Virtual Hosting Howto With Virtualmin On CentOS 5.1 - Page 3


Postfix Setup


We will be setting up postfix with the following features:

  • Virtual hosting
  • UCE prevention
  • Anti virus
  • SMTP authentication
  • TLS
  • RBLs
  • SPF
  • Attack mitigation

Accounts and domains will be added through Virtualmin, although this can also be done by hand. The setup is designed to be light on resources, so it runs on machines that are not over-specified and leaves capacity for the sites themselves. To keep it lean we do not store virtual user information in an external database, as most other how-tos do, but in plain Postfix hash maps, and spam and virus checks run as milters instead of through amavisd-new.


The Basics

To begin with we configure the basics: the hostname and mail origin, the trusted networks, the hash lookup tables and the spool directory. Unless stated otherwise, all of these options should be added to /etc/postfix/. Sample configuration files are available for download at the end of this page. Fill in mydomain and mynetworks with your own values; mynetworks should list only the hosts that are allowed to relay mail through this server without authenticating, since anything listed there bypasses the relay checks.

command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
mydomain =
myorigin = $mydomain
mynetworks =
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
canonical_maps = hash:/etc/postfix/canonical
sender_canonical_maps = hash:/etc/postfix/canonical
recipient_canonical_maps = hash:/etc/postfix/canonical
virtual_alias_maps = hash:/etc/postfix/virtual
mail_spool_directory = /var/spool/mail



We will use the Maildir format, which keeps each message in its own file and needs no mailbox locking, rather than the default mbox format:

home_mailbox = Maildir/



SMTP authentication is done through SASL. We do not use Cyrus SASL, which would require running the separate saslauthd daemon; instead Postfix talks to Dovecot's SASL implementation over a socket. Since Dovecot is already running for IMAP and POP3 this kills two birds with one stone. The socket path below is relative to the Postfix queue directory, so Dovecot must be configured to provide its auth socket there.

smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes



We need TLS so that the passwords exchanged during SMTP authentication (PLAIN and LOGIN send them in clear text) are not transmitted over the wire unencrypted; other servers that support TLS are also able to exchange mail with this server over an encrypted connection. Note that smtpd_use_tls = yes only offers STARTTLS: a client may still authenticate on an unencrypted session unless you also set smtpd_tls_auth_only = yes, which makes Postfix refuse and not announce AUTH until TLS is active.

Instructions on creating a server certificate signed by a certificate authority can be found here.

  • Set TLS random source:
tls_random_source = dev:/dev/urandom
  • Enable server TLS:
smtpd_use_tls = yes
smtpd_tls_key_file = /etc/pki/postfix/key.pem
smtpd_tls_cert_file = /etc/pki/postfix/server.pem
smtpd_tls_CAfile = /etc/pki/postfix/root.crt
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_session_cache_database = btree:/var/spool/postfix/smtpd_tls_cache
  • Enable client TLS:
smtp_use_tls = yes
smtp_tls_key_file = /etc/pki/postfix/key.pem
smtp_tls_cert_file = /etc/pki/postfix/server.pem
smtp_tls_CAfile = /etc/pki/postfix/root.crt
smtp_tls_session_cache_database = btree:/var/spool/postfix/smtp_tls_cache
smtp_tls_note_starttls_offer = yes


Spam Prevention

  • Require a valid EHLO / HELO:
smtpd_helo_required = yes
  • Prevent email address harvesting (the VRFY command lets a client ask whether an address exists without sending mail):
disable_vrfy_command = yes
  • Change the address verification reject codes to permanent (by default Postfix answers a failed verification with a 4xx code, which tells the sending server to retry later; 5xx makes the rejection permanent. Be aware that on this Postfix version a probe that fails only temporarily, for example because the sender's mail server is unreachable at that moment, is then also rejected permanently):
unverified_recipient_reject_code = 550
unverified_sender_reject_code = 550
unknown_local_recipient_reject_code = 550
  • Setup sender address verification:
address_verify_map = btree:/var/spool/postfix/verify
smtpd_sender_restrictions = hash:/etc/postfix/sender_access
  • Create /etc/postfix/sender_access with one line per frequently spoofed domain, mapping the domain to reject_unverified_sender so that mail claiming to come from it is only accepted when the sender address actually exists at that domain:
# sample /etc/postfix/sender_access: frequently spoofed domains
# format:  <domain>    reject_unverified_sender
  • Mitigate attacks from zombies and broken clients (a client that keeps sending bad commands is delayed by smtpd_error_sleep_time per error once it exceeds the soft limit and disconnected once it reaches the hard limit):
smtpd_error_sleep_time = 5s
smtpd_soft_error_limit = 10
smtpd_hard_error_limit = 20
  • Reject clients that pipeline SMTP commands without first learning through EHLO that the server supports it (reject_unauth_pipelining checks whether pipelining was authorized, not whether the client has authenticated; spam bots that blast commands without waiting for replies are caught by this):
smtpd_data_restrictions = reject_unauth_pipelining
  • Install postfix-policyd-spf-perl (it needs the Mail::SPF Perl module) and enable SPF support:
tar xzvf postfix-policyd-spf-perl-2.005.tar.gz
cd postfix-policyd-spf-perl-2.005
cp postfix-policyd-spf-perl /etc/postfix/

Add this to /etc/postfix/

spfpolicy unix  -       n       n       -       -       spawn user=nobody argv=/usr/bin/perl /etc/postfix/postfix-policyd-spf-perl
  • Add DKIM support:

Instructions on adding DKIM support can be found here.

  • Add domainkeys support:

Instructions on adding domainkeys support can be found here.

  • Getting it all to work depends on the smtpd_recipient_restrictions option. Order matters: permit_mynetworks and permit_sasl_authenticated let our own hosts and authenticated users through first, reject_unauth_destination then refuses relaying for everyone else, and only after that do the access table and the SPF policy lookup run. reject_unauth_destination is not optional: Postfix insists on at least one anti-relay restriction in this list and smtpd exits with a fatal error if none is present, and a server that accepted mail for arbitrary destinations would be an open relay:
smtpd_recipient_restrictions =
        permit_mynetworks
        permit_sasl_authenticated
        reject_unauth_destination
        check_recipient_access hash:/etc/postfix/access
        check_policy_service unix:private/spfpolicy


Milters [SpamAssassin & ClamAV]

For spam classification with SpamAssassin and virus scanning with ClamAV we use Postfix's milter interface (available since Postfix 2.3) instead of the resource-intensive amavisd-new daemon. This is very efficient: we do not even have to run clamd, because clamav-milter can do the scanning itself. The milters are applied both to mail arriving over SMTP (smtpd_milters) and to mail submitted locally through the sendmail command (non_smtpd_milters):

smtpd_milters = unix:/var/clamav/clmilter.socket unix:/var/run/spamass.sock
non_smtpd_milters = unix:/var/clamav/clmilter.socket unix:/var/run/spamass.sock


Create DB Files

postmap /etc/postfix/canonical
postmap /etc/postfix/access
postmap /etc/postfix/virtual
postmap /etc/postfix/sender_access
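The settings from the Basics, TLS, Spam Prevention and recipient restriction sections above are easy to get subtly wrong, and Postfix will happily offer STARTTLS while still accepting plaintext AUTH, or refuse to run because the relay check is missing. The following added example (not part of this howto or of Postfix) is a small POSIX shell lint for a main.cf: it flattens the file (indented lines continue the previous parameter, "#" starts a comment), looks up parameters by name and reports the settings a reviewer would flag. The parameter names are Postfix's own; the two sample configuration files are constructed here for the demonstration, the first one being the settings exactly as this page prints them.

```shell
#!/bin/sh
# Added example: lint the security-relevant main.cf settings configured
# on this page.  Not part of the howto; both sample files are constructed.

# flatten_maincf FILE -> one "name=value" line per parameter
flatten_maincf() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }      # comment / blank line
        /^[[:space:]]/ { cur = cur " " $0; next }          # continuation line
        { if (cur != "") print cur; cur = $0 }
        END { if (cur != "") print cur }
    ' "$1" | sed 's/[[:space:]]*=[[:space:]]*/=/; s/[[:space:]][[:space:]]*/ /g'
}

# getparam FILE NAME -> value of NAME (empty if not set)
getparam() {
    flatten_maincf "$1" | awk -v n="$2" \
        'index($0, n "=") == 1 { print substr($0, length(n) + 2); exit }'
}

# lint_maincf FILE: print one line per finding; exit status = number of findings
lint_maincf() {
    f=$1; n=0
    [ "$(getparam "$f" smtpd_helo_required)" = yes ] ||
        { echo "smtpd_helo_required is not yes"; n=$((n+1)); }
    [ "$(getparam "$f" disable_vrfy_command)" = yes ] ||
        { echo "VRFY enabled: set disable_vrfy_command = yes"; n=$((n+1)); }
    # either the old smtpd_use_tls switch or the newer security level enables STARTTLS
    case "$(getparam "$f" smtpd_use_tls):$(getparam "$f" smtpd_tls_security_level)" in
        yes:*|*:may|*:encrypt) ;;
        *) echo "STARTTLS not offered: set smtpd_use_tls = yes"; n=$((n+1)) ;;
    esac
    # smtpd_use_tls = yes only offers STARTTLS; AUTH stays possible in the clear
    if [ "$(getparam "$f" smtpd_sasl_auth_enable)" = yes ] &&
       [ "$(getparam "$f" smtpd_tls_auth_only)" != yes ]; then
        echo "plaintext AUTH allowed: set smtpd_tls_auth_only = yes"; n=$((n+1))
    fi
    case " $(getparam "$f" smtpd_data_restrictions) " in
        *" reject_unauth_pipelining "*) ;;
        *) echo "smtpd_data_restrictions lacks reject_unauth_pipelining"; n=$((n+1)) ;;
    esac
    # without an anti-relay restriction smtpd refuses to run; if it did run, open relay
    case " $(getparam "$f" smtpd_recipient_restrictions) " in
        *" reject_unauth_destination "*|*" defer_unauth_destination "*) ;;
        *) echo "smtpd_recipient_restrictions lacks reject_unauth_destination"; n=$((n+1)) ;;
    esac
    return $n
}

tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT

# Constructed sample 1: the settings as this page prints them
PAGE_CF=$tmp/page.cf
cat > "$PAGE_CF" <<'EOF'
smtpd_helo_required = yes
disable_vrfy_command = yes
smtpd_sasl_type = dovecot
smtpd_sasl_auth_enable = yes
smtpd_use_tls = yes
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_recipient_restrictions =
        check_recipient_access hash:/etc/postfix/access
        check_policy_service unix:private/spfpolicy
EOF

# Constructed sample 2: the same with the two gaps closed
GOOD_CF=$tmp/good.cf
cat > "$GOOD_CF" <<'EOF'
smtpd_helo_required = yes
disable_vrfy_command = yes
smtpd_sasl_type = dovecot
smtpd_sasl_auth_enable = yes
smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_recipient_restrictions =
        permit_mynetworks
        permit_sasl_authenticated
        reject_unauth_destination
        check_recipient_access hash:/etc/postfix/access
        check_policy_service unix:private/spfpolicy
EOF

for cf in "$PAGE_CF" "$GOOD_CF"; do
    echo "== $cf"
    if lint_maincf "$cf"; then echo "   ok"; else echo "   $? finding(s)"; fi
done
```

Run it against your own file with lint_maincf /etc/postfix/main.cf once the functions are sourced; the first sample reports two findings (plaintext AUTH still allowed, no reject_unauth_destination) and the second none. After changing the hash tables above, remember that /etc/aliases is rebuilt with newaliases rather than postmap, and that Postfix must be reloaded to pick up the new main.cf.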


Sample Configuration Files
