{"id":545,"date":"2023-03-22T07:44:21","date_gmt":"2023-03-22T07:44:21","guid":{"rendered":"https:\/\/lasg.dk\/wp\/?p=545"},"modified":"2025-12-23T14:54:55","modified_gmt":"2025-12-23T14:54:55","slug":"postfix-dovecot-mysql","status":"publish","type":"post","link":"https:\/\/lasg.dk\/wp\/postfix-dovecot-mysql\/","title":{"rendered":"Postfix + Dovecot + MySQL in FreeBSD"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">Lars Sommer, lasg@lasg.dk, 2009-04-19<br>DISCLAIMER: This is a personal note made for personal usage. It might not be easy to use or self-explanatory.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">This is a personal note on:<br>Mail server setup with Postfix as SMTP\/MTA, Dovecot as POP3\/IMAP, SASL<br>authentication, virtual users, SSL connections and Smarthost&#8217;ing<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Inspired by these guides:<br>http:\/\/workaround.org\/articles\/ispmail-etch\/<br>http:\/\/www.colinbaker.org\/unix\/freebsddovecot<br>http:\/\/wiki.dovecot.org\/UserDatabase\/Prefetch<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">\nInstall these ports for MySQL:\ndatabases\/mysql60-server\ndatabases\/mysql60-client\n\nEnable in \/etc\/rc.conf:\nmysql_enable=\"YES\"\n\n---\n\nInstall of Dovecot:\n\nIf you install Postfix before Dovecot, MySQL support for Dovecot will be\n missing. You can, though, just run a \"make config\" in mail\/dovecot, and\n select MYSQL.\n\nInstall this port:\nmail\/dovecot\nWith this option:\nWITH_MYSQL=true\n\nEnable in \/etc\/rc.conf:\ndovecot_enable=\"YES\"\n\nFor sieve mail filtering, install this port as well:\n\/usr\/ports\/mail\/dovecot-sieve\n\n---\n\nInstall of Postfix:\n\nInstall this port:\nmail\/postfix\n\nWith these options:\nWITH_PCRE=true\nWITH_SASL2=true   (for smarthost)\nWITH_DOVECOT=true   (for SASL)\nWITH_TLS=true\nWITH_MYSQL=true\nWITH_VDA=true \t(NOTE by 2009-05-21, no VDA option was present any more. 
WHY?)\n\nSay YES to let the install procedure configure the \/etc\/mail\/mailer.conf\n and replace the sendmail binaries.\n\nEnable in rc.conf: \npostfix_enable=\"YES\" \n\n#If you do not need sendmail anymore, please add in your rc.conf:\nsendmail_enable=\"NO\"\nsendmail_submit_enable=\"NO\"\nsendmail_outbound_enable=\"NO\"\nsendmail_msp_queue_enable=\"NO\"\n\n#And you can disable some sendmail specific daily maintenance routines in your\n\/etc\/periodic.conf file:\ndaily_clean_hoststat_enable=\"NO\"\ndaily_status_mail_rejects_enable=\"NO\"\ndaily_status_include_submit_mailq=\"NO\"\ndaily_submit_queuerun=\"NO\"\n\n\nPostfix cannot be started before \/etc\/aliases.db is created,\n so run \"newaliases\"\n\nAll configuration is in \/usr\/local\/etc\/postfix\/, mostly in main.cf and master.cf\n\nGet some config, from my config files..\n\n\nchgrp postfix mysql_*.cf\nchmod 640 mysql_*.cf\n\n\nCreate system user vmail:\npw user add -n vmail -d \/var\/vmail -s \/usr\/sbin\/nologin -u 5000 \nmkdir \/var\/vmail\nchown vmail \/var\/vmail\nchmod o= \/var\/vmail\n\n---\n\nMySQL configuration:\n\nSet root password and connect:\nmysqladmin password mysecretpw\nmysql -p\n\n---\n\nCreate MySQL mapping files for Postfix:\n\ncd \/usr\/local\/etc\/postfix\/\n\n---\n\nSet up Postfix to work with Dovecot:\n\nAdd this line to master.cf:\ndovecot   unix  -       n       n       -       -       pipe\n    flags=DRhu user=vmail:vmail argv=\/usr\/local\/libexec\/dovecot\/deliver -d ${recipient}\n\nAdd these two lines to main.cf:\nvirtual_transport = dovecot\ndovecot_destination_recipient_limit = 1\n\n---\n\nConfigure Dovecot:\n\ncd \/usr\/local\/etc\ncp dovecot-example.conf dovecot.conf\nvi dovecot.conf\n\nprotocols = imap pop3 imaps pop3s\n\nmail_location = maildir:\/var\/vmail\/%d\/%n\n\nIn section \"auth default\"\nEdit:\nmechanisms = plain login\n\nAdd:\n  passdb sql {\n    args = \/usr\/local\/etc\/dovecot-sql.conf\n  }\n  userdb static {\n    args = uid=5000 gid=5000 
