How to Install Postfix and Dovecot Under OpenSolaris
Installing Postfix and Spamassassin
Postfix is a flexible and easy-to-configure replacement for sendmail. By following these instructions you will end up with a complete Postfix installation with support for POP, IMAP and virtual hosts (vhosts); POP and IMAP are supplied by Dovecot. This tutorial is based on OpenSolaris 2009.06 with Blastwave.
The first thing to do is to disable sendmail.
# svcadm disable sendmail
Now install postfix and the related packages: Procmail, a powerful mail processing tool that can be configured to do just about anything with a message, and the popular SpamAssassin anti-spam agent.
# pkg install SUNWprocmail
# /opt/csw/bin/pkgutil -i CSWspamassassin
# /opt/csw/bin/pkgutil -i CSWpostfix
Symlinking to common paths is always convenient when troubleshooting.
# ln -s /etc/opt/csw/postfix /etc/postfix
# cp /etc/mail/aliases /etc/postfix
Time to create the user and group that will own the virtual mailbox storage files. Take note of the UID/GID of this account; they're needed in the configuration.
# groupadd virtmail
# useradd -g virtmail -s /bin/false -c "Virtual Mail User" virtmail
# grep virtmail /etc/group /etc/passwd
Configuring Spamassassin
Setting up and integrating spamassassin into postfix requires a few things to be done. First we need to create a user/group for spamd to run under and a user/group for the spam filter script to run as.
# groupadd spamd
# useradd -g spamd -s /bin/false -d /home/spamd -c "Spamassassin User" spamd
# grep spamd /etc/group /etc/passwd
# groupadd spamfilt
# useradd -g spamfilt -d /home/spamfilt -s /bin/false -c "Spam filter User" spamfilt
# grep spamfilt /etc/group /etc/passwd
Now we need to configure spamassassin. Symlink the spamassassin config directory to an easier to remember location and edit the local.cf file.
# ln -s /opt/csw/etc/spamassassin /etc/spamassassin
An example local.cf:
# Rewrite the subject header to start with *****SPAM*****
rewrite_header Subject *****SPAM*****
# trust mail from this network
trusted_networks 192.168.100.
# required score to tag mail as spam
required_score 5.0
# use bayesian filters built into spamassassin
use_bayes 1
# whether or not to feed mail into the bayesian scoring system
bayes_auto_learn 1
# path to store bayesian filter information
bayes_path /home/spamd/
# permissions to store bayesian filters
bayes_file_mode 0666
# whitelist mail from not_a@spammer.com
whitelist_from not_a@spammer.com
# whitelist all mail from nospam.com
whitelist_from *@nospam.com
# blacklist mail from real@spam.com
blacklist_from real@spam.com
Spamassassin needs to be running as a daemon.
# /opt/csw/bin/spamd --daemonize --username spamd --pidfile /home/spamd/spamd.pid
Now create a simple shell script called spamfilt.sh in /opt/csw/bin that pipes a message through spamassassin (spamc) and hands the result back to postfix via its sendmail binary. This is the script that postfix will call.
#!/bin/sh
/opt/csw/bin/spamc | /opt/csw/sbin/sendmail -i "$@"
exit $?
Adjust the permissions of the new script:
# chown root:spamfilt /opt/csw/bin/spamfilt.sh
# chmod 755 /opt/csw/bin/spamfilt.sh
Configuring Postfix
Configuring postfix is handled through the files in /etc/postfix.
The first thing to do is wrap up the spamassassin configuration by integrating it into postfix. This is done by setting up a transport service in master.cf. The following should be placed at the beginning of the file, directly below the service-type header comment. The service runs as the spamfilt user created earlier and calls the spamfilt.sh script; the second line is a continuation line and must start with whitespace.
spamfilt  unix  -       n       n       -       10      pipe
  flags=Rq user=spamfilt argv=/opt/csw/bin/spamfilt.sh -f ${sender} -- ${recipient}
Also adjust the smtp inet line (the smtpd service) by adding '-o content_filter=spamfilt:dummy' on an indented continuation line directly beneath it.
The meat of the configuration is stored in main.cf:
# Location to store the mail queue
queue_directory = /opt/csw/var/spool/postfix
# Location of postfix binaries
command_directory = /opt/csw/sbin
# Location of daemon executables
daemon_directory = /opt/csw/libexec/postfix
# Owner of mail queue files
mail_owner = postfix
# mail server hostname
myhostname = mx1.higherpass.com
# Domain the mailserver resides in. This is
# normally the FQDN minus the local hostname.
mydomain = higherpass.com
# Origin of mail if one isn't present in the headers
myorigin = $mydomain
# Code to give rejected mail
unknown_local_recipient_reject_code = 550
# Database for the alias
alias_database = hash:/etc/postfix/aliases
# Path to postfix sendmail binary. Sendmail executable
# is included with most unix mailserver for compatibility.
sendmail_path = /opt/csw/sbin/sendmail
# Location of the newaliases command used to rebuild the
# aliases file
newaliases_path = /opt/csw/bin/newaliases
# Where to find the mailq command
mailq_path = /opt/csw/bin/mailq
# Group for mail submission and queue management
setgid_group = postdrop
# Directories for documentation
html_directory = /opt/csw/share/doc/postfix/html
manpage_directory = /opt/csw/share/man
sample_directory = /opt/csw/share/doc/postfix/samples
readme_directory = /opt/csw/share/doc/postfix/README_FILES
# Location of external file containing vhosts 1 per line.
# Alternatively vhosts could be listed comma separated.
virtual_mailbox_domains = /etc/postfix/vhosts.txt
# Base directory mailboxes are stored in.
virtual_mailbox_base = /data/mail/vhosts
# The UID & GID to write mail to the vhost mailboxes as.
# These are the virtmail UID/GID we created earlier.
virtual_uid_maps = static:101
virtual_gid_maps = static:102
# The minimum UID allowed. Setting this to 100 or above prevents
# any accidental writing as system users.
virtual_minimum_uid = 100
# Virtual mailbox mappings file
virtual_mailbox_maps = hash:/etc/postfix/vmailbox
# Virtual alias mappings (virtual_maps is the old name for this parameter)
virtual_alias_maps = hash:/etc/postfix/virtual
# Order to search files for delivery
local_recipient_maps = unix:passwd.byname $alias_maps $virtual_mailbox_maps
# Method to deliver mail if the recipient is not found in the local password file or alias maps
fallback_transport = virtual
# Allow mail relaying for these domains
relay_domains = $transport_maps
# Alias maps file
alias_maps = hash:/etc/postfix/aliases
# Networks to listen on
inet_interfaces = all
# destinations this server is the final home for
mydestination = $myhostname, $mydomain
# Method to generate the mynetworks parameter
mynetworks_style = host
# Path to the mailbox relative to the local users homedir
home_mailbox = Maildir/
# Disable SMTP VRFY that can be used to harvest email addresses
disable_vrfy_command = yes
# SMTP mail destination access restrictions (continuation lines must be indented).
smtpd_recipient_restrictions = permit_mynetworks,
    reject_rbl_client sbl.spamhaus.org,
    reject_rbl_client bl.spamcop.net,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    reject_unauth_pipelining,
    reject_unauth_destination,
    reject_unknown_client
# Give special treatment to owner-listname & listname-request
owner_request_special = no
# Setup SMTP authentication through dovecot.
smtpd_sasl_type = dovecot
smtpd_sasl_path = /opt/csw/var/spool/postfix/private/auth
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
# Enable and configure TLS security
smtpd_tls_cert_file=/opt/csw/ssl/certs/dovecot.pem
smtpd_tls_key_file=/opt/csw/ssl/private/dovecot.pem
smtpd_use_tls=yes
tls_random_source = /dev/urandom
smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
This is a very basic configuration file that should get postfix up and running. Take note of the smtpd_sasl_path and virtual_mailbox_base values; they'll be needed in the Dovecot configuration.
A basic /etc/postfix/aliases file:
MAILER-DAEMON: postmaster
postmaster: root
abuse: postmaster
postfix: root
The list of vhosts hosted by Postfix lives in /etc/postfix/vhosts.txt. This is the file referenced by virtual_mailbox_domains in main.cf:
vhost1.dom
vhost2.dom
vhost3.dom
The mailbox list is stored in /etc/postfix/vmailbox. The left column is the email address and the right column is appended to virtual_mailbox_base. If the path ends with a trailing / the mailbox is stored in qmail's Maildir format; without the slash it is stored in standard mbox format.
# vhost1.dom
fake@vhost1.dom vhost1.dom/fake/
really.fake@vhost1.dom vhost1.dom/really.fake/
# vhost2.dom
notreal@vhost2.dom vhost2.dom/notreal
imaginary@vhost2.dom vhost2.dom/imaginary
/etc/postfix/virtual is the virtual aliases file. The left column holds the incoming address and the right column the address to deliver to.
# vhost1.dom
postmaster@vhost1.dom fake@vhost1.dom
Now that everything is configured, the last thing to do with postfix is build the alias and mailbox databases. These are Berkeley DB versions of the aliases, virtual, and vmailbox files, stored in /etc/postfix as aliases.db, virtual.db, and vmailbox.db.
# /opt/csw/sbin/postalias hash:/etc/postfix/aliases
# /opt/csw/sbin/postmap hash:/etc/postfix/virtual
# /opt/csw/sbin/postmap hash:/etc/postfix/vmailbox
Installing and Configuring Dovecot
Installing Dovecot
Install the package from Blastwave.
# /opt/csw/bin/pkgutil -i CSWdovecot
Create a directory to hold the dovecot configuration files and some more symlinks.
# mkdir /opt/csw/etc/dovecot
# ln -s /opt/csw/etc/dovecot/dovecot.conf /opt/csw/etc/dovecot.conf
# ln -s /opt/csw/etc/dovecot /etc/dovecot
Verify the SSL certificate and key are in place:
cert.key /opt/csw/ssl/private/dovecot.pem
cert.crt /opt/csw/ssl/certs/dovecot.pem
Configuring Dovecot
The dovecot configuration is very straightforward. This configuration uses a separate password file for each vhost. The %d in the userdb and passdb blocks expands to the domain part of the login, i.e. the vhost. When using a separate password file per vhost, the user stored in that file does not include the @vhost part. When opting for a single password file instead, the full address emailaddr@vhost should be the login stored in the password file. Also note that disable_plaintext_auth is set to no here; it should be set to yes on a production system.
Example /etc/dovecot/dovecot.conf:
# What protocols to listen for
protocols = pop3 imap
# Whether to allow plaintext logins over insecure (non-TLS) connections.
disable_plaintext_auth = no
pop3_uidl_format = %08Xu%08Xv
# Default maildir directory relative to the home directory.
default_mail_env = maildir:~/
# First UID/GID allowed to be used for a user
first_valid_uid = 101
first_valid_gid = 102
auth default {
  mechanisms = plain login
  passdb passwd-file {
    args = /data/mail/vhosts/%d/passwd
  }
  userdb passwd-file {
    args = /data/mail/vhosts/%d/passwd
  }
  socket listen {
    client {
      path = /opt/csw/var/spool/postfix/private/auth
      mode = 0660
      user = postfix
      group = postfix
    }
  }
}
The password file is similar to a standard unix password file and uses the same field order: user:password:uid:gid:gecos:home. The password scheme is stored in {} before the password or hash. The UID and GID need to be at or above first_valid_uid/first_valid_gid and, when delivering through the postfix virtual transport, should be the UID/GID of the virtmail user created when installing postfix. Password hashes can be generated with dovecotpw.
/data/mail/vhosts/vhost1.dom/passwd:
fake:{SHA1}PaVBVZkYqAjCQCu6UBL2xgsnZhw=:101:102::/data/mail/vhosts/vhost1.dom/fake/
really.fake:{PLAIN}qwerty:101:102::/data/mail/vhosts/vhost1.dom/really.fake/
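As an added cross-check (example code written for this article, not part of the original post, of Postfix or of Dovecot), the Python below parses the /etc/postfix/vmailbox layout described above and the per-vhost Dovecot passwd-file, reports Maildir mailboxes Dovecot could not serve (missing login, UID/GID differing from virtual_uid_maps/virtual_gid_maps, home not matching virtual_mailbox_base plus the vmailbox path), and verifies a password against a {PLAIN} or {SHA1} field as the scheme prefix implies. The sample data is constructed inline and the function names are my own.

```python
import base64
import hashlib
import hmac
# Constructed sample data in this page's layouts: Postfix vmailbox lines and
# one Dovecot passwd-file per vhost (user:password:uid:gid:gecos:home).
VMAILBOX = """# vhost1.dom
fake@vhost1.dom vhost1.dom/fake/
really.fake@vhost1.dom vhost1.dom/really.fake/
"""
PASSWD_FILES = {"vhost1.dom": """\
fake:{SHA1}PaVBVZkYqAjCQCu6UBL2xgsnZhw=:101:102::/data/mail/vhosts/vhost1.dom/fake/
really.fake:{PLAIN}qwerty:101:102::/data/mail/vhosts/vhost1.dom/really.fake/
"""}
BASE, UID, GID = "/data/mail/vhosts", 101, 102  # values from main.cf

def parse_vmailbox(text):
    """{address: path under virtual_mailbox_base}; skips comments and blanks."""
    return dict(l.split(None, 1) for l in text.splitlines()
                if l.strip() and not l.lstrip().startswith("#"))

def parse_passwd_file(text):
    """{user: (uid, gid, password field, home)}; field order as in /etc/passwd."""
    rows = [l.split(":") for l in text.splitlines() if l.strip()]
    return {r[0]: (int(r[2]), int(r[3]), r[1], r[5]) for r in rows}

def check_consistency(vmailbox=VMAILBOX, passwd_files=PASSWD_FILES):
    """Report Maildir mailboxes Dovecot could not serve: missing login, UID/GID
    not matching virtual_uid/gid_maps, or home != virtual_mailbox_base + path."""
    problems = []
    for addr, rel in parse_vmailbox(vmailbox).items():
        user, vhost = addr.split("@", 1)
        entry = parse_passwd_file(passwd_files.get(vhost, "")).get(user)
        if entry is None:
            problems.append(f"{addr}: no login in {vhost}/passwd")
        elif entry[:2] != (UID, GID):
            problems.append(f"{addr}: uid/gid {entry[0]}/{entry[1]} != {UID}/{GID}")
        elif entry[3].rstrip("/") != f"{BASE}/{rel}".rstrip("/"):
            problems.append(f"{addr}: home {entry[3]} != {BASE}/{rel}")
    return problems

def make_field(scheme, password):
    """Build a {SCHEME}value field; SHA1 is base64 of the raw SHA-1 digest.
    Raises KeyError for schemes other than PLAIN and SHA1."""
    sha1 = base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()
    return "{%s}%s" % (scheme, {"PLAIN": password, "SHA1": sha1}[scheme])

def verify_password(field, password):
    """Constant-time check of a password against a stored {SCHEME}value field."""
    scheme = field[1:].split("}", 1)[0]
    return hmac.compare_digest(field.encode(), make_field(scheme, password).encode())
```

Run check_consistency() against the real files after editing vmailbox or a passwd file; an empty list means every Postfix mailbox has a matching Dovecot login.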
Finally we need to configure SASL. This is done by creating /etc/sasl/smtpd.conf with the following:
pwcheck_method: auxprop
mech_list: PLAIN LOGIN
A lot of postfix/SASL installations keep the SASL configuration files in /etc/sasl, so create the following symlink to make them visible under /etc/postfix as well.
# ln -s /etc/sasl /etc/postfix/sasl
The very last thing that needs to be done is to restart postfix and dovecot.
# svcadm restart cswdovecot cswpostfix
Hope you enjoyed Installing Postfix and Dovecot