I got a server certificate from cacert.org, so I want to have
Postfix use TLS for authorizing SMTP sending from my usual IP,
and later add mobile sending, independent of IP address, with client certificates.

For now, I just want to enable TLS with clear text passwords on IMAP email 
accounts.

Following http://www.postfix.org/SASL_README.html,
I installed sasl2 on my Debian server and confirmed it with:

testsaslauthd -u username -p password
0: OK "Success."

Reading http://www.postfix.org/TLS_README.html,
I did some config settings and concatenated the cacert public certificates together
(first my server cert, then the intermediate cacert, then the root cacert),
and pointed to the result with:

smtp_tls_cert_file = /etc/ssl/certs/tls-mail.cibolo.us.pem

I restarted everything I could think of, and get this in the logs:

Apr 21 14:30:01 mail postfix/master[22533]: reload -- version 2.9.3, configuration /etc/postfix
.
.
Apr 21 14:31:15 mail postfix/smtpd[22960]: warning: No server certs available. TLS won't be enabled

postconf:


vking@mail:~$ postconf -n
-bash: postconf: command not found
vking@mail:~$ sudo postconf -n
alias_database = cdb:/etc/aliases
alias_maps = cdb:/etc/aliases, hash:/var/lib/mailman/data/aliases
append_dot_mydomain = no
biff = no
bounce_queue_lifetime = 2d
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
default_destination_concurrency_limit = 4
default_process_limit = 40
delay_warning_time = 1h
mailbox_size_limit = 80000000
maximal_queue_lifetime = 3d
message_size_limit = 15360000
minimal_backoff_time = 2500
mydestination = localhost localhost.cibolo.us metalartists.org
mydomain = cibolo.us
myhostname = mail.cibolo.us
mynetworks = 76.191.252.85 127.0.0.0/8
myorigin = /etc/mailname
notify_classes = resource, software
recipient_delimiter = +
relayhost =
smtp_tls_CAfile = /etc/ssl/certs/cacert.org.class3.crt
smtp_tls_cert_file = /etc/ssl/certs/tls-mail.cibolo.us.pem
smtp_tls_key_file = /etc/ssl/private/mail.cibolo.us_privatekey.pem
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_client_restrictions = reject_unknown_reverse_client_hostname
smtpd_error_sleep_time = 2
smtpd_hard_error_limit = 8
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, check_helo_access cdb:/etc/postfix/helo_access, reject_non_fqdn_hostname, reject_invalid_hostname, permit
smtpd_recipient_restrictions = reject_unauth_pipelining, reject_non_fqdn_recipient, reject_unknown_recipient_domain, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, check_sender_access cdb:/etc/postfix/sender_access, check_recipient_access cdb:/etc/postfix/recipient_access, reject_unknown_sender_domain, reject_non_fqdn_recipient, check_client_access cdb:/etc/postfix/access_client_ipaddr_checks, permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = mail.cibolo.us
smtpd_sasl_security_options = noanonymous
smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_non_fqdn_sender, reject_unknown_sender_domain, permit
smtpd_soft_error_limit = 3
smtpd_tls_auth_only = no
smtpd_tls_loglevel = 2
smtpd_tls_security_level = may
tls_random_source = dev:/dev/urandom
virtual_alias_maps = mysql:/etc/postfix/mysql_virtual_alias_maps.cf, hash:/var/lib/mailman/data/virtual-mailman
virtual_gid_maps = static:2000
virtual_mailbox_base = /var/mail/vhosts
virtual_mailbox_domains = mysql:/etc/postfix/mysql_virtual_domains_maps.cf
virtual_mailbox_limit = 51200000
virtual_mailbox_maps = mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
virtual_minimum_uid = 1999
virtual_transport = virtual
virtual_uid_maps = static:2000
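
Added example, not part of the original post: a Python check over `postconf -n` output that reports when inbound TLS is requested for smtpd(8) but only the client-side `smtp_tls_*` certificate parameters are set, the condition behind the "No server certs available" warning above, and when SASL AUTH is still offered without TLS. The function names and finding codes are hypothetical; the sample input is constructed from the TLS/SASL lines of the output above.

```python
# Added example: audit `postconf -n` output for smtpd TLS settings without a server certificate.

# Constructed sample: TLS/SASL lines copied from the postconf -n output in the post.
SAMPLE = """\
smtp_tls_CAfile = /etc/ssl/certs/cacert.org.class3.crt
smtp_tls_cert_file = /etc/ssl/certs/tls-mail.cibolo.us.pem
smtp_tls_key_file = /etc/ssl/private/mail.cibolo.us_privatekey.pem
smtp_use_tls = yes
smtpd_sasl_auth_enable = yes
smtpd_tls_auth_only = no
smtpd_tls_security_level = may
"""

# smtpd (server-side) parameters that can supply a certificate.
# smtpd_tls_chain_files only exists in Postfix 3.4 and later.
SERVER_CERT_PARAMS = ("smtpd_tls_cert_file", "smtpd_tls_dcert_file",
                      "smtpd_tls_eccert_file", "smtpd_tls_chain_files")


def parse_postconf(text):
    """Parse 'name = value' lines; indented lines continue the previous value."""
    params, last = {}, None
    for line in text.splitlines():
        if line[:1] in (" ", "\t") and last:
            params[last] = (params[last] + " " + line.strip()).strip()
        elif "=" in line:
            last, value = (part.strip() for part in line.split("=", 1))
            params[last] = value
    return params


def audit_tls(params):
    """Return (code, message) findings for the inbound (smtpd) TLS setup."""
    findings = []
    tls_wanted = (params.get("smtpd_tls_security_level", "") in ("may", "encrypt")
                  or params.get("smtpd_use_tls") == "yes"
                  or params.get("smtpd_enforce_tls") == "yes")
    has_server_cert = any(params.get(p) for p in SERVER_CERT_PARAMS)
    if tls_wanted and not has_server_cert:
        findings.append(("NO_SERVER_CERT", "smtpd TLS requested but no smtpd_tls_*cert* set"))
        if params.get("smtp_tls_cert_file"):
            findings.append(("CLIENT_CERT_ONLY", "smtp_tls_cert_file is used only by the "
                             "smtp(8) client; smtpd(8) reads smtpd_tls_cert_file"))
    if params.get("smtpd_sasl_auth_enable") == "yes" and params.get("smtpd_tls_auth_only") != "yes":
        findings.append(("AUTH_WITHOUT_TLS", "AUTH is offered on unencrypted sessions"))
    return findings


if __name__ == "__main__":
    for code, message in audit_tls(parse_postconf(SAMPLE)):
        print(f"{code}: {message}")
```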