home=\/var\/vmail\/%d\/%n allow_all_users=yes\n  }\n  userdb sql {\n    args = \/usr\/local\/etc\/dovecot-sql.conf\n  }\n  socket listen {\n    master {\n      path = \/var\/run\/dovecot\/auth-master\n      mode = 0600\n      user = vmail\n    }\n    client {\n      path = \/var\/spool\/postfix\/private\/auth\n      mode = 0660\n      user = postfix\n      group = postfix\n    }\n  }\n\nIn section \"protocol lda\":\nEdit:\n  postmaster_address = postmaster@lasg.dk\n\nAdd:\n  auth_socket_path = \/var\/run\/dovecot\/auth-master\n  log_path = \/var\/vmail\/dovecot-deliver.log\n  mail_plugins = cmusieve quota\n\n\nNow edit dovecot-sql.conf to:\n\n---\n\nMaking SSL for Dovecot and Postfix:\n\nmkdir \/etc\/ssl\/private\nmkdir \/etc\/ssl\/certs\nopenssl req -new -x509 -days 3650 -nodes -out \/etc\/ssl\/certs\/dovecot.pem \\\n    -keyout \/etc\/ssl\/private\/dovecot.pem\n\nopenssl req -new -x509 -days 3650 -nodes -out \/etc\/ssl\/certs\/postfix.pem \\\n    -keyout \/etc\/ssl\/private\/postfix.pem\n\nchmod -R o= \/etc\/ssl\/private\n\nAdd to Postfix's main.cf:\nsmtpd_tls_cert_file = \/etc\/ssl\/certs\/postfix.pem\nsmtpd_tls_key_file = \/etc\/ssl\/private\/postfix.pem\n\nUncomment in master.cf:\nsmtps     inet  n       -       n       -       -       smtpd\n  -o smtpd_tls_wrappermode=yes\n  -o smtpd_sasl_auth_enable=yes\n  -o smtpd_client_restrictions=permit_sasl_authenticated,reject\n\n---\n\nSASL (Authenticated SMTP):\n\nAdd to main.cf:\nsmtpd_sasl_type = dovecot\nsmtpd_sasl_path = private\/auth\nsmtpd_sasl_auth_enable = yes\nsmtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination\nmynetworks = 192.168.1.0\/24\n\n---\n\nTesting:\n\nTry to send and receive mail. 
Eg with:\ntelnet localhost 25\ntelnet localhost 110\n\n\n---\n\nTo let postfix send mail on to another smtp (relay\/smarthost)\n\ncd \/usr\/local\/etc\/postfix \n\nvi transport\nInsert:\ndkuug.dk smtp:smtp.dbmail.dk\nkrn.dk smtp:smtp.dbmail.dk\n\nvi sasl_passwd\nInsert:\nsmtp.dbmail.dk  lasg:mysecretpass\n\nInsert in main.cf:\ntransport_maps = hash:\/usr\/local\/etc\/postfix\/transport\nsmtp_sasl_auth_enable = yes\nsmtp_sasl_password_maps = hash:\/usr\/local\/etc\/postfix\/sasl_passwd\nsmtp_sasl_security_options =\n\nDo:\npostmap transport\npostmap sasl_passwd\n\nrestart postfix\nNow mail to *@dkuug.dk and *@krn.dk will go through smtp.dbmail.dk with sasl auth.\n\n<\/pre>\n","protected":false},"excerpt":{"rendered":"","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[25],"tags":[24,45],"class_list":["post-545","post","type-post","status-publish","format-standard","hentry","category-computer","tag-computer","tag-freebsd"],"acf":[],"_links":{"self":[{"href":"https:\/\/lasg.dk\/wp\/wp-json\/wp\/v2\/posts\/545","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lasg.dk\/wp\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lasg.dk\/wp\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lasg.dk\/wp\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/lasg.dk\/wp\/wp-json\/wp\/v2\/comments?post=545"}],"version-history":[{"count":2,"href":"https:\/\/lasg.dk\/wp\/wp-json\/wp\/v2\/posts\/545\/revisions"}],"predecessor-version":[{"id":827,"href":"https:\/\/lasg.dk\/wp\/wp-json\/wp\/v2\/posts\/545\/revisions\/827"}],"wp:attachment":[{"href":"https:\/\/lasg.dk\/wp\/wp-json\/wp\/v2\/media?parent=545"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lasg.dk\/wp\/wp-json\/wp\/v2\/categories?post=545"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lasg.dk\/wp\/wp-json\/wp\/v2\/tags?post=545"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}