Thursday, October 26, 2006

FreeBSD : Postfix (SMTP + SSL + TLS) + Courier (IMAP + POP3 + SSL) + Cyrus SASL, with virtual delivery

Links

* http://www.postfix.org/SASL_README.html
* http://www.unixpeople.com/HOWTO/postfix.solaris.html
* http://www.pacnog.org/pacnog1/day1/mail/courier.html

Postfix

/usr/local/etc/postfix/master.cf

# enables SMTP over SSL on port 465. Note the command line arguments for smtpd.
smtps inet n - n - - smtpd -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes

/usr/local/etc/postfix/main.cf

queue_directory = /var/spool/postfix
command_directory = /usr/local/sbin
daemon_directory = /usr/local/libexec/postfix
mail_owner = postfix
unknown_local_recipient_reject_code = 550

mynetworks = 192.168.1.0/24, 127.0.0.0/8
smtpd_banner = $myhostname ESMTP

debug_peer_level = 2
debugger_command =
     PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
     xxgdb $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/local/sbin/sendmail
newaliases_path = /usr/local/bin/newaliases
mailq_path = /usr/local/bin/mailq
setgid_group = maildrop
html_directory = no
manpage_directory = /usr/local/man
sample_directory = /usr/local/etc/postfix
readme_directory = no

transport_maps = hash:/usr/local/etc/postfix/transport
smtpd_sender_restrictions = reject_unknown_sender_domain, reject_non_fqdn_sender
# permit_sasl_authenticated is what lets a user who has authenticated (over TLS, see below)
# relay from outside mynetworks; without it SASL only protects logins and grants no relaying
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_non_fqdn_recipient, reject_unknown_recipient_domain

# must list the domain(s) used in the vmailbox and transport files below
virtual_mailbox_domains = company.com
virtual_mailbox_base = /mirror/mail/
virtual_mailbox_maps = hash:/usr/local/etc/postfix/vmailbox
virtual_minimum_uid = 100
virtual_uid_maps = static:125
virtual_gid_maps = static:125
virtual_alias_maps = hash:/usr/local/etc/postfix/virtual

smtpd_sasl_security_options = noanonymous
smtpd_use_tls = yes
smtpd_tls_cert_file = /usr/local/etc/postfix/postfix.pem
smtpd_tls_key_file = $smtpd_tls_cert_file
smtpd_tls_auth_only = yes
broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes
smtpd_helo_required = yes

Don't forget to make your PEM file!

/usr/local/etc/postfix/transport (Do a "postmap transport" after editing, so the hash: map is rebuilt)

# null entry means to handle this domain ourselves
company.com :
.company.com :
# enable next line to use a smart host for all outgoing mail
# * smtp:smtp.my.isp.com

/usr/local/etc/postfix/vmailbox ("postmap vmailbox" after editing)

This file sets up the users that postfix will receive mail for, and where to store their mail.

# Don't forget the trailing / for maildir format!
user1@company.com company.com/user1/
user2@company.com company.com/user2/

Using the virtual_mailbox_base directory from main.cf above (the vmailbox paths are relative to it, so the maildirs must be created under company.com/):
virtual_mailbox_base=/mirror/mail
mkdir -p $virtual_mailbox_base/company.com
cd $virtual_mailbox_base/company.com
maildirmake user1
maildirmake user2
# postfix is uid/gid 125 on this box, matching virtual_uid_maps/virtual_gid_maps in main.cf
chown -R postfix:postfix $virtual_mailbox_base


Courier

/usr/local/etc/courier-imap/imapd

IMAPDSTART=YES

/usr/local/etc/courier-imap/pop3d

POP3DSTART=YES

/usr/local/etc/courier-imap/imapd-ssl

# STARTTLS on port 143, plus the dedicated SSL listener on port 993
IMAPDSTARTTLS=YES
IMAPDSSLSTART=YES

/usr/local/etc/courier-imap/pop3d-ssl

# STARTTLS on port 110, plus the dedicated SSL listener on port 995
POP3_STARTTLS=YES
POP3DSSLSTART=YES


Make your TLS certificates:

* Edit /usr/local/etc/courier-imap/{pop3d,imapd}.cnf and put in your details.
* Put CN = mail.companyname.com, or whatever your clients use to connect.
* Then:

cd /usr/local/share/courier-imap/
./mkpop3dcert
./mkimapdcert

/etc/rc.conf

courier_authdaemond_enable="YES"
courier_imap_pop3d_enable="YES"
courier_imap_imapd_enable="YES"
courier_imap_pop3d_ssl_enable="YES"
courier_imap_imapd_ssl_enable="YES"
saslauthd_enable="YES"

saslauthd_flags="-r -a rimap -O localhost"

The saslauthd_flags make saslauthd pass the full user@realm login name to the backend (-r), authenticate against a remote IMAP server (-a rimap), and contact that IMAP server on this machine (-O localhost). The default is PAM, which does things like checking against the system passwd file.


/usr/local/etc/authlib/authdaemonrc

authmodulelist="authuserdb"

Edit /usr/local/etc/authlib/userdb

This controls who can log in to get their email, and who is allowed to relay SMTP.

# All one line: the user name, a TAB, then the fields separated by | (shown split here for readability)
user1@company.com
uid=125|
gid=125|
home=/mirror/mail/company.com/user1|
mail=/mirror/mail/company.com/user1|
systempw=
# systempw holds the password hash; it is filled in by userdbpw/userdb (see their man pages), not by hand

Run "makeuserdb" after editing the userdb file!
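The vmailbox map and the userdb entries above describe the same maildirs from two sides: Postfix writes to virtual_mailbox_base plus the vmailbox path as the static virtual uid/gid, and Courier reads the path in the userdb mail= field as the userdb uid/gid. If the two disagree, mail lands where Courier never looks or is unreadable by the IMAP/POP3 process. The script below is an added example, not code from the original post or from Postfix/Courier, that cross-checks the files. The three inputs it parses are constructed sample data in the formats shown above; user2's uid and user3's vmailbox line are deliberately wrong so the checker has something to report.

```python
"""Cross-check main.cf virtual_* settings, the vmailbox map and the Courier
userdb. Added example; the three inputs are constructed sample data."""
import posixpath

MAIN_CF = """
virtual_mailbox_base = /mirror/mail/
virtual_minimum_uid = 100
virtual_uid_maps = static:125
virtual_gid_maps = static:125
"""

VMAILBOX = """
# Don't forget the trailing / for maildir format!
user1@company.com company.com/user1/
user2@company.com company.com/user2/
user3@company.com company.com/user3
"""

# userdb format: user name, TAB, fields separated by |
USERDB = (
    "user1@company.com\tuid=125|gid=125|home=/mirror/mail/company.com/user1|"
    "mail=/mirror/mail/company.com/user1|systempw=\n"
    "user2@company.com\tuid=1001|gid=125|home=/mirror/mail/company.com/user2|"
    "mail=/mirror/mail/company.com/user2|systempw=\n"
)


def parse_main_cf(text):
    """'key = value' lines -> dict; comments and blank lines skipped."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            params[key.strip()] = value.strip()
    return params


def parse_vmailbox(text):
    """address -> maildir path relative to virtual_mailbox_base."""
    entries = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and not parts[0].startswith("#"):
            entries[parts[0]] = parts[1].strip()
    return entries


def parse_userdb(text):
    """user -> dict of userdb fields."""
    users = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            user, _, fields = line.partition("\t")
            users[user] = dict(f.split("=", 1) for f in fields.split("|") if f)
    return users


def static_id(value):
    """'static:125' -> '125'; any other map type is left for manual review."""
    return value.split(":", 1)[1] if value.startswith("static:") else None


def check(main_cf, vmailbox, userdb):
    """Return a list of problem strings; an empty list means the files agree."""
    params = parse_main_cf(main_cf)
    base = params.get("virtual_mailbox_base", "")
    uid = static_id(params.get("virtual_uid_maps", ""))
    gid = static_id(params.get("virtual_gid_maps", ""))
    users = parse_userdb(userdb)
    problems = []
    # Postfix refuses to deliver as a uid below virtual_minimum_uid
    if uid is not None and int(uid) < int(params.get("virtual_minimum_uid", "100")):
        problems.append("virtual uid %s is below virtual_minimum_uid" % uid)
    for addr, rel in parse_vmailbox(vmailbox).items():
        if not rel.endswith("/"):
            problems.append("%s: vmailbox path %r lacks the trailing /, Postfix would write an mbox file" % (addr, rel))
        maildir = posixpath.normpath(posixpath.join(base, rel))
        entry = users.get(addr)
        if entry is None:
            problems.append("%s: in vmailbox but not in userdb, nobody can read this mailbox" % addr)
            continue
        if posixpath.normpath(entry.get("mail", "")) != maildir:
            problems.append("%s: Postfix delivers to %s but Courier reads %r" % (addr, maildir, entry.get("mail")))
        if entry.get("uid") != uid or entry.get("gid") != gid:
            problems.append("%s: userdb uid/gid %s/%s differ from virtual maps %s/%s"
                            % (addr, entry.get("uid"), entry.get("gid"), uid, gid))
    return problems


if __name__ == "__main__":
    for problem in check(MAIN_CF, VMAILBOX, USERDB):
        print("PROBLEM:", problem)
```

Run it against the real files by reading them into the three strings; a clean run prints nothing. The trailing-slash check matters because Postfix picks maildir versus mbox delivery from that character alone, and Courier only understands the maildir.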

Configure Cyrus SASL by creating or editing /usr/local/lib/sasl2/smtpd.conf with these two lines:

pwcheck_method: saslauthd
mech_list: PLAIN LOGIN
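With smtpd_tls_auth_only = yes and smtpd_sasl_security_options = noanonymous in main.cf, a client on port 25 should see no AUTH line in the EHLO reply until after STARTTLS, and then only the PLAIN and LOGIN mechanisms listed in smtpd.conf. The script below is an added example, not code from the post or from Postfix, that checks this with Python's smtplib and builds the AUTH PLAIN string for a manual test through openssl s_client on the wrapper-mode port 465 from master.cf. mail.company.com and the credentials are placeholders; the EHLO replies in the test are constructed in the shape Postfix emits.

```python
"""Check that SMTP AUTH is only offered after STARTTLS, and build an AUTH
PLAIN credential for a test by hand. Added example; host and credentials
are placeholders."""
import base64
import smtplib
import ssl


def auth_mechs(ehlo_reply):
    """Return the set of SASL mechanisms advertised in an EHLO reply.

    ehlo_reply is the bytes smtplib stores in SMTP.ehlo_resp, one extension
    per line. Postfix emits "AUTH PLAIN LOGIN" and, with
    broken_sasl_auth_clients = yes, a second "AUTH=PLAIN LOGIN" line for
    old clients; both spellings are parsed here.
    """
    mechs = set()
    for line in ehlo_reply.decode("ascii", "replace").splitlines():
        line = line.strip()
        if line.upper().startswith("AUTH"):
            mechs.update(word.upper() for word in line[4:].lstrip("= ").split())
    return mechs


def verdict(before, after):
    """Judge the mechanism sets seen before and after STARTTLS."""
    if before:
        return "FAIL: AUTH offered before STARTTLS, smtpd_tls_auth_only is not in effect"
    if not after:
        return "FAIL: no AUTH after STARTTLS, check smtpd_sasl_auth_enable and saslauthd"
    if "ANONYMOUS" in after:
        return "FAIL: ANONYMOUS offered, smtpd_sasl_security_options needs noanonymous"
    return "OK: AUTH %s offered only after STARTTLS" % " ".join(sorted(after))


def probe(host, port=25, timeout=10):
    """Connect to a STARTTLS port and return (mechs before, mechs after)."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        before = auth_mechs(smtp.ehlo_resp)
        smtp.starttls(context=ssl.create_default_context())
        smtp.ehlo()  # capabilities must be re-read after the TLS handshake
        after = auth_mechs(smtp.ehlo_resp)
    return before, after


def plain_initial_response(username, password):
    """RFC 4616 AUTH PLAIN initial response: base64 of NUL user NUL password.

    Paste the result after "AUTH PLAIN " inside an
    "openssl s_client -connect mail.company.com:465" session to exercise
    the smtps wrapper-mode listener from master.cf.
    """
    raw = b"\0" + username.encode("utf-8") + b"\0" + password.encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "mail.company.com"  # placeholder
    print(verdict(*probe(host)))
    print("AUTH PLAIN", plain_initial_response("user1@company.com", "secret"))  # placeholder credentials
```

The two EHLO reads are the whole point: the capability list is allowed to change after STARTTLS, and the FAIL branches map each outcome back to the main.cf or smtpd.conf setting that controls it.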


Remember to open firewall ports!

And I think that's it. :)