The Perfect Server - Gentoo 2007.0 - Page 5
12 Postfix with SMTP-AUTH and TLS
First we want to set the USE flags appropriately.
echo "mail-mta/postfix sasl" >> /etc/portage/package.use
echo "dev-libs/cyrus-sasl authdaemond urandom" >> /etc/portage/package.use
echo "net-mail/courier-imap fam" >> /etc/portage/package.use
Then we actually install it.
emerge --ask --verbose postfix courier-imap procmail
courier-imap would actually be brought in as a dependency of postfix with these USE flags, but including it on the command line adds it to the world file, the list of packages we asked for explicitly as opposed to dependencies.
Edit /etc/mail/aliases to provide an alias for root to your administrator user. In Gentoo there's a commented-out line for you to complete and uncomment.
root: administrator
newaliases
Now we want to configure Postfix itself. Note that under Gentoo it does not run in a chroot by default; making it do so is currently beyond the scope of this HowTo.
We set up Postfix for normal Maildir operation. Note that this does not set anything up specifically for ISPConfig; the changes we need to make for ISPConfig are given in step 18.
postconf -e "myhostname = $(hostname -f)"
postconf -e 'mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain'
postconf -e 'mynetworks = 127.0.0.0/8'
postconf -e 'recipient_delimiter = +'
postconf -e 'mailbox_size_limit = 0'
postconf -e 'inet_interfaces = all'
postconf -e 'inet_protocols = all'
postconf -e 'home_mailbox = Maildir/'
Now we set up SASL.
postconf -e 'smtpd_sasl_local_domain ='
postconf -e 'smtpd_sasl_auth_enable = yes'
postconf -e 'smtpd_sasl_security_options = noanonymous'
postconf -e 'broken_sasl_auth_clients = yes'
postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination'
echo 'pwcheck_method: saslauthd' >> /etc/sasl2/smtpd.conf
echo 'mech_list: plain login' >> /etc/sasl2/smtpd.conf
Now we want to make the SSL certificates for Postfix.
cd /etc/ssl
vi openssl.cnf
Change the following default values for your domain. These are just the defaults that come up when you create a new certificate request, so you can leave this step out and accept the usual prompts instead; but you would then have to type the values in at least twice, so editing them once here is probably worth it.
countryName_default
stateOrProvinceName_default
localityName_default
0.organizationName_default
emailAddress_default
And create the certificates.
cd misc
./CA.pl -newreq-nodes
./CA.pl -newca
./CA.pl -sign
cp newcert.pem newkey.pem demoCA/cacert.pem /etc/postfix/
And configure Postfix with them.
postconf -e 'smtpd_tls_auth_only = no'
postconf -e 'smtp_use_tls = yes'
postconf -e 'smtpd_use_tls = yes'
postconf -e 'smtp_tls_note_starttls_offer = yes'
postconf -e 'smtpd_tls_key_file = /etc/postfix/newkey.pem'
postconf -e 'smtpd_tls_cert_file = /etc/postfix/newcert.pem'
postconf -e 'smtpd_tls_CAfile = /etc/postfix/cacert.pem'
postconf -e 'smtpd_tls_loglevel = 1'
postconf -e 'smtpd_tls_received_header = yes'
postconf -e 'smtpd_tls_session_cache_timeout = 3600s'
postconf -e 'tls_random_source = dev:/dev/urandom'
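The postconf -e commands above leave the SMTP-AUTH and TLS settings spread over main.cf, and it is easy to lose track of which ones matter for security. The script below is an added example, not part of the original HowTo: it reads a main.cf (or the output of postconf -n, which has the same "name = value" shape) and reports on the settings this section configures. The parameter names are Postfix's own; the file used at the bottom is constructed from the values set above. Note that with the HowTo's smtpd_tls_auth_only = no, Postfix also offers AUTH LOGIN/PLAIN before STARTTLS, so a client that does not insist on TLS sends its password in clear; the audit flags that.

```shell
#!/bin/sh
# Added example, not from the HowTo: audit a Postfix main.cf (or "postconf -n"
# output) for the SMTP-AUTH/TLS settings this section configures.
# Everything below only reads a file; nothing on the system is changed.

# get_param FILE NAME: print the value of NAME ("name = value" lines, last
# occurrence wins as in main.cf), or nothing when NAME is not set.
get_param() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | sed 's/[[:space:]]*$//' | tail -n 1
}

# audit_smtpd FILE: print one "ok:" or "warn:" line per check and return the
# number of warnings (0 means every check passed).
audit_smtpd() {
    cfg=$1
    warnings=0

    if [ "$(get_param "$cfg" smtpd_sasl_auth_enable)" = yes ]; then
        echo "ok: SMTP-AUTH is enabled"
    else
        echo "warn: smtpd_sasl_auth_enable is not yes"; warnings=$((warnings + 1))
    fi

    if [ "$(get_param "$cfg" smtpd_use_tls)" = yes ]; then
        echo "ok: STARTTLS is offered"
    else
        echo "warn: smtpd_use_tls is not yes"; warnings=$((warnings + 1))
    fi

    # With smtpd_tls_auth_only = no, AUTH is also advertised on sessions that
    # have not done STARTTLS, so LOGIN/PLAIN passwords may cross the wire in clear.
    if [ "$(get_param "$cfg" smtpd_tls_auth_only)" = yes ]; then
        echo "ok: AUTH is only offered after STARTTLS"
    else
        echo "warn: smtpd_tls_auth_only is not yes; AUTH is offered on unencrypted sessions"
        warnings=$((warnings + 1))
    fi

    case "$(get_param "$cfg" smtpd_sasl_security_options)" in
        *noanonymous*) echo "ok: anonymous SASL mechanisms are disabled" ;;
        *) echo "warn: smtpd_sasl_security_options lacks noanonymous"; warnings=$((warnings + 1)) ;;
    esac

    # Relay control in this setup rests on reject_unauth_destination: without it
    # nothing in the list refuses mail for foreign domains from unknown clients.
    case "$(get_param "$cfg" smtpd_recipient_restrictions)" in
        *reject_unauth_destination*) echo "ok: relaying limited to mynetworks and authenticated users" ;;
        *) echo "warn: smtpd_recipient_restrictions lacks reject_unauth_destination"; warnings=$((warnings + 1)) ;;
    esac

    return $warnings
}

# Constructed sample: the values the postconf -e commands in this section produce.
sample=$(mktemp)
cat > "$sample" <<'EOF'
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
smtpd_tls_auth_only = no
smtpd_use_tls = yes
EOF
n=0
audit_smtpd "$sample" || n=$?
echo "warnings: $n"
rm -f "$sample"
```

Run it against the real file with audit_smtpd /etc/postfix/main.cf, or against postconf -n output saved to a file; the exit status is the warning count, so it can be dropped into a cron job or a post-install check as is.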
Start postfix and saslauthd and set them to start on boot.
/etc/init.d/saslauthd start
rc-update add saslauthd default
/etc/init.d/postfix start
rc-update add postfix default
To see if SMTP-AUTH and TLS work properly, now run the following command:
telnet localhost 25
After you have established the connection to your Postfix mail server type:
ehlo localhost
If you see the lines
250-STARTTLS
and
250-AUTH LOGIN PLAIN
everything is fine.
The output on my system looks like this:
server1 misc # telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.localdomain.
Escape character is '^]'.
220 server1.example.com ESMTP Postfix
ehlo localhost
250-server1.example.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
quit
221 2.0.0 Bye
Connection closed by foreign host.
Type
quit
to return to the system's shell.
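The same check can be scripted, which is handy after every configuration change. The following is an added example and not part of the original HowTo: it extracts the capability keywords from an EHLO transcript and confirms that STARTTLS and an AUTH line offering LOGIN or PLAIN are present. The live_ehlo_check function assumes a netcat (nc) that accepts -w for a timeout; the sample transcript at the end is constructed, modelled on the session shown above.

```shell
#!/bin/sh
# Added example (not part of the HowTo): check an ESMTP EHLO reply for the
# STARTTLS and AUTH LOGIN/PLAIN lines the text tells you to look for.

# ehlo_caps: read a transcript on stdin and print the EHLO capability
# keywords one per line ("250-STARTTLS" / "250 DSN" become "STARTTLS" / "DSN").
ehlo_caps() {
    tr -d '\r' | sed -n 's/^250[- ]//p'
}

# check_ehlo_caps FILE: return 0 when FILE advertises STARTTLS and an AUTH
# line offering LOGIN or PLAIN; otherwise name what is missing and return 1.
check_ehlo_caps() {
    caps=$(ehlo_caps < "$1")
    missing=""
    echo "$caps" | grep -q '^STARTTLS$' || missing="$missing STARTTLS"
    echo "$caps" | grep -Eq '^AUTH (.* )?(LOGIN|PLAIN)' || missing="$missing AUTH-LOGIN/PLAIN"
    if [ -n "$missing" ]; then
        echo "missing:$missing" >&2
        return 1
    fi
    return 0
}

# live_ehlo_check HOST [PORT]: run the same check against a running server.
# Assumes an nc that accepts "-w seconds"; the pause gives the server time
# to answer before we say quit. Not used by the offline sample below.
live_ehlo_check() {
    tmp=$(mktemp)
    { printf 'ehlo localhost\r\n'; sleep 2; printf 'quit\r\n'; } \
        | nc -w 5 "$1" "${2:-25}" > "$tmp"
    check_ehlo_caps "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Constructed sample transcript, modelled on the telnet session in the HowTo.
sample=$(mktemp)
cat > "$sample" <<'EOF'
220 server1.example.com ESMTP Postfix
250-server1.example.com
250-PIPELINING
250-SIZE 10240000
250-STARTTLS
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250 DSN
221 2.0.0 Bye
EOF
if check_ehlo_caps "$sample"; then
    echo "SMTP-AUTH and STARTTLS are advertised"
fi
rm -f "$sample"
```

One caveat: this looks at the plaintext EHLO reply. If you later set smtpd_tls_auth_only = yes so that passwords are never accepted on an unencrypted session, Postfix advertises AUTH only after STARTTLS, and this check will report AUTH as missing even though everything is right; in that case inspect the post-STARTTLS capabilities with openssl s_client -starttls smtp -connect localhost:25 instead.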
13 Courier-IMAP/Courier-POP3
The courier-imap software we need was all installed as dependencies in the Postfix install, so now we just need to finish setting it up.
cd /etc/courier-imap
vi pop3d.cnf
vi imapd.cnf
Change the C, ST, L, CN and email parameters to match your server. In particular, make sure that the CN field is the hostname mail clients will be using to connect to your mailserver. Then,
mkpop3dcert
mkimapdcert
Now you can start courier-imap's various services and configure them to start on boot.
/etc/init.d/courier-imapd start
/etc/init.d/courier-imapd-ssl start
/etc/init.d/courier-pop3d start
/etc/init.d/courier-pop3d-ssl start
rc-update add courier-imapd default
rc-update add courier-imapd-ssl default
rc-update add courier-pop3d default
rc-update add courier-pop3d-ssl default