Postfix

#> apt-get install postfix postfix-tls postfix-pcre libsasl2 libsasl2-modules sasl2-bin

SASL authd

Make saslauthd work with chrooted Postfix:

Edit /etc/default/saslauthd:

# This needs to be uncommented before saslauthd will be run automatically
START=yes

# You must specify the authentication mechanisms you wish to use.
# This defaults to "pam" for PAM support, but may also include
# "shadow" or "sasldb", like this:
# MECHANISMS="pam shadow"

MECHANISMS="pam"

PWDIR=/var/spool/postfix/var/run/saslauthd
PARAMS="-m /var/spool/postfix/var/run/saslauthd"

Use dpkg-statoverride to make sure the start script works as expected:

#> dpkg-statoverride --add root sasl 710 /var/spool/postfix/var/run/saslauthd

Add the postfix user to the group sasl:

#> usermod -g postfix -G sasl postfix

Create a /etc/postfix/sasl/smtpd.conf file with the following options:

pwcheck_method: saslauthd
mech_list: plain login

Start the saslauthd daemon and restart Postfix:

#> /etc/init.d/saslauthd start
#> /etc/init.d/postfix restart

TLS

Create a private key and a certificate as described here.

#> mkdir /etc/postfix/ssl
#> cp postfixCert.pem postfixKey.pem /etc/postfix/ssl/
#> chmod 400 /etc/postfix/ssl/postfixKey.pem
#> cp /etc/ssl/CA/cacert.pem /etc/postfix/ssl/

Add the following to the /etc/postfix/main.cf:

# Enable TLS support
smtpd_tls_key_file  = /etc/postfix/ssl/postfixKey.pem
smtpd_tls_cert_file = /etc/postfix/ssl/postfixCert.pem
smtpd_tls_CAfile    = /etc/postfix/ssl/cacert.pem
smtpd_use_tls       = yes

Uncomment the following three lines in /etc/postfix/master.cf:

tlsmgr    fifo  -       -       n       300     1       tlsmgr
smtps     inet  n       -       n       -       -       smtpd -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
587       inet  n       -       n       -       -       smtpd -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes

Spam prevention

Follow the tutorial at http://www.freesoftwaremagazine.com/free_issues/issue_02/focus_spam_postfix/

The SPF script that comes with the postfix-doc package is broken (see footnote 1), so we get a current one directly from the source.

Go to the following URL:

http://new.openspf.org/source/software/postfix-policyd-spf-perl/tags/1.08/postfix-policyd-spf-perl?rev=13&view=log

Download the most recent version of this file (click on “(download)”) and save it to /etc/postfix/spf-policy.pl

To make it work, install the required Perl library and make the script executable:

#> apt-get install libmail-spf-query-perl
#> chmod 755 /etc/postfix/spf-policy.pl

Then add the following to /etc/postfix/master.cf:

spfpolicy unix  -       n       n       -       -       spawn user=nobody argv=/usr/bin/perl /etc/postfix/spf-policy.pl

Add the following entry

check_policy_service unix:private/spfpolicy

to the smtpd_recipient_restrictions section of /etc/postfix/main.cf, preferably as one of the last restrictions.

For example:

smtpd_recipient_restrictions =
        reject_unauth_destination
        reject_unknown_recipient_domain
        reject_unverified_recipient
        check_policy_service unix:private/spfpolicy
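
The placement matters because Postfix evaluates the restrictions in order: its policy delegation documentation says to list check_policy_service after reject_unauth_destination, or the host could become an open relay. The following check is an added example, not part of the original page; the function name check_policy_order and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page).
# check_policy_order: read main.cf-style text on stdin and report whether
# "check_policy_service unix:private/spfpolicy" appears in
# smtpd_recipient_restrictions after reject_unauth_destination.
# Exit status: 0 = correct order, 1 = policy service comes first,
#              2 = one of the two restrictions is missing.
check_policy_order() {
    awk '
        /^[ \t]*#/ { next }                      # comments do not end a value
        /^[^ \t]/  { inparam = 0 }               # a new parameter starts here
        /^smtpd_recipient_restrictions[ \t]*=/ {
            inparam = 1; k = 0; split("", tok)   # a later definition overrides
            sub(/^[^=]*=/, "")
        }
        inparam {
            gsub(/,/, " ")                       # commas and blanks both separate
            n = split($0, t, " ")
            for (i = 1; i <= n; i++) tok[++k] = t[i]
        }
        END {
            for (i = 1; i <= k; i++) {
                if (!relay && tok[i] == "reject_unauth_destination") relay = i
                if (!policy && tok[i] == "check_policy_service" &&
                    tok[i + 1] == "unix:private/spfpolicy") policy = i
            }
            if (!relay || !policy) exit 2
            exit ((policy > relay) ? 0 : 1)
        }'
}

# Constructed sample: the restriction list with the policy service moved first.
SAMPLE_BAD='smtpd_recipient_restrictions =
        check_policy_service unix:private/spfpolicy
        reject_unauth_destination'
printf '%s\n' "$SAMPLE_BAD" | check_policy_order
echo "misordered sample -> exit status $?"
```

Run it against the live file with `check_policy_order < /etc/postfix/main.cf` after editing.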

1) It produces the following error: syslog: invalid level/facility: warn at ./spf-policy.pl line 154
postfix.txt · Last modified: 2008/04/19 17:43 by 85.178.128.191