You have to set the mail domain in /etc/mailname:
example.com
I've collected the IMHO most important configuration changes to
/etc/postfix/main.cf
SASL authentication
You have two [possibilities][postfix_sasl] for SASL: you can use Cyrus SASL (and therefore saslauthd) or Dovecot SASL.
Cyrus SASL
To set the mechanisms used for authentication of SMTP sessions, edit
/etc/postfix/sasl/smtpd.conf.
pwcheck_method: saslauthd
mech_list: PLAIN LOGIN
It is important that you change the socket directory in
/etc/default/saslauthd
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"
The drawback is that the socket then lives inside the Postfix chroot and is not readable by other services, so this saslauthd can only be used for Postfix smtpd auth.
# SASL
smtpd_sasl_local_domain = mephisto.derhammer.net
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
Dovecot SASL
So I've decided to use the PAM backend of Dovecot SASL for smtpd auth.
# SASL
smtpd_sasl_local_domain = mephisto.derhammer.net
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
Mail Configuration
# TLS parameters
smtp_use_tls=yes
smtp_tls_note_starttls_offer = yes
smtpd_use_tls=yes
smtpd_tls_cert_file=/etc/ssl/mephisto.derhammer.net.crt
smtpd_tls_key_file=/etc/ssl/private/mephisto.derhammer.net.key
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
myhostname = mephisto.example.com
myorigin = /etc/mailname
mydestination = localhost.localdomain, localhost
LDAP interface
We have to configure Postfix to use LDAP to look up the virtual mailboxes.
# virtual LDAP
virtual_alias_maps = ldap:/etc/postfix/ldap-virtual-aliases.cf
virtual_mailbox_maps = ldap:/etc/postfix/ldap-virtual-maps.cf
virtual_mailbox_domains = ldap:/etc/postfix/ldap-virtual-domains.cf
virtual_minimum_uid = 100
virtual_uid_maps = static:110
virtual_gid_maps = static:110
As referenced in /etc/postfix/main.cf above, we have to create the
lookup table files for the LDAP communication. You should use the
following files.
/etc/postfix/ldap-virtual-aliases.cf
server_host = localhost
search_base = ou=people, dc=example, dc=com
query_filter = mail=%s
result_attribute = maildrop
/etc/postfix/ldap-virtual-maps.cf
server_host = localhost
search_base = ou=people, dc=example, dc=com
query_filter = mail=%s
result_attribute = mailbox
/etc/postfix/ldap-virtual-domains.cf
server_host = localhost
search_base = dc=example, dc=com
query_filter = associatedDomain=%s
result_attribute = associatedDomain
To check that we have not produced an open spam relay, try
telnet relay-test.mail-abuse.org
which should end with the message "System appeared to reject relay attempts".
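To make clear what the relay test above is checking, here is an added Python model (not part of the original page, and not Postfix code) of how Postfix walks the smtpd_recipient_restrictions list from the SASL sections: the first restriction that answers permit or reject wins, an exhausted list permits, and dropping reject_unauth_destination is exactly what turns the server into an open relay. The networks and domains are constructed sample values; the page's virtual domains come from LDAP instead.

```python
import ipaddress

# Constructed sample policy values (assumed; the page loads the domain list from LDAP).
MYNETWORKS = ["127.0.0.0/8", "192.0.2.0/24"]
LOCAL_DOMAINS = {"localhost", "localhost.localdomain", "example.com"}  # mydestination + virtual domains

def permit_mynetworks(session):
    ip = ipaddress.ip_address(session["client_ip"])
    return "permit" if any(ip in ipaddress.ip_network(n) for n in MYNETWORKS) else "dunno"

def permit_sasl_authenticated(session):
    return "permit" if session.get("sasl_user") else "dunno"

def reject_unauth_destination(session):
    # Only recipients in domains we are responsible for pass; everything else is relaying.
    domain = session["rcpt"].rpartition("@")[2].lower()
    return "dunno" if domain in LOCAL_DOMAINS else "reject"

RESTRICTIONS = {
    "permit_mynetworks": permit_mynetworks,
    "permit_sasl_authenticated": permit_sasl_authenticated,
    "reject_unauth_destination": reject_unauth_destination,
}

def evaluate(restriction_list, session):
    """First restriction answering permit/reject wins; an exhausted list permits."""
    for name in restriction_list.replace(",", " ").split():
        verdict = RESTRICTIONS[name](session)
        if verdict != "dunno":
            return verdict
    return "permit"

PAGE_POLICY = "permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination"
# The same list without reject_unauth_destination (Postfix itself refuses to start this way).
OPEN_RELAY_POLICY = "permit_sasl_authenticated, permit_mynetworks"

def relay_check(policy):
    """Verdicts for the cases a relay test exercises, from an unknown client 203.0.113.5."""
    stranger_to_outside = {"client_ip": "203.0.113.5", "rcpt": "victim@other.example"}
    stranger_to_us = {"client_ip": "203.0.113.5", "rcpt": "alice@example.com"}
    authed_to_outside = {"client_ip": "203.0.113.5", "rcpt": "bob@other.example", "sasl_user": "alice"}
    return (evaluate(policy, stranger_to_outside),
            evaluate(policy, stranger_to_us),
            evaluate(policy, authed_to_outside))

if __name__ == "__main__":
    print("page policy:", relay_check(PAGE_POLICY))              # ('reject', 'permit', 'permit')
    print("without reject_unauth_destination:", relay_check(OPEN_RELAY_POLICY))  # all 'permit'
```

The first tuple element is the relay case: the page's policy rejects it, while the truncated list permits it, which is the "open relay" the telnet test would report.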