Mailserver

Why Postfix?

• Sendmail’s legacy
• Built from ground up
• Central queue-ing
• More future-proof
• Exim4 default of debian, but ...

Terms

• SMTP (Simple Mail Transfer Protocol)
• MTA (Postfix, Exim4, Sendmail, ...)
• MDA (POP3, IMAP4, ...)
• MX record
• FQDN

Dangers

• UBE (Unsolicited Bulk Emailers)
• UCE (Unsolicited Commercial Emailers)
• Open Relay

Fresh copy of Debian!

( ) Desktop Environment
( ) Web Server
( ) Print Server
( ) DNS Server
( ) File Server
( ) Mail Server
( ) SQL database
( ) manual package selection

Just proceed here as usual, installing a basic system.
More info in the book on page 106.

Prepare system

# apt-get remove lpr nfs-common portmap pidentd pcmcia-cs pppoe \
      pppoeconf ppp pppconfig

Now, disable some service scripts:

# update-inetd --remove daytime
# update-inetd --remove telnet
# update-inetd --remove time
# update-inetd --remove finger
# update-inetd --remove talk
# update-inetd --remove ntalk
# update-inetd --remove ftp
# update-inetd --remove discard

and restart the inetd superserver:

# /etc/init.d/inetd reload

/etc/hosts

<jouw-ip> mail.jouwvoornaam.be

Install Postfix and libraries

# apt-get install postfix postfix-doc postfix-tls libsasl2-2 sasl2-bin libsasl2-modules

• Choose “Internet Site”, also for local delivery
• Answer “NONE” if it asks where root’s mail should be delivered
• Insert your FQDN

/etc/postfix/main.cf

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no
append_dot_mydomain = no
myhostname = mail.voornaam.be
mydomain = voornaam.be
myorigin = $mydomain
inet_interfaces = all
mydestination = $mydomain, localhost.$mydomain, localhost
mynetworks = 172.16.99.0/24

More detailed information on p108-109

Test mail

~$ echo "This will go into the body of the mail." | mail -s "Hello world" root@voornaam.be

Check delivery with tail /var/log/mail.log

Mar 3 15:20:07 debian postfix/qmgr[3777]: 3F452340B1: from=<root@philippe.be>, size=349, nrcpt=2 (queue active)
Mar 3 15:20:07 debian postfix/local[3827]: warning: dict_nis_init: NIS domain name not set - NIS lookups disabled
Mar 3 15:20:07 debian postfix/local[3818]: 3F452340B1: to=<user@philippe.be>, orig_to=<root@philippe.be>, relay=local, delay=0.06, delays=0.03/0/0/0.02, dsn=2.0.0, status=sent (delivered to mailbox)
Mar 3 15:20:07 debian postfix/local[3827]: 3F452340B1: to=<world?@philippe.be>, orig_to=<world?>, relay=local, delay=0.06, delays=0.03/0.01/0/0.01, dsn=5.1.1, status=bounced (unknown user: "world?")
Mar 3 15:20:07 debian postfix/cleanup[3814]: 4A51B340B2: message-id=<20100303142007.4A51B340B2@mail.philippe.be>
Mar 3 15:20:07 debian postfix/bounce[3819]: 3F452340B1: sender non-delivery notification: 4A51B340B2
Mar 3 15:20:07 debian postfix/qmgr[3777]: 4A51B340B2: from=<>, size=2085, nrcpt=1 (queue active)
Mar 3 15:20:07 debian postfix/qmgr[3777]: 3F452340B1: removed
Mar 3 15:20:07 debian postfix/local[3818]: 4A51B340B2: to=<user@philippe.be>, orig_to=<root@philippe.be>, relay=local, delay=0.02, delays=0.01/0/0/0.01, dsn=2.0.0, status=sent (delivered to mailbox)
Mar 3 15:20:07 debian postfix/qmgr[3777]: 4A51B340B2: removed

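Reading the delivery result out of mail.log by eye gets tedious once more than one message is in flight. The following is an added example, not part of the original slides: it reduces log lines in the format shown above to one line per recipient. The function names and the example.com sample lines are constructed for illustration.

```shell
#!/bin/sh
# Reads Postfix mail.log lines on stdin and prints
# "QUEUEID RECIPIENT DSN STATUS" for every delivery attempt,
# i.e. every line that carries a status= field.
delivery_summary() {
    awk '
    / status=/ {
        qid = rcpt = dsn = status = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^postfix\//) { qid = $(i + 1); sub(/:$/, "", qid) }
            else if ($i ~ /^to=</) { rcpt = $i; sub(/^to=</, "", rcpt); sub(/>,?$/, "", rcpt) }
            else if ($i ~ /^dsn=/) { dsn = $i; sub(/^dsn=/, "", dsn); sub(/,$/, "", dsn) }
            else if ($i ~ /^status=/) { status = $i; sub(/^status=/, "", status) }
        }
        print qid, rcpt, dsn, status
    }'
}

# Only the attempts that did not end in status=sent (bounced, deferred, ...).
failed_deliveries() {
    delivery_summary | awk '$4 != "sent"'
}

# Constructed sample input in the same format as the log above.
sample_log() {
    cat <<'EOF'
Mar  3 15:20:07 debian postfix/qmgr[3777]: 3F452340B1: from=<root@example.com>, size=349, nrcpt=2 (queue active)
Mar  3 15:20:07 debian postfix/local[3818]: 3F452340B1: to=<user@example.com>, orig_to=<root@example.com>, relay=local, delay=0.06, delays=0.03/0/0/0.02, dsn=2.0.0, status=sent (delivered to mailbox)
Mar  3 15:20:07 debian postfix/local[3827]: 3F452340B1: to=<nosuchuser@example.com>, relay=local, delay=0.06, delays=0.03/0.01/0/0.01, dsn=5.1.1, status=bounced (unknown user: "nosuchuser")
EOF
}

sample_log | failed_deliveries
```

On a live system the same functions can be fed with `tail -n 200 /var/log/mail.log | delivery_summary`.
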
SASLAUTHD

• Postfix runs with limited privileges
• PAM restricts Postfix to verify authentication
• Saslauthd runs as superuser under the Postfix process
• Limited security risks

/etc/postfix/main.cf

Add the following lines to the Postfix config:

smtpd_sasl_local_domain = $myhostname
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_security_options = noanonymous
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination

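The open-relay danger listed earlier depends on two of these settings: `reject_unauth_destination` must stay in `smtpd_recipient_restrictions`, and `mynetworks` must not cover the whole Internet. The following lint is an added example, not part of the original slides. It checks only those two parameters in a main.cf-style file; the function names and both sample files are constructed for illustration.

```shell
#!/bin/sh
# Print parameter $2 from main.cf-style file $1: last definition wins,
# indented continuation lines are joined, commas become spaces.
main_cf_param() {
    awk -v name="$2" '
    /^[ \t]*#/ { next }
    /^[ \t]*$/ { next }
    /^[ \t]/   { if (inparam) val = val " " $0; next }
    {
        eq = index($0, "=")
        key = substr($0, 1, eq - 1); gsub(/[ \t]/, "", key)
        inparam = (key == name)
        if (inparam) val = substr($0, eq + 1)
    }
    END { gsub(/[ \t,]+/, " ", val); sub(/^ /, "", val); sub(/ $/, "", val); print val }
    ' "$1"
}

# Print one WARN line per finding; return 1 if there was any.
audit_relay_settings() {
    rc=0
    case " $(main_cf_param "$1" smtpd_recipient_restrictions) " in
        "  "|*" reject_unauth_destination "*) ;;  # not set in this file, or present
        *) echo "WARN: smtpd_recipient_restrictions lacks reject_unauth_destination"; rc=1 ;;
    esac
    case " $(main_cf_param "$1" mynetworks) " in
        *" 0.0.0.0/0 "*) echo "WARN: mynetworks trusts every IPv4 address"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample files: the slide's settings, and a relay-prone variant.
write_samples() {
    cat > "$1/good.cf" <<'EOF'
mynetworks = 172.16.99.0/24
smtpd_recipient_restrictions = permit_sasl_authenticated,
    permit_mynetworks, reject_unauth_destination
EOF
    cat > "$1/bad.cf" <<'EOF'
# constructed: everyone is "my network" and nothing rejects foreign destinations
mynetworks = 172.16.99.0/24, 0.0.0.0/0
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks
EOF
}

tmp=$(mktemp -d) && write_samples "$tmp"
audit_relay_settings "$tmp/good.cf" && echo "good.cf: ok"
audit_relay_settings "$tmp/bad.cf" || echo "bad.cf: relay settings need fixing"
```

To lint the real configuration, run `audit_relay_settings /etc/postfix/main.cf` after each change and before `postfix reload`.
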
Create SASL config

# mkdir -p /etc/postfix/sasl
# cd /etc/postfix/sasl

Create the smtpd.conf file with these two lines:

pwcheck_method: saslauthd
mech_list: plain login

You can now restart Postfix:

# postfix reload

Configure saslauthd

1. Create the necessary directory for the daemon:

# mkdir -p /var/spool/postfix/var/run/saslauthd

2. Edit /etc/default/saslauthd to activate saslauthd. Remove the comment marker (#) from the line START=yes, then add the line:

PARAMS="-m /var/spool/postfix/var/run/saslauthd -r"

3. Your file should now look like this:

# This needs to be uncommented before saslauthd will be run automatically
START=yes
PARAMS="-m /var/spool/postfix/var/run/saslauthd -r"
# You must specify the authentication mechanisms you wish to use.
# This defaults to "pam" for PAM support, but may also include
# "shadow" or "sasldb", like this:
# MECHANISMS="pam shadow"
MECHANISMS="pam"

4. Next, edit /etc/init.d/saslauthd to change the location of saslauthd’s process ID file. Change the value of PIDFILE to the following:

PIDFILE="/var/spool/postfix/var/run/${NAME}/saslauthd.pid"

5. Start saslauthd:

# /etc/init.d/saslauthd start

Test with saslauthd

Now test mail delivery again and see how mail.log differs when you deliver to a known user and to an unknown user.

Next week: encryption and more ...