Install postfixadmin from the ports tree in /usr/ports/mail/postfixadmin.

Next, you need to configure Postfixadmin to match your setup (database user/pass, default domain, etc). Edit the file /usr/local/share/postfixadmin/config.inc.php and set the following:

 $CONF['database_type'] = 'mysql';
 $CONF['database_host'] = 'localhost';
 $CONF['database_user'] = 'postfixadmin';
 $CONF['database_password'] = 'SecretPassword!';
 $CONF['database_name'] = 'postfix';
 
 $CONF['domain_path'] = 'YES';
 $CONF['domain_in_mailbox'] = 'NO';
 
 // 'md5crypt' is compatible with vpopmail password databases and Dovecot's CRYPT-MD5 setting.
 // 'md5' generates raw hexadecimal MD5-sums, compatible with Dovecot's PLAIN-MD5 setting.
 // 'cleartext' does not encrypt user passwords at all, compatible with Dovecot's PLAIN setting.
 //
 // For new installs, only use 'cleartext' if you have users who want you to be able to tell
 // them explicitly what their password is - and if you want to support that. Otherwise
 // 'md5crypt' is probably a better idea.
 //
 $CONF['encrypt'] = 'md5crypt';

Take a look at the rest of that file if you need to make more tweaks.

You can quickly change the default domain to your own:

 # '''replace "change-this-to-your.domain.tld" "yourdomain.com" -- /usr/local/share/postfixadmin/config.inc.php'''

Create the database and user in mysql:

 # '''mysql -u root -p'''
 mysql> '''create database postfix;'''
 mysql> '''grant all privileges on postfix.* to 'postfixadmin'@'localhost' identified by 'SecretPassword!';'''
 mysql> '''flush privileges;'''
 mysql> '''quit;'''

Now restart apache with '''apachectl restart''', then browse to "http://yourdomain.com/postfixadmin/" or "http://yourip/postfixadmin/". At the bottom of the page, you can find a link to run setup.php. Make sure the Setup Checker says 'OK' for everything.

Once you've run setup and all looks well, remove setup.php as it recommends.

Then browse to http://yourdomain.com/postfixadmin/admin. You should be prompted to log in; use the admin email you registered earlier in the setup page. From here you can add domains, mailboxes, etc. But Postfix won't see these yet: we need to install Postfix and configure it.

== Install Postfix with MySQL support ==

Install Postfix from ports in /usr/ports/mail/postfix. ''More stuff may need to be installed for SASL - on Ubuntu, libsasl2-modules-sql and libsasl2-modules are required from the repositories. Again, not sure - haven't done this bit on a BSD box yet.''

OK, before we can proceed editing main.cf, we need to know what the Postfix uid and gid are on your system. [[Grep]] '''/etc/passwd''' to find out:

 # '''grep postfix /etc/passwd'''
 postfix:x:105:114::/var/spool/postfix:/bin/false

So the uid is 105 on my server, and the gid is 114. Again, you need to double-check the uid and gid for '''your''' server and use them in the step below.

Add the following to /usr/local/etc/postfix/main.cf (the "proxy" bits are to allow MySQL connection pooling):

 virtual_alias_maps = proxy:mysql:/etc/postfix/mysql_virtual_alias_maps.cf
 virtual_gid_maps = static:114 '''<== REPLACE THIS WITH YOUR POSTFIX GID!'''
 virtual_mailbox_base = /home/vmail
 virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql_virtual_domains_maps.cf
 virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
 virtual_minimum_uid = 105 '''<== REPLACE THIS WITH YOUR POSTFIX UID!'''
 virtual_transport = virtual
 virtual_uid_maps = static:105 '''<== REPLACE THIS WITH YOUR POSTFIX UID!'''
 
 broken_sasl_auth_clients = yes
 smtpd_recipient_restrictions =
     permit_mynetworks,
     permit_sasl_authenticated,
     reject_unauth_destination,
     reject_unauth_pipelining
 
 smtpd_sasl_auth_enable = yes
 smtpd_sasl_local_domain = $myhostname
 smtpd_sasl_security_options = noanonymous

'''WORD OF WARNING:''' do not set reject_non_fqdn_sender or reject_non_fqdn_recipient, as many guides advise, unless you want a lot of problems with Outlook clients! The FQDN checks in these settings WILL process whatever is in the HELO/EHLO string - even when you have smtpd_helo_restrictions set to empty.

Note: the syntax for the following files is based on the postfix mysql_table(5) manual at http://www.postfix.org/mysql_table.5.html

Create the following files in /usr/local/etc/postfix/:

===mysql_virtual_alias_maps.cf===

 user = postfixadmin
 password = SecretPassword!
 hosts = 127.0.0.1
 dbname = postfix
 table = alias
 select_field = goto
 where_field = address

The alternative syntax for that file is:

 user = postfixadmin
 password = SecretPassword!
 hosts = 127.0.0.1
 dbname = postfix
 query = SELECT goto FROM alias WHERE address = '%s'

The same can be applied to the rest of these files.

===mysql_virtual_domains_maps.cf===

 user = postfixadmin
 password = SecretPassword!
 hosts = 127.0.0.1
 dbname = postfix
 table = domain
 select_field = domain
 where_field = domain
 additional_conditions = and backupmx = '0' and active = '1'

===mysql_virtual_mailbox_maps.cf===

 user = postfixadmin
 password = SecretPassword!
 hosts = 127.0.0.1
 dbname = postfix
 table = mailbox
 select_field = maildir
 where_field = username

If you want to be able to relay mail through your server with SMTP AUTH, you'll need to configure SASL. Since we need to get Dovecot's authentication against our db working anyway for IMAP, the easiest way to do this is just to go ahead and use Dovecot SASL support as well.
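Two checks worth running on the three map files above, as an added shell example that is not part of the original wiki page: the files carry the database password, so they must not be world-readable (proxymap(8) runs as the postfix user, so root:postfix with mode 0640 is enough for the proxy: lookups used in main.cf), and each file should answer a lookup through postmap(1) exactly as Postfix will see it. The POSTFIX_ETC path is the one this page uses; postmap -q is the real Postfix command for table lookups and needs the MySQL server running.

```shell
#!/bin/sh
# Added example (not from the original page): sanity-check the Postfix
# mysql_table(5) files created above. They embed the database password, so
# "other" must not be able to read them; proxymap(8) runs as the postfix
# user, so root:postfix with mode 0640 is sufficient for proxy: lookups.

POSTFIX_ETC=/usr/local/etc/postfix   # config directory used on this page

# Return 0 if the file exists and is NOT world-readable, 1 otherwise.
check_map_file_perms() {
    f=$1
    if [ ! -f "$f" ]; then
        echo "missing: $f" >&2
        return 1
    fi
    # find prints the path only if the other-read bit (004) is set
    if [ -n "$(find "$f" -perm -004 -print)" ]; then
        echo "world-readable (contains the DB password): $f" >&2
        return 1
    fi
    return 0
}

# Check all three files from this page; returns 1 if any is too open.
check_all_map_files() {
    rc=0
    for name in mysql_virtual_alias_maps.cf \
                mysql_virtual_domains_maps.cf \
                mysql_virtual_mailbox_maps.cf; do
        check_map_file_perms "$POSTFIX_ETC/$name" || rc=1
    done
    return $rc
}

# Run a lookup exactly as Postfix would, through the map definition file.
# Needs postmap(1) and a reachable MySQL server, so it is only meaningful
# on the mail host itself; an empty result means "no such key".
map_lookup() {
    key=$1
    f=$2
    postmap -q "$key" "mysql:$f"
}

# Usage on the mail host (domain, alias and mailbox lookups):
#   check_all_map_files && \
#     map_lookup yourdomain.com "$POSTFIX_ETC/mysql_virtual_domains_maps.cf" && \
#     map_lookup test@yourdomain.com "$POSTFIX_ETC/mysql_virtual_mailbox_maps.cf"
```

Note that the main.cf entries above point at /etc/postfix/ while the files are created under /usr/local/etc/postfix/; the paths have to agree on your system or every lookup fails. The same postfixadmin account, granted all privileges on the database earlier, is reused by Postfix and Dovecot, which only ever run SELECT queries; a separate read-only MySQL user for these .cf files and for dovecot-mysql.conf limits what a leaked map file gives away.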

== Dovecot installation, and SASL configuration for the Postfix SMTP server ==

Dovecot SASL support is available in Postfix 2.3 and later. On the Postfix side you need to specify the location of the Dovecot authentication daemon socket. We use a pathname relative to the Postfix queue directory, so that it will work whether or not the Postfix SMTP server runs chrooted.

In /usr/local/etc/postfix/main.cf, add the following:

 smtpd_sasl_type = dovecot
 smtpd_sasl_path = private/auth

On the Dovecot side you also need to specify the Dovecot authentication daemon socket. In this case we specify an absolute pathname. In the example we assume that the Postfix queue is under /var/spool/postfix/.

Install Dovecot with MySQL support from ports, /usr/ports/mail/dovecot.

Configure the Dovecot/MySQL setup in '''/usr/local/etc/dovecot/dovecot-mysql.conf''' using these settings:

===/usr/local/etc/dovecot/dovecot-mysql.conf===

 driver = mysql
 connect = dbname=postfix user=postfixadmin host=localhost password=SecretPassword!
 
 # if passwords are stored in the mysql db in plaintext, use PLAIN;
 # but we used 'md5crypt' in postfixadmin, so the correct setting in
 # Dovecot-ese is MD5-CRYPT.
 #
 # note that this encryption setting is directly compatible with both
 # '''htpasswd -m''' and also with '''vpopmail''' password databases,
 # making migration from Qmail/Vpopmail setups possible.
 #
 default_pass_scheme = MD5-CRYPT
 password_query = SELECT password FROM mailbox WHERE username = '%u'
 user_query = SELECT maildir, 106 AS uid, 106 AS gid FROM mailbox WHERE username = '%u'

Then configure Dovecot to use MySQL by setting these options in /usr/local/etc/dovecot/dovecot.conf:

===/usr/local/etc/dovecot/dovecot.conf===

 protocols = imap imaps pop3 pop3s
 disable_plaintext_auth = no
 log_timestamp = "%Y-%m-%d %H:%M:%S "
 mail_location = maildir:/home/vmail/%d/%n
 mail_access_groups = mail
 first_valid_uid = 106
 first_valid_gid = 106
 protocol imap {
 }
 
 protocol pop3 {
   pop3_uidl_format = %08Xu%08Xv
 }
 
 auth default {
   mechanisms = digest-md5 plain login
   passdb sql {
     args = /usr/local/etc/dovecot/dovecot-mysql.conf
   }
   userdb sql {
     args = /usr/local/etc/dovecot/dovecot-mysql.conf
   }
   user = root
 
   # this part sets up a socket that Postfix can use for SMTP AUTH.
   socket listen {
     client {
       path = /var/spool/postfix/private/auth
       mode = 0660
       user = postfix
       group = postfix
     }
   }
 }

'''NOTE:''' be sure you've enabled the LOGIN mechanism above, or Outlook clients WILL NOT authenticate properly! (Outlook doesn't bother reading the list of server capabilities; it just uses LOGIN no matter what.)

(More information about the dovecot configuration can be found in http://wiki.dovecot.org/AuthDatabase/SQL and http://wiki.dovecot.org/Variables if you need it.)
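The uid/gid for the virtual mailboxes appear in three places: virtual_uid_maps/virtual_gid_maps in main.cf (the Postfix section above), the constants in user_query in dovecot-mysql.conf, and first_valid_uid/first_valid_gid in dovecot.conf. Postfix writes the maildirs as the first pair and Dovecot reads them as the second, so the numbers must agree, and the uid must not be below virtual_minimum_uid or virtual(8) refuses delivery. The following is an added shell example, not part of the original page, that cross-checks the three snippets; the sample inputs are constructed from the values shown on this page, and pass the three real files as arguments to check a live system.

```shell
#!/bin/sh
# Added example (not from the original page): cross-check the uid/gid that
# Postfix (main.cf) and Dovecot (dovecot-mysql.conf user_query and
# dovecot.conf first_valid_uid/gid) use for the virtual mailboxes.

# Constructed sample inputs, copied from the snippets on this page.
MAIN_CF_SAMPLE='virtual_gid_maps = static:114
virtual_minimum_uid = 105
virtual_uid_maps = static:105'
DOVECOT_SQL_SAMPLE="user_query = SELECT maildir, 106 AS uid, 106 AS gid FROM mailbox WHERE username = '%u'"
DOVECOT_CONF_SAMPLE='first_valid_uid = 106
first_valid_gid = 106'

# postfix_static_id uid|gid <main.cf text>: the number after "static:" in
# virtual_uid_maps / virtual_gid_maps.
postfix_static_id() {
    printf '%s\n' "$2" |
        sed -n "s/^virtual_$1_maps *= *static:\([0-9][0-9]*\).*/\1/p" | head -n 1
}

# postfix_minimum_uid <main.cf text>: virtual(8) rejects uids below this.
postfix_minimum_uid() {
    printf '%s\n' "$1" |
        sed -n 's/^virtual_minimum_uid *= *\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# dovecot_query_id uid|gid <dovecot-mysql.conf text>: the constant N in
# "N AS uid" / "N AS gid" of user_query (the field before "AS").
dovecot_query_id() {
    printf '%s\n' "$2" | awk -v want="$1" '
        /^user_query/ {
            for (i = 2; i <= NF; i++)
                if ($i == "AS" && ($(i+1) == want || $(i+1) == (want ","))) {
                    v = $(i-1); sub(/,$/, "", v); print v; exit
                }
        }'
}

# dovecot_first_valid_id uid|gid <dovecot.conf text>
dovecot_first_valid_id() {
    printf '%s\n' "$2" |
        sed -n "s/^first_valid_$1 *= *\([0-9][0-9]*\).*/\1/p" | head -n 1
}

# check_vmail_ids <main.cf text> <dovecot-mysql.conf text> <dovecot.conf text>
# Prints one status line per id kind; returns 1 on any mismatch.
check_vmail_ids() {
    rc=0
    min=$(postfix_minimum_uid "$1")
    for kind in uid gid; do
        p=$(postfix_static_id "$kind" "$1")
        q=$(dovecot_query_id "$kind" "$2")
        d=$(dovecot_first_valid_id "$kind" "$3")
        status=OK
        [ -n "$p" ] && [ "$p" = "$q" ] && [ "$p" = "$d" ] || status=MISMATCH
        if [ "$kind" = uid ] && [ -n "$p" ] && [ -n "$min" ] && [ "$p" -lt "$min" ]; then
            status=BELOW_VIRTUAL_MINIMUM_UID
        fi
        printf '%s %s: main.cf=%s user_query=%s first_valid_%s=%s\n' \
            "$status" "$kind" "$p" "$q" "$kind" "$d"
        [ "$status" = OK ] || rc=1
    done
    return $rc
}

# Stand-alone usage: three file names (main.cf dovecot-mysql.conf dovecot.conf),
# or no arguments to check the samples taken from this page.
if [ "$#" -eq 3 ]; then
    check_vmail_ids "$(cat "$1")" "$(cat "$2")" "$(cat "$3")"
elif check_vmail_ids "$MAIN_CF_SAMPLE" "$DOVECOT_SQL_SAMPLE" "$DOVECOT_CONF_SAMPLE"; then
    echo "ids are consistent"
else
    echo "fix the ids above before testing delivery"
fi
```

Run against the page's own snippets it reports MISMATCH for both uid (105 vs 106) and gid (114 vs 106): the Postfix section was written for the uid/gid found with grep, while the Dovecot snippets use 106, so on a real install pick the values from your own /etc/passwd and use the same ones in all three files.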

Now, create the directory structure, including a directory for the first domain. You'll also want to go into PostfixAdmin and create a 'test' account for yourdomain.com so you've got something to test with.

 # '''mkdir -p /home/vmail/yourdomain.com'''
 # '''chmod -R 770 /home/vmail'''
 # '''chown -R postfix:postfix /home/vmail/'''

Finally, restart Dovecot and Postfix:

 # '''/etc/init.d/postfix restart'''
 # '''/etc/init.d/dovecot restart'''

And you're ready to test it all out. You should be able to add new domains, mailboxes and aliases using PostfixAdmin and have it all work properly, including SMTP authentication.

== Testing SMTP AUTH by telnet ==

You'll need the [[metamail]] package, so that you have the [[mimencode]] utility to base64-encode your login information. Install it from ports, /usr/ports/mail/metamail.

Now we need to generate base64-encoded strings to use with the PLAIN and LOGIN methods.

 # printf 'user@domain.com' | mimencode
 dXNlckBkb21haW4uY29t
 # printf 'password' | mimencode
 cGFzc3dvcmQ=

Those two are for the LOGIN method. The next one is for the PLAIN method. If you're impatient to just see whether something works, this one is less hassle since it's only a single copy and paste. =)

 # printf '\0user@domain.com\0password' | mimencode
 AHVzZXJAZG9tYWluLmNvbQBwYXNzd29yZA==

OK, let's telnet in:

 # '''telnet localhost 25'''
 Trying 127.0.0.1...
 Connected to localhost.
 Escape character is '^]'.
 220 mail.server.local ESMTP Postfix

Great, we got a banner. OK, now let's tell it we want to use extended SMTP with the "ehlo" command:

 '''ehlo test'''
 250-mail.server.local
 250-PIPELINING
 250-SIZE 10240000
 250-VRFY
 250-ETRN
 250-STARTTLS
 250-AUTH DIGEST-MD5 PLAIN LOGIN
 250-AUTH=DIGEST-MD5 PLAIN LOGIN
 250-ENHANCEDSTATUSCODES
 250-8BITMIME
 250 DSN

Alright. Good. Notice that we support three AUTH methods: DIGEST-MD5, PLAIN, and LOGIN. Let's try PLAIN first, using the string we generated for it above:

 '''AUTH PLAIN AHVzZXJAZG9tYWluLmNvbQBwYXNzd29yZA=='''
 235 2.0.0 Authentication successful
 '''quit'''
 221 2.0.0 Bye

Excellent! If we want to try the LOGIN method, telnet back in and '''ehlo''' just as we did before, then:

 '''AUTH LOGIN'''
 334 VXNlcm5hbWU6
 '''dXNlckBkb21haW4uY29t'''
 334 UGFzc3dvcmQ6
 '''cGFzc3dvcmQ='''
 235 2.0.0 Authentication successful
 '''quit'''
 221 2.0.0 Bye

Again, excellent. (If you were curious, the 334 and 235 SMTP messages are also Base64 encoded, and decode to "Username:" and "Password:" when run through '''mimencode -u'''.)
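The encoding steps above, as an added shell example that is not part of the original page: it builds the PLAIN token (NUL, user, NUL, password, per RFC 4616) and the two LOGIN responses with base64(1) instead of mimencode, and decodes the server's 334 challenges. It assumes a base64 that accepts -d for decoding (GNU coreutils and FreeBSD's do); the credentials are the page's sample user@domain.com / password.

```shell
#!/bin/sh
# Added example (not from the original page): build and decode the base64
# strings used by SMTP AUTH PLAIN and LOGIN, using base64(1) in place of
# mimencode. Assumes "base64 -d" decodes (GNU coreutils, FreeBSD base64).

# Encode a plain string (the LOGIN method sends one of these per prompt).
b64() {
    printf '%s' "$1" | base64 | tr -d '\n'
}

# Decode a base64 string, e.g. a 334 challenge from the server.
smtp_decode() {
    printf '%s' "$1" | base64 -d
}

# PLAIN sends a single token: NUL, authcid (the user), NUL, password.
# The NULs come from printf's \0 and go straight into the pipe, because a
# shell variable cannot hold a NUL byte; user and password are passed as
# %s arguments so a % in a password is not read as a format directive.
smtp_auth_plain() {
    printf '\0%s\0%s' "$1" "$2" | base64 | tr -d '\n'
}

# Show what a PLAIN token contains, rendering each NUL as "|".
smtp_decode_visible() {
    printf '%s' "$1" | base64 -d | tr '\000' '|'
}

# The LOGIN exchange for a user/password, as typed after EHLO; the server's
# 334 prompts are shown with their decoded text beside them.
smtp_login_dialogue() {
    printf 'C: AUTH LOGIN\n'
    printf 'S: 334 %s   (%s)\n' "$(b64 'Username:')" 'Username:'
    printf 'C: %s\n' "$(b64 "$1")"
    printf 'S: 334 %s   (%s)\n' "$(b64 'Password:')" 'Password:'
    printf 'C: %s\n' "$(b64 "$2")"
}

# Stand-alone run: the strings for the page's sample credentials.
echo "AUTH PLAIN $(smtp_auth_plain 'user@domain.com' 'password')"
smtp_login_dialogue 'user@domain.com' 'password'
```

Both encodings are reversible, not encryption. In the EHLO reply above AUTH is offered on the plain port 25 session next to STARTTLS, and dovecot.conf sets disable_plaintext_auth = no, so a client that never issues STARTTLS sends the password in the clear; Postfix's smtpd_tls_auth_only = yes (once TLS is configured) withholds AUTH until STARTTLS has completed, and for a manual test over TLS `openssl s_client -starttls smtp -connect localhost:25` takes the place of telnet.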
| + | |
− | | + | |
− | | + | |
− | | + | |
− | == Installing Content Filtering with Postprox ==
| + | |
− | | + | |
− | [[Postprox]] is a minimalist (approximately 700 lines of pure C) SMTP proxy designed for use with Postfix to make content filtering easier. In this case, we're going to use Postprox to scan incoming messages with clamdscan and spamc and add scanning notices to the message headers.
| + | |
− | | + | |
− | First, add the following line to '''/usr/local/etc/postfix/main.cf''':
| + | |
− | | + | |
− | smtpd_proxy_filter=127.0.0.1:10025
| + | |
− | | + | |
− | Now, add the following lines to the bottom of '''/usr/local/etc/postfix/master.cf''':
| + | |
− | | + | |
− | # SMTP Proxy.
| + | |
− | #
| + | |
− | 127.0.0.1:10025 inet n n n - 20 spawn
| + | |
− | user=filter argv=/usr/local/sbin/postprox -v -r -c /usr/local/bin/filter.sh 127.0.0.1:10026
| + | |
− |
| + | |
− | # After-filter SMTP server. Receive mail from the content filter
| + | |
− | # on localhost port 10026.
| + | |
− | #
| + | |
− | 127.0.0.1:10026 inet n - n - - smtpd
| + | |
− | -o smtpd_authorized_xforward_hosts=127.0.0.0/8
| + | |
− | -o smtpd_client_restrictions=
| + | |
− | -o smtpd_helo_restrictions=
| + | |
− | -o smtpd_sender_restrictions=
| + | |
− | -o smtpd_recipient_restrictions=permit_mynetworks,reject
| + | |
− | -o smtpd_data_restrictions=
| + | |
− | -o smtpd_junk_command_limit=100000
| + | |
− | -o smtpd_soft_error_limit=10000
| + | |
| -o smtpd_error_sleep_time=0 | | -o smtpd_error_sleep_time=0 |
| -o smtpd_proxy_filter= | | -o smtpd_proxy_filter= |
Install postfixadmin from the ports tree in /usr/ports/mail/postfixadmin.
Next, you need to configure Postfixadmin to match your setup (database user/pass, default domain, etc). Edit the file /usr/local/share/postfixadmin/config.inc.php and set the following:
Finally, you need to install spamassassin and clamav, and create the filter script that we referenced in the postprox invocation in master.cf. Install from ports, /usr/ports/mail/P5-spamassassin and /usr/ports/security/clamav.
Whew. Now that you've got all that done, issue a postfix reload, break out your handy copy of the EICAR virus and the nearest chunk of spam, and test everything to make sure it works. Be sure to try killing off clamd and/or spamd so that you know exactly what happens when they aren't running, also. (Your server will issue a 451 message to whoever is trying to send mail, asking them to requeue and try again later. Remember, though, THE END USER DOESN'T SEE THESE! so you will probably want to automate in some way to notify you when this happens as well.)