I also wrote a how-to on this about 3 years ago. I hope it can help. Kirk Cerny
On Thu, Sep 4, 2008 at 12:08 PM, Andrew Jorgensen <[EMAIL PROTECTED]> wrote:
> On Wed, Sep 3, 2008 at 6:25 PM, Charles Curley <[EMAIL PROTECTED]> wrote:
>> How can I use Postfix to send mail from my laptop (say) to my ISP,
>> using SMTP AUTH? I have Postfix (postfix-2.5.1-2ubuntu1.1--i386)
>> running on the laptop (Ubuntu 8.04, Hungry Hippo) for local delivery.
>
> http://andrew.jorgensenfamily.us/2007/04/postfix-client-authentication/
> Let me know if my instructions are worthless, I'll amend them.
>
>> For one thing, what packages in addition to postfix itself do I need?
>
> I don't recall if you need an actual sasl package (cyrus?). I think
> that's only needed when people are authenticating to your server.
>
> /*
> PLUG: http://plug.org, #utah on irc.freenode.net
> Unsubscribe: http://plug.org/mailman/options/plug
> Don't fear the penguin.
> */
<html>
<head>
<title>
Postfix How-To
</title>
<link href="postfix_help.css" rel="stylesheet" type="text/css" />
</head>
<body>
<h1>
Kirk's Postfix How-To
</h1>
<div>
<a href="#utilities">Postfix Commands</a>
</div>
<div>
<a href="#install">Installation</a>
</div>
<hr />
<div>
<div>
<a name="utilities"></a>
Postfix Command Line Utilities
</div>
<ol>
<li>
The postfix command starts and stops the mail system and
reloads its configuration after you edit main.cf or master.cf.
<div class="cmd" >
postfix start|stop|reload
</div>
<br />
The postalias command creates an
indexed alias file map.
<div class="cmd" >
postalias <span
class="user_spec">/etc/aliases</span> or newaliases
</div>
<br />
The postcat command prints the content of a queued message,
given its queue ID (the first column of mailq output).
<div class="cmd" >
postcat -q <span
class="user_spec">queue_id</span>
</div>
<br />
The postmap command makes indexed maps
from flat files.
<div class="cmd" >
postmap <span
class="user_spec">/etc/postfix/roleaccount_exceptions</span>
</div>
</li>
</ol>
</div>
<div>
<div>
<a name="install"></a>
Programs For This Setup
</div>
<ol>
<li>
<strong>Cyrus SASL</strong> - Download
current version at <a href="ftp://ftp.andrew.cmu.edu/pub/cyrus-mail/"
>ftp://ftp.andrew.cmu.edu/pub/cyrus-mail/</a>
</li>
<li>
<strong>Open SSL</strong> - Download
current version at <a href="http://www.openssl.org/">http://www.openssl.org/</a>
</li>
<li>
<strong>Perl Compatible Regular
Expressions</strong> - Download current version at <a
href="http://www.pcre.org/">http://www.pcre.org/</a>
</li>
<li>
<strong>Postfix</strong> - Download
current version at <a href="http://www.postfix.org/" >http://www.postfix.org</a>
</li>
<li>
<strong>Amavisd-new</strong> - Download
current at <a
href="http://www.ijs.si/software/amavisd/">http://www.ijs.si/software/amavisd/</a>
</li>
<li>
<strong>ClamAV</strong> - Download
current at <a href="http://www.clamav.net/">http://www.clamav.net/</a>
</li>
<li>
<strong>SpamAssassin</strong> - Use cpan to install
Mail::SpamAssassin
</li>
</ol>
<ol>
<li>
Download SASL2
<a
href="ftp://ftp.andrew.cmu.edu/pub/cyrus-mail/"
>ftp://ftp.andrew.cmu.edu/pub/cyrus-mail/</a>
<div class="cmd" >
tar zxvf <span
class="user_spec" >filename</span>
</div>
<div class="cmd" >
./configure
--with-plugindir=/usr/lib/sasl2 --disable-java --disable-krb4
--with-dblib=berkeley --enable-plain --enable-login
</div>
<div class="cmd" >
make
</div>
<div class="cmd" >
make install
</div>
<div class="cmd" >
ln -s /usr/local/lib/sasl2
/usr/lib/sasl2
</div>
<div>
Look at <a
href="http://www.postfix.org/SASL_README.html">http://www.postfix.org/SASL_README.html</a>
for SASL/Postfix compile arg
help.
</div>
<br />
<div>
Check that syslogd is set up to
log Cyrus SASL messages; they go to the auth facility.
<br />
Add the following to your
syslog.conf, and then restart syslogd.
<br />
Your syslog.conf is most likely
located at /etc/syslog.conf.
<br />
<span class="cmd" >auth.*
/var/log/auth</span>
<br />
<br />
To restart syslogd run
<span
class="cmd">/etc/rc.d/init.d/syslogd restart</span>
<br />
Create or edit the Postfix SASL
configuration file, smtpd.conf.
By default Cyrus SASL looks for it in
/usr/lib/sasl2, the plugin directory.
<br />
Debian users must put
smtpd.conf in /etc/postfix/sasl to make SASL auth work.
<br />
<span class="cmd" >touch
/usr/lib/sasl2/smtpd.conf</span>
<br />
<span class="cmd" >chmod 644
/usr/lib/sasl2/smtpd.conf</span>
<br />
In smtpd.conf each
parameter and its value must be on a single line.
<br />
Every parameter name ends with a
colon, and a space separates the name from its value.
<br />
The first parameter to
configure is log_level.
</div>
<br />
<table border="1" cellpadding="1"
cellspacing="0" >
<tr>
<td>
<strong>log_level</strong>
</td>
<td>
<strong>Description</strong>
</td>
</tr>
<tr>
<td>
0
</td>
<td>
No Logging
</td>
</tr>
<tr>
<td>
1
</td>
<td>
Log unusual
errors - This is the default
</td>
</tr>
<tr>
<td>
2
</td>
<td>
Log all
authentication errors
</td>
</tr>
<tr>
<td>
3
</td>
<td>
Log nonfatal
warnings
</td>
</tr>
<tr>
<td>
4
</td>
<td>
More verbose
than 3
</td>
</tr>
<tr>
<td>
5
</td>
<td>
More verbose
than 4
</td>
</tr>
<tr>
<td>
6
</td>
<td>
Log traces of
internal protocols
</td>
</tr>
<tr>
<td>
7
</td>
<td>
Log traces of
internal protocols, including passwords
</td>
</tr>
</table>
<br />
<div>
While you configure and test
SASL, set the log level to at least 3.
<br />
# Global Parameters
<br />
<span class="cmd">log_level:
3</span>
<br />
<span
class="cmd">pwcheck_method: saslauthd</span>
<br />
<span class="cmd">mech_list:
PLAIN LOGIN</span>
<br />
saslauthd can only verify clear-text passwords, so with pwcheck_method: saslauthd
the mech_list has to stay limited to PLAIN and LOGIN; CRAM-MD5 and DIGEST-MD5 need an
auxprop backend such as sasldb instead.
<br />
<br />
Run <span class="cmd">saslauthd
-v</span> to get a list of authentication backends that your saslauthd supports.
<br />
<table border="1"
cellpadding="1" cellspacing="0" width="600" >
<tr>
<td>
ANONYMOUS
</td>
<td>
The
ANONYMOUS mechanism authenticates anyone; combined with permit_sasl_authenticated
it turns your server into an open relay.
Do not
use it.
</td>
</tr>
<tr>
<td>
CRAM-MD5,DIGEST-MD5
</td>
<td>
The
Cyrus SASL library supports two "shared secret" mechanisms:
CRAM-MD5 and its successor, DIGEST-MD5.
These
methods rely on the client and the server sharing a secret, usually a password.
The
server sends a challenge, and the client's response proves that it knows the shared
secret without sending it.
This is
much better than simply sending an unencrypted password over the network,
but the
server still needs to store the secret in recoverable form, and a captured
challenge/response pair can be attacked offline with a dictionary.
</td>
</tr>
<tr>
<td>
PLAIN,LOGIN
</td>
<td>
Both send
the username and password base64-encoded, and base64 is an encoding, not encryption:
anyone who can sniff the session gets the password.
Offer
them only after STARTTLS (smtpd_tls_auth_only = yes, see the TLS section below).
</td>
</tr>
</table>
<br />
Create the state directory where
saslauthd keeps its socket and PID file.
<br />
Run <span class="cmd">saslauthd
-a shadow -d</span>, and look for the run_path.
<br />
The -d is for debug; it keeps saslauthd in the foreground.
<br />
The run_path is where saslauthd
will attempt to create a socket.
<br />
If the directory does not
exist, create it and make it accessible only to root and the group Postfix runs as;
smtpd has to connect to the socket inside it.
<br />
I created it like this
<br />
<span class="cmd">mkdir
/var/run/saslauthd</span>
<br />
<span class="cmd">chown
root:postfix /var/run/saslauthd</span>
<br />
<span class="cmd">chmod 750
/var/run/saslauthd</span>
<br />
<br />
You can tell the saslauthd
daemon what directory to create the socket file in with the -m option such as
<br />
<span class="cmd">saslauthd -m
/var/run/saslauthd -a shadow</span>
<br />
<br />
Edit smtpd.conf again, and
add the path of the saslauthd socket (the mux file in the state directory)
<br />
# saslauthd parameters
<br />
<span
class="cmd">saslauthd_path: /var/run/saslauthd/mux</span>
<br />
<br />
Create the postfix SASL
configuration file.
<br />
I just created a link to the
smtpd.conf.
<br />
<span class="cmd">cd
/usr/lib/sasl2</span>
<br />
<span class="cmd">ln -s
smtpd.conf sample.conf</span>
<br />
<span class="cmd">ln -s
/usr/local/lib/libsasl2.so.2 /usr/lib/libsasl2.so.2</span>
<br />
<br />
Start saslauthd
<br />
<span class="cmd">saslauthd -m
/var/run/saslauthd -a shadow</span>
</div>
</li>
<br />
<li>
Download PCRE <a
href="http://www.pcre.org/" >pcre.org</a>
<div class="cmd" >
./configure
</div>
<div class="cmd" >
make
</div>
<div class="cmd" >
make test
</div>
<div class="cmd" >
make install
</div>
</li>
<br />
<li>
Download OpenSSL <a
href="http://www.openssl.org/" >openssl.org</a>
<div class="cmd" >
./config
</div>
<div class="cmd" >
make
</div>
<div class="cmd" >
make test
</div>
<div class="cmd" >
make install
</div>
</li>
<br />
<li>
Download Postfix
<a href="http://www.postfix.org/"
>postfix.org</a>
<br />
Create the accounts Postfix runs as.
<br />
I created a postfix user and a postdrop
user
<br />
<div class="cmd" >
useradd postfix
</div>
<div class="cmd" >
useradd postdrop
</div>
<br />
<div>
Postfix itself needs a postfix user and a postdrop group (the setgid group for the
maildrop queue); useradd creates a matching group on most distributions.
Turn off the shell for these
users.
</div>
<div class="cmd" >
vi /etc/passwd
</div>
Change the postfix and postdrop shell
to <span class="cmd" >/bin/false</span>
<br />
<br />
Make The Makefiles - I used the
following command.
<br />
<span class="cmd" >make tidy</span>
- Only if you have built it before
<br />
<div class="cmd" >
make makefiles
CCARGS="-DUSE_TLS -I/usr/local/ssl/include -DUSE_SASL_AUTH -DUSE_CYRUS_SASL
-I/usr/local/include/sasl" AUXLIBS="-L/usr/local -lssl -lcrypto
-L/usr/local/lib -lsasl2"
</div>
<div>
If OpenSSL went to its default prefix, its libraries are in /usr/local/ssl/lib, so
the AUXLIBS entry that matches the include path above is -L/usr/local/ssl/lib.
</div>
<div class="cmd" >
make
</div>
<div class="cmd" >
make install or make upgrade
</div>
<br />
Edit /etc/postfix/main.cf
<br />
<br />
<div>
# The myhostname parameter
specifies the internet hostname of this
<br />
# mail system. The default is
to use the fully-qualified domain name
<br />
# from gethostname().
$myhostname is used as a default value for many
<br />
# other configuration
parameters.
<br />
<span class="cmd" >myhostname =
mail.example.com</span>
<br />
<br />
# The mydomain parameter
specifies the local internet domain name.
<br />
# The default is to use
$myhostname minus the first component.
<br />
# $mydomain is used as a
default value for many other configuration parameters.
<br />
<span class="cmd" >mydomain =
example.com</span>
<br />
<br />
# The mydestination parameter
specifies the list of domains that this
<br />
# machine considers itself the
final destination for. Add $myhostname and localhost.$mydomain
<br />
# as well if mail addressed to the host itself should be delivered locally.
<br />
<span class="cmd"
>mydestination = $mydomain</span>
<br />
<br />
# The myorigin parameter
specifies the domain that locally-posted
<br />
# mail appears to come from.
The default is to append $myhostname,
<br />
# which is fine for small sites.
<br />
<span class="cmd" >myorigin =
$mydomain</span>
<br />
<br />
Start postfix
<div class="cmd" >
postfix start
</div>
<br />
Send a test message
<div class="cmd" >
echo foo |
/usr/sbin/sendmail -f root root && tail -f /var/log/maillog
</div>
<br />
<br />
</li>
<li>
<div>
Configure Postfix To
Use Cyrus SASL
</div>
<br />
Make sure postfix has been
compiled with SASL support.
<br />
Run <span class="cmd">ldd
`postconf -h daemon_directory`/smtpd</span> (smtpd is the server side; the smtp client links the same library)
<br />
And look for libsasl2.so.2 =>
/usr/lib/libsasl2.so.2 in the output
<br />
<br />
Enable SASL in postfix
<br />
Add <span class="cmd">smtpd_sasl_auth_enable =
yes</span> to /etc/postfix/main.cf
<br />
Decide what SASL security options Postfix should offer
<br />
<span class="cmd">smtpd_sasl_security_options = <span
class="user_spec">options</span></span>
<br />
The options are:
<br />
<table border="1"
cellpadding="1" cellspacing="0" width="600" >
<tr>
<td>
noanonymous
</td>
<td>
make
sure to list this one so that your machine is not an open relay
</td>
</tr>
<tr>
<td>
noplaintext
</td>
<td>
this
excludes all plaintext mechanisms (PLAIN and LOGIN)
</td>
</tr>
<tr>
<td>
noactive
</td>
<td>
this
excludes SASL mechanisms that are susceptible to active attacks
</td>
</tr>
<tr>
<td>
nodictionary
</td>
<td>
this
excludes all mechanisms that can be broken with a passive dictionary attack
</td>
</tr>
<tr>
<td>
mutual_auth
</td>
<td>
allows
only mechanisms that provide mutual authentication.
</td>
</tr>
<tr>
<td colspan="2"
>
I allow
plaintext login because I first require an SSL connection.
</td>
</tr>
</table>
Add <span class="cmd">broken_sasl_auth_clients =
yes</span> to main.cf if you have old Microsoft clients (Outlook Express and friends)
that only recognise the non-standard "AUTH=" form of the EHLO announcement; Postfix
then advertises both forms.
<br />
Enabling SASL only lets clients authenticate. To let authenticated clients relay,
add permit_sasl_authenticated to smtpd_recipient_restrictions in main.cf, ahead of
reject_unauth_destination.
<br />
<br />
<br />
</li>
<li>
<div>
TLS Configuration
<div>
<br />
<a
href="http://postfix.state-of-mind.de/patrick.koetter/smtpauth/postfix_tls_support.html">http://postfix.state-of-mind.de/patrick.koetter/smtpauth/postfix_tls_support.html</a>
</div>
<div>
TLS (Transport Layer
Security) is the successor to SSL.
<br />
Once the handshake is done,
it encrypts everything the two hosts exchange.
<br />
With SMTP AUTH and
the PLAIN or LOGIN mechanisms, usernames and passwords otherwise cross
the internet in clear text.
<br />
This means that anyone
who can sniff the connection can read the passwords.
<br />
If you don't want that,
use TLS and offer AUTH only after STARTTLS.
</div>
Make sure postfix has been
compiled with SSL support
<div class="cmd" >
ldd
/usr/libexec/postfix/smtpd
</div>
Look for libssl (libssl.so.*) in the
output; the version suffix depends on your OpenSSL build
<br />
<br />
Create The Certificate And Keys
<div class="cmd" >
cd /usr/local/ssl
<br />
cd misc
<br />
cp CA CA_nodes
<br />
vi CA_nodes
</div>
<br />
Add "-nodes" to two of the
lines in CA_nodes, so the private key is written without a passphrase
(Postfix is a daemon and cannot type one at startup)
<br />
# create a certificate
<br />
$REQ -new <span
class="cmd">-nodes</span> -x509 -keyout newreq.pem -out newreq.pem $DAYS
<br />
# create a certificate request
<br />
$REQ -new <span
class="cmd">-nodes</span> -keyout newreq.pem -out newreq.pem $DAYS
<br />
<br />
Make yourself a Certificate
Authority CA.
<div class="cmd">
./CA_nodes -newca
</div>
<br />
Make the certificate
<div class="cmd">
./CA_nodes -newreq
</div>
<br />
Sign The Certificate
<div class="cmd">
./CA_nodes -sign
</div>
<br />
<div class="cmd">
mkdir /etc/postfix/certs
<br />
cp newreq.pem
/etc/postfix/certs/postfix_private_key.pem
<br />
cp newcert.pem
/etc/postfix/certs/postfix_public_cert.pem
<br />
cp demoCA/cacert.pem
/etc/postfix/certs/
</div>
<br />
The unencrypted key is the secret of this setup: keep
/etc/postfix/certs/postfix_private_key.pem owned by root with mode 600.
Postfix reads the key before it drops privileges, so nothing else needs access to it.
<br />
Add the following to
/etc/postfix/main.cf
<br />
<br />
<div>
# START TLS OR SSL
SUPPORT FOR CLIENTS
<br />
smtpd_use_tls = yes
<br />
smtpd_tls_auth_only =
yes
<br />
smtpd_tls_key_file =
/etc/postfix/certs/postfix_private_key.pem
<br />
smtpd_tls_cert_file =
/etc/postfix/certs/postfix_public_cert.pem
<br />
smtpd_tls_loglevel = 0
<br />
# END TLS OR SSL
SUPPORT FOR CLIENTS
</div>
<br />
<div>
Test your mail setup with SASL and TLS: with smtpd_tls_auth_only = yes a plain EHLO
must list STARTTLS but no AUTH line, and the EHLO after STARTTLS must list AUTH with
exactly the mechanisms in your mech_list. On Postfix 2.3 and later,
smtpd_tls_security_level = may is the preferred spelling of smtpd_use_tls = yes, and
smtpd_tls_loglevel = 1 is handy while testing.
</div>
</div>
</li>
<br />
<li>
SpamAssassin
<div class="cmd" >
cpan
<br />
install Mail::SpamAssassin
</div>
</li>
<br />
<li>
ClamAV <a
href="http://www.clamav.net/">http://www.clamav.net/</a>
<div class="cmd">
./configure
<br />
make
<br />
make install
</div>
<div class="cmd">
useradd clamav
</div>
Make a log file for clamd
<div class="cmd" >
touch /var/log/clamd.log
<br />
vi /usr/local/etc/clamd.conf
</div>
<br />
Comment out the Example line at the top
and turn on LogTime
<br />
<br />
FreshClam comes with ClamAV - It is
used to get the new virus definition files
<br />
Make a log file for freshclam
<div class="cmd" >
touch /var/log/freshclam.log
<br />
vi /usr/local/etc/freshclam.conf
</div>
<br />
Comment out the Example line at the top
<br />
DatabaseDirectory
/usr/local/share/clamav
<br />
UpdateLogFile /var/log/freshclam.log
<br />
DatabaseMirror db.us.clamav.net
<br />
DatabaseMirror database.clamav.net
<br />
<br />
Make the FreshClam cron to update the
virus definition file automatically
<div class="cmd" >
crontab -e
<br />
50 */3 * * *
/usr/local/bin/freshclam --quiet
</div>
<br />
Create a cron job to clean up old quarantined mail
<br />
Put the following in
/usr/share/custom/virusemail_cleanup.sh
<br />
vi
/usr/share/custom/virusemail_cleanup.sh
<br />
<br />
<pre>
#!/bin/sh
# delete quarantined virus/spam mail older than 7 days
# -type f keeps find from trying to rm the quarantine directory itself
find /var/virusmails -type f -mtime +6 -exec rm -f {} \;
</pre>
<br />
<div class="cmd" >
crontab -e
<br />
0 2 * * *
/usr/share/custom/virusemail_cleanup.sh
</div>
</li>
<br />
<li>
Amavisd-New
<div class="cmd" >
useradd amavis
<br />
mkdir /var/amavis
<br />
mkdir /var/amavis/tmp
/var/amavis/var /var/amavis/db /var/amavis/home
<br />
chown -R amavis:amavis
/var/amavis
<br />
chmod -R 750 /var/amavis
<br />
cp amavisd /usr/local/sbin
<br />
chown root
/usr/local/sbin/amavisd
<br />
chmod 755
/usr/local/sbin/amavisd
<br />
cp amavisd.conf /etc/
<br />
chown root /etc/amavisd.conf
<br />
chmod 644 /etc/amavisd.conf
<br />
mkdir /var/virusmails
<br />
chown amavis:amavis
/var/virusmails
<br />
chmod 750 /var/virusmails
<br />
vi /etc/amavisd.conf
<br />
</div>
<br />
$max_servers = 2;
<br />
$daemon_user = 'amavis';
<br />
$daemon_group = 'amavis';
<br />
$mydomain = 'example.com';
<br />
$MYHOME = '/var/amavis';
<br />
$TEMPBASE = "$MYHOME/tmp";
<br />
$ENV{TMPDIR} = $TEMPBASE;
<br />
$QUARANTINEDIR = '/var/virusmails';
<br />
<br />
Attempt to start amavis-new in debug
mode
<div class="cmd">
amavisd debug
</div>
Use cpan to get the perl modules you
need
<br />
<br />
Required Perl Modules
<br />
<div>
Archive::Tar (Archive-Tar-x.xx)
<br />
Archive::Zip (Archive-Zip-x.xx) (1.14
or later should be used!)
<br />
Compress::Zlib (Compress-Zlib-x.xx)
(1.35 or later)
<br />
Convert::TNEF (Convert-TNEF-x.xx)
<br />
Convert::UUlib (Convert-UUlib-x.xxx)
(1.05 or later, stick to new versions!)
<br />
MIME::Base64 (MIME-Base64-x.xx)
<br />
MIME::Parser (MIME-Tools-x.xxxx)
(latest version from CPAN - currently 5.417)
<br />
Mail::Internet (MailTools-1.58 or later
have workarounds for Perl 5.8.0 bugs)
<br />
Net::Server (Net-Server-x.xx)
(version 0.88 finally does setuid right, DO NOT USE VERSION .91 ! )
<br />
Net::SMTP (libnet-x.xx,
ports/net/p5-Net) (>= libnet-1.16 for performance)
<br />
Digest::MD5 (Digest-MD5-x.xx) (2.22
or later)
<br />
IO::Stringy (IO-stringy-x.xxx)
<br />
Time::HiRes (Time-HiRes-x.xx) (use
1.49 or later, older can cause problems)
<br />
Unix::Syslog (Unix-Syslog-x.xxx)
<br />
BerkeleyDB with bdb library 3.2 or
later (4.2 or later preferred)
<br />
<br />
Optional Perl modules:
<br />
Mail::SpamAssassin for doing
spam scanning (2.64 or 3.0.4 or >=3.1)
<br />
DBI with appropriate DBD::* if using
SQL lookups
<br />
Net::LDAP if using
LDAP lookups
<br />
Authen::SASL authenticating on
mail forwarding and on submitting DSN
<br />
Mail::ClamAV Perl module
interface to ClamAV library
<br />
SAVI Perl module
interface to Sophos library (0.30 or later)
</div>
<br />
After you get all the perl modules
start amavisd-new
<div class="cmd">
amavisd
</div>
</li>
<br />
<li>
Configure Postfix to use amavisd-new
<div class="cmd">
vi /etc/postfix/master.cf
</div>
Make it look like this
<br />
<hr />
<pre>
# ==========================================================================
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (yes) (never) (100)
# ==========================================================================
smtp inet n - n - - smtpd
127.0.0.1:10025 inet n - n - - smtpd
-o content_filter=
-o local_recipient_maps=
-o relay_recipient_maps=
-o smtpd_restriction_classes=
-o smtpd_client_restrictions=
-o smtpd_helo_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,reject
-o mynetworks=127.0.0.0/8
-o strict_rfc821_envelopes=yes
#submission inet n - n - - smtpd
# -o smtpd_etrn_restrictions=reject
# -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#smtps inet n - n - - smtpd
# -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
#submission inet n - n - - smtpd
# -o smtpd_etrn_restrictions=reject
# -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes
#628 inet n - n - - qmqpd
amavisd-new unix - - n - 2 smtp
-o smtp_data_done_timeout=1200s
-o disable_dns_lookups=yes
</pre>
<hr />
<br />
Edit main.cf to use amavisd-new
<div class="cmd">
vi /etc/postfix/main.cf
</div>
Add the following
<br />
<br />
# amavisd-new is the program that
hands mail to external scanners such as SpamAssassin and ClamAV
<br />
# comment out this line to turn off
content filtering
<br />
content_filter =
amavisd-new:[127.0.0.1]:10024
<br />
</li>
<br />
<li>
Make postfix start at boot time, and
turn off sendmail at boot time
<div class="cmd">
chkconfig --list sendmail
<br />
chkconfig --del sendmail
<br />
vi /etc/rc.d/rc.local
<br />
/usr/sbin/saslauthd -m
/var/run/saslauthd -a shadow
<br />
/usr/local/sbin/amavisd
<br />
/usr/local/bin/freshclam --quiet
<br />
</div>
A source install has no init script for Postfix, so rc.local also needs a line that
runs postfix start (after saslauthd and amavisd, which it talks to), and one for clamd
if amavisd-new scans with it.
</li>
<br />
<li>
Watch The Error Log And Test Test Test
- Thanks For Playing
</li>
</ol>
</div>
</body>
</html>
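An added check for the SASL-over-TLS part of the how-to above, written for this page and not taken from Kirk's how-to or from Postfix: it builds the AUTH PLAIN credential the way a client does (which is all "base64-encoded plaintext" means, and why the PLAIN/LOGIN row of the mechanism table insists on TLS), decodes it the way a sniffer would, and inspects EHLO responses for the posture that smtpd_tls_auth_only = yes and mech_list: PLAIN LOGIN should produce, which is the "test your mail setup with SASL and TLS" step made concrete. The EHLO transcripts are constructed, not captured; mail.example.com and the test/testpass credentials are placeholders; and live_auth_probe assumes a reachable server on port 25 and is not run by the checks.

```shell
#!/bin/sh
# Added example, not part of Kirk's how-to: offline checks for the SASL + TLS
# posture the how-to configures (smtpd_tls_auth_only = yes, mech_list PLAIN LOGIN).
# EHLO transcripts below are constructed, not captured; mail.example.com,
# "test" and "testpass" are placeholders.

# Build the AUTH PLAIN credential a client sends:
#   base64( NUL authzid NUL authcid NUL password ), with an empty authzid.
# "base64-encoded plaintext" means exactly this: encoding, not encryption.
sasl_plain_token() {
    printf '\0%s\0%s' "$1" "$2" | base64 | tr -d '\n'
}

# What a sniffer does with a token captured on a non-TLS session:
# decode it and print user:password.
sasl_plain_decode() {
    printf '%s' "$1" | base64 -d | tr '\000' ':' | sed 's/^://'
}

# Normalise an EHLO response (strip CRs) so the checks below can grep it.
ehlo_lines() {
    printf '%s\n' "$1" | tr -d '\r'
}

# True when the response advertises keyword $2 (AUTH or STARTTLS). Matches both
# "250-AUTH PLAIN LOGIN" and the "250-AUTH=PLAIN LOGIN" form that
# broken_sasl_auth_clients = yes adds.
ehlo_offers() {
    ehlo_lines "$1" | grep -Eq "^250[- ]$2([ =]|\$)"
}

# Before STARTTLS the server must offer STARTTLS and must NOT offer AUTH;
# that is what smtpd_tls_auth_only = yes enforces. Returns 0 when correct.
check_pre_tls_ehlo() {
    if ehlo_offers "$1" AUTH; then
        echo "FAIL: AUTH offered on the clear-text channel; set smtpd_tls_auth_only = yes"
        return 1
    fi
    if ! ehlo_offers "$1" STARTTLS; then
        echo "FAIL: no STARTTLS; check smtpd_use_tls and the cert/key paths in main.cf"
        return 1
    fi
    echo "OK: STARTTLS offered, no AUTH before TLS"
}

# After STARTTLS the server must offer AUTH, and every advertised mechanism
# must be in the space-separated allow-list $2. Returns 0 when correct.
check_post_tls_ehlo() {
    mechs=$(ehlo_lines "$1" | sed -n 's/^250[- ]AUTH //p')
    if [ -z "$mechs" ]; then
        echo "FAIL: no AUTH after STARTTLS; check smtpd_sasl_auth_enable and saslauthd"
        return 1
    fi
    for m in $mechs; do
        case " $2 " in
            *" $m "*) ;;
            *) echo "FAIL: unexpected mechanism $m; tighten mech_list or smtpd_sasl_security_options"
               return 1 ;;
        esac
    done
    echo "OK: AUTH offers only: $mechs"
}

# Live version of the same check (needs a reachable server; not run here).
# openssl s_client does the STARTTLS handshake; inside the TLS session type
# EHLO probe / AUTH PLAIN <token> / QUIT by hand. A 235 reply means the whole
# saslauthd + Postfix + TLS chain works.
live_auth_probe() {  # $1 = host
    openssl s_client -starttls smtp -connect "$1:25" -crlf
}

# Constructed transcripts (not real captures).
EHLO_LEAKY='250-mail.example.com
250-PIPELINING
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250 8BITMIME'

EHLO_PRE_TLS='250-mail.example.com
250-PIPELINING
250-STARTTLS
250 8BITMIME'

EHLO_POST_TLS='250-mail.example.com
250-PIPELINING
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250 8BITMIME'

# Demo run on the constructed transcripts.
echo "AUTH PLAIN token for test/testpass: $(sasl_plain_token test testpass)"
echo "decoded by a sniffer:               $(sasl_plain_decode "$(sasl_plain_token test testpass)")"
check_pre_tls_ehlo "$EHLO_LEAKY" || true          # what smtpd_tls_auth_only = no looks like
check_pre_tls_ehlo "$EHLO_PRE_TLS"
check_post_tls_ehlo "$EHLO_POST_TLS" "PLAIN LOGIN"
```

To use it against a real server, paste the EHLO reply from a plain `telnet mail.example.com 25` session into check_pre_tls_ehlo and the reply from inside `openssl s_client -starttls smtp` into check_post_tls_ehlo; the allow-list should be exactly the mech_list from smtpd.conf, so an unexpected CRAM-MD5 or ANONYMOUS in the answer tells you the SASL side is not reading the configuration file you think it is.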
