PostfixInstallDebianLenny » History » Revision 2
Revision 1 (Lutz Suhrbier, 09/13/2010 06:27 PM) → Revision 2/6 (Lutz Suhrbier, 09/13/2010 06:46 PM)
## Postfix Installation (Debian Lenny)

This document describes how to install Postfix as a relay host that accepts only local mail and forwards local system mail to real-world email recipients such as the system administrator(s). First, install the postfix and libsasl2 packages:

~~~
apt-get install postfix libsasl2-modules
~~~

Then, set up Postfix as a local SMTP mail relay server. First, consider the following options in _/etc/postfix/main.cf_. The remaining options should be left at their Debian default values.

~~~
# See /usr/share/postfix/main.cf.dist for a commented, more complete version

# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The default is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

### localhost only ###
mydomain = e-taxonomy.eu
myhostname = idp.$mydomain
#myorigin = /etc/mailname
myorigin = $myhostname
mydestination = $myhostname, localhost.$mydomain, localhost
mynetworks = 127.0.0.0/8
inet_interfaces = all

### redirect root mail to system administrator ###
mailbox_transport = lmtp:localhost
#mailbox_size_limit = 0
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases

### mail relay host and password ###
#local_recipient_maps = $alias_maps ldap:/etc/postfix/local_recipient_maps.cf
local_recipient_maps =
relayhost = mail.arcor.de
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
recipient_delimiter = +

### configure TLS connection to relay host ###
# SASL parameters
smtp_tls_security_level = encrypt
#smtp_tls_CApath = /etc/ssl/certs
smtp_tls_CAfile = /etc/ssl/certs/Thawte_Premium_Server_CA.pem
smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous
smtp_sasl_tls_security_options = noanonymous

# TLS parameters
# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.
#smtpd_tls_cert_file=/etc/ssl/certs/idp.e-taxonomy.eu-cert.pem
#smtpd_tls_key_file=/etc/ssl/private/idp.e-taxonomy.eu-key.pem
#smtpd_tls_CApath=/etc/ssl/certs
#smtpd_use_tls=yes
#smtpd_tls_auth_only = yes
#smtpd_tls_loglevel = 2
#smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
#tls_random_source = dev:/dev/urandom
#smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache

# Anti-Spam
smtpd_helo_required = yes
disable_vrfy_command = yes
strict_rfc821_envelopes = yes
smtpd_recipient_restrictions =
    permit_sasl_authenticated,
    permit_mynetworks,
    reject_unauth_destination,
    reject_invalid_hostname,
    reject_non_fqdn_hostname,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    reject_unauth_pipelining,
#    check_client_access hash:/etc/postfix/maps/access_client,
#    check_helo_access hash:/etc/postfix/maps/access_helo,
#    check_sender_access hash:/etc/postfix/maps/access_sender,
#    check_recipient_access hash:/etc/postfix/maps/access_recipient,
    reject_rbl_client bl.spamcop.net,
    reject_rbl_client dynablock.njabl.org,
    reject_rbl_client zen.spamhaus.org,
    reject_rbl_client cbl.abuseat.org,
    reject_rbl_client sbl.spamhaus.org,
    reject_rbl_client pbl.spamhaus.org,
    reject_rbl_client list.dsbl.org,
    permit

# Amavis integration
#content_filter=smtp-amavis:[127.0.0.1]:10024
#receive_override_options=no_address_mappings
~~~

The first block (_localhost only_) limits the accessibility of the mail server to localhost. That way, any incoming requests from the Internet should be rejected.

The _alias_maps_ directives allow mail for local accounts (e.g. the system user root) to be redirected to a "real world" email recipient. The aliases must be defined in _/etc/aliases_ (e.g. postmaster -> root, root -> sysadmin@real.world.org).

~~~
root: sysadmin@real.world.org
postmaster: root
~~~

Also, _/etc/aliases_ must be hashed using the _postalias_ command.

~~~
postalias /etc/aliases
~~~

Next, the SMTP server to which all outgoing mail is relayed must be defined. If you can use an internal mail server that does not require a login before sending email (e.g. IP-address authentication), you can omit the next paragraph. Currently, we are using the free mail hoster _mail.arcor.de_, because it permits relaying emails with any sender domain. In order to submit the user credentials required for login, create _/etc/postfix/sasl_passwd_ and define your mail relay host and login credentials as follows.

~~~
mail.arcor.de userid:password
~~~

The file must be hashed using the _postmap_ command.

~~~
postmap /etc/postfix/sasl_passwd
~~~

Then, the last block (_configure TLS connection to relay host_) configures the TLS/SSL negotiation with the relay host (hopefully supported by your mail provider). The security level should be set to encrypt (passwords are sent!) and the root CA certificate of the mail relay server (e.g. Thawte Premium for arcor.de) must be given.

*Note:* Using the smtp_tls_CApath directive pointing to the default certificate directory _/etc/ssl/certs_, which is installed along with the _ssl-cert_ package, did not work for me?!

Finally, restart the Postfix server as usual.

~~~
/etc/init.d/postfix restart
~~~

That's all.
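As an added check that is not part of the original page, the following shell script audits the relay settings discussed above in a main.cf and the sasl_passwd file: it flags inet_interfaces = all (Postfix then still listens on every interface; mynetworks only restricts who may relay), flags smtp_tls_security_level = encrypt because at that level Postfix enforces TLS but does not verify the relay's certificate against smtp_tls_CAfile (verify or secure does), and checks that sasl_passwd is mode 600 and has been postmapped. The function names cf_get and audit_relay and the SAMPLE_DIR files are my own; the sample main.cf inside is constructed from the page's values.

```shell
# Added audit helper (not part of the wiki page). It checks the relay-related
# main.cf options above and the sasl_passwd file; assumes "option = value" lines.
# cf_get FILE OPTION: print the effective value (last uncommented assignment wins).
cf_get() {
    awk -v k="$2" '
        /^[ \t]*#/ || index($0, "=") == 0 { next }
        { key = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", key) }
        key == k { v = substr($0, index($0, "=") + 1); gsub(/^[ \t]+|[ \t]+$/, "", v); last = v }
        END { print last }' "$1"
}
# audit_relay MAIN_CF SASL_PASSWD: one line per finding, no output when clean.
audit_relay() {
    cf="$1"; pw="$2"
    case "$(cf_get "$cf" inet_interfaces)" in
        loopback-only|localhost|127.0.0.1) ;;
        *) echo "inet_interfaces: listens on non-loopback interfaces too; use loopback-only" ;;
    esac
    for net in $(cf_get "$cf" mynetworks | tr ',' ' '); do
        case "$net" in 127.*|\[::1\]*) ;; *) echo "mynetworks: non-loopback entry $net" ;; esac
    done
    case "$(cf_get "$cf" smtp_tls_security_level)" in
        secure|verify|fingerprint|dane-only) ;;
        encrypt) echo "smtp_tls_security_level: encrypt enforces TLS but never verifies the relay certificate" ;;
        *) echo "smtp_tls_security_level: SASL credentials would be sent without mandatory TLS" ;;
    esac
    [ "$(cf_get "$cf" smtp_sasl_auth_enable)" = yes ] || echo "smtp_sasl_auth_enable: not yes"
    for opt in smtp_sasl_security_options smtp_sasl_tls_security_options; do
        case "$(cf_get "$cf" "$opt")" in *noanonymous*) ;; *) echo "$opt: missing noanonymous" ;; esac
    done
    [ -f "$pw" ] || { echo "$pw: missing"; return 0; }
    case "$(ls -ld "$pw" | cut -c5-10)" in
        ------) ;; *) echo "$pw: readable by group or others; chmod 600 $pw" ;;
    esac
    [ -f "$pw.db" ] || echo "$pw.db: missing; run postmap $pw"
}
# Constructed sample mirroring the page's relay settings (not a real host's config).
SAMPLE_DIR=$(mktemp -d)
PAGE_CF="$SAMPLE_DIR/main.cf"; PAGE_PW="$SAMPLE_DIR/sasl_passwd"
cat > "$PAGE_CF" <<'EOF'
mynetworks = 127.0.0.0/8
inet_interfaces = all
smtp_tls_security_level = encrypt
smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous
smtp_sasl_tls_security_options = noanonymous
EOF
echo 'mail.arcor.de userid:password' > "$PAGE_PW"; chmod 600 "$PAGE_PW"; : > "$PAGE_PW.db"
audit_relay "$PAGE_CF" "$PAGE_PW"   # two findings expected: inet_interfaces and smtp_tls_security_level
```

Run it as root against the real files with `audit_relay /etc/postfix/main.cf /etc/postfix/sasl_passwd` after the steps above; a clean run prints nothing.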