The Perfect Server - Ubuntu Gutsy Gibbon (Ubuntu 7.10) - Page 5

14 Postfix With SMTP-AUTH And TLS

In order to install Postfix with SMTP-AUTH and TLS do the following steps:

apt-get install postfix libsasl2-2 sasl2-bin libsasl2-modules libdb3-util procmail

You will be asked two questions. Answer as follows:

General type of mail configuration: <-- Internet Site
System mail name: <-- server1.example.com

Then run

dpkg-reconfigure postfix

Again, you'll be asked some questions:

General type of mail configuration: <-- Internet Site
System mail name: <-- server1.example.com
Root and postmaster mail recipient: <-- [blank]
Other destinations to accept mail for (blank for none): <-- server1.example.com, localhost.example.com, localhost.localdomain, localhost
Force synchronous updates on mail queue? <-- No
Local networks: <-- 127.0.0.0/8
Use procmail for local delivery? <-- Yes
Mailbox size limit: <-- 0
Local address extension character: <-- +
Internet protocols to use: <-- all

Next, do this:

postconf -e 'smtpd_sasl_local_domain ='
postconf -e 'smtpd_sasl_auth_enable = yes'
postconf -e 'smtpd_sasl_security_options = noanonymous'
postconf -e 'broken_sasl_auth_clients = yes'
postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination'
postconf -e 'inet_interfaces = all'
echo 'pwcheck_method: saslauthd' >> /etc/postfix/sasl/smtpd.conf
echo 'mech_list: plain login' >> /etc/postfix/sasl/smtpd.conf

Afterwards we create the certificates for TLS:

mkdir /etc/postfix/ssl
cd /etc/postfix/ssl/
openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024

chmod 600 smtpd.key
openssl req -new -key smtpd.key -out smtpd.csr

openssl x509 -req -days 3650 -in smtpd.csr -signkey smtpd.key -out smtpd.crt

openssl rsa -in smtpd.key -out smtpd.key.unencrypted

mv -f smtpd.key.unencrypted smtpd.key
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650

Next we configure Postfix for TLS (make sure that you use the correct hostname for myhostname):

postconf -e 'myhostname = server1.example.com'
postconf -e 'smtpd_tls_auth_only = no'
postconf -e 'smtp_use_tls = yes'
postconf -e 'smtpd_use_tls = yes'
postconf -e 'smtp_tls_note_starttls_offer = yes'
postconf -e 'smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key'
postconf -e 'smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt'
postconf -e 'smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem'
postconf -e 'smtpd_tls_loglevel = 1'
postconf -e 'smtpd_tls_received_header = yes'
postconf -e 'smtpd_tls_session_cache_timeout = 3600s'
postconf -e 'tls_random_source = dev:/dev/urandom'

The file /etc/postfix/main.cf should now look like this:

cat /etc/postfix/main.cf

# See /usr/share/postfix/main.cf.dist for a commented, more complete version


# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

# TLS parameters
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

myhostname = server1.example.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = server1.example.com, localhost.example.com, localhost.localdomain, localhost
relayhost =
mynetworks = 127.0.0.0/8
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
smtpd_sasl_local_domain =
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
smtpd_tls_auth_only = no
smtp_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

Restart Postfix:

/etc/init.d/postfix restart

Authentication will be done by saslauthd. We have to change a few things to make it work properly. Because Postfix runs chrooted in /var/spool/postfix we have to do the following:

mkdir -p /var/spool/postfix/var/run/saslauthd

Now we have to edit /etc/default/saslauthd in order to activate saslauthd. Set START to yes and change the line OPTIONS="-c" to OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd -r":

vi /etc/default/saslauthd

#
# Settings for saslauthd daemon
#

# Should saslauthd run automatically on startup? (default: no)
START=yes

# Which authentication mechanisms should saslauthd use? (default: pam)
#
# Available options in this Debian package:
# getpwent  -- use the getpwent() library function
# kerberos5 -- use Kerberos 5
# pam       -- use PAM
# rimap     -- use a remote IMAP server
# shadow    -- use the local shadow password file
# sasldb    -- use the local sasldb database file
# ldap      -- use LDAP (configuration is in /etc/saslauthd.conf)
#
# Only one option may be used at a time. See the saslauthd man page
# for more information.
#
# Example: MECHANISMS="pam"
MECHANISMS="pam"

# Additional options for this mechanism. (default: none)
# See the saslauthd man page for information about mech-specific options.
MECH_OPTIONS=""

