Postfix How-To

From Secure Computing Wiki
Revision as of 17:52, 23 November 2010 by Esubiguxoc (Talk | contribs)


  • <i>Loosely follows the How-To at www.purplehat.org.</i>

Install MySQL

<ol><li>Install the MySQL 5.0 port: <pre># cd /usr/ports/databases/mysql50-server
# make all install clean</pre>

<li>Add MySQL to system startup in /etc/rc.conf: <pre># echo 'mysql_enable="YES"' >> /etc/rc.conf</pre>
<li>Start MySQL: <pre># /usr/local/etc/rc.d/mysql-server start</pre>
<li>Secure the MySQL root account (the port ships it with an empty password): <pre># mysql -u root mysql
mysql> UPDATE user SET Password=PASSWORD('mysql_root_password') WHERE user='root';
mysql> FLUSH PRIVILEGES;
mysql> quit</pre>
<li>Download the SQL file: <pre># fetch http://www.purplehat.org/downloads/postfix_guide/postfix-db.sql</pre>
<li>Edit postfix-db.sql and change the passwords on lines 9 and 12 before loading it. Whatever you set there must match the password= values you later put in dovecot-sql.conf and in the Postfix mysql_*.cf map files.
<li>Initialize the database: <pre># mysql -u root -p < postfix-db.sql</pre> </ol>

Install Dovecot

<ol><li>Install Dovecot from ports: <pre># cd /usr/ports/mail/dovecot
# make all install clean</pre>

<li>Make sure the SSL, IPv6, POP3, and MySQL options are selected.
<li>Enable Dovecot at startup in /etc/rc.conf: <pre># echo 'dovecot_enable="YES"' >> /etc/rc.conf</pre>
<li>Copy the example configurations to their proper locations: <pre># cd /usr/local/etc/
# cp dovecot-example.conf dovecot.conf
# cp dovecot-sql-example.conf dovecot-sql.conf</pre>

<li>Create the certificate directory and place your SSL certificate and key in it. Dovecot opens the key before dropping root privileges, so keep ssl.key readable by root only (mode 0600): <pre># mkdir /etc/certs
# cp ssl.crt ssl.key /etc/certs</pre>

<li>Edit /usr/local/etc/dovecot.conf (line numbers refer to the example file shipped with the port):
<br>Line 16, uncomment: <pre>base_dir = /var/run/dovecot/</pre>
<br>Line 21, uncomment and add the POP3(S) daemons: <pre>protocols = imap imaps pop3 pop3s</pre>
<br>Line 40, uncomment: <pre>listen = *</pre>
<br>Line 46, uncomment and change to no. With the default of yes Dovecot only accepts PLAIN/LOGIN after STARTTLS or on the imaps/pop3s ports; setting no lets clients send passwords in the clear on ports 143 and 110, so do this only if you must support clients that cannot use TLS: <pre>disable_plaintext_auth = no</pre>
<br>Line 54, uncomment: <pre>shutdown_clients = yes</pre>
<br>Line 86, uncomment: <pre>ssl_disable = no</pre>
<br>Lines 92-93, uncomment and point them at the certificate and key you copied into /etc/certs (the values shown are Dovecot's own defaults): <pre>ssl_cert_file = /etc/ssl/certs/dovecot.pem
ssl_key_file = /etc/ssl/private/dovecot.pem</pre>
<br>Line 172, uncomment and change accordingly: <pre>login_greeting = ISP Server Ready.</pre>
<br>Line 213, change to Maildir format (this must match virtual_mailbox_base in the Postfix main.cf): <pre>mail_location = maildir:/usr/local/virtual/%d/%n</pre>
<br>Line 321, uncomment and change the UID (125 is the unprivileged user that owns /usr/local/virtual; it must exist on the system): <pre>first_valid_uid = 125</pre>
<br>Line 329, uncomment and change the GID: <pre>first_valid_gid = 125</pre>
<br>Line 526, uncomment and add for quota support: <pre>mail_plugins = quota imap_quota</pre>
<br>Line 638, change the postmaster address: <pre>postmaster_address = postmaster@domain.tld</pre>
<br>Line 656, uncomment and add the quota module: <pre>mail_plugins = quota</pre>
<br>Line 748, add the other auth types (adjust to the mechanisms your clients need): <pre>mechanisms = plain login</pre>
<br>Line 794, comment this line out: <pre>#passdb pam {</pre>
<br>Line 827, comment out its closing bracket: <pre>#}</pre>
<br>Line 869, uncomment: <pre>passdb sql {</pre>
<br>Lines 871-872, uncomment and add the args line pointing at the SQL file: <pre>args = /usr/local/etc/dovecot-sql.conf
}</pre>
<br>Lines 898-905, comment these lines out: <pre>#userdb passwd {
#}</pre>
<br>Line 934, uncomment: <pre>userdb sql {</pre>
<br>Lines 936-937, uncomment and add the args line pointing at the SQL file: <pre>args = /usr/local/etc/dovecot-sql.conf
}</pre>
<br>Line 984, uncomment: <pre>socket listen {</pre>
<br>Line 995, uncomment: <pre>client {</pre>
<br>Line 999, uncomment and change the path (this lives under the Postfix queue directory and is what smtpd_sasl_path = private/auth in main.cf refers to): <pre>path = /var/spool/postfix/private/auth</pre>
<br>Line 1001, set the user allowed to connect to the socket (the Postfix daemon user, not the mail UID): <pre>user = postfix</pre>
<br>Line 1002, set the group allowed to connect to the socket: <pre>group = postfix</pre>
<br>Lines 1003-1004, uncomment: <pre>}
}</pre>
<li>Edit /usr/local/etc/dovecot-sql.conf:
<br>Line 28, uncomment and set the driver to MySQL: <pre>driver = mysql</pre>
<br>Line 57, uncomment and change to match our SQL settings. This file now contains a database password; with this configuration only the root-run auth process needs to read it, so keep it at mode 0600: <pre>connect = host=localhost dbname=postfix user=postfix password=postfix_password</pre>
<br>Line 64, uncomment and change to MD5. Dovecot's MD5 scheme is the salted MD5-CRYPT; it is fast to brute-force on modern hardware, so prefer a salted SHA scheme such as SSHA256 if the tool you create mailboxes with can generate it: <pre>default_pass_scheme = MD5</pre>
<br>Line 91, uncomment and change the query to match our setup (Dovecot SQL-escapes %-variables before substituting them, so the quoted '%u' is safe): <pre>password_query = SELECT password FROM mailbox WHERE username = '%u'</pre>
<br>Line 111, uncomment and change the query to match our setup: <pre>user_query = SELECT maildir, 125 AS uid, 125 AS gid, CONCAT('dirsize:storage=', ROUND( mailbox.quota / 1024 ) ) AS quota FROM mailbox WHERE username = '%u' AND active = '1'</pre>

  • Note: each setting above must stay on a single line; the long queries may appear wrapped on this site.

</ol>
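The Dovecot edits above contain two settings that deserve a second look before the server goes live: <code>disable_plaintext_auth = no</code> and <code>default_pass_scheme = MD5</code>, plus a dovecot-sql.conf that now carries a database password. The script below is an added example, not code from this page or from the purplehat.org guide; it audits a dovecot.conf and a dovecot-sql.conf for exactly those points and assumes Dovecot 1.x "key = value" syntax. The sample files it writes are constructed for the example (the page's settings, then a hardened variant of each); on a real host run the two audit functions against /usr/local/etc/dovecot.conf and /usr/local/etc/dovecot-sql.conf instead.

```shell
#!/bin/sh
# Added example, not part of the wiki page: audit the dovecot.conf and
# dovecot-sql.conf settings this how-to edits and flag the ones that weaken
# authentication. Assumes Dovecot 1.x "key = value" syntax. The sample
# configs written by make_samples are constructed for this example; on a
# real host point the audit functions at /usr/local/etc/dovecot*.conf.

# conf_get KEY FILE: print KEY's value (last uncommented occurrence wins).
conf_get() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" \
        | sed 's/[[:space:]]*$//' | tail -n 1
}

# audit_dovecot_conf FILE: warnings on stderr, the warning count on stdout.
audit_dovecot_conf() {
    n=0
    if [ "$(conf_get disable_plaintext_auth "$1")" != yes ]; then
        echo "WARN $1: disable_plaintext_auth is not yes; PLAIN/LOGIN are accepted on cleartext IMAP/POP3 before STARTTLS" >&2
        n=$((n + 1))
    fi
    if [ "$(conf_get ssl_disable "$1")" = yes ]; then
        echo "WARN $1: ssl_disable = yes; no TLS is offered at all" >&2
        n=$((n + 1))
    fi
    for k in ssl_cert_file ssl_key_file; do
        if [ -z "$(conf_get "$k" "$1")" ]; then
            echo "WARN $1: $k is unset" >&2
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# audit_dovecot_sql FILE: weak password scheme, and a world-readable file
# (the connect= line carries the MySQL password).
audit_dovecot_sql() {
    n=0
    case "$(conf_get default_pass_scheme "$1")" in
        ""|PLAIN|CRYPT|MD5|MD5-CRYPT|PLAIN-MD5|SMD5)
            echo "WARN $1: default_pass_scheme is weak or unset; prefer a salted SHA scheme such as SSHA256" >&2
            n=$((n + 1)) ;;
    esac
    case "$(ls -ld "$1" | cut -c8-10)" in
        *r*)
            echo "WARN $1: world-readable; chmod 600 it, only root needs to read it" >&2
            n=$((n + 1)) ;;
    esac
    echo "$n"
}

# make_samples: write the page's settings and a hardened variant of each
# into a scratch directory and print its path (constructed sample data).
make_samples() {
    d=$(mktemp -d) || return 1
    cat > "$d/dovecot.conf" <<'EOF'
protocols = imap imaps pop3 pop3s
disable_plaintext_auth = no
ssl_disable = no
ssl_cert_file = /etc/certs/ssl.crt
ssl_key_file = /etc/certs/ssl.key
EOF
    cat > "$d/dovecot-sql.conf" <<'EOF'
driver = mysql
connect = host=localhost dbname=postfix user=postfix password=postfix_password
default_pass_scheme = MD5
EOF
    chmod 644 "$d/dovecot-sql.conf"
    sed 's/^disable_plaintext_auth = no/disable_plaintext_auth = yes/' \
        "$d/dovecot.conf" > "$d/dovecot-hardened.conf"
    sed 's/^default_pass_scheme = MD5/default_pass_scheme = SSHA256/' \
        "$d/dovecot-sql.conf" > "$d/dovecot-sql-hardened.conf"
    chmod 600 "$d/dovecot-sql-hardened.conf"
    echo "$d"
}

# Demonstration: the page's files produce 1 and 2 warnings, the hardened
# files produce 0.
dir=$(make_samples)
for f in dovecot.conf dovecot-sql.conf dovecot-hardened.conf dovecot-sql-hardened.conf; do
    case $f in
        *sql*) w=$(audit_dovecot_sql "$dir/$f") ;;
        *)     w=$(audit_dovecot_conf "$dir/$f") ;;
    esac
    echo "$f: $w warning(s)"
done
```

The warning count is printed on stdout and the detail on stderr so the functions can be used from a cron job or a post-install check without parsing the messages. The scheme list in audit_dovecot_sql is a judgement call: everything in it is either unsalted or MD5/DES based.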

Postfix Installation

<ol><li>Install the Postfix port: <pre># cd /usr/ports/mail/postfix
# make install clean</pre>

<li>When asked for options, select PCRE, DOVECOT, TLS, BDB, MYSQL, and VDA.
<li>You will be asked whether to activate Postfix in /etc/mail/mailer.conf; answer yes: <pre>Would you like to activate Postfix in /etc/mail/mailer.conf [n]? y</pre>
<li>Add the following lines to /etc/rc.conf so sendmail stays off: <pre>sendmail_enable="NO"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"</pre>
<li>Add the following lines to /etc/periodic.conf: <pre>daily_clean_hoststat_enable="NO"
daily_status_mail_rejects_enable="NO"
daily_status_include_submit_mailq="NO"
daily_submit_queuerun="NO"</pre>
<li>Add the following to /usr/local/etc/postfix/main.cf below the "soft_bounce = no" section. A few points to keep in mind: reject_unauth_destination is the rule that stops the server from being an open relay, so it must stay in smtpd_recipient_restrictions ahead of any further permit rule; the original guide also listed reject_rbl_client list.dsbl.org, which was shut down in 2008 and is omitted here, and zen.spamhaus.org now supersedes sbl-xbl.spamhaus.org; smtpd_sasl_authenticated_header = yes records the SASL login name in the Received header of outgoing mail, so set it to no if you do not want that exposed; the three smtpd_tls_*_file settings all point at one smtpd.pem, which therefore has to contain both the private key and the certificate and must be readable by root only. <pre># SASL CONFIG
broken_sasl_auth_clients = yes
smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks
smtpd_recipient_restrictions =
 permit_mynetworks,
 permit_sasl_authenticated,
 reject_non_fqdn_hostname,
 reject_non_fqdn_sender,
 reject_non_fqdn_recipient,
 reject_unauth_destination,
 reject_unauth_pipelining,
 reject_invalid_hostname,
 reject_rbl_client bl.spamcop.net,
 reject_rbl_client sbl-xbl.spamhaus.org
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth

# TLS CONFIG
smtp_use_tls = yes
smtpd_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_key_file = /usr/local/etc/postfix/ssl/smtpd.pem
smtpd_tls_cert_file = /usr/local/etc/postfix/ssl/smtpd.pem
smtpd_tls_CAfile = /usr/local/etc/postfix/ssl/smtpd.pem
smtpd_tls_loglevel = 0
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

# MySQL Configuration
virtual_alias_maps = proxy:mysql:/usr/local/etc/postfix/mysql_virtual_alias_maps.cf
virtual_gid_maps = static:125
virtual_mailbox_base = /usr/local/virtual
virtual_mailbox_domains = proxy:mysql:/usr/local/etc/postfix/mysql_virtual_domains_maps.cf
virtual_mailbox_limit = 51200000
virtual_mailbox_maps = proxy:mysql:/usr/local/etc/postfix/mysql_virtual_mailbox_maps.cf
virtual_minimum_uid = 125
virtual_transport = virtual
virtual_uid_maps = static:125

# Additional for quota support
virtual_create_maildirsize = yes
virtual_mailbox_extended = yes
virtual_mailbox_limit_maps = proxy:mysql:/usr/local/etc/postfix/mysql_virtual_mailbox_limit_maps.cf
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps
 $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains
 $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps
 $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks
 $virtual_mailbox_limit_maps
virtual_mailbox_limit_override = yes
virtual_maildir_limit_message = Sorry, this user has overdrawn their diskspace quota. Please try again later.
virtual_overquota_bounce = yes</pre>
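The main.cf above refers to four mysql_virtual_*_maps.cf files that the page never shows. Each of them has to carry the MySQL user and password, so how they are written matters as much as what they contain. The script below is an added example, not code from this page or from the purplehat.org guide: it writes the four map files with a tightened umask so there is never a moment in which the password is world-readable, and leaves them at mode 0640 for root:postfix (proxymap runs as the postfix user and only needs group read). It assumes Postfix 2.2 or later for the query= parameter and the PostfixAdmin-style domain/alias/mailbox tables that the dovecot-sql.conf queries on this page also use; the table and column names for domain and alias are assumptions, so adjust the query= lines if your postfix-db.sql differs. The DB_* values are placeholders matching the page's connect= line.

```shell
#!/bin/sh
# Added example, not part of the wiki page: write the four mysql_*.cf map
# files that main.cf references, with permissions that keep the embedded
# MySQL password away from other users. Assumes Postfix 2.2+ (query=) and
# PostfixAdmin-style domain/alias/mailbox tables (an assumption; the page
# only shows the mailbox table). Credentials below are placeholders.
DB_USER=${DB_USER:-postfix}
DB_PASS=${DB_PASS:-postfix_password}
DB_HOST=${DB_HOST:-localhost}
DB_NAME=${DB_NAME:-postfix}

# write_mysql_map DIR NAME QUERY: create DIR/NAME at mode 0640 with no
# window in which it is world-readable (umask tightened in a subshell).
write_mysql_map() {
    dir=$1
    name=$2
    query=$3
    (
        umask 077
        {
            printf 'user = %s\n' "$DB_USER"
            printf 'password = %s\n' "$DB_PASS"
            printf 'hosts = %s\n' "$DB_HOST"
            printf 'dbname = %s\n' "$DB_NAME"
            printf 'query = %s\n' "$query"
        } > "$dir/$name"
    )
    chmod 0640 "$dir/$name"
    # On the real host also run: chown root:postfix "$dir/$name"
    # (proxymap runs as the postfix user, so group read is all it needs).
}

# write_all_maps DIR: write every map main.cf refers to. Postfix replaces
# %s with the lookup key (a domain name or a full address).
write_all_maps() {
    write_mysql_map "$1" mysql_virtual_domains_maps.cf \
        "SELECT domain FROM domain WHERE domain = '%s' AND active = '1'"
    write_mysql_map "$1" mysql_virtual_alias_maps.cf \
        "SELECT goto FROM alias WHERE address = '%s' AND active = '1'"
    write_mysql_map "$1" mysql_virtual_mailbox_maps.cf \
        "SELECT maildir FROM mailbox WHERE username = '%s' AND active = '1'"
    write_mysql_map "$1" mysql_virtual_mailbox_limit_maps.cf \
        "SELECT quota FROM mailbox WHERE username = '%s' AND active = '1'"
}

# map_is_private FILE: prints yes when the file is not world-readable.
map_is_private() {
    case "$(ls -ld "$1" | cut -c8-10)" in
        ---) echo yes ;;
        *)   echo no ;;
    esac
}

# map_query FILE: prints the query= value, for a quick review of each map.
map_query() {
    sed -n 's/^query = //p' "$1"
}

# Demonstration into a scratch directory; on the server use
# /usr/local/etc/postfix as the directory instead.
out=$(mktemp -d)
write_all_maps "$out"
for f in "$out"/*.cf; do
    printf '%s private=%s query=%s\n' "$(basename "$f")" \
        "$(map_is_private "$f")" "$(map_query "$f")"
done
```

Once the files are in /usr/local/etc/postfix, check each one from the server itself before touching master.cf, for example <code>postmap -q user@domain.tld mysql:/usr/local/etc/postfix/mysql_virtual_mailbox_maps.cf</code>, which should print the maildir path for an existing mailbox and nothing for an unknown address.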