The Perfect Server - Gentoo 2007.0 - Page 5

12 Postfix with SMTP-AUTH and TLS

First we want to set the USE flags appropriately.

echo "mail-mta/postfix sasl" >> /etc/portage/package.use
echo "dev-libs/cyrus-sasl authdaemond urandom" >> /etc/portage/package.use
echo "net-mail/courier-imap fam" >> /etc/portage/package.use

Then we actually install it.

emerge --ask --verbose postfix courier-imap procmail

courier-imap would actually be brought in as a dependency of postfix with these USE flags, but including it in the commandline will add it to the world file, the list of those packages we specifically wanted as opposed to dependencies.

Edit /etc/mail/aliases to provide an alias for root to your administrator user. In Gentoo there's a commented-out line for you to complete and uncomment.

root: administrator

newaliases

Now we want to configure postfix itself. Note, under Gentoo it does not run in a chroot by default, and making it do so is currently beyond the scope of this HowTo.

We set up Postfix for normal Maildir operation. Note, that this does not set anything up specifically for ISPConfig; the changes we need to make for ISPConfig are given in step 18.

postconf -e "myhostname = $(hostname -f)"
postconf -e 'mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain'
postconf -e 'mynetworks = 127.0.0.0/8'
postconf -e 'recipient_delimiter = +'
postconf -e 'mailbox_size_limit = 0'
postconf -e 'inet_interfaces = all'
postconf -e 'inet_protocols = all'
postconf -e 'home_mailbox = Maildir/'

Now we set up sasl.

postconf -e 'smtpd_sasl_local_domain ='
postconf -e 'smtpd_sasl_auth_enable = yes'
postconf -e 'smtpd_sasl_security_options = noanonymous'
postconf -e 'broken_sasl_auth_clients = yes'
postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination'
echo 'pwcheck_method: saslauthd' >> /etc/sasl2/smtpd.conf
echo 'mech_list: plain login' >> /etc/sasl2/smtpd.conf

Now we want to make the ssl certificates for postfix.

cd /etc/ssl
vi openssl.cnf

Change the following default values for your domain. Basically these are just the default values that come up when you create a new certificate request, so you can leave this step out and just let yourself be faced with the usual defaults. You'd have to type them in at least twice, so it's probably worth it.

countryName_default
stateOrProvinceName_default
localityName_default
0.organizationName_default
emailAddress_default

And create the certificates.

cd misc
./CA.pl -newreq-nodes
./CA.pl -newca
./CA.pl -sign
cp newcert.pem newkey.pem demoCA/cacert.pem /etc/postfix/

And configure postfix with them.

postconf -e 'smtpd_tls_auth_only = no'
postconf -e 'smtp_use_tls = yes'
postconf -e 'smtpd_use_tls = yes'
postconf -e 'smtp_tls_note_starttls_offer = yes'
postconf -e 'smtpd_tls_key_file = /etc/postfix/newkey.pem'
postconf -e 'smtpd_tls_cert_file = /etc/postfix/newcert.pem'
postconf -e 'smtpd_tls_CAfile = /etc/postfix/cacert.pem'
postconf -e 'smtpd_tls_loglevel = 1'
postconf -e 'smtpd_tls_received_header = yes'
postconf -e 'smtpd_tls_session_cache_timeout = 3600s'
postconf -e 'tls_random_source = dev:/dev/urandom'

Start postfix and saslauthd and set them to start on boot.

/etc/init.d/saslauthd start
rc-update add saslauthd default
/etc/init.d/postfix start
rc-update add postfix default

To see if SMTP-AUTH and TLS work properly now run the following command:

telnet localhost 25

After you have established the connection to your Postfix mail server type:

ehlo localhost

If you see the lines

250-STARTTLS

and

250-AUTH LOGIN PLAIN

everything is fine.

The output on my system looks like this:

server1 misc # telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.localdomain.
Escape character is '^]'.
220 server1.example.com ESMTP Postfix
ehlo localhost
250-server1.example.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
quit
221 2.0.0 Bye
Connection closed by foreign host.

Type

quit

to return to the system's shell.

13 Courier-IMAP/Courier-POP3

The courier-imap software we need was all installed as dependencies in the postfix install. So now we just need to finish setting it up.

cd /etc/courier-imap
vi pop3d.cnf
vi imapd.cnf

Change the C, ST, L, CN and email parameters to match your server. In particular, make sure that the CN field is the hostname mail clients will be using to connect to your mailserver. Then,

mkpop3dcert
mkimapdcert

Now you can start courier-imap's various services and configure them to start on boot.

/etc/init.d/courier-imapd start
/etc/init.d/courier-imapd-ssl start
/etc/init.d/courier-pop3d start
/etc/init.d/courier-pop3d-ssl start
rc-update add courier-imapd default
rc-update add courier-imapd-ssl default
rc-update add courier-pop3d default
rc-update add courier-pop3d-ssl default

Share this page:

4 Comment(s)

Add comment

Comments

From: at: 2007-09-26 22:12:53

The bold text in the command examples wasn't a typographical accident; it looks like most of them got lost in translation, and those that weren't were turned from <strong> to <b>. I've just gone through restoring the bold where it had gone missing (but sticking to the <b> - maybe the CSS is happier with that; it looked OK in preview though).

As explained, hopefully, on page 3, when boldface is used in all the following command examples throughout the howto, that means that those commands can be skipped by the user if they carried out the optional step 4.2 to carry out the software build in one go, rather than building and installing the software as they go along as per the versions of this howto for binary distributions. (I added the option to do it all in advance simply because it is a source distribution, and as such the installation stages can take some time.)

From: Anonymous at: 2009-06-19 12:02:49

Thanks for this.

It was an easy to follow guide that focused on exactly what I wanted to do. With some minor changes it also worked with Gentoo 2008.0 so I was pleasantly surprised. Thanks

From: Anonymous at: 2009-07-07 15:40:15

I thinks this is my first time that i successfully finish gentoo installation!!

From: at: 2008-05-29 23:10:42

Many thanks!

It works!
I'am successfully install ISPconfig on clear Gentoo installation (amd64) using this manual.

But at current moment on Gentoo amd64 architecture not avail to install package "smrsh".
Hi is masket. Masked and for ACCEPT_KEYWORDS="~amd64" too.

I can't install this package.
What is problem may be in the future in this case ?