Postfix

From Hackepedia
Revision as of 23:10, 5 June 2019 by Franks (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigationJump to search

Postfix is Wietse Venema's sendmail alternative that attempts to be fast, easy to administer, and secure, while at the same time being sendmail compatible enough to not upset existing users.

Postfix:pmm is our shell script to review Postfix maillog.

Postfix:main.cf contains additional ideas for your main.cf

Spf is how to create SPF records

FreeBSD and TLS/SASL

Ignore the version numbers, the port names are what is important.

# pkg_info | egrep '(postfix|sasl)'
cyrus-sasl-2.1.21_1 RFC 2222 SASL (Simple Authentication and Security Layer)
cyrus-sasl-saslauthd-2.1.21 SASL authentication server for cyrus-sasl2
postfix-2.2.6,1     A secure alternative to widely-used Sendmail

postfix:main.cf:

smtpd_use_tls = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain =
broken_sasl_auth_clients = yes

Anything extra in the directory below I put into the deactivated directory I created.

# ls /usr/local/lib/sasl2/
deactivated             libdigestmd5.so.2       libplain.so.2
libcrammd5.a            liblogin.a              libsasldb.a
libcrammd5.so           liblogin.so             libsasldb.so
libcrammd5.so.2         liblogin.so.2           libsasldb.so.2
libdigestmd5.a          libplain.a              smtpd.conf
libdigestmd5.so         libplain.so

rc.conf:

saslauthd_enable="YES"

In my case, I used the .pem file I had for imapd. You may have to generate on using mkimapdcert if you don't have $file.pem on your server. And finally, start everything up.

#  /usr/local/etc/rc.d/saslauthd.sh start
# postfix reload

Now

# tail -f /var/log/maillog

and try to use TLS & SMTP AUTH with your email client, watching the logs.

OpenBSD and TLS/SASL

I just configured this on my BSD and it seems to work. A tcpdump showed that this works encrypted over the wire. I had to relax the strictness with TLS because my provider's authorized certificate doesn't match with the hostname or something.

Building from ports was like this

# cd /usr/ports/mail/postfix
# cd snapshot
# env FLAVOR=sasl2 make install

that should build this. My configuration looks like this somewhat...:

# generic mailer stuff
smtp_generic_maps = hash:/etc/postfix/generic
# sasl stuff
broken_sasl_auth_clients = no
lmtp_sasl_auth_enable = no
lmtp_sasl_security_options = noplaintext, noanonymous
lmtp_sasl_tls_security_options = $lmtp_sasl_security_options
lmtp_sasl_tls_verified_security_options = $lmtp_sasl_tls_security_options
lmtp_sasl_type = cyrus
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps =  hash:/etc/postfix/sasl_passwd 
smtp_sasl_security_options = noplaintext, noanonymous
smtp_sasl_tls_security_options = $smtp_sasl_security_options
smtp_sasl_tls_verified_security_options = $smtp_sasl_tls_security_options
smtp_sasl_type = cyrus
smtpd_sasl_auth_enable = no
smtpd_sasl_authenticated_header = no
smtpd_sasl_path = smtpd
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options =  $smtpd_sasl_security_options
smtpd_sasl_type = cyrus
smtp_enforce_tls = yes
smtp_sasl_tls_security_options =  $smtp_sasl_security_options
smtp_sasl_tls_verified_security_options = $smtp_sasl_tls_security_options
smtp_starttls_timeout = 300s
smtp_tls_dkey_file = $smtp_tls_dcert_file
smtp_tls_enforce_peername = yes
smtp_tls_key_file = $smtp_tls_cert_file
smtp_tls_loglevel = 2
smtp_tls_mandatory_ciphers = medium
smtp_tls_mandatory_protocols = SSLv3, TLSv1
smtp_tls_note_starttls_offer = no
smtp_tls_scert_verifydepth = 5
smtp_tls_secure_cert_match = nexthop, dot-nexthop
smtp_tls_security_level = encrypt
smtp_tls_session_cache_timeout = 3600s
smtp_tls_verify_cert_match = hostname
smtp_use_tls = yes


submission

If you want to follow the RFC, or if your ISP blocks port 25, you might want to have port 587 available for SMTP. This is trivial in postfix. Remove the # in master.cf:

submission inet n       -       n       -       -       smtpd

and restart postfix

# postfix reload

and now you should have both ports 25 and 587 listening.