Mail Applications
Postfix
Note
You should build Postfix before AMaViS as AMaViS looks for Postfix and you'll be modifying the Postfix configuration.
Building and Installing
The README files give plenty of clues about how to modify the initial compilation line. You just need to merge all the bits together. In this case we're adding in:
- libpcre.so which is in /opt/sfw
- SASL which we installed in /usr/local/cyrus-sasl-x.y.z
- STARTTLS which requires OpenSSL in /usr/sfw
cd .../postfix-2.2.5
make -f Makefile.init makefiles \
  "CCARGS=-DHAS_PCRE \
  -I/opt/sfw/include \
  -DUSE_SASL_AUTH \
  -I/usr/local/cyrus-sasl-2.1.21/include/sasl \
  -DUSE_TLS -I/usr/sfw/include" \
  "AUXLIBS=-L/opt/sfw/lib \
  -R/opt/sfw/lib \
  -lpcre \
  -L/usr/local/cyrus-sasl-2.1.21/lib \
  -R/usr/local/cyrus-sasl-2.1.21/lib \
  -lsasl2 \
  -R/usr/sfw/lib \
  -L/usr/sfw/lib \
  -lssl \
  -lcrypto"
make
Note
In 2.3 and later we need to add an additional -DUSE_CYRUS_SASL to CCARGS, otherwise we'll have no Cyrus-SASL support:
C=/usr/local/cyrus-sasl-2.1.22
make -f Makefile.init makefiles \
  "CCARGS=-DHAS_PCRE \
  -I/opt/sfw/include \
  -DUSE_SASL_AUTH \
  -DUSE_CYRUS_SASL \
  -I$C/include/sasl \
  -DUSE_TLS -I/usr/sfw/include" \
  "AUXLIBS=-L/opt/sfw/lib \
  -R/opt/sfw/lib \
  -lpcre \
  -L$C/lib \
  -R$C/lib \
  -lsasl2 \
  -R/usr/sfw/lib \
  -L/usr/sfw/lib \
  -lssl \
  -lcrypto"
make
As per the instructions, back up the existing bits:
su
mv /usr/sbin/sendmail /usr/sbin/sendmail.OFF
mv /usr/sbin/newaliases /usr/sbin/newaliases.OFF
mv /usr/bin/mailq /usr/bin/mailq.OFF
chmod 755 /usr/sbin/sendmail.OFF /usr/sbin/newaliases.OFF /usr/bin/mailq.OFF
Then ensure the postfix groups and account are available:
groupadd postfix
useradd -g postfix postfix
passwd -l postfix
groupadd postdrop
All of that comes before the install itself (as root!):
make install
Note
Accept defaults for everything (postfix config dir becomes /etc/postfix)
Configuration
main.cf
There's quite a bit to do here (/etc/postfix/main.cf) and it might appear a bit fiddly.
Once again the default domain rears its ugly head. In this instance, the default domain is derived from the computer's hostname (unless you state otherwise). I'm not, so my default domain is based on my hostname.
General Setup
- myorigin
myorigin = $mydomain
- mydestination
Here we're settling on our choice of default domain. It may be that we can drop $mydomain and add it back into the virtual list (below) but I'm a touch nervous about that.
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
- local_recipient_maps
local_recipient_maps =
- mynetworks_style
mynetworks_style = host
- mailbox_transport
mailbox_transport = lmtp:unix:/var/imap/socket/lmtp
- mime_header_checks
Optional as this file drops mail containing some dodgy attachments on the floor:
mime_header_checks = regexp:/etc/postfix/mime_header_checks
Then create the mime_header_checks file:
cat <<EOF > /etc/postfix/mime_header_checks
/^Content-Type: audio\/x-(wav|midi); name="?[a-zA-Z0-9]*\.(exe|com|bat|scr|pif)"?/ DISCARD
/^Content-Type: application\/x-msdownload; name="?[a-zA-Z0-9]*\.(exe|com|bat|scr|pif)"?/ DISCARD
EOF
- cyrus_destination_recipient_limit
cyrus_destination_recipient_limit=1
Then we have some more interesting changes to main.cf
AMaViS changes
content_filter = smtp-amavis:[127.0.0.1]:10024
Virtual Mailboxes
This is where we declare our virtual domains.
Warning
You must not put a domain in virtual_mailbox_domains that is referenced in $mydestination. Bad things will happen.
virtual_transport = lmtp:unix:/var/imap/socket/lmtp
virtual_mailbox_domains = example.org example.net
virtual_mailbox_maps = dbm:/etc/postfix/vmailbox
virtual_alias_maps = dbm:/etc/postfix/virtual pcre:/etc/postfix/virtual_pcre
SASL Changes
# enable SASL support in the SMTP server
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $mydomain
# allow mail relaying by authenticated clients
# default was permit_mynetworks, reject_unauth_destination
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination
STARTTLS
Note here that we're implying that our authenticated users will be trying to access the host smtp.example.com.
smtpd_tls_cert_file = /etc/postfix/smtp.example.com.pem
smtpd_tls_key_file = $smtpd_tls_cert_file
smtpd_tls_loglevel = 0
smtpd_use_tls = yes
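A check for the two mistakes this configuration invites, as an added example that is not part of the original page: a domain listed in both $mydestination and virtual_mailbox_domains (the warning under Virtual Mailboxes), and SASL AUTH accepted on connections that have not done STARTTLS. The function names, the sample main.cf and the host name mail.example.org are constructed for illustration; smtpd_tls_auth_only is a standard Postfix parameter that the page does not set.

```sh
#!/bin/sh
# Added example, not from the original page. Function names are hypothetical.

# param FILE NAME: value of the last "NAME = value" entry, continuations joined
param() {
    awk -v want="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }                     # comment or blank
        /^[ \t]/ { if (cur == want) val = val " " $0; next }  # continuation line
        { eq = index($0, "="); cur = substr($0, 1, eq - 1); gsub(/[ \t]/, "", cur)
          if (eq && cur == want) val = substr($0, eq + 1) }
        END { gsub(/^[ \t]+|[ \t]+$/, "", val); print val }' "$1"
}

# values FILE NAME HOST DOMAIN: list parameter with $myhostname and $mydomain
# expanded, one lower-cased entry per line
values() {
    param "$1" "$2" | sed -e "s/[$]myhostname/$3/g" -e "s/[$]mydomain/$4/g" |
        tr 'A-Z, \t' 'a-z\n\n\n' | sed '/^$/d'
}

# overlap FILE HOST DOMAIN: domains in both lists; a clean config prints nothing
overlap() {
    dest=$(values "$1" mydestination "$2" "$3")
    values "$1" virtual_mailbox_domains "$2" "$3" | while read -r d; do
        if printf '%s\n' "$dest" | grep -Fxq -- "$d"; then printf '%s\n' "$d"; fi
    done
}

# auth_findings FILE: one line per weakness in the SASL/STARTTLS settings
auth_findings() {
    [ "$(param "$1" smtpd_sasl_auth_enable)" = yes ] || return 0
    if [ "$(param "$1" smtpd_use_tls)" != yes ]; then
        echo "smtpd_use_tls is not yes: AUTH is only ever offered without encryption"
    elif [ "$(param "$1" smtpd_tls_auth_only)" != yes ]; then
        echo "smtpd_tls_auth_only is not yes: AUTH is accepted before STARTTLS"
    fi
}

# Constructed sample: the page's settings on a host whose $mydomain is example.org
sample=$(mktemp)
cat > "$sample" <<'EOF'
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
virtual_mailbox_domains = example.org
    example.net
smtpd_sasl_auth_enable = yes
smtpd_use_tls = yes
EOF
overlap "$sample" mail.example.org example.org
auth_findings "$sample"
```

On a running system `postconf -h NAME` returns the effective value of a parameter, defaults included, which the file parser above cannot see.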
master.cf
We basically need to tell Postfix that we're using Cyrus and AMaViS.
Cyrus
The default entry for Cyrus has the wrong path:
user=cyrus argv=/usr/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
AMaViS Alterations
smtp-amavis unix - - n - 2 lmtp
    -o lmtp_data_done_timeout=1200
    -o lmtp_send_xforward_command=yes
    -o disable_dns_lookups=yes
    -o max_use=20
127.0.0.1:10025 inet n - n - - smtpd
    -o content_filter=
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o smtpd_restriction_classes=
    -o smtpd_delay_reject=no
    -o smtpd_client_restrictions=permit_mynetworks,reject
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks_style=host
    -o mynetworks=127.0.0.0/8
    -o strict_rfc821_envelopes=yes
    -o smtpd_error_sleep_time=0
    -o smtpd_soft_error_limit=1001
    -o smtpd_hard_error_limit=1000
    -o smtpd_client_connection_count_limit=0
    -o smtpd_client_connection_rate_limit=0
    -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks
Virtual Mailbox Configuration
Declaring Virtual Mailboxes
Remember here that you can only create entries for non-default domain users. Let's assume that we've settled on a default domain of example.com and that we're hosting virtual user accounts in the example.{org,net} domains.
Postfix will only find out about the absence of a mailbox for a user in the default domain when the delivery mechanism (Cyrus via lmtp) fails. It should spot an absent virtual mailbox a little quicker as it must be defined in vmailbox:
cat <<EOF >> /etc/postfix/vmailbox
# info@example.org dummy-value
# @example.net dummy-value
EOF
chmod g-w /etc/postfix/vmailbox
(cd /etc/postfix; postmap vmailbox)
Virtual Mailbox Aliases
virtual allows for simple account mapping. You might well leave it empty preferring the power of Perl in virtual_pcre.
cat <<EOF >> /etc/postfix/virtual
# postmaster@example.org postmaster
EOF
(cd /etc/postfix; postmap virtual)
You can do much more with Perl's regexps:
# Quote the here-document delimiter so the shell leaves $1 for Postfix to substitute.
cat <<'EOF' >> /etc/postfix/virtual_pcre
/^((?:post|host|web)master)@/ $1
/^([^@]+)@example\.net$/ $1@example.org
EOF
Here, the first line maps any of the usual administrative accounts to the equivalent in the default domain (the default domain is chosen because the mapping doesn't contain an @).
The second example maps any user in example.net to the equivalent user in example.org.
Makefile
I always forget what needs to be updated. It's much easier to edit files willy-nilly then type make:
cat <<EOF > /etc/postfix/Makefile
ALIASES_SRC = /etc/mail/aliases
DBM_MAP_SRCS = vmailbox virtual

ALIASES = \$(patsubst %,%.pag,\${ALIASES_SRC})
MAPS = \$(patsubst %,%.pag,\${DBM_MAP_SRCS})

all : \${ALIASES} \${MAPS}
	postfix check
	postfix reload

\${ALIASES} : \${ALIASES_SRC}
	newaliases

%.pag : %
	postmap /etc/postfix/\$*
EOF
chmod g-w /etc/postfix/Makefile
Ordinary Aliases
We still need to maintain aliases for the default domain. I told you it was a pain.
cat <<EOF >> /etc/mail/aliases
hostmaster: root
webmaster: root
postfix: root
abuse: root
# AMaViS
virusalert: spam
spamalert: spam
virus-quarantine: spam
spam-quarantine: spam
spam.police: spam
EOF
newaliases
Startup
Note
Where's SMF?
cat <<EOF >/etc/init.d/mail
#! /bin/ksh

# start/stop all mail services

action="\$1"
shift

case "\${action}" in
start)
    echo "mail: \${action}: \c"
    # for x in saslauthd cyrus clamav amavis ; do
    for x in cyrus clamav amavis ; do
        echo "\$x \c"
        /sbin/sh /etc/init.d/\$x \${action}
    done
    echo "postfix"
    postfix start
    ;;
stop)
    echo "postfix"
    postfix stop
    echo "mail: \${action}: \c"
    # for x in amavis clamav cyrus saslauthd ; do
    for x in amavis clamav cyrus ; do
        echo "\$x \c"
        /sbin/sh /etc/init.d/\$x \${action}
    done
    ;;
esac
EOF
chmod a+x /etc/init.d/mail
ln /etc/init.d/mail /etc/rc2.d/S88mail
ln /etc/init.d/mail /etc/rc2.d/K88mail
Modify SASL setup
In order that incoming requests to use our SMTP service can be authenticated (using the same credentials as users use to read their email over IMAP) we need to tell the SMTP daemon (within Postfix) to use the /etc/sasldb2.* files:
cat <<EOF > /usr/local/cyrus-sasl-2.1.21/lib/sasl2/smtpd.conf
pwcheck_method: auxprop
EOF
SSL
Generate a key for smtp.example.com