Postfix, virtual domain setup

From FreeBSDwiki

Revision as of 05:29, 21 September 2010 by 96.53.44.210 (Talk)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

WARNING: this article may be a little rough in places; I've done this on Ubuntu but haven't yet done this particular config on FreeBSD. It should be mostly corrected for FreeBSD already, but I'll fix any remaining rough patches if and when I do this on a FreeBSD box the first time. --Jimbo 23:42, 6 October 2009 (EDT)

Dovecot installation, and SASL configuration for the Postfix SMTP server

Dovecot SASL support is available in Postfix 2.3 and later. On the Postfix side you need to specify the location of the Dovecot authentication daemon socket. We use a pathname relative to the Postfix queue directory, so that it will work whether or not the Postfix SMTP server runs chrooted.

In /usr/local/etc/postfix/main.cf, add the following:

smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth

On the Dovecot side you also need to specify the Dovecot authentication daemon socket. In this case we specify an absolute pathname. In the example we assume that the Postfix queue is under /var/spool/postfix/.

Install Dovecot with MySQL support:

Install from ports, /usr/ports/mail/dovecot.

Configure the Dovecot/MySQL setup in /usr/local/etc/dovecot/dovecot-mysql.conf using these settings:

/usr/local/etc/dovecot/dovecot-mysql.conf

driver = mysql
connect = dbname=postfix user=postfixadmin host=localhost password=SecretPassword!

# if passwords are stored in the mysql db in plaintext, use PLAIN: 
# but we used 'md5crypt' in postfixadmin, so the correct setting in 
# Dovecot-ese is MD5-CRYPT.
#
# note that this encryption setting is directly compatible with both 
# htpasswd -m and also with vpopmail password databases, 
# making migration from Qmail/Vpopmail setups possible.
#
default_pass_scheme = MD5-CRYPT
password_query = SELECT password FROM mailbox WHERE username = '%u'
user_query = SELECT maildir, 106 AS uid, 106 AS gid FROM mailbox WHERE username  = '%u'

Then configure Dovecot to use MySQL by setting these options in /usr/local/etc/dovecot/dovecot.conf:

/usr/local/etc/dovecot/dovecot.conf

protocols = imap imaps pop3 pop3s
disable_plaintext_auth = no
log_timestamp = "%Y-%m-%d %H:%M:%S "
mail_location = maildir:/home/vmail/%d/%n
mail_access_groups = mail
first_valid_uid = 106
first_valid_gid = 106
protocol imap {
}
  
protocol pop3 {
  pop3_uidl_format = %08Xu%08Xv
}

auth default {
  mechanisms = digest-md5 plain login
  passdb sql {
    args = /usr/local/etc/dovecot/dovecot-mysql.conf
  }
  userdb sql {
    args = /usr/local/etc/dovecot/dovecot-mysql.conf
  }
  user = root

  # this part sets up a socket that Postfix can use for SMTP AUTH.
  socket listen {
      client {
         path = /var/spool/postfix/private/auth
         mode = 0660
         user = postfix
         group = postfix
      }
  }
}

NOTE: be sure you've enabled the LOGIN mechanism above, or Outlook clients WILL NOT authenticate properly! (Outlook doesn't bother reading the list of server capabilities; it just uses LOGIN no matter what.)

(More information about the dovecot configuration can be found in http://wiki.dovecot.org/AuthDatabase/SQL and http://wiki.dovecot.org/Variables if you need it.)

Now, create the directory structure, including a directory for the first domain. You'll also want to go into PostfixAdmin and create a 'test' account for yourdomain.com so you've got something to test with.

# mkdir -p /home/vmail/yourdomain.com
# chmod -R 770 /home/vmail
# chown -R postfix:postfix /home/vmail/

Finally, restart Dovecot and Postfix:

# /etc/init.d/postfix restart
# /etc/init.d/dovecot restart

And you're ready to test it all out. You should be able to add new domains, mailboxes and aliases using PostfixAdmin and have it all work properly, including SMTP authentication.

Testing SMTP AUTH by telnet

You'll need the metamail package, so that you have the mimencode utility to base64 encode your login information. Install it from ports, /usr/ports/mail/metamail.

Now we need to generate base64-encoded strings to use with the PLAIN and LOGIN methods.

