saw a warning message:

make: Warning: File `' has modification time 1e+08 s in the future

What could be the problem?



From: Jeremy at: 2008-12-01 16:54:23

Great Tutorial.

I have always set up LAMP for local development, but have been wanting to do some smaller sites in house.

Followed your tutorial almost step-by-step (I prefer building php).

From: ip-adresa at: 2008-09-11 09:57:06

Thank You for great tutorial! I am going to install CentOS on my small server. Well done :-)

From: javsan at: 2008-10-13 05:41:51

Really, a good manual. Thank you very much.

From: Kuzmich at: 2008-11-14 10:58:02

It needs flex for ./setup

yum install flex

From: PanzerThorr at: 2008-11-18 10:08:53

On the 64-bit version of CentOS I need to do this because the installation crashes:

yum install openssl-devel flex zlib-devel libxml2-devel libpng-devel libxslt-devel

From: rezilient at: 2008-11-20 03:39:55

I still needed the following in order to install ISPConfig 3.0.

        postgresql-devel is needed by courier-authlib-0.61.0-1.x86_64
        expect is needed by courier-authlib-0.61.0-1.x86_64
        /usr/include/ltdl.h is needed by courier-authlib-0.61.0-1.x86_64

From: Anonymous at: 2008-12-31 00:03:52

I followed this setup to install ISPConfig, and sure, this tutorial may be comprehensive, but it left me with A TON of unanswered questions and problems that made it seem not worth putting in the time to finish. Honestly, at this point, I may just wipe it and install a fresh copy of CentOS and pay for cpanel. It will be cheaper in the end.....

From: Simon at: 2009-01-19 13:52:11

I followed this tutorial through and everything works great but PHP doesn't load mysql by default.

I check phpinfo() and it doesn't show mysql as loaded. I know it's a bit of a noob question and it should be obvious.

From: Elber at: 2009-02-22 01:58:42

Many thanks, friends (Thanks so much!!!) Excellent documentation!!!

From: Jason Barnett at: 2009-02-09 19:13:45

...but after seven pages of excellent documentation I would have expected the job to be finished properly with detailed steps on how to install ISPConfig.

In my opinion this takes the shine off an otherwise excellent how-to.

From: Jason Barnett at: 2009-02-09 19:21:32

Here are some quick and dirty instructions for installing ISPConfig:

cd /tmp
tar xvzf ISPConfig-2.2.29.tar.gz
cd install_ispconfig

Accepting all the defaults will do the job quite nicely.

From: Anonymous at: 2010-02-23 17:05:04

My server is working very nicely. Thank you