This shows you the differences between two versions of the page.
| build:postfix [2010/03/03 15:11] 99.100.133.164 old revision restored | build:postfix [2010/03/10 19:50] (current) 208.94.184.247 Use sudo as appropriate. | | |
|---|---|---|---|
| Line 5: | Line 5: | ||
| ===== Installation ===== | ===== Installation ===== | ||
| The default MTA in Debian is EXIM. In the default install the log rotation is already configured in /etc/cron.daily for EXIM, so remove the script | The default MTA in Debian is EXIM. In the default install the log rotation is already configured in /etc/cron.daily for EXIM, so remove the script | ||
| - | <code rootshell> | + | <code bash> |
| - | rm /etc/cron.daily/exim4-base | + | sudo rm /etc/cron.daily/exim4-base |
| </code> | </code> | ||
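Review bot: `sudo rm /etc/cron.daily/exim4-base` deletes a file that belongs to the exim4-base package but leaves the package installed, so dpkg now records a package with a missing file and a later reinstall of exim4-base brings the cron job back. Installing Postfix only removes the exim4 daemon package (both provide mail-transport-agent), not exim4-base, so the cleaner fix is to purge it after Postfix is in place: `sudo apt-get purge exim4-base` (confirm ownership first with `dpkg -S /etc/cron.daily/exim4-base`). The sudo prefix itself is correct; the file is root-owned.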
| Line 12: | Line 12: | ||
| Install the package: | Install the package: | ||
| - | <code rootshell> | + | <code bash> |
| - | apt-get install postfix | + | sudo apt-get install postfix |
| </code> | </code> | ||
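Review bot: `sudo apt-get install postfix` triggers the debconf "general type of mail configuration" prompt, and the answer decides whether a main.cf is generated. Since the page builds main.cf by hand from Line 25 onward (and assumes the file may not exist), the note should say to choose "No configuration" here; any other choice produces a generated main.cf whose settings the later `postconf -e` lines only partially override.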
| Line 25: | Line 25: | ||
| The postconf utility won't create a config file if it doesn't exist, so create it manually: | The postconf utility won't create a config file if it doesn't exist, so create it manually: | ||
| - | <code rootshell> | + | <code bash> |
| - | touch /etc/postfix/main.cf | + | sudo touch /etc/postfix/main.cf |
| </code> | </code> | ||
| Line 33: | Line 33: | ||
| Set the host and domain names: | Set the host and domain names: | ||
| - | <code rootshell> | + | <code bash> |
| - | postconf -e "myhostname=`hostname -f`" | + | sudo postconf -e "myhostname=`hostname -f`" |
| - | postconf -e "mydomain=`hostname -d`" | + | sudo postconf -e "mydomain=`hostname -d`" |
| </code> | </code> | ||
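Review bot: `sudo postconf -e "mydomain=\`hostname -d\`"` writes an empty `mydomain =` on a host whose name has no domain part, and everything derived from it later (`myorigin=$mydomain`, `localhost.$mydomain` in `mydestination`) then expands to an empty domain. Postfix already defaults `mydomain` to `$myhostname` minus its first label, so this line can be dropped, or the page should say to verify that `hostname -f` prints a fully qualified name before running either command. The backticks are expanded by the caller's shell before sudo runs, which is fine here because `hostname` needs no privilege.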
| Line 41: | Line 41: | ||
| For secondary (not the main mail server) systems, don't list all those domains shown above. Only list "localhost" and specific domains this system will accept mail for. This might include "$myhostname,", but never "$mydomain,". For example, use this instead: | For secondary (not the main mail server) systems, don't list all those domains shown above. Only list "localhost" and specific domains this system will accept mail for. This might include "$myhostname,", but never "$mydomain,". For example, use this instead: | ||
| - | <code rootshell> | + | <code bash> |
| - | postconf -e 'mydestination=localhost.$mydomain, localhost' | + | sudo postconf -e 'mydestination=localhost.$mydomain, localhost' |
| </code> | </code> | ||
| Set the domain name to add for any addresses that are not specified: | Set the domain name to add for any addresses that are not specified: | ||
| - | <code rootshell> | + | <code bash> |
| - | postconf -e 'myorigin=$mydomain' | + | sudo postconf -e 'myorigin=$mydomain' |
| </code> | </code> | ||
| Denote which systems can send outbound email (without having to authenticate). We also include a separate file to list any additional IPs that are allowed to relay through us. See the **Relay** section below. | Denote which systems can send outbound email (without having to authenticate). We also include a separate file to list any additional IPs that are allowed to relay through us. See the **Relay** section below. | ||
| - | <code rootshell> | + | <code bash> |
| - | postconf -e 'mynetworks=127.0.0.0/8, hash:/etc/postfix/mynetworks' | + | sudo postconf -e 'mynetworks=127.0.0.0/8, hash:/etc/postfix/mynetworks' |
| </code> | </code> | ||
| Assuming ''/etc/postfix/mynetworks'' doesn't already exist, create it, | Assuming ''/etc/postfix/mynetworks'' doesn't already exist, create it, | ||
| add any desired adddresses to it, and generate the binary hash file from it: | add any desired adddresses to it, and generate the binary hash file from it: | ||
| - | <code rootshell> | + | <code bash> |
| - | cat >> /etc/postfix/mynetworks << 'EOD' | + | sudo sh -c "cat >> /etc/postfix/mynetworks << 'EOD'" |
| # These IPs are allowed to relay through our SMTP servers. | # These IPs are allowed to relay through our SMTP servers. | ||
| # This list was originally taken from Dark. | # This list was originally taken from Dark. | ||
| Line 64: | Line 64: | ||
| # NOTE: The 2nd field is not used, but you'll get warnings from postmap if you leave it out. | # NOTE: The 2nd field is not used, but you'll get warnings from postmap if you leave it out. | ||
| EOD | EOD | ||
| - | vi /etc/postfix/mynetworks | + | sudo vi /etc/postfix/mynetworks |
| - | postmap /etc/postfix/mynetworks | + | sudo postmap /etc/postfix/mynetworks |
| </code> | </code> | ||
| Set what the SMTP server should say when a client connects: | Set what the SMTP server should say when a client connects: | ||
| - | <code rootshell> | + | <code bash> |
| - | postconf -e 'smtpd_banner=$myhostname ESMTP $mail_name' | + | sudo postconf -e 'smtpd_banner=$myhostname ESMTP $mail_name' |
| </code> | </code> | ||
| Set the mail aliases file. (Note that the aliases file is special in 3 ways: it exists outside the ''/etc/postfix'' directory for historical reasons; it uses a colon (':') to separate the left side from the right; and you use the ''newaliases'' command after updating it, instead of the ''postmap'' command.) | Set the mail aliases file. (Note that the aliases file is special in 3 ways: it exists outside the ''/etc/postfix'' directory for historical reasons; it uses a colon (':') to separate the left side from the right; and you use the ''newaliases'' command after updating it, instead of the ''postmap'' command.) | ||
| - | <code rootshell> | + | <code bash> |
| - | postconf -e 'alias_maps=hash:/etc/aliases' | + | sudo postconf -e 'alias_maps=hash:/etc/aliases' |
| - | postconf -e 'alias_database=hash:/etc/aliases' | + | sudo postconf -e 'alias_database=hash:/etc/aliases' |
| </code> | </code> | ||
| Set maximum sizes for messages (50 MB) and mailboxes (1 GB): | Set maximum sizes for messages (50 MB) and mailboxes (1 GB): | ||
| - | <code rootshell> | + | <code bash> |
| - | postconf -e 'message_size_limit=50000000' | + | sudo postconf -e 'message_size_limit=50000000' |
| - | postconf -e 'mailbox_size_limit=1000000000' | + | sudo postconf -e 'mailbox_size_limit=1000000000' |
| </code> | </code> | ||
| By default, Postfix will keep trying to send an email for 5 days, before it gives up and tells you that it had a problem. That seems rather long, so we reduce it to 1 day: | By default, Postfix will keep trying to send an email for 5 days, before it gives up and tells you that it had a problem. That seems rather long, so we reduce it to 1 day: | ||
| - | <code rootshell> | + | <code bash> |
| - | postconf -e 'maximal_queue_lifetime=1d' | + | sudo postconf -e 'maximal_queue_lifetime=1d' |
| - | postconf -e 'bounce_queue_lifetime=1d' | + | sudo postconf -e 'bounce_queue_lifetime=1d' |
| </code> | </code> | ||
| Allow email addressed to 'username+foo', so the user can have multiple virtual sub-addresses: | Allow email addressed to 'username+foo', so the user can have multiple virtual sub-addresses: | ||
| - | <code rootshell> | + | <code bash> |
| - | postconf -e 'recipient_delimiter=+' | + | sudo postconf -e 'recipient_delimiter=+' |
| </code> | </code> | ||
| Have the SMTP server listen only on the localhost interface: | Have the SMTP server listen only on the localhost interface: | ||
| - | <code rootshell> | + | <code bash> |
| - | postconf -e 'inet_interfaces=127.0.0.1' | + | sudo postconf -e 'inet_interfaces=127.0.0.1' |
| </code> | </code> | ||
| The [[http://www.list.org/mailman-install/node12.html|Mailman documentation]] recommends the following setting. It ensures that emails to unknown local addresses will generate a permanent error, not a transient error in which the client will keep re-trying. | The [[http://www.list.org/mailman-install/node12.html|Mailman documentation]] recommends the following setting. It ensures that emails to unknown local addresses will generate a permanent error, not a transient error in which the client will keep re-trying. | ||
| - | <code rootshell> | + | <code bash> |
| - | postconf -e 'unknown_local_recipient_reject_code=550' | + | sudo postconf -e 'unknown_local_recipient_reject_code=550' |
| </code> | </code> | ||
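Review bot: the rewritten heredoc at `sudo sh -c "cat >> /etc/postfix/mynetworks << 'EOD'"` does not write anything. The here-document body sits outside the double-quoted command string, so the inner `sh` sees a heredoc with no body (it appends nothing and warns "here-document delimited by end-of-file"), while the outer shell treats the following `#` lines as comments and then tries to execute `EOD` as a command. Keep the heredoc in the caller's shell and elevate only the write, e.g. `sudo tee -a /etc/postfix/mynetworks > /dev/null << 'EOD'` followed by the same lines and the `EOD` terminator, then `sudo postmap /etc/postfix/mynetworks` as before. Worth one sentence in this section as well: with `inet_interfaces=127.0.0.1` set a few lines further down, no remote host reaches this listener, so the relay entries in `mynetworks` take effect only once a non-loopback interface is opened in the later TLS/SASL setup.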
| Line 110: | Line 110: | ||
| First check to ensure that the configuration files are valid. (If it returns without printing anything, then the configuration is valid.) | First check to ensure that the configuration files are valid. (If it returns without printing anything, then the configuration is valid.) | ||
| - | <code rootshell> | + | <code bash> |
| - | postfix check | + | sudo postfix check |
| </code> | </code> | ||
| Make sure that there's an ''/etc/aliases.db'' file: | Make sure that there's an ''/etc/aliases.db'' file: | ||
| - | <code rootshell> | + | <code bash> |
| - | newaliases | + | sudo newaliases |
| </code> | </code> | ||
| Start the Postfix daemons: | Start the Postfix daemons: | ||
| - | <code rootshell> | + | <code bash> |
| - | /etc/init.d/postfix start | + | sudo /etc/init.d/postfix start |
| </code> | </code> | ||
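Review bot: the context line says `postfix check` is fine if it prints nothing, but the command also logs to syslog and returns a non-zero exit status on fatal errors, so `sudo postfix check; echo $?` is the reliable test. sudo is required here for a second reason the text could mention: `postfix check` also repairs ownership and permissions of the queue directories under /var/spool/postfix, and `newaliases` must be able to rewrite /etc/aliases.db.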
| Line 207: | Line 207: | ||
| === Required Packages === | === Required Packages === | ||
| First install some prerequisites that are required to get TLS/SSL and SASL working with Postfix. | First install some prerequisites that are required to get TLS/SSL and SASL working with Postfix. | ||
| - | <code rootshell> | + | <code bash> |
| - | apt-get install openssl ssl-cert ca-certificates | + | sudo apt-get install openssl ssl-cert ca-certificates |
| - | apt-get install sasl2-bin libsasl2 libsasl2-modules | + | sudo apt-get install sasl2-bin libsasl2 libsasl2-modules |
| - | apt-get install postfix-tls | + | sudo apt-get install postfix-tls |
| </code> | </code> | ||
| Next, you'll need to create the SSL certificates. We've not documented this part well, but this might do the trick: | Next, you'll need to create the SSL certificates. We've not documented this part well, but this might do the trick: | ||
| - | <code rootshell> | + | <code bash> |
| - | openssl -gencert postfix | + | sudo openssl -gencert postfix |
| </code> | </code> | ||
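Review bot: `sudo openssl -gencert postfix` is not a valid invocation (openssl has no `-gencert` option or subcommand), and the text already flags this step as undocumented. A working replacement that matches the paths used in the main.cf hunk below is a self-signed certificate generated with `sudo openssl req -new -x509 -nodes -days 365 -keyout /etc/ssl/private/postfix.key -out /etc/ssl/postfix.crt` followed by `sudo chmod 600 /etc/ssl/private/postfix.key`; the `ssl-cert` package installed two lines above also ships `make-ssl-cert` if a snakeoil-style certificate is acceptable. Two package names in this hunk are stale as well: `postfix-tls` is a transitional dummy package (TLS has been built into postfix since 2.2), and `libsasl2` has been renamed `libsasl2-2`.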
| Line 236: | Line 236: | ||
| === main.cf === | === main.cf === | ||
| Add SASL configuration directives to the Postfix configuration: | Add SASL configuration directives to the Postfix configuration: | ||
| - | <code rootshell> | + | <code bash> |
| - | postconf -e 'smtpd_sasl_auth_enable=yes' | + | sudo postconf -e 'smtpd_sasl_auth_enable=yes' |
| - | postconf -e 'smtpd_sasl_security_options=noanonymous' | + | sudo postconf -e 'smtpd_sasl_security_options=noanonymous' |
| - | postconf -e 'smtpd_sasl_local_domain=$myhostname' | + | sudo postconf -e 'smtpd_sasl_local_domain=$myhostname' |
| - | postconf -e 'broken_sasl_auth_clients=yes' | + | sudo postconf -e 'broken_sasl_auth_clients=yes' |
| </code> | </code> | ||
| To enable TLS SMTP authentication, add these options: | To enable TLS SMTP authentication, add these options: | ||
| - | <code rootshell> | + | <code bash> |
| - | postconf -e 'smtpd_use_tls=yes' | + | sudo postconf -e 'smtpd_use_tls=yes' |
| - | postconf -e 'smtpd_tls_auth_only=yes' | + | sudo postconf -e 'smtpd_tls_auth_only=yes' |
| - | postconf -e 'smtp_tls_cert_file=/etc/ssl/postfix.crt' | + | sudo postconf -e 'smtp_tls_cert_file=/etc/ssl/postfix.crt' |
| - | postconf -e 'smtp_tls_key_file=/etc/ssl/private/postfix.key' | + | sudo postconf -e 'smtp_tls_key_file=/etc/ssl/private/postfix.key' |
| - | postconf -e 'smtpd_tls_cert_file=/etc/ssl/postfix.crt' | + | sudo postconf -e 'smtpd_tls_cert_file=/etc/ssl/postfix.crt' |
| - | postconf -e 'smtpd_tls_key_file=/etc/ssl/private/postfix.key' | + | sudo postconf -e 'smtpd_tls_key_file=/etc/ssl/private/postfix.key' |
| </code> | </code> | ||
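Review bot: `smtpd_use_tls=yes` is the pre-2.3 switch; on any Postfix from 2.3 on, set `smtpd_tls_security_level=may` instead and keep `smtpd_tls_auth_only=yes` so AUTH PLAIN/LOGIN is offered only inside TLS. The two `smtp_tls_cert_file`/`smtp_tls_key_file` lines configure the outbound SMTP client, not the server, and are not needed for accepting authenticated mail. Nothing in this hunk grants relaying to authenticated clients: unless `smtpd_recipient_restrictions` is set elsewhere on the page, it needs `permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination`, otherwise users authenticate successfully and are still refused for any destination outside `$mydestination`.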
| Line 270: | Line 270: | ||
| Then restart Shorewall: | Then restart Shorewall: | ||
| - | <code> | + | <code bash> |
| - | /etc/init.d/shorewall restart | + | sudo /etc/init.d/shorewall restart |
| </code> | </code> | ||
| Line 278: | Line 278: | ||
| ===chroot=== | ===chroot=== | ||
| We need to set up the Postfix chrooted environment to have access to the ''/var/run/saslauthd'' directory. | We need to set up the Postfix chrooted environment to have access to the ''/var/run/saslauthd'' directory. | ||
| - | <code rootuser> | + | <code bash> |
| - | rm -rf /var/run/saslauthd | + | sudo rm -rf /var/run/saslauthd |
| - | mkdir -p /var/spool/postfix/var/run/saslauthd | + | sudo mkdir -p /var/spool/postfix/var/run/saslauthd |
| - | ln -s /var/spool/postfix/var/run/saslauthd /var/run | + | sudo ln -s /var/spool/postfix/var/run/saslauthd /var/run |
| </code> | </code> | ||
| And move the SASL database to the ''etc'' directory of the chrooted environment. See the "unable to open Berkeley db /etc/sasldb2" section below for more details. The rest of the ''etc'' directory is filled in when postfix is started using the ''/etc/init.d/postfix'' script. | And move the SASL database to the ''etc'' directory of the chrooted environment. See the "unable to open Berkeley db /etc/sasldb2" section below for more details. The rest of the ''etc'' directory is filled in when postfix is started using the ''/etc/init.d/postfix'' script. | ||
| - | <code rootshell> | + | <code bash> |
| cd /var/spool/postfix/etc | cd /var/spool/postfix/etc | ||
| - | cp -p /etc/sasldb2 . | + | sudo cp -p /etc/sasldb2 . |
| - | mv /etc/sasldb2 /etc/sasldb2.`date +%F` | + | sudo mv /etc/sasldb2 /etc/sasldb2.`date +%F` |
| - | ln -s /var/spool/postfix/etc/sasldb2 /etc/sasldb2 | + | sudo ln -s /var/spool/postfix/etc/sasldb2 /etc/sasldb2 |
| </code> | </code> | ||
| ===groups=== | ===groups=== | ||
| We need to add ''postfix'' to the ''sasl'' group so the Postfix programs can read the SASL files. | We need to add ''postfix'' to the ''sasl'' group so the Postfix programs can read the SASL files. | ||
| - | <code rootuser> | + | <code bash> |
| - | chgrp sasl /var/spool/postfix/var/run/saslauthd | + | sudo chgrp sasl /var/spool/postfix/var/run/saslauthd |
| - | adduser postfix sasl | + | sudo adduser postfix sasl |
| </code> | </code> | ||
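Review bot: `sudo rm -rf /var/run/saslauthd` removes the socket directory from under a possibly running saslauthd, and on systems where /var/run is a tmpfs the replacement symlink is gone after the next reboot. The supported way on Debian to put the socket inside the Postfix chroot is to stop saslauthd, set `OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"` in /etc/default/saslauthd (the comments in that file describe exactly this case), and register the ownership with `sudo dpkg-statoverride --add root sasl 710 /var/spool/postfix/var/run/saslauthd` so the `chgrp sasl` in the groups step survives package upgrades. The `cd` in the sasldb2 block correctly has no sudo; it is a shell builtin and the directory is world-readable.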
| Line 302: | Line 302: | ||
| Start ''saslauthd'' if not done already. | Start ''saslauthd'' if not done already. | ||
| - | <code>/etc/init.d/saslauthd start</code> | + | <code bash> |
| + | sudo /etc/init.d/saslauthd start | ||
| + | </code> | ||
| Check postfix configuration | Check postfix configuration | ||
| - | <code> | + | <code bash> |
| - | postfix check | + | sudo postfix check |
| </code> | </code> | ||
| If all is well restart postfix and watch the log | If all is well restart postfix and watch the log | ||
| - | <code> | + | <code bash> |
| - | postfix reload ; tail -f /var/log/mail.log | + | sudo postfix reload |
| + | sudo tail -f /var/log/mail.log | ||
| </code> | </code> | ||
| If the reload command, if it fails with "''the Postfix mail system is not running''", then it was never started in the first place. Don't start with "''postfix start''" since this doesn't create the files needed in the chrotted environment. | If the reload command, if it fails with "''the Postfix mail system is not running''", then it was never started in the first place. Don't start with "''postfix start''" since this doesn't create the files needed in the chrotted environment. | ||
| - | <code rootshell> | + | <code bash> |
| - | /etc/init.d/postfix start | + | sudo /etc/init.d/postfix start |
| </code> | </code> | ||
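Review bot: `sudo /etc/init.d/saslauthd start` exits without starting anything until `START=yes` is set in /etc/default/saslauthd, so that edit belongs before this step. Once the daemon is up, verify authentication against the chroot socket before reloading Postfix, e.g. `testsaslauthd -u someuser -p somepass -f /var/spool/postfix/var/run/saslauthd/mux`, which isolates SASL problems from Postfix problems when the log tail shows AUTH failures. Style: the unchanged context line reads "If the reload command, if it fails" and "chrotted".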
| Line 339: | Line 342: | ||
| To completely wipe away the installation and configuration: | To completely wipe away the installation and configuration: | ||
| - | <code rootshell> | + | <code bash> |
| - | dpkg --force-depends --purge postfix | + | sudo dpkg --force-depends --purge postfix |
| </code> | </code> | ||
| Note that this does not remove the dependencies, and leaves APT dependency tree invalid. So you really should re-install the package as soon as possible. | Note that this does not remove the dependencies, and leaves APT dependency tree invalid. So you really should re-install the package as soon as possible. | ||
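Review bot: `sudo dpkg --force-depends --purge postfix` is what causes the broken dependency tree the next line warns about; `sudo apt-get remove --purge postfix` purges the same configuration and lets APT handle dependent packages, so the force flag and the warning can both go. Either way, the symlinks this page creates outside the package (`/etc/sasldb2` and `/var/run/saslauthd` pointing into /var/spool/postfix) are not package-owned and are left behind by a purge; the wipe instructions should list them.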
| Line 370: | Line 373: | ||
| * Front-end TLS/SMTP-AUTH configuration based on the [[http://www.falkotimme.com/howtos/postfix_smtp_auth_tls/index.php|Postfix-SMTP-AUTH-TLS-Howto]] | * Front-end TLS/SMTP-AUTH configuration based on the [[http://www.falkotimme.com/howtos/postfix_smtp_auth_tls/index.php|Postfix-SMTP-AUTH-TLS-Howto]] | ||
| * Back-end configuration (OLD delivery to Cyrus) based on the [[http://www.faqs.org/docs/Linux-HOWTO/Postfix-Cyrus-Web-cyradm-HOWTO.html#POSTFIX-CONFIG|Postfix-Cyrus-Web-cyradm-HOWTO]] | * Back-end configuration (OLD delivery to Cyrus) based on the [[http://www.faqs.org/docs/Linux-HOWTO/Postfix-Cyrus-Web-cyradm-HOWTO.html#POSTFIX-CONFIG|Postfix-Cyrus-Web-cyradm-HOWTO]] | ||
| + | |||