postfix

Differences

This shows you the differences between two versions of the page.

postfix [2007/05/21 12:13] – old revision restored andi
postfix [2008/04/19 17:43] (current) 85.178.128.191
Line 1: Line 1:
 +====== Postfix ======
  
 +  #> apt-get install postfix postfix-tls postfix-pcre libsasl2 libsasl2-modules sasl2-bin
 +
 +===== SASL authd =====
 +
 +Make saslauthd work with changerooted postfix:
 +
 +Edit ''/etc/default/saslauthd'':
 +
 +<file>
 +# This needs to be uncommented before saslauthd will be run automatically
 +START=yes
 +
 +# You must specify the authentication mechanisms you wish to use.
 +# This defaults to "pam" for PAM support, but may also include
 +# "shadow" or "sasldb", like this:
 +# MECHANISMS="pam shadow"
 +
 +MECHANISMS="pam"
 +
 +PWDIR=/var/spool/postfix/var/run/saslauthd
 +PARAMS="-m /var/spool/postfix/var/run/saslauthd"
 +</file>
 +
 +Use ''dpkg-statoverride'' to make sure the startscript works as expected:
 +
 +  #> dpkg-statoverride --add root sasl 710 /var/spool/postfix/var/run/saslauthd
 +
 +Add the postfix user to the group sasl
 +
 +  #> usermod -g postfix -G sasl postfix
 +
 +Create a ''/etc/postfix/sasl/smtpd.conf'' file with the following options:
 +
 +<file>
 +pwcheck_method: saslauthd
 +mech_list: plain login
 +</file>
 +
 +
 +Start the sasldaemon and restart postfix
 +
 +  #> /etc/init.d/saslauthd start
 +  #> /etc/init.d/postfix restart
 +
 +===== TLS =====
 +
 +Create a private key and a certificate as described [[sslca|here]].
 +
 +  #> mkdir /etc/postfix/ssl
 +  #> cp cp postfixCert.pem postfixKey.pem /etc/postfix/ssl/
 +  #> chmod 400 /etc/postfix/ssl/postfixKey.pem
 +  #> cp /etc/ssl/CA/cacert.pem /etc/postfix/ssl/
 +
 +Add the following to the ''/etc/postfix/main.cf'':
 +
 +<file>
 +# Enable TLS support
 +smtpd_tls_key_file  = /etc/postfix/ssl/postfixKey.pem
 +smtpd_tls_cert_file = /etc/postfix/ssl/postfixCert.pem
 +smtpd_tls_CAfile    = /etc/postfix/ssl/cacert.pem
 +smtpd_use_tls       = yes
 +</file>
 +
 +Comment in the following three lines in ''/etc/postfix/master.cf''
 +
 +<file>
 +tlsmgr    fifo  -                   300           tlsmgr
 +smtps     inet  n                               smtpd -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
 +587       inet  n                               smtpd -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes
 +</file>
 +
 +===== Spam prevention =====
 +
 +Follow the tutorial at http://www.freesoftwaremagazine.com/free_issues/issue_02/focus_spam_postfix/
 +
 +The SPF script which comes with the postfix-doc package is broken ((It produces the following error: ''syslog: invalid level/facility: warn at ./spf-policy.pl line 154'')) so we get a current one from the source directly.
 +
 +Go to the following URL : 
 +
 +http://new.openspf.org/source/software/postfix-policyd-spf-perl/tags/1.08/postfix-policyd-spf-perl?rev=13&view=log
 +
 +and download the most recent version of this file (click on "(download)") and save to /etc/postfix/spf-policy.pl
 +
 +To make it work install the needed Perl lib and make the script executable.
 +
 +  #> apt-get install libmail-spf-query-perl
 +  #> chmod 755 /etc/postfix/spf-policy.pl
 +
 +Then add the following to ''/etc/postfix/master.cf''
 +
 +<file>
 +spfpolicy unix  -                               spawn user=nobody argv=/usr/bin/perl /etc/postfix/spf-policy.pl</file>
 +
 +Add the following entry
 +
 +<file>
 +check_policy_service unix:private/spfpolicy
 +</file>
 +
 +to ''/etc/postfix/main.cf'' into the smtpd_recipient_restrictions section. Preferable as one of the last restrictions.
 +
 +e.g.
 +
 +<file>
 +smtpd_recipient_restrictions =
 +        reject_unauth_destination
 +        reject_unknown_recipient_domain
 +        reject_unverified_recipient
 +        check_policy_service unix:private/spfpolicy
 +</file>
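Review bot: In the SASL authd section, "usermod -g postfix -G sasl postfix" sets the postfix user's supplementary group list to exactly "sasl", because -G without -a replaces the list instead of appending to it. Any other supplementary group the account already had is dropped. Use "usermod -a -G sasl postfix" or "adduser postfix sasl" so the change only adds the one membership needed to reach the saslauthd socket directory. Two smaller points: the TLS section has a doubled command in "cp cp postfixCert.pem postfixKey.pem /etc/postfix/ssl/", and the Spam prevention section fetches spf-policy.pl over plain http and then runs it through spawn with no integrity check. The page should also make up its mind between the pinned tags/1.08 URL and the instruction to download "the most recent version", and record a checksum for whichever file is meant.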