INSTALLING POSTFIX

FROM SOURCE

see postfix.source

NETBSD INSTALL

it is part of the base system. if you want a newer version, Postfix also builds on NetBSD from source or pkgsrc.

echo $PKG_PATH
pkg_add py37-spf py37-policyd-spf
which policyd-spf

grep ^postfix /etc/defaults/rc.conf

DEBIAN/UBUNTU INSTALL

export DEBIAN_FRONTEND=noninteractive
apt -y install postfix bsd-mailx postfix-policyd-spf-python
#mailutils pmailq rsyslog

systemctl status postfix

SYSTEM-WIDE SETUP

give the root account a GECOS name that identifies the system (so that mail sent by root is easy to attribute)

vipw

root@mx

proceed with system-wide mail setup (BSD)

cd /etc/mail/
mv aliases aliases.dist
sed '/^#/d; /^$/d' aliases.dist > aliases
vi aliases

root:           ADMIN

newaliases
tail -F /var/log/maillog &
date | mail -s `uname -n` root
fg
^C

note that the abuse alias is already defined in the default aliases file.

START CLEAN

cd /etc/postfix/
#sed '/^#/d; /^$/d' main.cf.proto > main.cf
#sed '/^#/d; /^$/d' master.cf.proto > master.cf
mv main.cf main.cf.dist
mv master.cf master.cf.dist
sed '/^#/d; /^$/d' main.cf.dist > main.cf
sed '/^#/d; /^$/d' main.cf.dist > main.cf.dist.clean
sed '/^#/d; /^$/d' master.cf.dist > master.cf
sed '/^#/d; /^$/d' master.cf.dist > master.cf.dist.clean

ANTI-SPAM SETUP

optionally proceed with the hardened anti-spam setup

CHROOT TIMEZONE

ll /etc/localtime
ll /var/spool/postfix/etc/localtime
diff /etc/localtime /var/spool/postfix/etc/localtime
cp -f /etc/localtime /var/spool/postfix/etc/localtime
ll /var/spool/postfix/etc/localtime

READY TO GO

now enable the port 25 listener, with SASL authentication left off on it

vi /etc/postfix/master.cf

smtp      inet  n       -       n       -       -       smtpd
  -o smtpd_sasl_auth_enable=no

OPERATIONS & ACCEPTANCE

finally put the server into operation and proceed with acceptance testing

STARTTLS

either get certificates from a CA or self-sign. self-signed certificates are good enough for SMTP: no MX out there cares about it.

openssl s_client -starttls smtp -crlf -connect lists.xenproject.org.us1.protection.inumbo.com:25 </dev/null

subject=/O=Inumbo/CN=inumbo.com/C=AU/ST=Some-State
issuer=/O=Inumbo/CN=inumbo.com/C=AU/ST=Some-State

SSL handshake has read 1564 bytes and written 335 bytes
Verification error: self signed certificate

same for mail.netbsd.org and smtp-in.orange.fr, although those at least present a certificate whose name matches the FQDN. yes, the world is lazy; so are we.

vi /etc/postfix/main.cf

#inbound
#smtpd_tls_cert_file = /etc/letsencrypt/live/DOMAIN.TLD/fullchain.pem
#smtpd_tls_key_file = /etc/letsencrypt/live/DOMAIN.TLD/privkey.pem
smtpd_tls_cert_file = /etc/openssl/selfsign.cer
smtpd_tls_key_file = /etc/openssl/selfsign.key
smtpd_use_tls = yes
smtpd_tls_loglevel = 1
smtpd_tls_security_level = encrypt
#smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache

#outbound
smtp_use_tls = yes
smtp_tls_loglevel = 1
smtp_tls_security_level = encrypt
#smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

more related parameters:

#smtp_enforce_tls (default: no)
#--> smtp_tls_security_level
#smtp_tls_security_level (default: empty)
#smtp_tls_enforce_peername (default: yes)

and check from a remote host with openssl s_client, as shown above
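A scriptable form of the remote check, added here as an example rather than taken from these notes: it negotiates STARTTLS with the system CA store first and, if that fails, once more without verification, which is the combination openssl s_client reports above as a successful handshake plus a verification error. The default MX name is only an assumption; any public MX works, as with the s_client command.

```python
import smtplib
import ssl

def _tls_session(host, port, context, timeout=10):
    """EHLO, confirm STARTTLS is advertised, then upgrade the session with the
    given context. Returns (protocol, cipher) of the TLS session that came up."""
    with smtplib.SMTP(host, port, timeout=timeout) as s:
        s.ehlo()
        if not s.has_extn("starttls"):
            raise RuntimeError("STARTTLS not advertised in EHLO response")
        s.starttls(context=context)
        return s.sock.version(), s.sock.cipher()[0]

def posture(verified, encrypted):
    """Label the outcome the way an acceptance report would."""
    if verified:
        return "encrypted, certificate chain verified"
    if encrypted:
        return "encrypted, certificate NOT verifiable (self-signed or name mismatch)"
    return "no usable STARTTLS"

def probe(host, port=25):
    """Strict handshake first (CA chain + hostname check); if that fails, a lax one,
    which is what openssl s_client does when it prints 'Verification error'."""
    strict = ssl.create_default_context()
    lax = ssl.create_default_context()
    lax.check_hostname = False
    lax.verify_mode = ssl.CERT_NONE
    info = {"host": host, "strict": None, "lax": None}
    errors = (ssl.SSLError, smtplib.SMTPException, RuntimeError, OSError)
    try:
        info["strict"] = _tls_session(host, port, strict)
    except errors as e:
        info["strict_error"] = str(e)
        try:
            info["lax"] = _tls_session(host, port, lax)
        except errors as e2:
            info["lax_error"] = str(e2)
    encrypted = info["strict"] is not None or info["lax"] is not None
    info["posture"] = posture(info["strict"] is not None, encrypted)
    return info

if __name__ == "__main__":
    import sys
    # the MX name is an assumption; any public MX works, as with the s_client command
    for key, val in probe(sys.argv[1] if len(sys.argv) > 1 else "mail.netbsd.org").items():
        print(f"{key}: {val}")
```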

DNS & SPF

set up the MX and SPF DNS records, then enable the SPF policy service

vi /etc/postfix/main.cf

smtpd_client_restrictions = permit_mynetworks,
        check_policy_service unix:private/policy,
        ...

vi /etc/postfix/master.cf

policy    unix  -       n       n       -       0       spawn
  user=nobody argv=/usr/pkg/bin/policyd-spf

SASL

add the login mechanism and the auth socket to the Dovecot configuration

vi dovecot.conf

auth_mechanisms = plain cram-md5 login

service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    user = postfix
    group = wheel
  }
}

restart Dovecot and check that the socket exists

ls -lkF /var/spool/postfix/private/auth

now enable it on the Postfix submission service

vi master.cf

submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_reject_unlisted_recipient=no
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_helo_restrictions=permit_sasl_authenticated,reject
  -o smtpd_sender_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth

not sure this is required

vi main.cf

#
# SASL
#
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous
smtpd_tls_auth_only = yes
#broken_sasl_auth_clients = yes

and optionally add permit_sasl_authenticated to every restriction list of the anti-spam chapters.

http://www.postfix.org/SASL_README.html
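An audit of the resulting configuration, added here as an example (not tooling from these notes): it parses main.cf and master.cf, applies each service's -o overrides, and reports where the STARTTLS and SASL settings of the two previous chapters (mandatory TLS before AUTH on submission, no plaintext mechanisms, no AUTH on port 25) are not met. The embedded fragments are constructed sample input mirroring the settings above.

```python
import re

# Constructed main.cf / master.cf fragments mirroring these notes (sample input, not a live system).
MAIN_CF = """\
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_tls_auth_only = yes
"""
MASTER_CF = """\
smtp      inet  n       -       n       -       -       smtpd
  -o smtpd_sasl_auth_enable=no
submission inet n       -       n       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
"""

def _logical_lines(text):
    """Join indented continuation lines, drop blanks and comments (both files use this layout)."""
    joined = re.sub(r"\n[ \t]+", " ", text)
    return [l for l in joined.splitlines() if l.strip() and not l.startswith("#")]

def parse_main_cf(text):
    """'key = value' lines to a dict."""
    conf = {}
    for line in _logical_lines(text):
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf

def parse_master_cf(text):
    """{'name/type': {param: value}} with each service's '-o' overrides."""
    services = {}
    for line in _logical_lines(text):
        name, kind = line.split()[:2]                        # smtp/inet vs smtp/unix
        services[f"{name}/{kind}"] = dict(re.findall(r"-o\s+([^=\s]+)=(\S*)", line))
    return services

def audit(main, master):
    """Deviations from these notes' posture; a '-o' override wins over main.cf."""
    p25 = {**main, **master.get("smtp/inet", {})}
    sub = {**main, **master.get("submission/inet", {})}
    findings = []
    if p25.get("smtpd_sasl_auth_enable") != "no":
        findings.append("smtp/inet: SASL auth enabled on port 25")
    if sub.get("smtpd_tls_security_level") != "encrypt" or sub.get("smtpd_tls_auth_only") != "yes":
        findings.append("submission/inet: AUTH not restricted to TLS sessions")
    opts = {o.strip() for o in main.get("smtpd_sasl_security_options", "").split(",")}
    if not {"noanonymous", "noplaintext"} <= opts:
        findings.append("main.cf: smtpd_sasl_security_options lacks noanonymous/noplaintext")
    return findings
```

Run it against the real files with `audit(parse_main_cf(open("/etc/postfix/main.cf").read()), parse_master_cf(open("/etc/postfix/master.cf").read()))`; an empty list means the settings of these notes are in place.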

ADDITIONAL NOTES

BACKUP MX

use relay_domains and transport_maps, and do NOT list the backed-up domain (example.com) in mydestination

FAIL2BAN

optionally enable Fail2ban as an attempt to protect yourself from botnets.

TODO mariadb mappings

RESOURCES

INSTALL & SETUP

man 5 postconf / http://www.postfix.org/postconf.5.html

man 5 master / http://www.postfix.org/master.5.html

Postfix Installation From Source Code http://www.postfix.org/INSTALL.html

master - Postfix master process configuration file format http://www.postfix.org/master.5.html

NETBSD

NetBSD mail server with Postfix, BIND (for DNS), Dovecot, Pigeonhole (Sieve), SSL, DKIM and SPF http://silas.net.br/tech/apps/netbsd-mailserver.html

Complete (almost) Mail Server with NetBSD https://www.tumfatig.net/20101226/complete-almost-mail-server-with-netbsd/

STARTTLS

Postfix with TLS https://linuxlasse.net/linux/howtos/Postfix_with_TLS

Postfix TLS Support http://www.postfix.org/TLS_README.html

TLS Forward Secrecy in Postfix http://www.postfix.org/FORWARD_SECRECY_README.html

Postfix TLS Error https://serverfault.com/questions/660241/postfix-tls-error

BACKUP MX

Setting Up Postfix As A Backup MX https://www.howtoforge.com/postfix_backup_mx

Configuring Postfix as backup MX host https://www.akadia.com/services/postfix_mx_backup.html

Postfix as backup MX http://www.linuxlasse.net/linux/howtos/Postfix_as_backup_MX