# How many saslauthd processes should we run? (default: 5)
# A value of 0 will fork a new process for each connection.
THREADS=5

# Other options (default: -c)
# See the saslauthd man page for information about these options.
#
# Example for postfix users: "-c -m /var/spool/postfix/var/run/saslauthd"
# Note: See /usr/share/doc/sasl2-bin/README.Debian
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd -r"

Now start saslauthd:

/etc/init.d/saslauthd start

To see if SMTP-AUTH and TLS work properly now run the following command:

telnet localhost 25

After you have established the connection to your Postfix mail server type

ehlo localhost

If you see the lines

250-STARTTLS

and

250-AUTH PLAIN LOGIN

everything is fine.

The output on my system looks like this:

root@server1:/etc/postfix/ssl# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.localdomain.
Escape character is '^]'.
220 server1.example.com ESMTP Postfix (Ubuntu)
ehlo localhost
250-server1.example.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
quit
221 2.0.0 Bye
Connection closed by foreign host.
root@server1:/etc/postfix/ssl#

Type

quit

to return to the system's shell.

 

15 Courier-IMAP/Courier-POP3

Run this to install Courier-IMAP/Courier-IMAP-SSL (for IMAPs on port 993) and Courier-POP3/Courier-POP3-SSL (for POP3s on port 995):

apt-get install courier-authdaemon courier-base courier-imap courier-imap-ssl courier-pop courier-pop-ssl courier-ssl gamin libgamin0 libglib2.0-0

You will be asked two questions:

Create directories for web-based administration ? <-- No
SSL certificate required <-- Ok

If you do not want to use ISPConfig, configure Postfix to deliver emails to a user's Maildir*:

postconf -e 'home_mailbox = Maildir/'
postconf -e 'mailbox_command ='
/etc/init.d/postfix restart

*Please note: You do not have to do this if you intend to use ISPConfig on your system as ISPConfig does the necessary configuration using procmail recipes. But please go sure to enable Maildir under Management -> Server -> Settings -> EMail in the ISPConfig web interface.

Share this page:

9 Comment(s)

Add comment

Comments

From: at: 2008-04-23 21:19:56

Should add a note that if the user plans to setup ISPConfig the mysql password should not containg characters that are special to the shell like $, &, etc...

A password like pa$$word would cause ISPConfig to return an error at the very end of the setup:

Please enter your MySQL password: pa$$word
ERROR 1045 (28000): Access denied for user 'root'@locahost' (using password: YES) The provided MySQL password is wrong!

vale

From: at: 2008-01-24 04:17:56

then you have to add those two line at the end of /etc/postfix/main.cf

virtual_maps = hash:/etc/postfix/virtusertable
mydestination = /etc/postfix/local-host-names

and comment out the previus mydestination = ...

to avoid errors like "Relay access denied" and "...loops back to itself" and undelivered mail in incoming mailbox

From: at: 2008-01-31 21:58:47

As discussed in this thread

http://www.howtoforge.com/forums/showthread.php?t=17924&highlight=php5-common

can you remove the php5-json from STEP 16?

 I know I should just make a note to myself, but I figured why not just ask one of the admins to update the guide.

From: at: 2007-11-04 01:18:45

This Howto is very useful, but appears to rely heavily on the assumption that ISPconfig will be installed. In particular SSL is not working out of the box in this configuration. I found In needed to go through the following steps for apache 2.2.4:

Apache2 SSL

Generate the certificate

Since Ubuntu 7.04, certificate creation has been changed:

Create directories

mkdir /usr/share/share/ssl-cert /etc/apache2/ssl

Create a certificate:.

/usr/sbin/make-ssl-cert /usr/share/share/ssl-cert/ssleay.cnf /etc/apache2/ssl/apache.pem

Enable the SSL module

sudo a2enmod ssl

Listen to port 443

echo "Listen 443" | sudo tee -a /etc/apache2/ports.conf

Create and enable the SSL site

sudo cp /etc/apache2/sites-available/default /etc/apache2/sites-available/ssl
Modify it so it looks something like this
NameVirtualHost *:443
<virtualhost *:443>
        ServerAdmin webmaster@localhost
        SSLEngine On
        SSLCertificateFile /etc/apache2/ssl/apache.pem

