Postfix: difference between revisions

From Ubuntu中文
Latest revision as of 11:41, 5 June 2012


Introduction

Postfix is the default Mail Transfer Agent (MTA) for Ubuntu. It is in Ubuntu's main repository, which means that it receives security updates. This guide explains how to install and configure Postfix and set it up as an SMTP server that accepts authenticated mail submission over a TLS-protected connection.

Installation

In order to install Postfix with SMTP-AUTH and TLS, first install the postfix package from the Main repository using your favorite package manager. For example:

sudo aptitude install postfix

Simply accept the defaults when the installation process asks questions. The configuration will be done in greater detail in the next stage.

Configuration

From a terminal prompt:

sudo dpkg-reconfigure postfix

Insert the following details when asked (replacing server1.example.com with your domain name if you have one):

  • General type of mail configuration: Internet Site
  • System mail name: server1.example.com
  • Root and postmaster mail recipient: <admin_user_name>
  • Other destinations for mail: server1.example.com, example.com, localhost.example.com, localhost
  • Force synchronous updates on mail queue?: No
  • Local networks: 127.0.0.0/8
  • Mailbox size limit (bytes): 0
  • Local address extension character: +
  • Internet protocols to use: all

Older versions of the package asked two further questions (answered NONE and Yes in earlier revisions of this guide); the current configuration script no longer asks them. Leave Local networks at 127.0.0.0/8 unless you have a reason to widen it: this answer becomes mynetworks, and every host in mynetworks may relay mail through this server without authenticating.

Now is a good time to decide which mailbox format you want to use. By default Postfix will use mbox for the mailbox format. Rather than editing the configuration file directly, you can use the postconf command to configure all Postfix parameters. The configuration parameters will be stored in the /etc/postfix/main.cf file. Later, if you wish to reconfigure a particular parameter, you can either run the command again or change it manually in the file.

To configure the mailbox format for Maildir:


sudo postconf -e 'home_mailbox = Maildir/'

Ubuntu's default main.cf sets mailbox_command to procmail, and the local delivery agent ignores home_mailbox while mailbox_command is set, so you may need to clear it as well:


sudo postconf -e 'mailbox_command ='

Note: This will place new mail in /home/username/Maildir, so you will need to configure your Mail Delivery Agent (for example Dovecot) to use the same path.

Configure Postfix to do SMTP AUTH using SASL (saslauthd). The smtpd_recipient_restrictions line is what keeps the server from being an open relay: only authenticated clients and hosts in mynetworks may send to destinations other than your own domains, and reject_unauth_destination must appear before any blanket permit:

sudo postconf -e 'smtpd_sasl_local_domain ='
sudo postconf -e 'smtpd_sasl_auth_enable = yes'
sudo postconf -e 'smtpd_sasl_security_options = noanonymous'
sudo postconf -e 'broken_sasl_auth_clients = yes'
sudo postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination'
sudo postconf -e 'inet_interfaces = all'

Next edit /etc/postfix/sasl/smtpd.conf and add the following lines. pwcheck_method: saslauthd hands the credentials to the saslauthd daemon set up in the Authentication section below. plain and login are clear-text mechanisms (the password itself is sent over the connection), which is why the next step wraps the session in TLS:

pwcheck_method: saslauthd
mech_list: plain login

Generate certificates to be used for TLS encryption and/or certificate authentication. A 1024-bit RSA key is too small for current clients, so the commands below generate a 2048-bit key. The server certificate is self-signed, which is enough for encrypting the session but means clients cannot verify it unless you distribute the certificate to them:

# create the key file with restrictive permissions first, so the private key is never world-readable
touch smtpd.key
chmod 600 smtpd.key
openssl genrsa 2048 > smtpd.key
# self-signed server certificate (prompts for the subject; the Common Name must be the
# host name clients connect to, e.g. server1.example.com)
openssl req -new -key smtpd.key -x509 -days 3650 -out smtpd.crt
# separate self-signed CA; only needed if you later sign client certificates with it
# (smtpd_tls_CAfile). Prompts for a key passphrase and the subject.
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650
chmod 600 cakey.pem
sudo mv smtpd.key cakey.pem /etc/ssl/private/
sudo mv smtpd.crt cacert.pem /etc/ssl/certs/
# Postfix reads the key as root at startup; do not leave it owned by your login user
sudo chown root:root /etc/ssl/private/smtpd.key /etc/ssl/private/cakey.pem

Configure Postfix to do TLS encryption for both incoming and outgoing mail. A security level of may offers STARTTLS but does not require it (opportunistic TLS, which is what you want for exchanging mail with other MTAs, since many of them cannot do TLS at all). smtpd_tls_auth_only = no keeps AUTH available on unencrypted sessions for old clients; if all your clients support STARTTLS, set it to yes so that a password is never accepted in clear text:

sudo postconf -e 'smtp_tls_security_level = may'
sudo postconf -e 'smtpd_tls_security_level = may'
sudo postconf -e 'smtpd_tls_auth_only = no'
sudo postconf -e 'smtp_tls_note_starttls_offer = yes'
sudo postconf -e 'smtpd_tls_key_file = /etc/ssl/private/smtpd.key'
sudo postconf -e 'smtpd_tls_cert_file = /etc/ssl/certs/smtpd.crt'
sudo postconf -e 'smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem'
sudo postconf -e 'smtpd_tls_loglevel = 1'
sudo postconf -e 'smtpd_tls_received_header = yes'
sudo postconf -e 'smtpd_tls_session_cache_timeout = 3600s'
sudo postconf -e 'tls_random_source = dev:/dev/urandom'
sudo postconf -e 'myhostname = server1.example.com' # remember to change this to yours

The file /etc/postfix/main.cf should now look like this:

# See /usr/share/postfix/main.cf.dist for a commented, more complete version

smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

myhostname = server1.example.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = server1.example.com, example.com, localhost.example.com, localhost
relayhost =
mynetworks = 127.0.0.0/8
# procmail ignores home_mailbox; leave this empty (mailbox_command =) if you chose Maildir above
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
smtpd_sasl_local_domain =
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
smtpd_tls_auth_only = no
# set to yes to refuse AUTH on sessions that have not completed STARTTLS
#Use these on Postfix 2.2.x only
#smtp_use_tls = yes
#smtpd_use_tls = yes
#For Postfix 2.3 or above use:
smtp_tls_security_level = may
smtpd_tls_security_level = may
smtp_tls_note_starttls_offer = yes
smtpd_tls_key_file = /etc/ssl/private/smtpd.key
smtpd_tls_cert_file = /etc/ssl/certs/smtpd.crt
smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
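The relay and authentication settings in this file are the ones that decide whether the server becomes an open relay or leaks passwords. The following Python script, added here as an example (it is not part of the Ubuntu guide or of Postfix), parses a main.cf in the format shown above and reports those settings. Its sample inputs are a condensed copy of the listing above and a constructed, deliberately open configuration, so it runs without a mail server.

```python
"""Lint the relay and SMTP AUTH settings of a Postfix main.cf.

Added example, not part of the Ubuntu wiki guide. It parses the "name = value"
format of main.cf (postconf -n prints the same) and reports whether the server
is a closed relay and whether SMTP AUTH passwords can cross the wire in clear text.
"""
import ipaddress
import re

# Addresses that mean "this machine"; any other entry in mynetworks grants relaying.
LOOPBACK = (ipaddress.ip_network("127.0.0.0/8"),
            ipaddress.ip_network("::ffff:127.0.0.0/104"),
            ipaddress.ip_network("::1/128"))
# Restrictions that stop an unauthenticated client from relaying.
STOPPERS = {"reject_unauth_destination", "defer_unauth_destination", "reject", "defer"}

# Condensed copy of the main.cf the guide produces (constructed input;
# mydestination is wrapped to exercise continuation lines).
PAGE_MAIN_CF = """\
myhostname = server1.example.com
mydestination = server1.example.com, example.com, localhost.example.com,
    localhost
mynetworks = 127.0.0.0/8
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
smtpd_tls_auth_only = no
smtpd_tls_security_level = may
"""
# A deliberately broken variant (constructed): relays for anyone, no TLS.
OPEN_RELAY_CF = """\
mynetworks = 127.0.0.0/8, 0.0.0.0/0
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_mynetworks, permit
"""


def parse_main_cf(text):
    """Parse main.cf into a dict. A line starting with whitespace continues
    the previous value; '#' lines and blank lines are skipped."""
    cfg, key = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and key is not None:
            cfg[key] += " " + raw.strip()
            continue
        name, sep, value = raw.partition("=")
        if not sep:
            raise ValueError(f"malformed main.cf line: {raw!r}")
        key = name.strip()
        cfg[key] = value.strip()
    return cfg


def _items(value):
    return [x for x in re.split(r"[,\s]+", value) if x]   # Postfix list syntax


def _closes_relay(items):
    """True if the list rejects unauthorised relaying before any blanket
    permit (a list that runs off the end permits by default)."""
    for item in items:
        if item in STOPPERS:
            return True
        if item == "permit":
            return False
    return False


def audit(cfg):
    """Return a list of findings; an empty list means nothing to report."""
    findings = []
    # 1. Relay policy. A client must pass every restriction list, so one list
    #    that rejects unauthorised destinations is enough to close the relay.
    if not any(_closes_relay(_items(cfg.get(p, "")))
               for p in ("smtpd_relay_restrictions", "smtpd_recipient_restrictions")):
        findings.append("no restriction list in main.cf rejects unauthenticated relaying: "
                        "open relay unless the Postfix 2.10+ built-in smtpd_relay_restrictions "
                        "default still applies (check: postconf -d smtpd_relay_restrictions)")
    # 2. mynetworks. Every network listed here relays without a password.
    for entry in _items(cfg.get("mynetworks", "127.0.0.0/8")):
        if entry.startswith("!"):
            continue                                   # an exclusion, not a grant
        try:
            net = ipaddress.ip_network(entry.replace("[", "").replace("]", ""), strict=False)
        except ValueError:
            findings.append(f"mynetworks: {entry!r} is a table or name; check it by hand")
            continue
        if not any(net.version == lb.version and net.subnet_of(lb) for lb in LOOPBACK):
            findings.append(f"mynetworks: {entry} may relay without authenticating")
    # 3. SMTP AUTH versus TLS: PLAIN and LOGIN carry the password in clear text.
    if cfg.get("smtpd_sasl_auth_enable", "no") == "yes":
        offers_tls = (cfg.get("smtpd_tls_security_level", "none") != "none"
                      or cfg.get("smtpd_use_tls", "no") == "yes")
        if not offers_tls:
            findings.append("SMTP AUTH enabled without STARTTLS: passwords cross the wire in clear text")
        elif cfg.get("smtpd_tls_auth_only", "no") != "yes":
            findings.append("smtpd_tls_auth_only = no: AUTH is also offered on unencrypted sessions")
    return findings
```

On a live system call audit(parse_main_cf(open("/etc/postfix/main.cf").read())), or feed it the output of sudo postconf -n. On the configuration this guide produces the only finding is the smtpd_tls_auth_only = no setting; the constructed open-relay variant produces three.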

Restart the postfix daemon like this:

sudo /etc/init.d/postfix restart

Authentication

The next steps are to configure Postfix to use SASL for SMTP AUTH.

First you will need to install the libsasl2-2 and sasl2-bin packages from the Main repository (for example with sudo apt-get install libsasl2-2 sasl2-bin).

Note: if you are using Ubuntu 6.06 (Dapper Drake) the package name is libsasl2.

We have to change a few things to make it work properly. Because Postfix runs chrooted in /var/spool/postfix, we have to change a couple of paths so that they live inside the false root (i.e. /var/run/saslauthd becomes /var/spool/postfix/var/run/saslauthd): the chrooted smtpd process cannot open a socket that lies outside /var/spool/postfix.

Note: by changing the saslauthd path, other applications that use saslauthd may be affected.

First we edit /etc/default/saslauthd in order to activate saslauthd. Remove the # in front of START=yes, add the PWDIR, PARAMS, and PIDFILE lines and edit the OPTIONS line at the end:

# This needs to be uncommented before saslauthd will be run automatically
START=yes

PWDIR="/var/spool/postfix/var/run/saslauthd"
PARAMS="-m ${PWDIR}"
PIDFILE="${PWDIR}/saslauthd.pid"

# You must specify the authentication mechanisms you wish to use.
# This defaults to "pam" for PAM support, but may also include
# "shadow" or "sasldb", like this:
# MECHANISMS="pam shadow"

MECHANISMS="pam"

# Other options (default: -c)
# See the saslauthd man page for information about these options.
#
# Example for postfix users: "-c -m /var/spool/postfix/var/run/saslauthd"
# Note: See /usr/share/doc/sasl2-bin/README.Debian
#OPTIONS="-c"

#make sure you set the options here otherwise it ignores params above and will not work
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"

Note: If you prefer, you can use "shadow" instead of "pam"; saslauthd then checks passwords directly against /etc/shadow instead of going through the PAM stack. This setting only changes how saslauthd verifies the password on the server. It does not change what crosses the network: with mech_list: plain login the client still sends the password in clear text, so it is protected only by the TLS layer, and only if the client actually issues STARTTLS (see smtpd_tls_auth_only). The username and password needed to authenticate are those of the system users on the server.

Next, we update the dpkg "state" of /var/spool/postfix/var/run/saslauthd. The saslauthd init script uses this setting to create the missing directory with the appropriate permissions and ownership:

sudo dpkg-statoverride --force --update --add root sasl 755 /var/spool/postfix/var/run/saslauthd

This may print a warning ("--update given" but the directory /var/spool/postfix/var/run/saslauthd does not exist). You can ignore it, because the directory is created when saslauthd is next started. Finally, start saslauthd:

sudo /etc/init.d/saslauthd start

Testing

To see if SMTP-AUTH and TLS work properly, now run the following command:

telnet localhost 25

After you have established the connection to your Postfix mail server, type:

ehlo localhost

If you see the lines

250-STARTTLS
250-AUTH

among others, everything is working. Type quit to return to the system's shell. Note what this test does and does not show: seeing AUTH in the reply to a plain telnet session means Postfix accepts a password over an unencrypted connection (smtpd_tls_auth_only = no); with smtpd_tls_auth_only = yes the AUTH line only appears after STARTTLS, which telnet cannot complete, so in that case use a client that can negotiate STARTTLS to verify authentication.
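The telnet test shows whether STARTTLS and AUTH are advertised, but telnet cannot complete STARTTLS, so it cannot tell you whether AUTH still works inside the encrypted session or whether it is offered only there. The script below, added here as an example (not part of the Ubuntu guide), parses EHLO replies like the one telnet shows and classifies what is offered. The three replies embedded in it are constructed to match this guide's configuration (server1.example.com, smtpd_tls_auth_only = no, broken_sasl_auth_clients = yes), and live_check() repeats the test against a real server with Python's smtplib, which can complete STARTTLS.

```python
"""Check what a Postfix server advertises in its EHLO reply.

Added example, not part of the Ubuntu wiki guide. parse_ehlo() reads the
multi-line 250 reply that the telnet test shows, assess() reports whether
STARTTLS and AUTH are offered and whether AUTH is offered before the session
is encrypted, and live_check() does the same against a running server.
"""
import re
import smtplib

# What the guide's configuration answers to EHLO on a plaintext session
# (constructed; the AUTH= line comes from broken_sasl_auth_clients = yes).
EHLO_PLAINTEXT = """\
250-server1.example.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
"""
# The same server with smtpd_tls_auth_only = yes (constructed): AUTH is
# withheld until the client has issued STARTTLS ...
EHLO_TLS_AUTH_ONLY = """\
250-server1.example.com
250-PIPELINING
250-STARTTLS
250-ENHANCEDSTATUSCODES
250 DSN
"""
# ... and reappears in the EHLO reply inside the TLS session (constructed).
EHLO_AFTER_STARTTLS = """\
250-server1.example.com
250-PIPELINING
250-AUTH PLAIN LOGIN
250 DSN
"""


def parse_ehlo(reply):
    """Return (code, {EXTENSION: [parameters]}) for a multi-line EHLO reply.

    The first line carries the server name; each later line is one extension
    keyword plus optional parameters. "250-" continues the reply, "250 " ends
    it (RFC 5321 section 4.1.1.1).
    """
    caps, first = {}, True
    for line in reply.splitlines():
        m = re.match(r"^(\d{3})([ -])(.*)$", line.rstrip("\r"))
        if not m:
            raise ValueError(f"not an SMTP reply line: {line!r}")
        code, sep, text = m.groups()
        if first:
            first = False
            if code != "250":
                return code, caps
        else:
            # "AUTH=PLAIN LOGIN" is the pre-standard spelling old clients need.
            name, _, rest = text.replace("=", " ", 1).partition(" ")
            params = caps.setdefault(name.upper(), [])
            for p in rest.split():
                if p not in params:
                    params.append(p)
        if sep == " ":
            break
    return "250", caps


def assess(plain, encrypted=None):
    """plain: extensions seen before STARTTLS; encrypted: extensions seen
    after STARTTLS, or None if that part of the test was not run."""
    findings = []
    if "STARTTLS" not in plain:
        findings.append("STARTTLS not offered: the session cannot be encrypted")
    if "AUTH" in plain:
        findings.append(f"AUTH {' '.join(plain['AUTH'])} offered before STARTTLS "
                        "(smtpd_tls_auth_only = no): a client that skips STARTTLS "
                        "sends its password in clear text")
    if encrypted is not None and "AUTH" not in encrypted:
        findings.append("AUTH not offered even after STARTTLS: SASL is not working")
    return findings


def live_check(host="localhost", port=25):
    """The telnet test with STARTTLS completed; not run by the offline tests."""
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        smtp.ehlo()
        plain = {k.upper(): v.split() for k, v in smtp.esmtp_features.items()}
        encrypted = None
        if smtp.has_extn("starttls"):
            # The guide's certificate is self-signed: pass context=<an SSLContext
            # that trusts cacert.pem> if you want the certificate verified.
            smtp.starttls()
            smtp.ehlo()
            encrypted = {k.upper(): v.split() for k, v in smtp.esmtp_features.items()}
    return assess(plain, encrypted)
```

A manual equivalent of live_check() is openssl s_client -starttls smtp -connect localhost:25, followed by EHLO localhost inside the TLS session: with smtpd_tls_auth_only = yes the AUTH line should appear there and nowhere else.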

Troubleshooting

Remove Postfix from chroot

If you run into issues while running Postfix you may be asked to take Postfix out of its chroot to better diagnose the problem. To do that, edit /etc/postfix/master.cf and locate the following line:

smtp      inet  n       -       -       -       -       smtpd

and change the fifth column (the chroot flag) from - to n, so that it reads:

smtp      inet  n       -       n       -       -       smtpd

Then restart Postfix:

sudo /etc/init.d/postfix restart

Configuring saslauthd to Default

If you don't want to run Postfix in a chroot, or you'd like to not use the chroot for troubleshooting purposes, you will probably also want to return saslauthd to its default configuration. The first step is to edit /etc/default/saslauthd and comment out the lines we added above:

#PWDIR="/var/spool/postfix/var/run/saslauthd"
#PARAMS="-m ${PWDIR}"
#PIDFILE="${PWDIR}/saslauthd.pid"

Then return the saslauthd dpkg "state" to its default location:

sudo dpkg-statoverride --force --update --add root sasl 755 /var/run/saslauthd

And restart saslauthd:

sudo /etc/init.d/saslauthd restart

Using Port 587 for Secure Submission

If you want to use port 587 as the submission port for SMTP mail rather than 25 (many ISPs block port 25), edit /etc/postfix/master.cf and make sure the line starting with submission is uncommented; Postfix then listens on both 25 and 587. The three -o lines below are present, commented out, in Ubuntu's stock master.cf: with them the submission port requires STARTTLS before it offers AUTH and accepts mail only from authenticated clients, while port 25 keeps the more permissive settings from main.cf for mail arriving from other servers. The fifth column is the chroot flag (n disables the chroot as in the troubleshooting section above; the default - keeps it):

smtp       inet  n       -       n       -       -       smtpd
submission inet  n       -       n       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject

Other Postfix Guides

These guides will teach you how to set up Postfix mail servers, from basic to advanced.

Postfix Basic Setup

Postfix Basic Setup Howto will teach you the concepts of Postfix and how you can get a basic Postfix setup up and running. If you are new to Postfix it is recommended to follow this guide first.

Postfix Virtual Mailbox and Antivirus Filtering

Postfix Virtual MailBox ClamSmtp Howto will teach you how to set up virtual mailboxes using non-Linux accounts, where each user authenticates with their email address against a Dovecot POP3/IMAP server, and ClamSMTP antivirus filters both incoming and outgoing mail for known viruses.

Postfix Setup For Sender Policy Framework (SPF) Checking

Postfix SPF will show you how to add SPF checking to your existing Postfix setup. This allows your server to reject mail from unauthorized sources.

Postfix Setup For DKIM email signing and verification

Postfix DKIM will guide you through the setup of dkim-milter for your existing Postfix installation. This will allow your server to sign and verify emails using DKIM.

Postfix Setup For DomainKeys email signing and verification

Postfix DomainKeys will guide you through the setup of dk-filter for your existing Postfix installation. This will allow your server to sign and verify emails using DomainKeys (see Postfix/DomainKeys).

Add Dspam to Postfix

Postfix Dspam will guide you through the setup of dspam for your existing Postfix installation. This enables the high-quality statistical spam filter Dspam on your mail server.

Postfix Complete Solution

Postfix Complete Virtual Mail System Howto will help you if you are managing a large number of virtual domains at an ISP level or in a large corporation where you manage a few hundred or a thousand mail domains. This guide is appropriate if you are looking for a complete solution with:

  • Web based system administration
  • Unlimited number of domains
  • Virtual mail users without the need for shell accounts
  • Domain specific user names
  • Mailbox quotas
  • Web access to email accounts
  • Web based interface to change user passwords
  • IMAP and POP3 support
  • Auto responders
  • SMTP Authentication for secure relaying
  • SSL for transport layer security
  • Strong spam filtering
  • Anti-virus filtering
  • Log Analysis

Dovecot LDAP

The Postfix/DovecotLDAP guide will help you configure Postfix to use Dovecot as the MDA with LDAP users.

Dovecot SASL

The PostfixDovecotSASL guide will help you configure Postfix to use Dovecot's SASL implementation. Using Dovecot SASL may be preferable if you want to run Postfix in a chroot and need to use Cyrus SASL for other services.

Note: this guide has been tested on Ubuntu 6.06 (Dapper) and Ubuntu 7.10 (Gutsy).