# printf 'user@domain.com' | mimencode
dXNlckBkb21haW4uY29t
# printf 'password' | mimencode
cGFzc3dvcmQ=

Those two are for the LOGIN method. The next one is for the PLAIN method. If you're impatient to just see if something works, this will gripe you less since it's only a single copy and paste. =)

# printf '\0user@domain.com\0password' | mimencode
AHVzZXJAZG9tYWluLmNvbQBwYXNzd29yZA==

OK, let's telnet in:

# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 mail.server.local ESMTP Postfix

Great, we got a banner. OK, now let's tell it we want to use extended SMTP with the "ehlo" command:

ehlo test
250-mail.server.local
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH DIGEST-MD5 PLAIN LOGIN
250-AUTH=DIGEST-MD5 PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

Alright. Good. Notice that we support three AUTH methods: DIGEST-MD5, PLAIN, and LOGIN. Let's try PLAIN first, using the string we generated for it above:

AUTH PLAIN AHVzZXJAZG9tYWluLmNvbQBwYXNzd29yZA==
235 2.0.0 Authentication successful
quit
221 2.0.0 Bye

Excellent! If we want to try the LOGIN method, telnet back in and ehlo just as we did before, then:

AUTH LOGIN
334 VXNlcm5hbWU6
dXNlckBkb21haW4uY29t
334 UGFzc3dvcmQ6
cGFzc3dvcmQ=
235 2.0.0 Authentication successful
quit
221 2.0.0 Bye

Again, excellent. (If you were curious, the 334 and 235 SMTP messages are also Base64 encoded, and decode to "Username:" and "Password:" when run through mimencode -u.)

Installing Content Filtering with Postprox

Postprox is a minimalist (approximately 700 lines of pure C) SMTP proxy designed for use with Postfix to make content filtering easier. In this case, we're going to use Postprox to scan incoming messages with clamdscan and spamc and add scanning notices to the message headers.

First, add the following line to /usr/local/etc/postfix/main.cf:

smtpd_proxy_filter=127.0.0.1:10025

Now, add the following lines to the bottom of /usr/local/etc/postfix/master.cf:

# SMTP Proxy.
#
127.0.0.1:10025 inet n n n - 20 spawn
  user=filter argv=/usr/local/sbin/postprox -v -r -c /usr/local/bin/filter.sh 127.0.0.1:10026

# After-filter SMTP server. Receive mail from the content filter
# on localhost port 10026.
#
127.0.0.1:10026 inet n  -       n       -        -      smtpd
    -o smtpd_authorized_xforward_hosts=127.0.0.0/8
    -o smtpd_client_restrictions=
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o smtpd_data_restrictions=
    -o smtpd_junk_command_limit=100000
    -o smtpd_soft_error_limit=10000
    -o smtpd_error_sleep_time=0
    -o smtpd_proxy_filter=
    -o mynetworks=127.0.0.0/8
    -o receive_override_options=no_unknown_recipient_checks

Now add a neutered user to run the script with:

# pw useradd filter -s /sbin/nologin

Now install postprox. Download the source from http://www.ivarch.com/programs/postprox.shtml, untar it, cd into it and do a basic ./configure && make && make install. Everything should go swimmingly. Doublecheck that postprox was installed into /usr/local/sbin - if it went somewhere else, either move it there or edit the references to it in Postfix's master.cf, your choice.

Finally, you need to install spamassassin and clamav, and create the filter script that we referenced in the postprox invocation in master.cf. Install from ports, /usr/ports/mail/P5-spamassassin and /usr/ports/security/clamav.

To get spamd, freshclam, and clamd running, you'll need to edit /etc/rc.conf and set spamd_enable=YES, clamav_freshclam_enable=YES, and clamav_clamd_enable=YES. Once you've done that, make sure everything is running:

# /usr/local/etc/rc.d/sa-spamd start
# /usr/local/etc/rc.d/clamav-freshclam start
# /usr/local/etc/rc.d/clamav-clamd start

And finally, create your /usr/local/bin/filter.sh script to tie it all together. One is provided at Postfix, relay MX - grab a copy from that article, place it in /usr/local/bin/filter.sh, and proceed.

Remember you need to make your filter.sh executable by your filter user:

# chown filter /usr/local/bin/filter.sh && chmod 550 /usr/local/bin/filter.sh

Whew. Now that you've got all that done, issue a postfix reload, break out your handy copy of the EICAR virus and the nearest chunk of spam, and test everything to make sure it works. Be sure to try killing off clamd and/or spamd so that you know exactly what happens when they aren't running, also. (Your server will issue a 451 message to whoever is trying to send mail, asking them to requeue and try again later. Remember, though, THE END USER DOESN'T SEE THESE! so you will probably want to automate in some way to notify you when this happens as well.)

Postfix, virtual domain setup

Contents

Dovecot installation, and SASL configuration for the Postfix SMTP server

/usr/local/etc/dovecot/dovecot-mysql.conf

/usr/local/etc/dovecot/dovecot.conf

Testing SMTP AUTH by telnet

Installing Content Filtering with Postprox

Views

Personal tools

Navigation

Search

Toolbox