The Perfect Server - CentOS 5.2 - Page 5

11 Postfix With SMTP-AUTH And TLS

Now we install Postfix and Dovecot (Dovecot will be our POP3/IMAP server):

yum install cyrus-sasl cyrus-sasl-devel cyrus-sasl-gssapi cyrus-sasl-md5 cyrus-sasl-plain postfix dovecot

Next we configure SMTP-AUTH and TLS:

postconf -e 'smtpd_sasl_local_domain ='
postconf -e 'smtpd_sasl_auth_enable = yes'
postconf -e 'smtpd_sasl_security_options = noanonymous'
postconf -e 'broken_sasl_auth_clients = yes'
postconf -e 'smtpd_sasl_authenticated_header = yes'
postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination'
postconf -e 'inet_interfaces = all'
postconf -e 'mynetworks = 127.0.0.0/8'

We must edit /usr/lib/sasl2/smtpd.conf so that Postfix allows PLAIN and LOGIN logins (on 64-bit CentOS 5.2 the file is /usr/lib64/sasl2/smtpd.conf instead). Both mechanisms transmit the password itself, so they are only safe on a connection that has already been upgraded with STARTTLS; keep that in mind for the smtpd_tls_auth_only setting below. The file should look like this:

vi /usr/lib/sasl2/smtpd.conf

pwcheck_method: saslauthd
mech_list: plain login

Afterwards we create the certificates for TLS:

mkdir /etc/postfix/ssl
cd /etc/postfix/ssl/
openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024

chmod 600 smtpd.key
openssl req -new -key smtpd.key -out smtpd.csr

openssl x509 -req -days 3650 -in smtpd.csr -signkey smtpd.key -out smtpd.crt

openssl rsa -in smtpd.key -out smtpd.key.unencrypted

mv -f smtpd.key.unencrypted smtpd.key
chmod 600 smtpd.key
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650

The second chmod 600, after the mv, matters: openssl rsa writes smtpd.key.unencrypted with the process umask (0644 under the default umask on CentOS 5, whose OpenSSL 0.9.8 does not force 0600 on key output), and mv keeps that mode, so without it the unencrypted key that Postfix loads would be world-readable. Two further caveats: 1024-bit RSA keys are below current minimums (use 2048 bits or more on any new install), and the -rand /etc/hosts argument adds no real entropy over OpenSSL's own /dev/urandom seeding. Finally, smtpd.crt is self-signed (-signkey), so the CA created by the last command never issues it; cacert.pem is referenced by smtpd_tls_CAfile below but does not actually chain to the server certificate.
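The commands above leave the server certificate self-signed and rely on a chmod after the fact. As an added example (not part of this howto), the script below produces the same four files with 2048-bit keys, creates them under umask 077 so no chmod is needed, and has the CA actually issue smtpd.crt so that smtpd_tls_CAfile matches the server certificate. The function names, the OUTDIR/HOSTNAME arguments and the two small extension files are this example's own; keys are written unencrypted (no -des3), which is what Postfix needs anyway, so the directory must stay root-only. It assumes the openssl command-line tool.

```shell
#!/bin/bash
# Added example, not part of the original howto: build a private CA and a
# CA-signed Postfix server certificate with 2048-bit keys, created 0600 from
# the start. Assumes the openssl CLI; function names are this example's own.
set -u

# make_postfix_certs OUTDIR HOSTNAME: writes cakey.pem, cacert.pem, smtpd.key, smtpd.crt
make_postfix_certs() {
    outdir=$1 host=$2
    mkdir -p "$outdir" && chmod 700 "$outdir" || return 1
    (
        set -e
        cd "$outdir"
        umask 077   # every file below is created 0600; no chmod after an mv can be forgotten

        # 1. private CA: key, CSR, self-signed certificate explicitly flagged as a CA
        openssl genrsa -out cakey.pem 2048 2>/dev/null
        openssl req -new -key cakey.pem -subj "/CN=$host CA" -out ca.csr 2>/dev/null
        printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
        openssl x509 -req -days 3650 -in ca.csr -signkey cakey.pem \
            -extfile ca.ext -out cacert.pem 2>/dev/null

        # 2. server key and CSR; CN and SAN carry the name clients connect to
        openssl genrsa -out smtpd.key 2048 2>/dev/null
        openssl req -new -key smtpd.key -subj "/CN=$host" -out smtpd.csr 2>/dev/null
        printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' \
            "$host" > smtpd.ext

        # 3. issue the server certificate from the CA (-signkey here would self-sign it
        #    and leave cacert.pem unrelated to smtpd.crt, as in the howto's commands)
        openssl x509 -req -days 3650 -in smtpd.csr -CA cacert.pem -CAkey cakey.pem \
            -CAcreateserial -extfile smtpd.ext -out smtpd.crt 2>/dev/null
        rm -f ca.csr ca.ext smtpd.csr smtpd.ext
    )
}

# key_is_private FILE: succeeds only if the mode is exactly 0600
key_is_private() {
    [ "$(stat -c %a "$1")" = "600" ]
}

# cert_chains CERT CAFILE: succeeds only if CERT verifies against CAFILE
cert_chains() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# cert_key_bits CERT: prints the RSA modulus size of the certificate's public key
cert_key_bits() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Usage (hostname from the howto; the directory is the one main.cf points at):
#   make_postfix_certs /etc/postfix/ssl server1.example.com
#   key_is_private /etc/postfix/ssl/smtpd.key &&
#       cert_chains /etc/postfix/ssl/smtpd.crt /etc/postfix/ssl/cacert.pem
```

With the certificate issued this way, smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem really is the issuer, and a client that trusts cacert.pem will validate the server certificate instead of having to click through a self-signed one.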

Next we configure Postfix for TLS:

postconf -e 'smtpd_tls_auth_only = no'
postconf -e 'smtp_use_tls = yes'
postconf -e 'smtpd_use_tls = yes'
postconf -e 'smtp_tls_note_starttls_offer = yes'
postconf -e 'smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key'
postconf -e 'smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt'
postconf -e 'smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem'
postconf -e 'smtpd_tls_loglevel = 1'
postconf -e 'smtpd_tls_received_header = yes'
postconf -e 'smtpd_tls_session_cache_timeout = 3600s'
postconf -e 'tls_random_source = dev:/dev/urandom'

smtpd_tls_auth_only = no means Postfix advertises AUTH on the unencrypted connection as well, so a client that skips STARTTLS sends its PLAIN or LOGIN password in the clear. With it set to no, the plain telnet test at the end of this chapter shows the AUTH line; once your clients are confirmed to use STARTTLS, switch it to yes (postconf -e 'smtpd_tls_auth_only = yes'), after which AUTH is offered only inside an encrypted session.

Then we set the hostname in our Postfix installation (make sure you replace server1.example.com with your own hostname):

postconf -e 'myhostname = server1.example.com'

After these configuration steps you should now have a /etc/postfix/main.cf that looks like this (I have removed all comments from it):

cat /etc/postfix/main.cf

queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
mail_owner = postfix
inet_interfaces = all
mydestination = $myhostname, localhost.$mydomain, localhost
unknown_local_recipient_reject_code = 550
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
debug_peer_level = 2
debugger_command =
         PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
         xxgdb $daemon_directory/$process_name $process_id & sleep 5

sendmail_path = /usr/sbin/sendmail.postfix
newaliases_path = /usr/bin/newaliases.postfix
mailq_path = /usr/bin/mailq.postfix
setgid_group = postdrop
html_directory = no
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/postfix-2.3.3/samples
readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
smtpd_sasl_local_domain =
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sasl_authenticated_header = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
mynetworks = 127.0.0.0/8
smtpd_tls_auth_only = no
smtp_use_tls = yes
smtpd_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
myhostname = server1.example.com

By default, CentOS' Dovecot daemon provides only IMAP and IMAPs services. Because we also want POP3 and POP3s we must configure Dovecot to do so. We edit /etc/dovecot.conf and enable the line protocols = imap imaps pop3 pop3s:

vi /etc/dovecot.conf

[...]
# Base directory where to store runtime data.
#base_dir = /var/run/dovecot/

# Protocols we want to be serving: imap imaps pop3 pop3s
# If you only want to use dovecot-auth, you can set this to "none".
protocols = imap imaps pop3 pop3s

# IP or host address where to listen in for connections. It's not currently
# possible to specify multiple addresses. "*" listens in all IPv4 interfaces.
# "[::]" listens in all IPv6 interfaces, but may also listen in all IPv4
# interfaces depending on the operating system.
[...]

Now start Postfix, saslauthd, and Dovecot:

chkconfig --levels 235 sendmail off
chkconfig --levels 235 postfix on
chkconfig --levels 235 saslauthd on
chkconfig --levels 235 dovecot on
/etc/init.d/sendmail stop
/etc/init.d/postfix start
/etc/init.d/saslauthd start
/etc/init.d/dovecot start

To see if SMTP-AUTH and TLS work properly now run the following command:

telnet localhost 25

After you have established the connection to your Postfix mail server type

ehlo localhost

If you see the lines

250-STARTTLS

and

250-AUTH PLAIN LOGIN

Postfix is offering both STARTTLS and SMTP-AUTH. This only proves that the features are advertised; to exercise the TLS handshake itself (and to see the certificate Postfix presents), run openssl s_client -starttls smtp -connect localhost:25 and issue ehlo localhost again inside the encrypted session.

[root@server1 ssl]# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
220 server1.example.com ESMTP Postfix
ehlo localhost
250-server1.example.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
quit
221 2.0.0 Bye
Connection closed by foreign host.
[root@server1 ssl]#

Type

quit

to return to the system's shell.
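The telnet check confirms what the server advertises, not whether the configuration is safe. As an added check (example code, not from the howto), the script below reads the relevant settings out of a main.cf and reports the combinations that allow an open relay, no STARTTLS, or passwords sent in the clear, and it parses an EHLO reply such as the one shown above to tell whether AUTH is offered before STARTTLS. The function names, the sample main.cf (which reproduces this chapter's settings) and the sample EHLO text are this example's own; Postfix continuation lines in main.cf are not handled.

```shell
#!/bin/bash
# Added example, not part of the original howto: audit main.cf for settings that
# decide whether SMTP-AUTH passwords can cross the wire unencrypted, and parse an
# EHLO reply. Single-line "name = value" settings only; names are this example's own.
set -u

# postconf_value FILE NAME: prints NAME's value; the last assignment wins, as in Postfix
postconf_value() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        index($0, key) == 1 && substr($0, length(key) + 1) ~ /^[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); val = $0
        }
        END { print val }' "$1"
}

# audit_main_cf FILE: prints one finding per line and fails if there is any
audit_main_cf() {
    f=$1 n=0
    # AUTH enabled, allowed before STARTTLS, and plaintext mechanisms not disabled
    if [ "$(postconf_value "$f" smtpd_sasl_auth_enable)" = "yes" ] &&
       [ "$(postconf_value "$f" smtpd_tls_auth_only)" != "yes" ]; then
        case ",$(postconf_value "$f" smtpd_sasl_security_options | tr -d ' ')," in
            *,noplaintext,*) ;;
            *) echo "cleartext AUTH: smtpd_tls_auth_only is not yes and smtpd_sasl_security_options lacks noplaintext"
               n=$((n + 1)) ;;
        esac
    fi
    if [ "$(postconf_value "$f" smtpd_use_tls)" != "yes" ]; then
        echo "no STARTTLS: smtpd_use_tls is not yes"; n=$((n + 1))
    fi
    case "$(postconf_value "$f" smtpd_recipient_restrictions)" in
        *reject_unauth_destination*) ;;
        *) echo "open relay risk: smtpd_recipient_restrictions lacks reject_unauth_destination"
           n=$((n + 1)) ;;
    esac
    [ "$n" -eq 0 ]
}

# ehlo_keywords TEXT: prints one EHLO keyword per line (the first is the server name)
ehlo_keywords() {
    printf '%s\n' "$1" | awk '/^250[- ]/ { sub(/\r$/, ""); sub(/^250[- ]/, ""); print $1 }'
}

# cleartext_auth_offered TEXT: succeeds if a pre-STARTTLS EHLO reply advertises AUTH
cleartext_auth_offered() {
    ehlo_keywords "$1" | grep -qx AUTH
}

# write_sample_main_cf FILE: the SASL/TLS lines from this chapter (constructed sample)
write_sample_main_cf() {
    cat > "$1" <<'EOF'
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
smtpd_tls_auth_only = no
smtpd_use_tls = yes
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
EOF
}

# EHLO reply as in the telnet session above, before STARTTLS (constructed sample)
SAMPLE_EHLO='250-server1.example.com
250-PIPELINING
250-SIZE 10240000
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250 DSN'

# Usage: audit_main_cf /etc/postfix/main.cf; cleartext_auth_offered "$SAMPLE_EHLO" && echo "AUTH before TLS"
```

On the chapter's own settings the audit reports exactly one finding, the cleartext AUTH one, and it goes away once smtpd_tls_auth_only = yes is appended (a later assignment overrides an earlier one, as postconf -e does). Against a live server, postconf -h smtpd_tls_auth_only is the authoritative answer because it includes defaults and continuation lines, which the awk parser above does not; and once the setting is yes the AUTH line only appears on an EHLO sent after STARTTLS, so feed it through openssl s_client -starttls smtp -connect localhost:25 rather than telnet.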

11.1 Maildir

Dovecot uses Maildir format (not mbox), so if you install ISPConfig on the server, please make sure you enable Maildir under Management -> Server -> Settings -> Email. ISPConfig will then do the necessary configuration.

If you do not want to install ISPConfig, then you must configure Postfix to deliver emails to a user's Maildir (you can also do this if you use ISPConfig - it doesn't hurt ;-)):

postconf -e 'home_mailbox = Maildir/'
postconf -e 'mailbox_command ='
/etc/init.d/postfix restart

Comments

From: at: 2008-07-23 13:27:14

ncftp does not install during the yum install command. ncftp is not listed during a yum list ncftp*


From: Noodle2732 at: 2008-09-14 15:19:46

I had the same problem; I managed to get around it, though, after a bit of searching Google.

BTW, I am a Linux n00b, so if this is the wrong way to do things then I apologize.

I had to add the Karan extras testing repo and set gpgcheck=0, then it installed.

vi /etc/yum.conf

Add this to the bottom:

[kbs-CentOS-Testing]
name=CentOS.Karan.Org-ELS - Testing
gpgcheck=0
gpgkey=http://centos.karan.org/RPM-GPG-KEY-karan.org.txt
enabled=1
baseurl=http://centos.karan.org/el5/extras/testing/i386/RPMS/

Then import the key:

rpm --import http://centos.karan.org/RPM-GPG-KEY-karan.org.txt

And then finally install ncftp:

yum install ncftp
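The stanza in that comment turns off RPM signature checking (gpgcheck=0) and fetches the signing key over plain http; either one lets whoever controls the mirror or the network path install arbitrary packages as root. As an added example (not from the commenter or the howto), the script below scans a yum configuration for exactly those two settings. The function name and the sample file, which pairs the stanza above with a corrected copy, are this example's own.

```shell
#!/bin/bash
# Added example, not from the comment above or the howto: flag yum repository
# stanzas that disable signature checking or fetch the GPG key over plain http.
# The function name and the sample file are this example's own.
set -u

# audit_repo_file FILE: prints "<repo>: <finding>" lines for /etc/yum.conf or a .repo file
audit_repo_file() {
    awk '
        function flush() {
            if (name == "") return
            if (gpgcheck == "0")
                print name ": gpgcheck=0, packages are installed without RPM signature verification"
            if (gpgkey ~ /^http:\/\//)
                print name ": gpgkey is fetched over plain http and can be replaced in transit"
            name = ""; gpgcheck = ""; gpgkey = ""
        }
        # a new [section] header closes the previous stanza
        /^[ \t]*\[/ { flush(); s = $0; sub(/^[^[]*\[[ \t]*/, "", s); sub(/[ \t]*\].*$/, "", s); name = s; next }
        /^[ \t]*(#|;|$)/ { next }
        {
            eq = index($0, "="); if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/[ \t]/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == "gpgcheck") gpgcheck = v
            else if (k == "gpgkey") gpgkey = v
        }
        END { flush() }' "$1"
}

# write_sample_repo FILE: the stanza from the comment above, followed by the same
# repository with signature checking on and the key taken from a local file that
# was imported with rpm --import after its fingerprint was checked out of band
# (constructed sample; the local key path is this example's assumption)
write_sample_repo() {
    cat > "$1" <<'EOF'
[kbs-CentOS-Testing]
name=CentOS.Karan.Org-ELS - Testing
gpgcheck=0
gpgkey=http://centos.karan.org/RPM-GPG-KEY-karan.org.txt
enabled=1
baseurl=http://centos.karan.org/el5/extras/testing/i386/RPMS/

[kbs-CentOS-Testing-signed]
name=CentOS.Karan.Org-ELS - Testing (signed)
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-karan.org
enabled=1
baseurl=http://centos.karan.org/el5/extras/testing/i386/RPMS/
EOF
}

# Usage: for f in /etc/yum.conf /etc/yum.repos.d/*.repo; do audit_repo_file "$f"; done
```

On the sample file the first stanza produces two findings and the corrected one none. Keeping gpgcheck=1 costs nothing once the key has been imported from a trusted copy, and rpm -K on a downloaded .rpm confirms that its signature verifies before anything is installed.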

From: Anonymous at: 2008-11-19 03:32:33

Worked for me, thanks Noodle.

From: gobok at: 2008-12-15 04:22:31

Thanks for the ncftp, and the updated repo is supposed to be in

/etc/yum.repos.d/CentOS-Base.repo

From: at: 2008-08-30 18:53:38

yum install openssl-devel

is also needed for ISPConfig to successfully complete PHP compilation.

From: admin at: 2008-08-31 08:17:07

These packages are already installed if you select the same package groups as I did during the initial system installation.

From: at: 2008-08-30 18:56:26

yum install zlib-devel is also needed to compile PHP for ISPConfig.

From: rezilient1 at: 2008-11-18 20:10:26

This line doesn't work for me; same issue for anyone else? Is it important? I confirmed the root password was successfully set. What does this do?

# mysqladmin -h server1.example.com -u root password yourrootsqlpassword

From: Milan at: 2009-01-15 13:45:45

Read step 4 of this howto carefully. It is important to assign server1.example.com (replace with your server name) to the actual IP address of the server.

From: Augusto at: 2009-01-07 12:05:44

It doesn't seem to work fine. I can't find the option "-h" for the command mysqladmin:

http://dev.mysql.com/doc/refman/5.1/en/mysqladmin.html

If you can access the MySQL server, then it's OK:

[root@hello tmp]# mysql -u root -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 14 to server version: 5.1

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql>


From: Narcarsiss at: 2010-07-06 01:42:22

Easy fix: apply -p after password.

For example: mysqladmin -h Xeon.com -u root password -p ********************

 Cheers Narcarsiss

From: Anonymous at: 2009-03-16 17:24:53

Use this to fix it. Worked for me.

From: Mike Shafer at: 2009-05-15 02:31:08

Great bit of work. I followed this to the letter and it worked perfectly. Learned a few new tricks on the process! Thanks for the efforts.

Mike Shafer

From: at: 2008-08-30 18:38:07

This manual is missing just one thing relative to ISPConfig. It requires flex package to be installed (2.2.25 at least). So, `yum install flex` is needed

From: Anonymous at: 2009-02-11 11:27:56

Hi,

This tutorial is very good, but I have a problem. When I try to install proftpd it just doesn't stop checking. I left the server to install for 24 hours but it is still checking. I can't complete the install. I saw a warning message:

make: Warning: File `Make.rules.in' has modification time 1e+08 s in the future

What could the problem be?

From: Jeremy at: 2008-12-01 16:54:23

Great Tutorial.

I have always setup LAMP for local development, but have been wanting to do some smaller sites in house.

Followed your tutorial almost step-by-step (I prefer building PHP).

From: ip-adresa at: 2008-09-11 09:57:06

Thank You for great tutorial! I am going to install CentOS on my small server. Well done :-)

From: javsan at: 2008-10-13 05:41:51

Really a good manual. Thank you very much.

From: Kuzmich at: 2008-11-14 10:58:02

It needs flex for ./setup:

yum install flex

From: PanzerThorr at: 2008-11-18 10:08:53

On the 64-bit version of CentOS I needed to do this because the installation crashed:

yum install openssl-devel flex zlib-devel libxml2-devel libpng-devel libxslt-devel

From: rezilient at: 2008-11-20 03:39:55

I still needed the following in order to install ISPConfig 3.0.

        postgresql-devel is needed by courier-authlib-0.61.0-1.x86_64
        expect is needed by courier-authlib-0.61.0-1.x86_64
        /usr/include/ltdl.h is needed by courier-authlib-0.61.0-1.x86_64

From: Anonymous at: 2008-12-31 00:03:52

I followed this setup to install ISPConfig, and sure, this tutorial may be comprehensive, but it left me with A TON of unanswered questions and problems that made it seem not worth putting in the time to finish. Honestly, at this point, I may just wipe it and install a fresh copy of Centos and pay for cpanel. It will be cheaper in the end.....

From: Simon at: 2009-01-19 13:52:11

I followed this tutorial through and everything works great, but PHP doesn't load MySQL by default.

I checked phpinfo() and it doesn't show mysql as loaded. I know it's a bit of a noob question and it should be obvious.

From: Elber at: 2009-02-22 01:58:42

Many thanks, friends (Thanks so much!!!). Excellent documentation!!!

From: Jason Barnett at: 2009-02-09 19:13:45

...but after seven pages of excellent documentation I would have expected the job to be finished properly with detailed steps on how to install ISPConfig.

In my opinion this takes the shine off an otherwise excellent how-to.

From: Jason Barnett at: 2009-02-09 19:21:32

Here are some quick and dirty instructions for installing ISPConfig:

cd /tmp
wget -O ISPConfig-2.2.29.tar.gz 'http://prdownloads.sourceforge.net/ispconfig/ISPConfig-2.2.29.tar.gz?download'
tar xvzf ISPConfig-2.2.29.tar.gz
cd install_ispconfig
./setup

Accepting all the defaults will do the job quite nicely.

From: Anonymous at: 2010-02-23 17:05:04

My server is working very nicely. Thank you.