Kirk's Postfix How To

Postfix Commands
Installation

Postfix Command Line Utilities
  1. The postfix command stops, starts, and reloads the configuration with the stop, start, and reload options.
    postfix start|stop|reload

    The postalias command creates an indexed alias file map.
    postalias /etc/aliases (or simply newaliases)

    The postcat command is used to view the content of a message in the mail queue.
    postcat -q queue_id (the queue ID is the first column of the mailq output)

    The postmap command makes indexed maps from flat files.
    postmap /etc/postfix/roleaccount_exceptions
Programs For This Setup
  1. Cyrus SASL - Download the current version at ftp://ftp.andrew.cmu.edu/pub/cyrus-mail/
  2. OpenSSL - Download the current version at http://www.openssl.org/
  3. Perl Compatible Regular Expressions - Download the current version at http://www.pcre.org/
  4. Postfix - Download the current version at http://www.postfix.org
  5. Amavisd-new - Download the current version at http://www.ijs.si/software/amavisd/
  6. ClamAV - Download the current version at http://www.clamav.net/
  7. SpamAssassin - Use cpan to install Mail::SpamAssassin
  1. Download SASL2 ftp://ftp.andrew.cmu.edu/pub/cyrus-mail/
    tar zxvf filename
    ./configure --with-plugindir=/usr/lib/sasl2 --disable-java --disable-krb4 --with-dblib=berkeley --enable-plain --enable-login
    make
    make install
    ln -s /usr/local/lib/sasl2 /usr/lib/sasl2
    Look at http://www.postfix.org/SASL_README.html for SASL/Postfix compile arg help.

    See if the syslogd daemon is set up to log Cyrus SASL messages.
    Add the following to your syslog.conf, and then restart syslogd
    Your syslog.conf is most likely located at /etc/syslog.conf.
    auth.* /var/log/auth

    To restart syslogd run /etc/rc.d/init.d/syslogd restart
    Create or edit the postfix sasl configuration file. The file is located in /usr/lib/sasl2 by default.
    Debian users must put smtpd.conf in /etc/postfix/sasl to make sasl auth work.
    touch /usr/lib/sasl2/smtpd.conf
    chmod 644 /usr/lib/sasl2/smtpd.conf
    In the smtpd.conf file a parameter and value must be on a single line.
    Every parameter ends with a colon, and a space separates the parameter from its value.
    The first parameter you should configure is the log_level parameter.

    log_level  Description
    0          No logging
    1          Log unusual errors (the default)
    2          Log all authentication errors
    3          Log non-fatal warnings
    4          More verbose than 3
    5          More verbose than 4
    6          Log traces of internal protocols
    7          Log traces of internal protocols, including passwords

    While you configure and test SASL, set the log level to at least 3.
    # Global Parameters
    log_level: 3
    pwcheck_method: saslauthd
    mech_list: PLAIN LOGIN

    Run saslauthd -v to get a list of authentication backends that your saslauthd supports.
    ANONYMOUS - The ANONYMOUS mechanism was designed to allow any client to relay. Do not use this.
    CRAM-MD5, DIGEST-MD5 - The Cyrus SASL library supports two "shared secret" mechanisms: CRAM-MD5 and its successor, DIGEST-MD5. These methods rely on the client and the server sharing a secret, usually a password. The server creates a challenge based on the secret, and the client responds, proving that it knows the shared secret. This is much more secure than simply sending an unencrypted password over a network, but the server still needs to store the secret.
    PLAIN, LOGIN - Uses base64-encoded plaintext. Using this without TLS encryption is a security risk.
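    As an added example (not part of the original how-to), here is a small POSIX shell lint for smtpd.conf. It enforces the one-parameter-per-line "name: value" format described above and flags the two settings this section warns about: log_level 7, which writes passwords into the log, and an ANONYMOUS entry in mech_list. The temporary directory and both sample configuration files are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the original how-to: lint a Cyrus SASL smtpd.conf.
# Sample files are constructed in a temporary directory (assumption: $TMPDIR or /tmp).

tmp="${TMPDIR:-/tmp}/sasl_lint.$$"
mkdir -p "$tmp"
trap 'rm -rf "$tmp"' EXIT

# Constructed sample: the configuration this section builds up.
cat > "$tmp/good.conf" <<'EOF'
# Global Parameters
log_level: 3
pwcheck_method: saslauthd
mech_list: PLAIN LOGIN
saslauthd_path: /var/run/saslauthd/mux
EOF

# Constructed sample with three mistakes: a line that is not "name: value",
# a log level that records passwords, and the ANONYMOUS mechanism.
cat > "$tmp/bad.conf" <<'EOF'
log_level: 7
pwcheck_method:saslauthd
mech_list: plain login anonymous
EOF

# Succeed only if every non-comment, non-blank line is "name: value".
sasl_conf_format_ok() {
    ! grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' \
        | grep -Evq '^[A-Za-z_]+: [^[:space:]]'
}

# Print the value of parameter $1 from file $2 (empty if absent).
sasl_conf_value() {
    sed -n "s/^$1: *//p" "$2" | head -n 1
}

# Report problems in the given smtpd.conf; the return status is the number found.
sasl_conf_audit() {
    file="$1"; problems=0
    if ! sasl_conf_format_ok "$file"; then
        echo "FORMAT: each parameter must be 'name: value' on a single line"
        problems=$((problems + 1))
    fi
    level=$(sasl_conf_value log_level "$file")
    if [ "${level:-1}" -ge 7 ]; then
        echo "RISK: log_level $level writes passwords into the log; use 3 while testing"
        problems=$((problems + 1))
    fi
    # Mechanism names are compared case-insensitively.
    mechs=$(sasl_conf_value mech_list "$file" | tr 'a-z' 'A-Z')
    case " $mechs " in
        *" ANONYMOUS "*)
            echo "RISK: mech_list offers ANONYMOUS, which turns the server into an open relay"
            problems=$((problems + 1)) ;;
    esac
    return "$problems"
}

sasl_conf_audit "$tmp/good.conf" && echo "good.conf: no problems"
sasl_conf_audit "$tmp/bad.conf" || echo "bad.conf: $? problem(s)"
```

    Run it against your own file with sasl_conf_audit /usr/lib/sasl2/smtpd.conf; a non-zero exit status means something needs fixing before you move on to saslauthd.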

    Create the state directory for saslauthd to store a socket and PID file.
    Run saslauthd -a shadow -d, and look for the run_path.
    The -d is for debug.
    The run_path is where saslauthd will attempt to create a socket.
    If the directory does not exist, create it and make it accessible only to root.
    I created it like this
    mkdir /var/run/saslauthd
    chown root:postfix /var/run/saslauthd
    chmod 750 /var/run/saslauthd

    You can tell the saslauthd daemon what directory to create the socket file in with the -m option such as
    saslauthd -m /var/run/saslauthd -a shadow

    Edit the smtpd.conf again, and add the path of the SASL socket
    # saslauthd parameters
    saslauthd_path: /var/run/saslauthd/mux

    Create the postfix SASL configuration file.
    I just created a link to the smtpd.conf.
    cd /usr/lib/sasl2
    ln -s smtpd.conf sample.conf
    ln -s /usr/local/lib/libsasl2.so.2 /usr/lib/libsasl2.so.2

    Start saslauthd
    saslauthd -m /var/run/saslauthd -a shadow

  2. Download PCRE pcre.org
    ./configure
    make
    make test
    make install

  3. Download OpenSSL openssl.org
    ./config
    make
    make test
    make install

  4. Download Postfix postfix.org
    Create the users postfix will run as.
    I created a postfix user and a postdrop user
    useradd postfix
    useradd postdrop

    Turn off the shell for these users.
    vi /etc/passwd
    Change the postfix and postdrop shell to /bin/false

    Make The Makefiles - I used the following command.
    make tidy - Only if you have made it before
    make makefiles CCARGS="-DUSE_TLS -I/usr/local/ssl/include -DUSE_SASL_AUTH -DUSE_CYRUS_SASL -I/usr/local/include/sasl" AUXLIBS="-L/usr/local -lssl -lcrypto -L/usr/local/lib -lsasl2"
    make
    make install or make upgrade

    Edit /etc/postfix/main.cf

    # The myhostname parameter specifies the internet hostname of this
    # mail system. The default is to use the fully-qualified domain name
    # from gethostname(). $myhostname is used as a default value for many
    # other configuration parameters.
    myhostname = mail.example.com

    # The mydomain parameter specifies the local internet domain name.
    # The default is to use $myhostname minus the first component.
    # $mydomain is used as a default value for many other configuration parameters.
    mydomain = example.com

    # The mydestination parameter specifies the list of domains that this
    # machine considers itself the final destination for.
    mydestination = $mydomain

    # The myorigin parameter specifies the domain that locally-posted
    # mail appears to come from. The default is to append $myhostname,
    # which is fine for small sites.
    myorigin = $mydomain

    Start postfix
    postfix start

    Send a test message
    echo foo | /usr/sbin/sendmail -f root root && tail -f /var/log/maillog


  5. Configure Postfix To Use Cyrus SASL

    Make sure postfix has been compiled with SASL support.
    Run ldd `postconf -h daemon_directory`/smtp
    And look for libsasl2.so.2 => /usr/lib/libsasl2.so.2 in the output

    Enable SASL in postfix
    Add smtpd_sasl_auth_enable = yes to /etc/postfix/main.cf
    Decide what SASL security options postfix should offer
    smtpd_sasl_security_options = options
    The options are:
    noanonymous - make sure to list this one so that your machine is not an open relay
    noplaintext - this excludes all plain text authentication
    noactive - this excludes SASL mechanisms that are susceptible to active attacks
    nodictionary - this excludes all mechanisms that can be broken with brute force
    mutual_auth - allows only mechanisms that provide mutual authentication
    I allow plain text login because I first require an ssl connection.
    Add broken_sasl_auth_clients = yes to the main.cf to allow Microsoft Clients to connect.


  6. TLS Configuration

    http://postfix.state-of-mind.de/patrick.koetter/smtpauth/postfix_tls_support.html
    TLS (formerly SSL) stands for Transport Layer Security.
    Once this layer is established, it encrypts the communication between two hosts.
    If we use SMTP AUTH and the mechanisms PLAIN or LOGIN, usernames and passwords are sent in plaintext over the internet.
    This means that anyone could sniff the communication and read the passwords.
    If you don't want this - we bet you don't - you can use TLS to help.
    Make sure postfix has been compiled with ssl support
    ldd /usr/libexec/postfix/smtpd
    Look for libssl.so.2 in the output

    Create The Certificate And Keys
    cd /usr/local/ssl
    cd misc
    cp CA CA_nodes
    vi CA_nodes

    Add "-nodes" to two of the lines in CA_nodes
    # create a certificate
    $REQ -new -nodes -x509 -keyout newreq.pem -out newreq.pem $DAYS
    # create a certificate request
    $REQ -new -nodes -keyout newreq.pem -out newreq.pem $DAYS

    Make yourself a Certificate Authority CA.
    ./CA_nodes -newca

    Make the certificate
    ./CA_nodes -newreq

    Sign The Certificate
    ./CA_nodes -sign

    mkdir /etc/postfix/certs
    cp newreq.pem /etc/postfix/certs/postfix_private_key.pem
    cp newcert.pem /etc/postfix/certs/postfix_public_cert.pem
    cp demoCA/cacert.pem /etc/postfix/certs/
    The -nodes option leaves the private key unencrypted on disk, so keep postfix_private_key.pem readable by root only.

    Add the following to /etc/postfix/main.cf

    # START TLS OR SSL SUPPORT FOR CLIENTS
    smtpd_use_tls = yes
    smtpd_tls_auth_only = yes
    smtpd_tls_key_file = /etc/postfix/certs/postfix_private_key.pem
    smtpd_tls_cert_file = /etc/postfix/certs/postfix_public_cert.pem
    smtpd_tls_loglevel = 0
    # END TLS OR SSL SUPPORT FOR CLIENTS

    Test out your email with SASL and TLS
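    Steps 5 and 6 only hold together when the settings agree with each other: PLAIN and LOGIN are acceptable only because smtpd_tls_auth_only refuses AUTH until TLS is up, and noanonymous must be present or the box is an open relay. As an added example (not code from the how-to or from Postfix), the POSIX shell script below reads those parameters out of a main.cf and reports any combination that breaks that reasoning. The temporary directory and both sample main.cf fragments are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the original how-to: check that the SASL and TLS
# settings in a Postfix main.cf are consistent with each other.
# Sample files are constructed in a temporary directory (assumption: $TMPDIR or /tmp).

tmp="${TMPDIR:-/tmp}/maincf_lint.$$"
mkdir -p "$tmp"
trap 'rm -rf "$tmp"' EXIT

# Constructed sample: the settings this how-to ends up with (PLAIN/LOGIN are
# offered, but only after TLS has been negotiated).
cat > "$tmp/hardened.cf" <<'EOF'
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/postfix/certs/postfix_private_key.pem
smtpd_tls_cert_file = /etc/postfix/certs/postfix_public_cert.pem
EOF

# Constructed sample: SASL switched on with nothing that stops anonymous
# logins or cleartext passwords.
cat > "$tmp/weak.cf" <<'EOF'
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options =
smtpd_use_tls = no
EOF

# Print the value of parameter $1 in main.cf $2; Postfix uses the last setting.
maincf_get() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" | tail -n 1
}

# Report inconsistent settings; the return status is the number of findings.
maincf_auth_audit() {
    f="$1"; n=0
    # Normalise the comma/space separated option list for the case patterns below.
    opts=" $(maincf_get smtpd_sasl_security_options "$f" | tr ',' ' ') "
    case "$opts" in
        *" noanonymous "*) ;;
        *) echo "RISK: smtpd_sasl_security_options lacks noanonymous (open relay)"
           n=$((n + 1)) ;;
    esac
    case "$opts" in
        *" noplaintext "*) ;;
        *)  # PLAIN/LOGIN are offered, so AUTH must be refused until TLS is up.
            if [ "$(maincf_get smtpd_tls_auth_only "$f")" != yes ]; then
                echo "RISK: plaintext mechanisms allowed but smtpd_tls_auth_only is not yes"
                n=$((n + 1))
            fi ;;
    esac
    if [ "$(maincf_get smtpd_use_tls "$f")" = yes ]; then
        for p in smtpd_tls_key_file smtpd_tls_cert_file; do
            if [ -z "$(maincf_get "$p" "$f")" ]; then
                echo "ERROR: TLS enabled but $p is not set"
                n=$((n + 1))
            fi
        done
    fi
    return "$n"
}

maincf_auth_audit "$tmp/hardened.cf" && echo "hardened.cf: consistent"
maincf_auth_audit "$tmp/weak.cf" || echo "weak.cf: $? finding(s)"
```

    Point maincf_auth_audit at /etc/postfix/main.cf after each change; the weak sample above produces two findings, the hardened one none.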

  7. SpamAssassin
    cpan
    install Mail::SpamAssassin

  8. ClamAV http://www.clamav.net/
    ./configure
    make
    make install
    useradd clamav
    Make a log file for clamd
    touch /var/log/clamd.log
    vi /usr/local/etc/clamd.conf

    Comment out the Example line at the top and turn on LogTime

    FreshClam comes with ClamAV - It is used to get the new virus definition files
    Make a log file for freshclam
    touch /var/log/freshclam.log
    vi /usr/local/etc/freshclam.conf

    Comment out the Example line at the top
    DatabaseDirectory /usr/local/share/clamav
    UpdateLogFile /var/log/freshclam.log
    DatabaseMirror db.us.clamav.net
    DatabaseMirror database.clamav.net

    Make the FreshClam cron to update the virus definition file automatically
    crontab -e
    50 */3 * * * /usr/local/bin/freshclam --quiet

    Create a cron to cleanup the old spam
    Put the following in /usr/share/custom/virusemail_cleanup.sh
    vi /usr/share/custom/virusemail_cleanup.sh

    #!/bin/sh
    # delete quarantined virus/spam files older than 7 days (-mtime +6);
    # -type f keeps find from handing the quarantine directory itself to rm
    find /var/virusmails -type f -mtime +6 -exec rm -f {} \;

    crontab -e
    0 2 * * * /usr/share/custom/virusemail_cleanup.sh

  9. Amavisd-New
    useradd amavis
    mkdir /var/amavis
    mkdir /var/amavis/tmp /var/amavis/var /var/amavis/db /var/amavis/home
    chown -R amavis:amavis /var/amavis
    chmod -R 750 /var/amavis
    cp amavisd /usr/local/sbin
    chown root /usr/local/sbin/amavisd
    chmod 755 /usr/local/sbin/amavisd
    cp amavisd.conf /etc/
    chown root /etc/amavisd.conf
    chmod 644 /etc/amavisd.conf
    mkdir /var/virusmails
    chown amavis:amavis /var/virusmails
    chmod 750 /var/virusmails
    vi /etc/amavisd.conf

    $max_servers = 2;
    $daemon_user = 'amavis';
    $daemon_group = 'amavis';
    $mydomain = 'example.com';
    $MYHOME = '/var/amavis';
    $TEMPBASE = "$MYHOME/tmp";
    $ENV{TMPDIR} = $TEMPBASE;
    $QUARANTINEDIR = '/var/virusmails';

    Attempt to start amavisd-new in debug mode
    amavisd debug
    Use cpan to get the perl modules you need

    Required Perl Modules
    Archive::Tar (Archive-Tar-x.xx)
    Archive::Zip (Archive-Zip-x.xx) (1.14 or later should be used!)
    Compress::Zlib (Compress-Zlib-x.xx) (1.35 or later)
    Convert::TNEF (Convert-TNEF-x.xx)
    Convert::UUlib (Convert-UUlib-x.xxx) (1.05 or later, stick to new versions!)
    MIME::Base64 (MIME-Base64-x.xx)
    MIME::Parser (MIME-Tools-x.xxxx) (latest version from CPAN - currently 5.417)
    Mail::Internet (MailTools-1.58 or later have workarounds for Perl 5.8.0 bugs)
    Net::Server (Net-Server-x.xx) (version 0.88 finally does setuid right, DO NOT USE VERSION .91 ! )
    Net::SMTP (libnet-x.xx, ports/net/p5-Net) (>= libnet-1.16 for performance)
    Digest::MD5 (Digest-MD5-x.xx) (2.22 or later)
    IO::Stringy (IO-stringy-x.xxx)
    Time::HiRes (Time-HiRes-x.xx) (use 1.49 or later, older can cause problems)
    Unix::Syslog (Unix-Syslog-x.xxx)
    BerkeleyDB with bdb library 3.2 or later (4.2 or later preferred)

    Optional Perl modules:
    Mail::SpamAssassin for doing spam scanning (2.64 or 3.0.4 or >=3.1)
    DBI with appropriate DBD::* if using SQL lookups
    Net::LDAP if using LDAP lookups
    Authen::SASL authenticating on mail forwarding and on submitting DSN
    Mail::ClamAV Perl module interface to ClamAV library
    SAVI Perl module interface to Sophos library (0.30 or later)

    After you get all the perl modules start amavisd-new
    amavisd

  10. Configure Postfix to use amavisd-new
    vi /etc/postfix/master.cf
    Make it look like this

    # ==========================================================================
    # service type  private unpriv  chroot  wakeup  maxproc command + args
    #               (yes)   (yes)   (yes)   (never) (100)
    # ==========================================================================
    smtp      inet  n       -       n       -       -       smtpd
    127.0.0.1:10025 inet    n   -   n       -       -       smtpd
    	-o content_filter=
    	-o local_recipient_maps=
    	-o relay_recipient_maps=
    	-o smtpd_restriction_classes=
    	-o smtpd_client_restrictions=
    	-o smtpd_helo_restrictions=
    	-o smtpd_sender_restrictions=
    	-o smtpd_recipient_restrictions=permit_mynetworks,reject
    	-o mynetworks=127.0.0.0/8
    	-o strict_rfc821_envelopes=yes
    #submission inet n      -       n       -       -       smtpd
    #   -o smtpd_etrn_restrictions=reject
    #   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    #smtps    inet  n       -       n       -       -       smtpd
    #  -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
    #submission   inet    n       -       n       -       -       smtpd
    #  -o smtpd_etrn_restrictions=reject
    #  -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes
    #628      inet  n       -       n       -       -       qmqpd
    amavisd-new unix    -   -       n       -       2       smtp
    	-o smtp_data_done_timeout=1200s
    	-o disable_dns_lookups=yes
    Edit main.cf to use amavisd-new
    vi /etc/postfix/main.cf
    Add the following

    # amavisd-new is the program that communicates with external spam programs like spamassassin
    # comment out this line to turn off filtering mail with spamassassin
    content_filter = amavisd-new:[127.0.0.1]:10024
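    The -o overrides on the 127.0.0.1:10025 listener are what keep this loop safe: mail arrives on port 25, is handed to amavisd-new on 10024, and comes back on 10025, so that listener must have an empty content_filter (or every message is filtered again forever) and must accept only from localhost (or anyone could inject unfiltered mail). As an added example (not code from the how-to, Postfix or amavisd-new), the POSIX shell script below parses a master.cf the way Postfix reads it, a service line followed by its indented continuation lines, and checks those overrides against the content_filter port in main.cf. The temporary directory and the three sample files are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the original how-to: check the amavisd-new
# re-injection listener in master.cf so filtered mail cannot loop back into
# the filter and nothing but localhost can inject into it.
# Sample files are constructed in a temporary directory (assumption: $TMPDIR or /tmp).

tmp="${TMPDIR:-/tmp}/mastercf_lint.$$"
mkdir -p "$tmp"
trap 'rm -rf "$tmp"' EXIT

# Constructed sample: the listener as this how-to configures it.
cat > "$tmp/good.master.cf" <<'EOF'
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp      inet  n       -       n       -       -       smtpd
127.0.0.1:10025 inet    n   -   n       -       -       smtpd
    -o content_filter=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks=127.0.0.0/8
amavisd-new unix    -   -       n       -       2       smtp
    -o smtp_data_done_timeout=1200s -o disable_dns_lookups=yes
EOF

# Constructed sample: the same listener with the protective overrides forgotten.
cat > "$tmp/bad.master.cf" <<'EOF'
smtp      inet  n       -       n       -       -       smtpd
127.0.0.1:10025 inet    n   -   n       -       -       smtpd
    -o smtpd_sasl_auth_enable=no
amavisd-new unix    -   -       n       -       2       smtp
EOF

# Constructed main.cf fragment naming the filter transport and its port.
cat > "$tmp/main.cf" <<'EOF'
content_filter = amavisd-new:[127.0.0.1]:10024
EOF

# Print the "-o name=value" overrides of service $1 in master.cf $2, one per line.
# A service entry is the line starting in column 0 plus its indented continuations.
master_overrides() {
    awk -v svc="$1" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        /^[^[:space:]]/ { cur = $1; next }
        cur == svc { for (i = 1; i < NF; i++) if ($i == "-o") print $(i + 1) }
    ' "$2"
}

# Print the TCP port the main.cf content_filter hands mail to.
filter_port() {
    sed -n 's/^[[:space:]]*content_filter[[:space:]]*=.*:\([0-9][0-9]*\)[[:space:]]*$/\1/p' "$1"
}

# Audit re-injection listener $1 in master.cf $2 against main.cf $3.
# Prints findings; the return status is the number of findings.
reinject_audit() {
    svc="$1"; n=0
    ov=$(master_overrides "$svc" "$2")
    # Without an empty content_filter, mail coming back from amavisd-new
    # would be handed to amavisd-new again, forever.
    echo "$ov" | grep -qx 'content_filter=' \
        || { echo "LOOP: $svc lacks -o content_filter="; n=$((n + 1)); }
    # Only the filter on this host may use the unfiltered path back in.
    echo "$ov" | grep -qx 'mynetworks=127.0.0.0/8' \
        || { echo "RISK: $svc does not limit mynetworks to 127.0.0.0/8"; n=$((n + 1)); }
    echo "$ov" | grep -qx 'smtpd_recipient_restrictions=permit_mynetworks,reject' \
        || { echo "RISK: $svc accepts mail from clients outside mynetworks"; n=$((n + 1)); }
    # The filter's input port and the re-injection port must differ.
    if [ "$(filter_port "$3")" = "${svc##*:}" ]; then
        echo "LOOP: content_filter port equals the re-injection port"; n=$((n + 1))
    fi
    return "$n"
}

reinject_audit 127.0.0.1:10025 "$tmp/good.master.cf" "$tmp/main.cf" && echo "good: OK"
reinject_audit 127.0.0.1:10025 "$tmp/bad.master.cf" "$tmp/main.cf" || echo "bad: $? finding(s)"
```

    Run reinject_audit 127.0.0.1:10025 /etc/postfix/master.cf /etc/postfix/main.cf after editing; a "LOOP" finding should be fixed before the first message is sent, because a filter loop fills the queue quickly.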

  11. Make postfix start at boot time, and turn off sendmail at boot time
    chkconfig --list sendmail
    chkconfig --del sendmail
    vi /etc/rc.d/rc.local
    /usr/sbin/saslauthd -m /var/run/saslauthd -a shadow
    /usr/local/sbin/amavisd
    /usr/local/bin/freshclam --quiet

  12. Watch The Error Log And Test Test Test - Thanks For Playing