HowtoForge

Virtual Hosting Howto With Virtualmin On CentOS 5.1 - Page 3

Configuration

Postfix Setup

Introduction

We will be setting up postfix with the following features:

The adding of accounts and domains with be configured through virtualmin although it can be done manually as well. The setup is designed to be resource friendly so should be able to run on machines that are not over spec'ed so enabling the resources to be put to better use. To make it resource friendly we are not using external databases to store virtual user information like most other how-to's do as well as using milters for spam and virus checking as opposed to running amavisd-new.

 

The Basics

To begin with we will configure the basics such as the hostname, mail origin, networks, hash maps spool directory. All these configuration options should be added to /etc/postfix/main.cf unless stated. Sample configuration files are available for download at the end of this page.

command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
mydomain = example.com
myorigin = $mydomain
mynetworks = 127.0.0.0/8
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
canonical_maps = hash:/etc/postfix/canonical
sender_canonical_maps = hash:/etc/postfix/canonical
recipient_canonical_maps = hash:/etc/postfix/canonical
virtual_alias_maps = hash:/etc/postfix/virtual
mail_spool_directory = /var/spool/mail

 

Maildir

We will use the much improved maildir format as opposed to the default mbox format:

home_mailbox = Maildir/

 

SASL

To perform SMTP authentication we will be using SASL, however we will not use the Cyrus SASL as that requires us to run the saslauthd daemon, we will instead use dovecot sasl since we will be running dovecot for IMAP and POP3 thus killing 2 birds with one stone.

smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes

 

TLS

We need TLS to ensure that the plain text passwords are not transmitted over the wire during SMTP authentication, servers that support TLS are also able to communicate with this server over a secured connection.

Instructions on creating your server certificate signed by cacert.org are can be found here.

tls_random_source = dev:/dev/urandom
smtpd_use_tls = yes
smtpd_tls_key_file = /etc/pki/postfix/key.pem
smtpd_tls_cert_file = /etc/pki/postfix/server.pem
smtpd_tls_CAfile = /etc/pki/postfix/root.crt
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_session_cache_database = btree:/var/spool/postfix/smtpd_tls_cache
smtp_use_tls = yes
smtp_tls_key_file = /etc/pki/postfix/key.pem
smtp_tls_cert_file = /etc/pki/postfix/server.pem
smtp_tls_CAfile = /etc/pki/postfix/root.crt
smtp_tls_session_cache_database = btree:/var/spool/postfix/smtp_tls_cache
smtp_tls_note_starttls_offer = yes

 

Spam Prevention

smtpd_helo_required = yes
disable_vrfy_command = yes
unverified_recipient_reject_code = 550
unverified_sender_reject_code = 550
unknown_local_recipient_reject_code = 550
address_verify_map = btree:/var/spool/postfix/verify
smtpd_sender_restrictions = hash:/etc/postfix/sender_access
#sample /etc/postfix/sender_access contains frequently spoofed domains
aol.com     reject_unverified_sender
hotmail.com reject_unverified_sender
yahoo.com reject_unverified_sender
gmail.com reject_unverified_sender
bigfoot.com reject_unverified_sender
smtpd_error_sleep_time = 5s
smtpd_soft_error_limit = 10
smtpd_hard_error_limit = 20
smtpd_data_restrictions = reject_unauth_pipelining
wget http://www.openspf.org/blobs/postfix-policyd-spf-perl-2.005.tar.gz
tar xzvf postfix-policyd-spf-perl-2.005.tar.gz
cd postfix-policyd-spf-perl-2.005
cp postfix-policyd-spf-perl /etc/postfix/

Add this to /etc/postfix/master.cf:

spfpolicy unix  -       n       n       -       -       spawn user=nobody argv=/usr/bin/perl /etc/postfix/postfix-policyd-spf-perl

Instructions on adding DKIM support can be found here.

Instructions on adding domainkeys support can be found here.

smtpd_recipient_restrictions =
        permit_mynetworks
        permit_sasl_authenticated
        reject_unauth_destination
        check_recipient_access hash:/etc/postfix/access
        reject_unknown_recipient_domain
        reject_unknown_sender_domain
        reject_unverified_recipient
        reject_non_fqdn_recipient
        reject_non_fqdn_sender
        reject_invalid_hostname
        reject_rbl_client list.dsbl.org
        reject_rbl_client zen.spamhaus.org
        reject_rbl_client l1.spews.dnsbl.sorbs.net
        reject_rbl_client combined.njabl.org
        reject_rbl_client bl.spamcop.net
        reject_rhsbl_sender dsn.rfc-ignorant.org
        reject_rhsbl_sender bogusmx.rfc-ignorant.org
        reject_rhsbl_sender rhsbl.sorbs.net
        reject_rhsbl_client dsn.rfc-ignorant.org
        reject_rhsbl_client bogusmx.rfc-ignorant.org
        reject_rhsbl_client rhsbl.sorbs.net
        check_policy_service unix:private/spfpolicy

 

Milters [SpamAssassin & ClamAV]

For your spam classification using spamassassin and virus scanning using clamav we will be using postfix's milter interface instead of using the resource intensive amavisd-new daemon. This is a very efficient way of doing it as we don't even have to run clamd the clamav milter does the scanning itself.

smtpd_milters = unix:/var/clamav/clmilter.socket unix:/var/run/spamass.sock
non_smtpd_milters = unix:/var/clamav/clmilter.socket unix:/var/run/spamass.sock

 

Create DB Files

postmap /etc/postfix/canonical
postmap /etc/postfix/access
postmap /etc/postfix/virtual
postmap /etc/postfix/sender_access

 

Sample Configuration Files

Virtual Hosting Howto With Virtualmin On CentOS 5.1 - Page 3