Postfix
Postfix is Wietse Venema's sendmail alternative that attempts to be fast, easy to administer, and secure, while at the same time being sendmail compatible enough to not upset existing users.
Postfix:pmm is our shell script to review the Postfix maillog.
Postfix:main.cf contains additional ideas for your main.cf.
Spf explains how to create SPF records.
FreeBSD and TLS/SASL
Ignore the version numbers, the port names are what is important.
# pkg_info | egrep '(postfix|sasl)'
cyrus-sasl-2.1.21_1         RFC 2222 SASL (Simple Authentication and Security Layer)
cyrus-sasl-saslauthd-2.1.21 SASL authentication server for cyrus-sasl2
postfix-2.2.6,1             A secure alternative to widely-used Sendmail
postfix:main.cf:
smtpd_use_tls = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain =
broken_sasl_auth_clients = yes
Anything extra in the directory below I put into the deactivated directory I created.
# ls /usr/local/lib/sasl2/
deactivated         libdigestmd5.so.2   libplain.so.2
libcrammd5.a        liblogin.a          libsasldb.a
libcrammd5.so       liblogin.so         libsasldb.so
libcrammd5.so.2     liblogin.so.2       libsasldb.so.2
libdigestmd5.a      libplain.a          smtpd.conf
libdigestmd5.so     libplain.so
rc.conf:
saslauthd_enable="YES"
In my case, I used the .pem file I had for imapd. You may have to generate one using mkimapdcert if you don't have $file.pem on your server. And finally, start everything up.
# /usr/local/etc/rc.d/saslauthd.sh start
# postfix reload
Now
# tail -f /var/log/maillog
and try to use TLS & SMTP AUTH with your email client, watching the logs.
OpenBSD and TLS/SASL
I just configured this on my BSD and it seems to work. A tcpdump showed that this works encrypted over the wire. I had to relax the strictness with TLS because my provider's authorized certificate doesn't match with the hostname or something.
Building from ports was like this:
# cd /usr/ports/mail/postfix
# cd snapshot
# env FLAVOR=sasl2 make install
That should build it. My configuration looks somewhat like this:
# generic mailer stuff
smtp_generic_maps = hash:/etc/postfix/generic
# sasl stuff
broken_sasl_auth_clients = no
lmtp_sasl_auth_enable = no
lmtp_sasl_security_options = noplaintext, noanonymous
lmtp_sasl_tls_security_options = $lmtp_sasl_security_options
lmtp_sasl_tls_verified_security_options = $lmtp_sasl_tls_security_options
lmtp_sasl_type = cyrus
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noplaintext, noanonymous
smtp_sasl_tls_security_options = $smtp_sasl_security_options
smtp_sasl_tls_verified_security_options = $smtp_sasl_tls_security_options
smtp_sasl_type = cyrus
smtpd_sasl_auth_enable = no
smtpd_sasl_authenticated_header = no
smtpd_sasl_path = smtpd
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
smtpd_sasl_type = cyrus
smtp_enforce_tls = yes
smtp_sasl_tls_security_options = $smtp_sasl_security_options
smtp_sasl_tls_verified_security_options = $smtp_sasl_tls_security_options
smtp_starttls_timeout = 300s
smtp_tls_dkey_file = $smtp_tls_dcert_file
smtp_tls_enforce_peername = yes
smtp_tls_key_file = $smtp_tls_cert_file
smtp_tls_loglevel = 2
smtp_tls_mandatory_ciphers = medium
smtp_tls_mandatory_protocols = SSLv3, TLSv1
smtp_tls_note_starttls_offer = no
smtp_tls_scert_verifydepth = 5
smtp_tls_secure_cert_match = nexthop, dot-nexthop
smtp_tls_security_level = encrypt
smtp_tls_session_cache_timeout = 3600s
smtp_tls_verify_cert_match = hostname
smtp_use_tls = yes
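Both main.cf fragments on this page (the FreeBSD smtpd one and the OpenBSD one above) mix SASL and TLS knobs whose interaction is easy to misread. The following is an added checker, not part of this page or of Postfix itself: it parses a main.cf fragment the way Postfix reads it (comments, indented continuation lines, $name references) and flags two things a reviewer would look for, PLAIN/LOGIN being offered before STARTTLS and SSLv2/SSLv3 still listed in a mandatory protocol list. The sample main.cf is constructed for the demo and only borrows the settings shown above.

```python
import re

# Constructed sample, modelled on the inbound (smtpd) settings shown on this page.
SAMPLE_MAIN_CF = """\
smtpd_use_tls = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
smtpd_sasl_local_domain =
broken_sasl_auth_clients = yes
smtp_tls_mandatory_protocols = SSLv3,
    TLSv1
"""

def parse_main_cf(text):
    """Parse main.cf: '#' comments, indented continuation lines, $name references."""
    conf, last = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and last:              # continuation of previous value
            conf[last] = (conf[last] + " " + raw.strip()).strip()
            continue
        key, _, value = raw.partition("=")
        last = key.strip()
        conf[last] = value.strip()
    def expand(value, depth=0):
        if depth > 10:                              # guard against reference loops
            return value
        return re.sub(r"\$\{?(\w+)\}?",
                      lambda m: expand(conf.get(m.group(1), ""), depth + 1), value)
    return {k: expand(v) for k, v in conf.items()}

def split_list(value):
    # Postfix list values are separated by commas and/or whitespace.
    return [item for item in re.split(r"[,\s]+", value) if item]

def audit(conf):
    """Return findings for the SASL/TLS settings this page touches."""
    findings = []
    if conf.get("smtpd_sasl_auth_enable") == "yes":
        opts = split_list(conf.get("smtpd_sasl_security_options", "noanonymous"))
        if "noplaintext" not in opts and conf.get("smtpd_tls_auth_only", "no") != "yes":
            findings.append("smtpd offers PLAIN/LOGIN before STARTTLS: add noplaintext to "
                            "smtpd_sasl_security_options or set smtpd_tls_auth_only = yes")
    for key in ("smtp_tls_mandatory_protocols", "smtpd_tls_mandatory_protocols"):
        bad = [p for p in split_list(conf.get(key, "")) if p.upper() in ("SSLV2", "SSLV3")]
        if bad:
            findings.append(f"{key} still lists {', '.join(bad)}: exclude the SSL protocols")
    return findings
```

Feed it the real file with `audit(parse_main_cf(open("/etc/postfix/main.cf").read()))`; the two findings for the sample disappear once `smtpd_tls_auth_only = yes` and `!SSLv2, !SSLv3` are set.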
submission
If you want to follow the RFC, or if your ISP blocks port 25, you might want to have port 587 available for SMTP. This is trivial in postfix. Remove the # in master.cf:
submission inet n - n - - smtpd
and restart postfix
# postfix reload
and now you should have both ports 25 and 587 listening.