The Perfect Setup - Ubuntu 6.10 Server (Edgy Eft) - Page 5

12 Postfix With SMTP-AUTH And TLS

In order to install Postfix with SMTP-AUTH and TLS do the following steps:

apt-get install postfix libsasl2 sasl2-bin libsasl2-modules libdb3-util procmail

You will be asked two questions. Answer as follows:

General type of configuration? <-- Internet Site
Mail name? <-- server1.example.com

Then run

dpkg-reconfigure postfix

Again, you'll be asked some questions:

General type of configuration? <-- Internet Site
Where should mail for root go <-- NONE
Mail name? <-- server1.example.com
Other destinations to accept mail for? (blank for none) <-- server1.example.com, localhost.example.com, localhost
Force synchronous updates on mail queue? <-- No
Local networks? <-- 127.0.0.0/8
Use procmail for local delivery? <-- Yes
Mailbox size limit <-- 0
Local address extension character? <-- +
Internet protocols to use? <-- all

Next, do this:

postconf -e 'smtpd_sasl_local_domain ='
postconf -e 'smtpd_sasl_auth_enable = yes'
postconf -e 'smtpd_sasl_security_options = noanonymous'
postconf -e 'broken_sasl_auth_clients = yes'
postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination'
postconf -e 'inet_interfaces = all'
echo 'pwcheck_method: saslauthd' >> /etc/postfix/sasl/smtpd.conf
echo 'mech_list: plain login' >> /etc/postfix/sasl/smtpd.conf

Afterwards we create the certificates for TLS:

mkdir /etc/postfix/ssl
cd /etc/postfix/ssl/
openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024
chmod 600 smtpd.key
openssl req -new -key smtpd.key -out smtpd.csr
openssl x509 -req -days 3650 -in smtpd.csr -signkey smtpd.key -out smtpd.crt
openssl rsa -in smtpd.key -out smtpd.key.unencrypted
mv -f smtpd.key.unencrypted smtpd.key
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650

Next we configure Postfix for TLS:

postconf -e 'smtpd_tls_auth_only = no'
postconf -e 'smtp_use_tls = yes'
postconf -e 'smtpd_use_tls = yes'
postconf -e 'smtp_tls_note_starttls_offer = yes'
postconf -e 'smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key'
postconf -e 'smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt'
postconf -e 'smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem'
postconf -e 'smtpd_tls_loglevel = 1'
postconf -e 'smtpd_tls_received_header = yes'
postconf -e 'smtpd_tls_session_cache_timeout = 3600s'
postconf -e 'tls_random_source = dev:/dev/urandom'
postconf -e 'myhostname = server1.example.com'

The file /etc/postfix/main.cf should now look like this:

# See /usr/share/postfix/main.cf.dist for a commented, more complete version


# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

# TLS parameters
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

myhostname = server1.example.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = server1.example.com, localhost.example.com, localhost
relayhost =
mynetworks = 127.0.0.0/8
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
smtpd_sasl_local_domain =
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
smtpd_tls_auth_only = no
smtp_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

Restart Postfix:

/etc/init.d/postfix restart

Authentication will be done by saslauthd. We have to change a few things to make it work properly: because Postfix runs chrooted in /var/spool/postfix, the saslauthd socket directory must be created inside that chroot so that the chrooted smtpd can reach it:

mkdir -p /var/spool/postfix/var/run/saslauthd

Now we have to edit /etc/default/saslauthd in order to activate saslauthd. Remove # in front of START=yes and add the line PARAMS="-m /var/spool/postfix/var/run/saslauthd -r":

vi /etc/default/saslauthd

# This needs to be uncommented before saslauthd will be run automatically
START=yes

PARAMS="-m /var/spool/postfix/var/run/saslauthd -r"

# You must specify the authentication mechanisms you wish to use.
# This defaults to "pam" for PAM support, but may also include
# "shadow" or "sasldb", like this:
# MECHANISMS="pam shadow"

MECHANISMS="pam"

We must also edit /etc/init.d/saslauthd and change the location of saslauthd's PID file. Change the value of PIDFILE to /var/spool/postfix/var/run/${NAME}/saslauthd.pid:

vi /etc/init.d/saslauthd

[...]
PIDFILE="/var/spool/postfix/var/run/${NAME}/saslauthd.pid"
[...]

Now start saslauthd:

/etc/init.d/saslauthd start

To see if SMTP-AUTH and TLS work properly, now run the following command:

telnet localhost 25

After you have established the connection to your Postfix mail server type

ehlo localhost

If you see the lines

250-STARTTLS

and

250-AUTH

everything is fine.

Type

quit

to return to the system's shell.
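The EHLO check above can also be scripted. The following is an added example, not part of the original tutorial: parse_ehlo reads a telnet-style reply offline (the sample reply is constructed), assess reports what is missing or, because this setup uses smtpd_tls_auth_only = no, what is offered before TLS, and check_live repeats the EHLO/STARTTLS/EHLO sequence against a running server (host and port default to localhost:25 as in the telnet command).

```python
import smtplib
# Constructed sample of the reply to "ehlo localhost" on a server configured
# as above (not captured output); the AUTH= line is the broken_sasl_auth_clients duplicate.
SAMPLE_EHLO = """250-server1.example.com
250-PIPELINING
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250 8BITMIME
"""

def parse_ehlo(transcript):
    """Map ESMTP keywords to parameters from a raw multi-line 250 reply.
    The first 250 line is the server hostname, not a keyword."""
    features = {}
    lines = [ln.rstrip("\r") for ln in transcript.splitlines()
             if ln.startswith("250-") or ln.startswith("250 ")]
    for ln in lines[1:]:
        name, _, params = ln[4:].strip().partition(" ")
        if not name or "=" in name:   # skip the legacy "AUTH=..." duplicate
            continue
        features[name.upper()] = params.strip()
    return features

def assess(features, tls_active=False):
    """Findings for the SMTP-AUTH/TLS setup from this section."""
    findings = []
    if "STARTTLS" not in features and not tls_active:
        findings.append("STARTTLS not offered: check smtpd_use_tls and the cert/key paths")
    mechs = features.get("AUTH", "").upper().split()
    if not mechs:
        findings.append("AUTH not offered: check saslauthd and /etc/postfix/sasl/smtpd.conf")
    elif not tls_active:
        # smtpd_tls_auth_only = no (set above) announces AUTH on the cleartext session,
        # so PLAIN/LOGIN credentials travel unencrypted unless the client sends STARTTLS first.
        findings.append(f"AUTH {' '.join(mechs)} offered before TLS (smtpd_tls_auth_only = no)")
    return findings

def check_live(host="localhost", port=25, timeout=10):
    """Live form of the telnet test: EHLO, STARTTLS, EHLO again."""
    with smtplib.SMTP(host, port, timeout=timeout) as s:
        s.ehlo("localhost")
        report = {"cleartext": assess({k.upper(): v for k, v in s.esmtp_features.items()})}
        if s.has_extn("starttls"):
            s.starttls()   # self-signed cert on this setup; smtplib does not verify it here
            s.ehlo("localhost")
            report["tls"] = assess({k.upper(): v for k, v in s.esmtp_features.items()},
                                   tls_active=True)
        return report
```

An empty list from assess on the post-STARTTLS EHLO means both STARTTLS and AUTH are in place; the cleartext finding is expected with this page's settings and disappears if you later set smtpd_tls_auth_only = yes.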


13 Courier-IMAP/Courier-POP3

Run this to install Courier-IMAP/Courier-IMAP-SSL (for IMAPs on port 993) and Courier-POP3/Courier-POP3-SSL (for POP3s on port 995):

apt-get install courier-authdaemon courier-base courier-imap courier-imap-ssl courier-pop courier-pop-ssl courier-ssl gamin libgamin0 libglib2.0-0

You will be asked two questions:

Create directories for web-based administration ? <-- No
SSL certificate required <-- Ok

If you do not want to use ISPConfig, configure Postfix to deliver emails to a user's Maildir*:

postconf -e 'home_mailbox = Maildir/'
postconf -e 'mailbox_command ='
/etc/init.d/postfix restart

*Please note: You do not have to do this if you intend to use ISPConfig on your system, as ISPConfig does the necessary configuration using procmail recipes. But please make sure to enable Maildir under Management -> Server -> Settings -> EMail in the ISPConfig web interface.


Comments

From: bdk at: 2006-10-27 20:35:19

Just some comments as I'm going through this How-To:

Sudo is in Ubuntu for a reason and it should be used, so instead of enabling root and setting a root password, run sudo w/ a ' -s ' argument:

sudo -s

That'll put you in as root and you won't have to prefix all of your commands with sudo.

In step #5, instead of restarting the box, you can reload the hostname via /etc/init.d/hostname.sh; faster than restarting the box.

-bdk


From: at: 2007-02-21 13:31:51

Just a small comment:

There's really no need to enable the root account as explained in section 3.

You might as well use

sudo su -

to switch to root for doing administrative tasks.


Just my two cents :-)

/Armageddon 

From: at: 2006-11-09 18:46:01

"In recent distributions of MySQL, you can also run the script mysql_secure_installation instead of just changing the root password. That script allows you to change the root password, delete the test database, remove the anonymous user, remove remote access (allowing access from the local machine only) and reset the privileges table."

Quoting from http://www.entropy.ch/software/MacOSx/mysql/

From: at: 2007-01-13 03:50:43

When I attempted to apt-get install linux-kernel-headers, I got the message that "Package linux-kernel-headers is a virtual package provided by:
  linux-libc-dev 2.6.17.1-10.34
You should explicitly select one to install"


I did apt-get install linux-libc-dev and I did fine.

From: at: 2006-11-02 10:32:13

I think an excellent addition to this part of the tutorial would be to generate the default SSL Cert for Apache, so that it *can* listen on 443.

From: at: 2007-04-09 18:57:18

While xenlab makes a reasonable point that SSL instructions would be useful in this How-To, it should be noted that the SSL Certificate is automatically set up during the ISPConfig setup. If you are setting up ISPConfig as suggested by the author, you needn't worry about the SSL Certificate at this stage.

Loye Young
www.IYCC.net
Laredo, Texas 

From: at: 2007-05-18 20:42:28

Just to get this additional information on this page:

# HOST="my.apache.hostname.example.org"
# openssl genrsa -out $HOST.key
# openssl req -new -key $HOST.key -out $HOST.csr
# openssl x509 -req -days 368 -in $HOST.csr -signkey $HOST.key -out $HOST.cert
# mv $HOST.key /etc/ssl/private/
# chmod 0400 /etc/ssl/private/$HOST.key
# mv $HOST.cert /etc/ssl/certs/

Following goes into the apache SSL vhost configuration:

SSLEngine On
SSLProtocol +all
SSLCiphersuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificatefile /etc/ssl/certs/my.apache.hostname.example.org.cert
SSLCertificatekeyfile /etc/ssl/private/my.apache.hostname.example.org.key

From: at: 2007-01-29 12:31:53

System Changes / Package changes caused proftpd-common proftpd

root@beta:/etc/postfix/ssl# apt-get install proftpd proftpd-common ucf

Reading package lists... Done
Building dependency tree
Reading state information... Done
Package proftpd-common is a virtual package provided by:
  proftpd 1.3.0-9ubuntu0.1
You should explicitly select one to install.
E: Package proftpd-common has no installation candidate

root@beta:/etc/postfix/ssl# apt-get install proftpd ucf

Works perfectly so far.

From: at: 2007-05-15 13:31:03

You can also edit your /etc/hosts file and add/modify ipv6 lines like this:

::1     ip6-localhost ip6-loopback server1 server1.example.com

bye

Giuseppe

From: at: 2007-09-29 20:17:36

Setting your server name on 127.0.0.1 IS BAD! This address is made for loopback ONLY.

In order to make your proftpd start without messing up your system, you can add a single line:
DefaultAddress 192.168.0.1
(with the appropriate address) to your proftpd.conf