Postfix With SMTP-AUTH And TLS; Dovecot


    Install the required packages (Postfix, cyrus-sasl, Dovecot, etc.) like this:
    installing cyrus-sasl libsasl2 libsasl2-devel libsasl2-plug-plain \
    libsasl2-plug-anonymous libsasl2-plug-crammd5 libsasl2-plug-digestmd5 \
    libsasl2-plug-gssapi libsasl2-plug-login postfix dovecot

    Then run:

    postconf -e 'mydestination = /etc/postfix/local-host-names, localhost.$mydomain'
    postconf -e 'smtpd_sasl_local_domain ='
    postconf -e 'smtpd_sasl_auth_enable = yes'
    postconf -e 'smtpd_sasl_security_options = noanonymous'
    postconf -e 'broken_sasl_auth_clients = yes'
    postconf -e 'smtpd_sasl_authenticated_header = yes'
    postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination'
    postconf -e 'inet_interfaces = all'
    postconf -e 'mynetworks = 127.0.0.0/8'
    touch /etc/postfix/local-host-names

    The order of smtpd_recipient_restrictions is what keeps the server from becoming an open relay:
    clients that have authenticated, and clients inside mynetworks (here only the loopback network),
    may relay anywhere; everyone else may only deliver to the domains listed in mydestination.
    Keep mynetworks small, because every address in it can relay without a password.

    Then we set the hostname in our Postfix installation
    (make sure you replace server1 and example.com with your own settings):

    postconf -e 'mydomain = example.com'
    postconf -e 'myhostname = server1.$mydomain'

    Edit /etc/sasl2/smtpd.conf. It should look like this (the sasldb lines stay commented out because
    we authenticate system users through saslauthd):

    mcedit /etc/sasl2/smtpd.conf

    # SASL library configuration file for postfix
    # all parameters are documented into:
    # /usr/share/doc/cyrus-sasl/options.html
    # The mech_list parameters list the sasl mechanisms to use,
    # default being all mechs found.
    mech_list: plain login
    # To authenticate using the separate saslauthd daemon, (e.g. for
    # system or ldap users). Also see /etc/sysconfig/saslauthd.
    pwcheck_method: saslauthd
    saslauthd_path: /var/lib/sasl2/mux
    # To authenticate against users stored in sasldb.
    #pwcheck_method: auxprop
    #auxprop_plugin: sasldb
    #sasldb_path: /var/lib/sasl2/sasl.db

    Both PLAIN and LOGIN transmit the password itself (base64 is an encoding, not encryption), so
    they are only safe on a connection that has already negotiated STARTTLS; see smtpd_tls_auth_only
    in the TLS section.

    Optional:

    The default authentication mechanism for saslauthd is pam; on blackPanther OS 9.x, however, there seems to be a bug.
    When you send an email, the first one goes through, and as soon as you try to send a second email, saslauthd dies.
    You can find messages like this one in /var/log/messages

    Oct 9 17:53:42 server1 saslauthd[1]: server_exit : master exited: 4460

    I’ve found the following workaround: open /etc/sysconfig/saslauthd…

    mcedit /etc/sysconfig/saslauthd

    … and change SASL_AUTHMECH from pam to shadow:

    # $Id: saslauthd.sysconfig,v 1.1 2001/05/02 10:55:48 wiget Exp $
    # Authentications mechanism (for list see saslauthd -v)
    SASL_AUTHMECH=shadow
    # Hostname for remote IMAP server (if rimap auth mech is used)
    # Ldap configuration file (if ldap auth mech is used)
    SASL_MECH_OPTIONS=
    # Extra options (for list see saslauthd -h)
    SASLAUTHD_OPTS=

    Optional End

    Create the SSL certificate needed for TLS (2048 bits; a 1024-bit RSA key is too short for a
    certificate you intend to use for ten years). The key is first created with a passphrase and then
    written back without one so Postfix can start unattended. openssl rsa writes the new file with the
    default umask, so the chmod has to come after the mv, otherwise the key ends up world-readable:

    mkdir /etc/postfix/ssl
    cd /etc/postfix/ssl/
    openssl genrsa -des3 -out smtpd.key 2048
    openssl req -new -key smtpd.key -out smtpd.csr
    openssl x509 -req -days 3650 -in smtpd.csr -signkey smtpd.key -out smtpd.crt
    openssl rsa -in smtpd.key -out smtpd.key.unencrypted
    mv -f smtpd.key.unencrypted smtpd.key
    chmod 600 smtpd.key
    openssl req -new -x509 -extensions v3_ca \
    -keyout cakey.pem -out cacert.pem -days 3650

    Note that smtpd.crt is signed with its own key (-signkey), not by the CA key created in the last
    step, so cacert.pem does not vouch for the server certificate. Clients that verify the server
    certificate must trust smtpd.crt itself, or you replace it with one issued by a CA they already trust.

    ... and configure Postfix for TLS:

    postconf -e 'smtpd_tls_auth_only = no'
    postconf -e 'smtp_use_tls = yes'
    postconf -e 'smtpd_use_tls = yes'
    postconf -e 'smtp_tls_note_starttls_offer = yes'
    postconf -e 'smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key'
    postconf -e 'smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt'
    postconf -e 'smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem'
    postconf -e 'smtpd_tls_loglevel = 1'
    postconf -e 'smtpd_tls_received_header = yes'
    postconf -e 'smtpd_tls_session_cache_timeout = 3600s'
    postconf -e 'tls_random_source = dev:/dev/urandom'

    smtpd_tls_auth_only = no makes Postfix offer AUTH on the unencrypted connection as well. The telnet
    test later in this howto relies on that, but it also lets a misconfigured client send PLAIN or LOGIN
    credentials in the clear. Once your mail clients are set to use STARTTLS, change it to yes; Postfix
    then announces AUTH only after the session is encrypted. smtp_use_tls and smtpd_use_tls are the
    Postfix 2.5 parameter names; on Postfix 2.3 and later the preferred equivalents are
    smtp_tls_security_level = may and smtpd_tls_security_level = may.
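    As an added example (not part of the original howto), the following script produces the server key
    and certificate in a single openssl call instead of the genrsa/req/x509/rsa sequence above, and fixes
    the points raised there: a 2048-bit key, SHA-256, a subjectAltName matching the hostname (modern
    clients ignore the CN), and a key file that is 0600 from the moment it is written. The hostname
    server1.example.com and the output directory are placeholders; openssl(1) is assumed to be installed.
    Point smtpd_tls_cert_file and smtpd_tls_key_file at the two files; smtpd_tls_CAfile can be left unset,
    since the chain is a single self-signed certificate.

```shell
#!/bin/sh
# Added example, not part of the original howto. Generates the Postfix
# server key and certificate in one step: 2048-bit RSA, SHA-256, a
# subjectAltName matching the hostname, and a key that is 0600 from the
# moment it is written. Assumptions: server1.example.com and the output
# directory are placeholders, and openssl(1) is installed.

# san_config HOST: request configuration for "openssl req". The v3_req
# section is what puts the SAN and server-auth usage into the certificate.
san_config() {
    cat <<EOF
[ req ]
distinguished_name = req_dn
prompt = no

[ req_dn ]
CN = $1

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$1
EOF
}

# mk_smtpd_cert HOST DIR: writes DIR/smtpd.key (0600) and DIR/smtpd.crt.
# Returns openssl's exit status so a failure is visible to the caller.
mk_smtpd_cert() {
    host=$1; dir=$2
    mkdir -p "$dir" || return 1
    conf=$(mktemp) || return 1
    san_config "$host" > "$conf"
    # umask 077 in a subshell: the key is created 0600 and nothing later has
    # to fix it up (the howto's chmod-then-mv sequence loses the mode).
    (umask 077 && openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$conf" -extensions v3_req \
        -keyout "$dir/smtpd.key" -out "$dir/smtpd.crt" 2>/dev/null)
    rc=$?
    rm -f "$conf"
    if [ "$rc" -eq 0 ]; then
        chmod 644 "$dir/smtpd.crt"   # the certificate is public
    fi
    return "$rc"
}

# cert_has_san CERT HOST: succeeds if the certificate carries DNS:HOST.
cert_has_san() {
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# key_mode FILE: permission string as ls prints it, e.g. -rw-------.
key_mode() {
    ls -l "$1" | cut -c1-10
}

# Stand-alone run into a scratch directory (the real target is
# /etc/postfix/ssl as in the howto); skipped quietly without openssl.
if command -v openssl >/dev/null 2>&1; then
    out=$(mktemp -d)
    if mk_smtpd_cert server1.example.com "$out"; then
        echo "wrote $out/smtpd.key ($(key_mode "$out/smtpd.key")) and $out/smtpd.crt"
        if cert_has_san "$out/smtpd.crt" server1.example.com; then
            echo "subjectAltName DNS:server1.example.com present"
        fi
    fi
fi
```

    Inspect the result with openssl x509 -in smtpd.crt -noout -text; the Subject Alternative Name block
    must list the name your clients connect to, otherwise they will warn about a hostname mismatch even
    though they trust the certificate.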

    Next we must configure Dovecot to serve the protocols imap, imaps, pop3, and pop3s.
    Open /etc/dovecot.conf and adjust the following values:

    mcedit /etc/dovecot.conf

    # Protocols we want to be serving: imap imaps pop3 pop3s
    # If you only want to use dovecot-auth, you can set this to "none".
    protocols = imap imaps pop3 pop3s
    disable_plaintext_auth = no
    pop3_uidl_format = %08Xu%08Xv

    disable_plaintext_auth = no lets clients log in with a cleartext password on the unencrypted imap
    and pop3 ports. Dovecot's default is yes, which accepts plaintext authentication only over TLS
    (imaps, pop3s, or STARTTLS) or from the local host; prefer the default unless you have clients that
    cannot do TLS.

    Now we must tell the system to start Dovecot only after ntpd has started, because
    Dovecot isn't very forgiving if your system's time moves backwards while Dovecot is running
    (see http://wiki.dovecot.org/TimeMovedBackwards).
    This might cause errors like the following in your syslog:

    Apr 9 19:29:18 server1 dovecot: Time just moved backwards by 17 seconds.
    This might cause a lot of problems, so I’ll just kill myself now.
    http://wiki.dovecot.org/TimeMovedBackwards

    Unfortunately, on blackPanther OS Dovecot is started before ntpd, so we change it like this:

    cd /etc/rc3.d
    mv S99ntpd S98ntpd
    mv S54dovecot S99dovecot
    cd /etc/rc4.d
    mv S99ntpd S98ntpd
    mv S54dovecot S99dovecot
    cd /etc/rc5.d
    mv S99ntpd S98ntpd
    mv S54dovecot S99dovecot

    Then we create the system startup links for Postfix...
    chkconfig postfix on

    … and (re)start Postfix, saslauthd, and Dovecot:

    /etc/init.d/postfix restart
    /etc/init.d/saslauthd restart
    /etc/init.d/dovecot restart

    To see if SMTP-AUTH and TLS work properly now run the following command:

    telnet localhost 25

    After you have established the connection to your Postfix mail server type

    ehlo localhost

    If you see the lines

    250-STARTTLS

    and

    250-AUTH PLAIN LOGIN

    everything is fine:

    rc5.d# telnet localhost 25
    Trying 127.0.0.1...
    Connected to localhost.localdomain (127.0.0.1).
    Escape character is '^]'.
    220 server1.example.com ESMTP Postfix (2.5.5) (blackPanther OS)
    ehlo localhost
    250-server1.example.com
    250-PIPELINING
    250-SIZE 10240000
    250-VRFY
    250-ETRN
    250-STARTTLS
    250-AUTH PLAIN LOGIN
    250-AUTH=PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 DSN
    quit
    221 2.0.0 Bye
    Connection closed by foreign host.
    rc5.d#

    Type

    quit

    to return to the system's shell.

    The extra 250-AUTH=PLAIN LOGIN line is the non-standard form that broken_sasl_auth_clients = yes
    emits for old clients. This test only shows that the server advertises STARTTLS and AUTH; it does not
    exercise either. Seeing 250-AUTH PLAIN LOGIN on the unencrypted connection is expected with
    smtpd_tls_auth_only = no, but it also means a client can authenticate without STARTTLS. To check the
    TLS side, connect with openssl s_client -starttls smtp -crlf -connect localhost:25 and repeat
    ehlo localhost inside the encrypted session; with smtpd_tls_auth_only = yes the AUTH lines appear only there.
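    The checks below are an added example and not part of the original howto. They read an EHLO
    response like the one in the transcript (the sample is constructed from it) and give a verdict for
    the stage it was captured at: on the plaintext connection STARTTLS must be present and AUTH is a
    warning, inside TLS AUTH must be present. The second helper builds the base64 token for AUTH PLAIN
    (RFC 4616: NUL, user, NUL, password), which is what you need to go one step beyond "ehlo" and
    actually log in from a telnet or openssl s_client session. The account test/test is a placeholder.

```shell
#!/bin/sh
# Added example, not part of the original howto: offline checks for the
# "ehlo" verification step plus a helper that builds the AUTH PLAIN token
# needed to actually authenticate from the session. Hostnames and the
# user/password pair are placeholders.

# Constructed sample: the EHLO response from the transcript above, as seen
# on the plaintext connection (before STARTTLS).
SAMPLE_EHLO='250-server1.example.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN'

# ehlo_has KEYWORD "ehlo text": succeeds if the server advertised KEYWORD
# (matches both "250-" continuation lines and the final "250 " line).
ehlo_has() {
    printf '%s\n' "$2" | grep -E -q "^250[- ]$1( |=|\$)"
}

# check_ehlo plain|tls "ehlo text": verdict for the stage the EHLO was
# captured at. Exit status: 0 ok, 1 no STARTTLS, 2 no AUTH,
# 3 AUTH offered on the unencrypted connection (passwords could cross the
# wire in clear; smtpd_tls_auth_only = yes removes them from this stage).
check_ehlo() {
    mode=$1; ehlo=$2
    case $mode in
    plain)
        if ! ehlo_has STARTTLS "$ehlo"; then
            echo "FAIL: STARTTLS not offered; check smtpd_use_tls and the cert/key paths"
            return 1
        fi
        if ehlo_has AUTH "$ehlo"; then
            echo "WARN: AUTH offered before STARTTLS (smtpd_tls_auth_only = no); set it to yes once clients use TLS"
            return 3
        fi
        echo "OK: STARTTLS offered, AUTH withheld until the session is encrypted"
        ;;
    tls)
        if ! ehlo_has AUTH "$ehlo"; then
            echo "FAIL: AUTH not offered inside TLS; check smtpd_sasl_auth_enable and /etc/sasl2/smtpd.conf"
            return 2
        fi
        echo "OK: AUTH offered inside TLS"
        ;;
    *)
        echo "usage: check_ehlo plain|tls 'ehlo text'" >&2
        return 64
        ;;
    esac
}

# sasl_plain_token USER PASSWORD: the base64 argument for "AUTH PLAIN",
# i.e. base64(NUL authcid NUL passwd) per RFC 4616 with an empty authzid.
# base64 is not encryption: this string reveals the password to anyone
# who can read the connection, hence the STARTTLS requirement above.
sasl_plain_token() {
    printf '\000%s\000%s' "$1" "$2" | base64 | tr -d '\n'
}

# Stand-alone run: verdict for the sample, then the token for the
# placeholder account. "|| :" keeps the non-zero verdict from aborting
# under "set -e"; the status is the result, not an error.
check_ehlo plain "$SAMPLE_EHLO" || :
echo "AUTH PLAIN $(sasl_plain_token test test)"
```

    To test authentication itself, open openssl s_client -starttls smtp -crlf -connect localhost:25,
    type ehlo localhost, then AUTH PLAIN followed by the token for a real account. Postfix answers
    235 2.7.0 Authentication successful when saslauthd accepted the password and a 535 reply when it did
    not; the saslauthd side of a failure shows up in /var/log/messages.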

    11.1 Maildir

    Dovecot uses Maildir format (not mbox), so if you install ISPConfig on the server,
    please make sure you enable Maildir under Management -> Server -> Settings -> Email.
    ISPConfig will then do the necessary configuration.

    If you do not want to install ISPConfig, then you must configure Postfix to deliver emails to a user’s Maildir
    (you can also do this if you use ISPConfig – it doesn’t hurt ;-)):

    postconf -e 'home_mailbox = Maildir/'
    postconf -e 'mailbox_command ='
    /etc/init.d/postfix restart