The Perfect Server - Gentoo 2007.0 - Page 5

12 Postfix with SMTP-AUTH and TLS

First we want to set the USE flags appropriately.

echo "mail-mta/postfix sasl" >> /etc/portage/package.use 
echo "dev-libs/cyrus-sasl authdaemond urandom" >> /etc/portage/package.use
echo "net-mail/courier-imap fam" >> /etc/portage/package.use

Then we actually install it.

emerge --ask --verbose postfix courier-imap procmail

courier-imap would actually be brought in as a dependency of postfix with these USE flags, but including it on the command line adds it to the world file, the list of packages we explicitly asked for as opposed to dependencies.

Edit /etc/mail/aliases to provide an alias for root to your administrator user. In Gentoo there's a commented-out line for you to complete and uncomment:

root: administrator

Then rebuild the alias database:

newaliases

Now we want to configure postfix itself. Note that under Gentoo it does not run in a chroot by default; making it do so is currently beyond the scope of this HowTo.

We set up Postfix for normal Maildir operation. Note that this does not set anything up specifically for ISPConfig; the changes we need to make for ISPConfig are given in step 18.

postconf -e "myhostname = $(hostname -f)" 
postconf -e 'mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain'
postconf -e 'mynetworks = 127.0.0.0/8'
postconf -e 'recipient_delimiter = +'
postconf -e 'mailbox_size_limit = 0'
postconf -e 'inet_interfaces = all'
postconf -e 'inet_protocols = all'
postconf -e 'home_mailbox = Maildir/'

Now we set up SASL.

postconf -e 'smtpd_sasl_local_domain =' 
postconf -e 'smtpd_sasl_auth_enable = yes'
postconf -e 'smtpd_sasl_security_options = noanonymous'
postconf -e 'broken_sasl_auth_clients = yes'
postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination'
echo 'pwcheck_method: saslauthd' >> /etc/sasl2/smtpd.conf
echo 'mech_list: plain login' >> /etc/sasl2/smtpd.conf
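The order of smtpd_recipient_restrictions above is what keeps the server from being an open relay: Postfix walks the list left to right and stops at the first restriction that yields a decision, so an unauthenticated client outside mynetworks reaches reject_unauth_destination and is refused unless the recipient domain is one in mydestination. The following Python model of that first-match evaluation is an added example, not Postfix code or anything from the HowTo; it assumes the mydestination and mynetworks values set above (with example.com standing in for your domain), models only the three restriction types used on this page, and ignores relay_domains.

```python
import ipaddress
from dataclasses import dataclass

# Values from the postconf lines above; example.com stands in for your own domain (assumption).
MYDESTINATION = {"server1.example.com", "localhost.example.com", "localhost", "example.com"}
MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8")]

# The restriction list set with postconf above.
PAGE_RESTRICTIONS = [
    "permit_sasl_authenticated",
    "permit_mynetworks",
    "reject_unauth_destination",
]


@dataclass
class Client:
    """What Postfix knows about the sending client at RCPT TO time (simplified)."""
    ip: str
    sasl_authenticated: bool
    recipient_domain: str


def in_mynetworks(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in MYNETWORKS)


def evaluate(restrictions, client: Client, mydestination=MYDESTINATION) -> str:
    """First-match evaluation, as Postfix does it: walk the list left to right and
    stop at the first restriction that yields a decision. Only the three
    restriction types used on this page are modelled; relay_domains is ignored."""
    for restriction in restrictions:
        if restriction == "permit_sasl_authenticated":
            if client.sasl_authenticated:
                return "permit"
        elif restriction == "permit_mynetworks":
            if in_mynetworks(client.ip):
                return "permit"
        elif restriction == "reject_unauth_destination":
            if client.recipient_domain.lower() not in mydestination:
                return "reject"
        else:
            raise ValueError(f"restriction not modelled here: {restriction}")
    # No restriction reached a decision: Postfix permits.
    return "permit"


def is_open_relay(restrictions) -> bool:
    """Probe the list with an unauthenticated client outside mynetworks sending to
    a domain we are not responsible for (constructed values). A 'permit' here
    means anyone on the internet could relay through this server."""
    stranger = Client(ip="203.0.113.5", sasl_authenticated=False,
                      recipient_domain="other.example.net")
    return evaluate(restrictions, stranger) == "permit"


if __name__ == "__main__":
    print("page config open relay?", is_open_relay(PAGE_RESTRICTIONS))
    print("without reject_unauth_destination open relay?",
          is_open_relay(PAGE_RESTRICTIONS[:2]))
```

Running it shows the page's list is closed to strangers while authenticated users and localhost can still send anywhere; dropping reject_unauth_destination turns the same server into an open relay, which is why that restriction must stay at the end of the list.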

Now we want to make the SSL certificates for postfix.

cd /etc/ssl 
vi openssl.cnf

Change the following default values to match your domain. These are just the defaults offered when you create a new certificate request, so you could skip this step and accept the usual defaults each time; but since you'd have to type the values in at least twice, it's probably worth it.

countryName_default
stateOrProvinceName_default
localityName_default
0.organizationName_default
emailAddress_default

And create the certificates.

cd misc 
./CA.pl -newreq-nodes
./CA.pl -newca
./CA.pl -sign
cp newcert.pem newkey.pem demoCA/cacert.pem /etc/postfix/

And configure postfix with them.

postconf -e 'smtpd_tls_auth_only = no' 
postconf -e 'smtp_use_tls = yes'
postconf -e 'smtpd_use_tls = yes'
postconf -e 'smtp_tls_note_starttls_offer = yes'
postconf -e 'smtpd_tls_key_file = /etc/postfix/newkey.pem'
postconf -e 'smtpd_tls_cert_file = /etc/postfix/newcert.pem'
postconf -e 'smtpd_tls_CAfile = /etc/postfix/cacert.pem'
postconf -e 'smtpd_tls_loglevel = 1'
postconf -e 'smtpd_tls_received_header = yes'
postconf -e 'smtpd_tls_session_cache_timeout = 3600s'
postconf -e 'tls_random_source = dev:/dev/urandom'

Start postfix and saslauthd and set them to start on boot.

/etc/init.d/saslauthd start 
rc-update add saslauthd default
/etc/init.d/postfix start
rc-update add postfix default

To see if SMTP-AUTH and TLS work properly, now run the following command:

telnet localhost 25

After you have established the connection to your Postfix mail server, type:

ehlo localhost

If you see the lines

250-STARTTLS

and

250-AUTH LOGIN PLAIN

everything is fine.

The output on my system looks like this:

server1 misc # telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.localdomain.
Escape character is '^]'.
220 server1.example.com ESMTP Postfix
ehlo localhost
250-server1.example.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
quit
221 2.0.0 Bye
Connection closed by foreign host.

Type

quit

to return to the system's shell.
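The telnet check above can be automated. The following Python script is an added example, not part of the HowTo: parse_ehlo_reply() parses an EHLO reply such as the one shown above (embedded here as a constructed sample) and assess() reports whether STARTTLS and the PLAIN and LOGIN mechanisms are advertised; live_check() repeats the test against a running server with the standard smtplib module, both before and after STARTTLS, and assumes the server is on localhost port 25 as in the telnet session. The auth_before_tls flag is the one to watch: with smtpd_tls_auth_only = no, as set above, the server advertises AUTH on the unencrypted session (visible in the output above), so a client that skips STARTTLS sends its password in clear text; setting smtpd_tls_auth_only = yes makes Postfix offer AUTH only after STARTTLS.

```python
import smtplib
import ssl

# Constructed sample: the EHLO reply shown on this page, as the client receives it.
SAMPLE_EHLO_REPLY = """250-server1.example.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN"""


def parse_ehlo_reply(reply: str) -> dict:
    """Parse a multi-line EHLO reply into {EXTENSION: parameter string}.
    The first 250 line carries the server hostname, not an extension."""
    features = {}
    lines = [ln.rstrip("\r") for ln in reply.splitlines() if ln.strip()]
    for index, line in enumerate(lines):
        if len(line) < 4 or not line.startswith("250") or line[3] not in "- ":
            raise ValueError(f"not an EHLO reply line: {line!r}")
        body = line[4:].strip()
        if index == 0:
            continue  # greeting line: hostname only
        name, _, params = body.partition(" ")
        # Postfix also emits the legacy "AUTH=mechs" form when
        # broken_sasl_auth_clients = yes; fold it into the AUTH entry.
        if name.upper().startswith("AUTH="):
            params = name[5:] + (" " + params if params else "")
            name = "AUTH"
        features[name.upper()] = params
    return features


def assess(features: dict) -> dict:
    """Summarise what the telnet test looks for, plus the plaintext-AUTH exposure."""
    mechs = set(features.get("AUTH", "").upper().split())
    return {
        "starttls": "STARTTLS" in features,
        "auth_plain": "PLAIN" in mechs,
        "auth_login": "LOGIN" in mechs,
        # True when AUTH is advertised on the session these features came from.
        "auth_before_tls": "AUTH" in features,
    }


def live_check(host: str = "localhost", port: int = 25, timeout: float = 10) -> dict:
    """Repeat the page's telnet test against a real server (host/port are assumptions).
    Returns assessments for the plaintext EHLO and, if STARTTLS is offered, after it."""
    result = {}
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        result["plaintext"] = assess({k.upper(): v for k, v in smtp.esmtp_features.items()})
        if smtp.has_extn("starttls"):
            # The CA.pl certificate above is self-signed, so verification is
            # disabled here; the point is only to confirm the handshake works.
            ctx = ssl.create_default_context()
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
            smtp.starttls(context=ctx)
            smtp.ehlo()
            result["after_starttls"] = assess(
                {k.upper(): v for k, v in smtp.esmtp_features.items()})
    return result


if __name__ == "__main__":
    print("sample reply:", assess(parse_ehlo_reply(SAMPLE_EHLO_REPLY)))
    print("live server:", live_check())
```

For the output shown on this page the sample assessment reports starttls, auth_plain, auth_login and auth_before_tls all true; after you change smtpd_tls_auth_only to yes, the plaintext result from live_check() should show auth_before_tls false while the after_starttls result still lists both mechanisms.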

13 Courier-IMAP/Courier-POP3

The courier-imap software we need was already installed as a dependency during the postfix install, so now we just need to finish setting it up.

cd /etc/courier-imap 
vi pop3d.cnf
vi imapd.cnf

Change the C, ST, L, CN and email parameters to match your server. In particular, make sure that the CN field is the hostname mail clients will be using to connect to your mailserver. Then,

mkpop3dcert 
mkimapdcert

Now you can start courier-imap's various services and configure them to start on boot.

/etc/init.d/courier-imapd start 
/etc/init.d/courier-imapd-ssl start
/etc/init.d/courier-pop3d start
/etc/init.d/courier-pop3d-ssl start
rc-update add courier-imapd default
rc-update add courier-imapd-ssl default
rc-update add courier-pop3d default
rc-update add courier-pop3d-ssl default