        DocumentRoot /var/www/
        <directory />
                Options FollowSymLinks
                AllowOverride None
        </directory>
        <directory /var/www/>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride None
                Order allow,deny
                allow from all
                # This directive allows us to have apache2's default start page
                # in /apache2-default/, but still have / go to the right place
                # Commented out for Ubuntu
                #RedirectMatch ^/$ /apache2-default/
        </directory>

        ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
        <directory "/usr/lib/cgi-bin">
                AllowOverride None
                Options ExecCGI -MultiViews +SymLinksIfOwnerMatch
                Order allow,deny
                Allow from all
        </directory>
        ErrorLog /var/log/apache2/error.log
        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel warn
        CustomLog /var/log/apache2/access.log combined
        ServerSignature On

    Alias /doc/ "/usr/share/doc/"
    <directory "/usr/share/doc/">
        Options Indexes MultiViews FollowSymLinks
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from 127.0.0.0/255.0.0.0 ::1/128
    </directory>

</virtualhost>
...and enable it

sudo a2ensite ssl
don't forget to modify /etc/apache2/sites-available/default

NameVirtualHost *:80
<virtualhost *:80>
...and enable it
sudo a2ensite ssl
don't forget to modify /etc/apache2/sites-available/default
NameVirtualHost *:80
<virtualhost *:80>

Mod rewrite

It's often desirable to force users to access things like webmail via https. This can be accomplished with mod_rewrite.
First you'll have to enable the module
sudo a2enmod rewrite
Then add the following to /etc/apache2/sites-available/default
RewriteEngine   on
RewriteCond     %{SERVER_PORT} ^80$
RewriteRule     ^/webmail(.*)$ https://%{SERVER_NAME}/webmail$1 [L,R]
RewriteLog      "/var/log/apache2/rewrite.log"
RewriteLogLevel 2
Create directory for pidfile; it may be missing
sudo mkdir -p /var/run/apache2
sudo chown -R www-data /var/run/apache2

Fix ports.conf

You may have to remove a double-up Listen Command for port 443 (SSL)
vi /etc/apche2/ports.conf
should look like this
Listen 80
<IfModule mod_ssl.c>
Listen 443
</IfModule>
Don't forget to restart apache
sudo /etc/init.d/apache2 force-reload

From: at: 2008-01-29 15:11:06

Thanks for the addition as I do not want to ISPconfig. SAdly there are no line carriages for the code you posted, therefore I cannot differ when a command or line is ended. Could you please reformat the part beginning from "RewriteEngine" and explicitely say between which lines this has to be inserted? Thank you.

From: at: 2008-02-28 01:53:36

The lines you mean, which are added to the default(port80) site, are;

quote: 

Then add the following to /etc/apache2/sites-available/default

RewriteEngine   on
RewriteCond     %{SERVER_PORT} ^80$
RewriteRule     ^/webmail(.*)$ https://%{SERVER_NAME}/webmail$1 [L,R]
RewriteLog      "/var/log/apache2/rewrite.log"
RewriteLogLevel 2

Good Luck! 

 

From: at: 2008-04-08 04:49:01

Ubuntu has no root password by default for security reasons. By setting one, you are taking a risk. You can use "sudo -i" or "sudo su" without setting a root password to get a root prompt as an administrator.

As well, if you do set the root password and install OpenSSH server, by default, root is permitted to log on, which is a very risky move, especially if the server is accessible from the internet. To disable root logons via ssh, edit /etc/ssh/sshd_config, and change "PermitRootLogins yes" to "PermitRootLogins no". This is normally a non-issue, because root normally does not have a password and therefore cannot log on to the system at all.

From: at: 2008-01-14 19:50:17

I don’t know if this applies to 64 bit systems only.  (I installed ISPConfig successfully on a Xeon 3210 system)
In case of error message: ”Cannot find OpenSSL's <evp.h>" followed by lots of error messages, last error message is "The PHP binary coming with ISPConfig does not work properly on your system!"  you will need to install the ssl-devel package in order to get the missing <evp.h> file.

Use the command:

sudo apt-get install libssl-dev

and reinstall ISPConfig as described in the manual

From: Anonymous at: 2008-09-27 03:01:18

Thanks for giving detailed step by step instructions. I didn't install ISPConfig, but I found the rest of the howto very helpful - informative, detailed and up-to-date.

I actually ran this on a hardy heron installation. apt-get couldn't find php5-ps. When I checked at http://packages.ubuntu.org I found this is available upto gutsy and then also planned for intrepid but not in hardy repos... would this break anything ? (Haven't been facing any thing unexplainable so far)