Virtual Users With Postfix, PostfixAdmin, Courier, Mailscanner, ClamAV On CentOS - Page 3
SASL (for SMTP-AUTH)
Next we configure Postfix so that it authenticates SMTP users through Courier's authdaemon.
vi /usr/lib64/sasl2/smtpd.conf
# smtpd.conf
pwcheck_method: authdaemond
log_level: 3
mech_list: PLAIN LOGIN
authdaemond_path:/usr/var/spool/authdaemon/socket
NOTICE: the path /usr/lib64/sasl2/smtpd.conf applies to 64-bit systems; on i386 use /usr/lib/sasl2/smtpd.conf instead.
Secure the smtpd config file:
chown root.vmail /usr/lib64/sasl2/smtpd.conf
chmod 640 /usr/lib64/sasl2/smtpd.conf
Courier's authdaemond socket and pid directory must be readable by Postfix:
chmod 755 /usr/var/spool/authdaemon/
Postfix > master.cf
The master.cf file contains all the directives concerning the daemons and network settings.
vi /etc/postfix/master.cf
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       n       -       -       smtpd
#submission inet n      -       n       -       -       smtpd
#  -o smtpd_etrn_restrictions=reject
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#smtps    inet  n       -       n       -       -       smtpd
#  -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
We want to let users access SMTP over SSL (smtps), so all we have to do is remove the comment in front of the smtps lines, like so:
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       n       -       -       smtpd
#submission inet n      -       n       -       -       smtpd
#  -o smtpd_etrn_restrictions=reject
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
smtps     inet  n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
We also want Postfix to listen on an extra port, because some ISPs block the default SMTP port (25) to prevent spam. So add an extra line right below the first smtp line with the port we want to use, in our case port 567. Also make sure your firewall allows this port.
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       n       -       -       smtpd
567       inet  n       -       n       -       -       smtpd
#submission inet n      -       n       -       -       smtpd
#  -o smtpd_etrn_restrictions=reject
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
smtps     inet  n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
Also make sure the path to the maildrop binary is correct, so at the bottom of the file change
flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
into
flags=DRu user=vmail argv=/usr/bin/maildrop -d ${recipient}
Postfix > main.cf
The main.cf file contains all the directives concerning the Postfix settings.
vi /etc/postfix/main.cf
# make the following changes :
myhostname = mail.yourdomain.com
mydomain = yourdomain.com
inet_interfaces = all
mydestination = $myhostname, localhost.$mydomain, localhost
local_recipient_maps = proxy:unix:passwd.byname $alias_maps
mynetworks = $config_directory/mynetworks
##relayhost = [smarthost.isp.be]   #if you have a smarthost server
relay_domains = mysql:/etc/postfix/mysql_relay_domains_maps.cf
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases

# Next, add all these to the bottom of the file :
#
# Virtual Mail Mysql settings
#
virtual_alias_maps = mysql:/etc/postfix/mysql_virtual_alias_maps.cf
virtual_uid_maps = static:1001
virtual_gid_maps = static:1001
virtual_mailbox_base = /opt/mail
virtual_mailbox_domains = mysql:/etc/postfix/mysql_virtual_domains_maps.cf
virtual_mailbox_limit = 51200000
virtual_mailbox_maps = mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
virtual_minimum_uid = 1001
# Who handles the mail delivery?
# POSTFIX = virtual
# MAILDROP = maildrop
#
#virtual_transport = virtual
virtual_transport = maildrop
maildrop_destination_recipient_limit = 1
# Transport map
transport_maps = hash:/etc/postfix/transport
vacation_destination_recipient_limit = 1
# Additional for quota support
virtual_create_maildirsize = yes
virtual_mailbox_extended = yes
virtual_mailbox_limit_maps = mysql:/etc/postfix/mysql_virtual_mailbox_limit_maps.cf
virtual_mailbox_limit_override = yes
virtual_maildir_limit_message = Sorry, the user's maildir has overdrawn his diskspace quota, please try again later.
###################################################################################
### ENABLE SASL SUPPORT ( SMTP-AUTH )
# smtpd_sasl_auth_enable = yes              # Enable SASL support in postfix
# smtpd_sasl_security_options = noanonymous # Anonymous logins will not be permitted
# broken_sasl_auth_clients = yes            # Allow RFC-broken mail clients like Outlook Express4 to use SMTP AUTH
# smtpd_sasl_path = smtpd                   # Tells SASL to get the config from /usr/lib64/sasl2/smtpd.conf
# smtpd_sasl_local_domain =                 # If the user fails to nominate a domain, don't auto append one
# smtpd_sasl_authenticated_header = yes     # Include the authenticated username in the message headers.
#    Having this on will make it easier if a spammer cracks one of your user's weak passwords
#    and starts using SMTP-AUTH to relay spam through your server
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sasl_path = smtpd
smtpd_sasl_local_domain =
smtpd_sasl_authenticated_header = yes
smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_non_fqdn_hostname,reject_non_fqdn_sender,reject_non_fqdn_recipient,reject_unauth_destination,reject_unauth_pipelining,reject_invalid_hostname,reject_rbl_client opm.blitzed.org,reject_rbl_client list.dsbl.org,reject_rbl_client bl.spamcop.net,reject_rbl_client sbl-xbl.spamhaus.org

###################################################################################
### ENABLE TLS SUPPORT ( "STARTTLS" ... enables SSL to be negotiated during a SMTP connection )
# smtp_use_tls = no                         # don't enable TLS for outbound SMTP connections
# smtpd_use_tls = yes                       # announce TLS availability for incoming SMTP connections
# smtpd_tls_auth_only = no                  # TLS is optional, not enforced
# smtpd_tls_key_file                        # specify the private key (must not be encrypted, i.e. no password)
# smtpd_tls_cert_file                       # specify the certificate
# smtpd_tls_session_cache_database          # nominate a server-side TLS session cache. Improves performance.
# smtpd_tls_loglevel = 1                    # log basic TLS handshake and cert info
# smtpd_tls_received_header = yes           # record some protocol/cipher etc info in the Received header
smtp_use_tls = no
smtpd_use_tls = yes
smtpd_tls_auth_only = no
smtpd_tls_key_file = /usr/local/ssl/mail.yourdomain.com.key
smtpd_tls_cert_file = /usr/local/ssl/mail.yourdomain.com.crt
smtpd_tls_session_cache_database = btree:/etc/postfix/tls_smtpd_scache
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
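Two of the settings above decide whether this box can be abused as a relay: the order of smtpd_recipient_restrictions (nothing may be permitted before reject_unauth_destination except trusted networks and authenticated users) and smtpd_tls_auth_only, which with mech_list PLAIN LOGIN controls whether passwords can be sent unencrypted. The following audit script is an added example, not part of the tutorial; it parses a constructed main.cf fragment (including Postfix's whitespace continuation lines) and reports those problems.

```python
# Constructed sample modelled on the main.cf fragment above (not the page's full file).
SAMPLE_MAIN_CF = """\
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_tls_auth_only = no
smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,
    reject_non_fqdn_sender,reject_unauth_destination,reject_rbl_client sbl-xbl.spamhaus.org
"""

# Only these permit_* entries may safely precede reject_unauth_destination.
TRUSTED_PERMITS = {"permit_mynetworks", "permit_sasl_authenticated"}


def parse_main_cf(text):
    """Parse 'key = value' lines; a line starting with whitespace continues the previous value."""
    params, key = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank line or comment
        if raw[0].isspace() and key is not None:
            params[key] += " " + raw.strip()  # Postfix continuation line
            continue
        key, _, value = (part.strip() for part in raw.partition("="))
        params[key] = value
    return params


def audit(params):
    """Return a list of findings; an empty list means the AUTH/relay settings look sane."""
    findings = []
    if "noanonymous" not in params.get("smtpd_sasl_security_options", ""):
        findings.append("smtpd_sasl_security_options lacks noanonymous")
    if params.get("smtpd_tls_auth_only", "no") != "yes":
        findings.append("smtpd_tls_auth_only = no: PLAIN/LOGIN passwords may be sent without TLS")
    # Relay check: any client matched by a permit_* entry placed before
    # reject_unauth_destination may relay to arbitrary destinations.
    tokens = params.get("smtpd_recipient_restrictions", "").replace(",", " ").split()
    untrusted_permit, protected = None, False
    for tok in tokens:
        if tok in ("reject_unauth_destination", "defer_unauth_destination"):
            protected = True
            break
        if tok.startswith("permit") and tok not in TRUSTED_PERMITS:
            untrusted_permit = untrusted_permit or tok
    if not protected:
        findings.append("smtpd_recipient_restrictions lacks reject_unauth_destination: open relay")
    elif untrusted_permit:
        findings.append(f"{untrusted_permit} precedes reject_unauth_destination: open relay")
    return findings
```

Run it against the real file with audit(parse_main_cf(open("/etc/postfix/main.cf").read())); on the tutorial's settings the only finding is the tls_auth_only one, which is a deliberate trade-off here for clients that cannot do STARTTLS.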
Next we have to create all the mysql_virtual_*.cf files referenced in main.cf.
Note that "hosts = localhost" means Postfix will use a UNIX socket, while "hosts = 127.0.0.1" means Postfix will use TCP. I would advise using the socket, as it is faster than TCP.
My socket is located at /usr/local/mysql/data/mysql.sock, but your MySQL socket may be elsewhere.
So in my own map files the hosts line would be
hosts = unix:/usr/local/mysql/data/mysql.sock
but you can simply use hosts = localhost.
vi /etc/postfix/mysql_virtual_alias_maps.cf
user = postfix
password = postfix
hosts = localhost
dbname = postfix
query = SELECT goto FROM alias WHERE address='%s' AND active = 1
vi /etc/postfix/mysql_virtual_domains_maps.cf
user = postfix
password = postfix
hosts = localhost
dbname = postfix
query = SELECT domain FROM domain WHERE domain='%s'
#optional query to use when relaying for backup MX
#query = SELECT domain FROM domain WHERE domain='%s' and backupmx = '0' and active = '1'
vi /etc/postfix/mysql_virtual_mailbox_maps.cf
user = postfix
password = postfix
hosts = localhost
dbname = postfix
query = SELECT maildir FROM mailbox WHERE username='%s' AND active = 1
vi /etc/postfix/mysql_virtual_mailbox_limit_maps.cf
user = postfix
password = postfix
hosts = localhost
dbname = postfix
query = SELECT quota FROM mailbox WHERE username='%s'
vi /etc/postfix/mysql_relay_domains_maps.cf
user = postfix
password = postfix
hosts = localhost
dbname = postfix
query = SELECT domain FROM domain WHERE domain='%s' and backupmx = '1'
These files contain our database username/password, so tighten the security a bit:
chown root.postfix /etc/postfix/mysql_*.cf
chmod 640 /etc/postfix/mysql_*.cf
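Because every one of these files carries the database password in clear text, the chown/chmod above is worth verifying rather than assuming. The script below is an added example (not from the tutorial): it parses a map file, checks that the five keys Postfix needs are present and that the query keeps its %s placeholder, and flags permission problems; expected_gid is the gid of the postfix group, which on a live system you would obtain with grp.getgrnam("postfix").gr_gid (the demo() helper uses the temp file's own gid instead).

```python
import os, stat, tempfile
# Constructed content, shaped like the mysql_virtual_mailbox_maps.cf shown above.
SAMPLE_MAP_CF = """\
user = postfix
password = postfix
hosts = localhost
dbname = postfix
query = SELECT maildir FROM mailbox WHERE username='%s' AND active = 1
"""
REQUIRED_KEYS = ("user", "password", "hosts", "dbname", "query")


def parse_map_cf(text):
    """Parse the 'key = value' lines of a Postfix mysql: table file, ignoring comments."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            params[key.strip()] = value.strip()
    return params


def audit_map_file(path, expected_gid):
    """Return findings for one mysql_*.cf; expected_gid is the postfix group's gid."""
    findings = []
    with open(path) as fh:
        params = parse_map_cf(fh.read())
    findings += [f"missing '{k}'" for k in REQUIRED_KEYS if k not in params]
    if "%s" not in params.get("query", "%s"):
        findings.append("query has no %s placeholder, so every lookup returns the same rows")
    st = os.stat(path)
    if st.st_mode & stat.S_IROTH:
        findings.append("world-readable: the database password is exposed to every local user")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("group/world-writable: the lookup query could be altered")
    if st.st_gid != expected_gid:
        findings.append(f"gid is {st.st_gid}, expected {expected_gid}")
    return findings


def demo(mode):
    """Audit a constructed copy of the map file installed with the given mode."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "mysql_virtual_mailbox_maps.cf")
        with open(path, "w") as fh:
            fh.write(SAMPLE_MAP_CF)
        os.chmod(path, mode)
        return audit_map_file(path, expected_gid=os.stat(path).st_gid)
```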
Now we need to populate the mynetworks file. This file lists the IP addresses and networks that are allowed to "relay" mail through your server. We put localhost into this file so that scripts running on this server can relay mail to the internet. All other users who have mailboxes on your server can either use SMTP-AUTH when sending mail, or alternatively point their email client's SMTP server setting at their ISP's mail server.
echo '# Localhost' > /etc/postfix/mynetworks
echo '127.0.0.0/8' >>/etc/postfix/mynetworks
echo '' >>/etc/postfix/mynetworks
If you have workstations on a LAN, or other users on the internet with fixed IP addresses, you can add them here as well, and these users will then be permitted to relay mail.
echo '# MyCompany blocks' >>/etc/postfix/mynetworks
echo 'xxx.xxx.xxx.xxx/24' >>/etc/postfix/mynetworks
echo 'yyy.yyy.yyy.yyy/24' >>/etc/postfix/mynetworks
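Every block listed here bypasses authentication entirely, so a typo such as 0.0.0.0/0 turns the server into an open relay. The following added example (not from the tutorial) parses a constructed mynetworks file in the format built above, reports entries that fail to parse, flags blocks that are too wide, and mirrors what permit_mynetworks does when deciding whether a client address may relay.

```python
import ipaddress

# Constructed mynetworks file, shaped like the one written with the echo commands above.
SAMPLE_MYNETWORKS = """\
# Localhost
127.0.0.0/8

# MyCompany blocks
192.0.2.0/24
0.0.0.0/0
10.0.0.1
not-an-address
"""


def parse_mynetworks(text):
    """Return (networks, errors): parsed address blocks and the lines that failed to parse."""
    networks, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment line, as in the file built above
        try:
            # A bare address such as 10.0.0.1 becomes a /32; strict=False tolerates host bits.
            networks.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            errors.append(f"line {lineno}: {line!r} is not an address or CIDR block")
    return networks, errors


def overly_broad(networks, min_prefix=16):
    """Blocks wider than /min_prefix (e.g. 0.0.0.0/0) let huge address ranges relay; loopback is exempt."""
    return [str(n) for n in networks if n.prefixlen < min_prefix and not n.is_loopback]


def may_relay(client_ip, networks):
    """Mirror permit_mynetworks: True when the client address falls inside any listed block."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in n for n in networks)
```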
Tweak the aliases file. These mappings are used for system-related mail, e.g. crontab messages, Postfix bounces, etc.
vi /etc/aliases
root: [email protected]