Tuesday, February 12, 2013

Installation of Mail Server in Debian

Installation of Mail server (Postfix) on Debian 6.0 (Squeeze)
Log in as root.
In order to install Postfix with SMTP-AUTH and TLS, first install the postfix package from the main repository using the package manager:
apt-get install postfix
Configure Postfix:
dpkg-reconfigure postfix
Enter the following details when asked:
General type of mail configuration: Internet Site
System mail name: your.server.name
Root and postmaster mail recipient:
Other destinations for mail: your.server.name, server.name, localhost.localdomain, localhost
Force synchronous updates on mail queue?: No
Local networks: 127.0.0.0/8
Use procmail for local delivery?: Yes ('doesn't appear to be requested in current config')
Mailbox size limit (bytes): 0
Local address extension character: +
Internet protocols to use: all
To configure the mailbox format for Maildir:
postconf -e 'home_mailbox = Maildir/'
postconf -e 'mailbox_command ='
Note: this will place new mail in /home/username/Maildir, so you will need to configure your Mail Delivery Agent to use the same path.
Configure Postfix to do SMTP AUTH using SASL (saslauthd):
postconf -e 'smtpd_sasl_local_domain ='
postconf -e 'smtpd_sasl_auth_enable = yes'
postconf -e 'smtpd_sasl_security_options = noanonymous'
postconf -e 'broken_sasl_auth_clients = yes'
postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination'
postconf -e 'inet_interfaces = all'
Next edit /etc/postfix/sasl/smtpd.conf and add the following lines:
pwcheck_method: saslauthd
mech_list: plain login
Generate certificates to be used for TLS encryption and/or certificate authentication:
touch smtpd.key
chmod 600 smtpd.key
openssl genrsa 1024 > smtpd.key
openssl req -new -key smtpd.key -x509 -days 3650 -out smtpd.crt
# Answer the questions when asked
Country Name (2 letter code) [AU]:BD
State or Province Name (full name) [Some-State]:.
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:Library
Common Name (eg, YOUR name) []:
Email Address []:
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650
# Answer the questions when asked
writing new private key to 'cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
Country Name (2 letter code) [AU]:BD
State or Province Name (full name) [Some-State]:.
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:Library
Common Name (eg, YOUR name) []:
Email Address []:
mv smtpd.key /etc/ssl/private/
mv smtpd.crt /etc/ssl/certs/
mv cakey.pem /etc/ssl/private/
mv cacert.pem /etc/ssl/certs/
Configure Postfix to do TLS encryption for both incoming and outgoing mail:
postconf -e 'smtp_tls_security_level = may'
postconf -e 'smtpd_tls_security_level = may'
postconf -e 'smtpd_tls_auth_only = no'
postconf -e 'smtp_tls_note_starttls_offer = yes'
postconf -e 'smtpd_tls_key_file = /etc/ssl/private/smtpd.key'
postconf -e 'smtpd_tls_cert_file = /etc/ssl/certs/smtpd.crt'
postconf -e 'smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem'
postconf -e 'smtpd_tls_loglevel = 1'
postconf -e 'smtpd_tls_received_header = yes'
postconf -e 'smtpd_tls_session_cache_timeout = 3600s'
postconf -e 'tls_random_source = dev:/dev/urandom'
postconf -e 'myhostname = your.server.name' # remember to change this to yours
The file /etc/postfix/main.cf should now look like this:
***********************************************************************************
# See /usr/share/postfix/main.cf.dist for a commented, more complete version

# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# TLS parameters
smtpd_tls_cert_file = /etc/ssl/certs/smtpd.crt
smtpd_tls_key_file = /etc/ssl/private/smtpd.key
#smtpd_use_tls=yes

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

myhostname = your.server.name
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = your.server.name, localhost.localdomain, localhost, www.gmail.com, www.mail.yahoo.com, mail.bracu.ac.bd, www.hotmail.com
relayhost =
mynetworks = 127.0.0.0/8,
#mailbox_command = /usr/bin/procmail -a "$EXTENSION" DEFAULT=$HOME/Maildir/ MAILDIR=$HOME/Maildir
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
home_mailbox = Maildir/
smtpd_sasl_local_domain =
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
smtpd_recipient_limit = 250
mailbox_command =
smtp_tls_security_level = may
smtpd_tls_security_level = may
smtpd_tls_auth_only = no
smtp_tls_note_starttls_offer = yes
smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
***********************************************************************************
Restart the postfix daemon:
/etc/init.d/postfix restart
Configure Postfix to use SASL for SMTP AUTH:
apt-get install libsasl2-2 sasl2-bin
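A small audit of the main.cf above, added here as an example (not part of the original post or of Postfix itself): it parses the file in its key = value form, including indented continuation lines, and flags the settings that matter for SMTP-AUTH and TLS, in particular smtpd_tls_auth_only = no, which lets a client send PLAIN/LOGIN credentials before STARTTLS. The embedded excerpt is constructed from the file shown above; your.server.name is the guide's placeholder.

```python
import re

# Constructed excerpt of the main.cf shown above (hostname is the guide's placeholder).
SAMPLE_MAIN_CF = """\
myhostname = your.server.name
mynetworks = 127.0.0.0/8,
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_recipient_restrictions = permit_sasl_authenticated,
    permit_mynetworks, reject_unauth_destination
smtpd_tls_security_level = may
smtpd_tls_auth_only = no
"""

def parse_main_cf(text):
    """Return {parameter: value}; skips comments, joins indented continuation lines."""
    params, key = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and key:                  # continuation of the previous value
            params[key] += " " + raw.strip()
            continue
        m = re.match(r"\s*(\w+)\s*=\s*(.*)$", raw)
        if m:
            key, params[key] = m.group(1), m.group(2).strip()
    return params

def audit(params):
    """Return (parameter, finding) pairs for settings weaker than this guide needs."""
    split = lambda v: [x for x in re.split(r"[,\s]+", v) if x]
    findings = []
    if params.get("smtpd_tls_security_level", "none") == "none":
        findings.append(("smtpd_tls_security_level", "STARTTLS is not offered to clients"))
    if params.get("smtpd_tls_auth_only", "no") != "yes":
        findings.append(("smtpd_tls_auth_only", "AUTH accepted on unencrypted sessions; set to yes"))
    if params.get("smtpd_sasl_auth_enable") == "yes" and \
            "noanonymous" not in split(params.get("smtpd_sasl_security_options", "")):
        findings.append(("smtpd_sasl_security_options", "anonymous SASL mechanisms allowed"))
    rr = params.get("smtpd_recipient_restrictions")
    if rr is not None and "reject_unauth_destination" not in split(rr):
        findings.append(("smtpd_recipient_restrictions", "no reject_unauth_destination: open relay risk"))
    nets = [n for n in split(params.get("mynetworks", "")) if n not in ("127.0.0.0/8", "[::1]/128")]
    if nets:
        findings.append(("mynetworks", "non-loopback networks relay without AUTH: " + ", ".join(nets)))
    return findings
```

On a real server, pass the contents of /etc/postfix/main.cf to parse_main_cf() and print what audit() returns; for the file shown above the only finding is smtpd_tls_auth_only.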
Now we have to change a few things to make it work properly. Because Postfix runs chrooted in /var/spool/postfix, we have to change a couple of paths to live in the false root (i.e. /var/run/saslauthd becomes /var/spool/postfix/var/run/saslauthd):
In order to activate saslauthd:
gedit /etc/default/saslauthd
Change START=no to START=yes, add the PWDIR, PARAMS, and PIDFILE lines and edit the OPTIONS line at the end:
***********************************************************************************
#
# Settings for saslauthd daemon
# Please read /usr/share/doc/sasl2-bin/README.Debian for details.
#

# Should saslauthd run automatically on startup? (default: no)
START=yes

PWDIR="/var/spool/postfix/var/run/saslauthd"
PARAMS="-m ${PWDIR}"
PIDFILE="${PWDIR}/saslauthd.pid"

# Description of this saslauthd instance. Recommended.
# (suggestion: SASL Authentication Daemon)
DESC="SASL Authentication Daemon"

# Short name of this saslauthd instance. Strongly recommended.
# (suggestion: saslauthd)
NAME="saslauthd"

# Which authentication mechanisms should saslauthd use? (default: pam)
#
# Available options in this Debian package:
# getpwent  -- use the getpwent() library function
# kerberos5 -- use Kerberos 5
# pam       -- use PAM
# rimap     -- use a remote IMAP server
# shadow    -- use the local shadow password file
# sasldb    -- use the local sasldb database file
# ldap      -- use LDAP (configuration is in /etc/saslauthd.conf)
#
# Only one option may be used at a time. See the saslauthd man page
# for more information.
#
# Example: MECHANISMS="pam"
MECHANISMS="pam"

# Additional options for this mechanism. (default: none)
# See the saslauthd man page for information about mech-specific options.
MECH_OPTIONS=""

# How many saslauthd processes should we run? (default: 5)
# A value of 0 will fork a new process for each connection.
THREADS=5

# Other options (default: -c -m /var/run/saslauthd)
# Note: You MUST specify the -m option or saslauthd won't run!
#
# WARNING: DO NOT SPECIFY THE -d OPTION.
# The -d option will cause saslauthd to run in the foreground instead of as
# a daemon. This will PREVENT YOUR SYSTEM FROM BOOTING PROPERLY. If you wish
# to run saslauthd in debug mode, please run it by hand to be safe.
#
# See /usr/share/doc/sasl2-bin/README.Debian for Debian-specific information.
# See the saslauthd man page and the output of 'saslauthd -h' for general
# information about these options.
#
# Example for postfix users: "-c -m /var/spool/postfix/var/run/saslauthd"
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"
***********************************************************************************
Note: if you prefer, you can use "shadow" instead of "pam". This will use MD5 hashed password transfer and is perfectly secure. The username and password needed to authenticate will be those of the system users on the server.
Next, we update the dpkg "state" of /var/spool/postfix/var/run/saslauthd. The saslauthd init script uses this setting to create the missing directory with the appropriate permissions and ownership:
dpkg-statoverride --force --update --add root sasl 755 /var/spool/postfix/var/run/saslauthd
This may report an error that "--update given" and the "/var/spool/postfix/var/run/saslauthd" directory does not exist. You can ignore this, because the directory will be created when you start saslauthd next.
Finally, start saslauthd:
/etc/init.d/saslauthd start
To see if SMTP-AUTH and TLS work properly, run the following command:
telnet localhost 25
After you have established the connection to your Postfix mail server, type:
ehlo localhost
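What to look for in that reply, as an added example (not part of the original post): a server configured as above answers EHLO with a 250-STARTTLS line and, because smtpd_tls_auth_only = no, also 250-AUTH PLAIN LOGIN before any TLS is negotiated. parse_ehlo() reads such a reply (the sample below is constructed, your.server.name being the guide's placeholder), assess() turns it into findings, and probe() repeats the telnet session with Python's smtplib, sending EHLO again after STARTTLS to confirm that saslauthd-backed AUTH is still offered.

```python
import smtplib
import ssl

# Constructed EHLO reply from a server set up as in this guide
# (smtpd_tls_security_level = may, smtpd_tls_auth_only = no).
SAMPLE_EHLO = b"""250-your.server.name
250-PIPELINING
250-SIZE 10240000
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250 DSN"""

def parse_ehlo(reply):
    """Map each advertised keyword to its parameters, e.g. {'AUTH': ['PLAIN', 'LOGIN']}."""
    caps = {}
    for line in reply.decode().splitlines():
        fields = line[4:].split()          # drop the '250-' / '250 ' prefix
        if fields:
            caps[fields[0].upper()] = fields[1:]
    return caps

def assess(before_tls, after_tls=None):
    """Findings from the keywords seen before and (optionally) after STARTTLS."""
    findings = []
    if "STARTTLS" not in before_tls:
        findings.append("STARTTLS not offered: the TLS parameters are not active")
    if "AUTH" in before_tls:
        findings.append("AUTH offered before STARTTLS: credentials may cross the wire in clear")
    if after_tls is not None and "AUTH" not in after_tls:
        findings.append("AUTH not offered after STARTTLS: SASL via saslauthd is not working")
    return findings

def probe(host="localhost", port=25):
    """Live check: EHLO, STARTTLS, EHLO again, as the telnet session above does by hand."""
    with smtplib.SMTP(host, port, timeout=10) as s:
        s.ehlo("localhost")
        before = {k.upper() for k in s.esmtp_features}
        after = None
        if s.has_extn("starttls"):
            ctx = ssl.create_default_context()
            ctx.check_hostname = False        # the guide's certificate is self-signed,
            ctx.verify_mode = ssl.CERT_NONE   # so verification is skipped for this check
            s.starttls(context=ctx)
            s.ehlo("localhost")
            after = {k.upper() for k in s.esmtp_features}
        return assess(before, after)
```

Run probe() on the server itself; an empty list means STARTTLS is offered, AUTH is withheld until the session is encrypted, and AUTH appears once it is.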
