Full Mail Server Solution w/ Virtual Domains & Users (Debian Etch, Postfix, Mysql, Dovecot, DSpam, ClamAV, Postgrey, RBL) Page 11
By admin on May 13, 2010
This guide describes how to set up a full email solution in
Debian Linux (all code is from Debian Etch). I was asked to
design a secure, scalable, portable solution for a small company.
While the guide references many ‘servers’, the company only had
4 physical machines; Xen was used to virtualize the entire solution.
That particular aspect of the system is not discussed in this guide,
although I will try to get it into the next revision.
B. Secure Postfix+TLS
To begin with, we’re going to need to install postfix on
secure-mail.example.com. This particular install doesn’t need
quota support (it doesn’t handle local delivery), but just to keep
things simple, we’re going to install it the same way we did above:
# dpkg -i postfix_2.3.8-2_i386.deb
# dpkg -i postfix-mysql_2.3.8-2_i386.deb
If/when the auto-configuration asks you questions about
postfix during the installation, just select “No Configuration”.
dpkg is going to install all of the configuration files for Postfix
into /etc/postfix, so go there, and create the file main.cf:
# cd /etc/postfix
# touch main.cf
The main.cf file can be edited using two different methods.
You can use your favorite text editor, or you can use the built-in
postfix tool postconf. We’ve already used postconf once to determine
our version in subsection IV.A above.
The real benefit of the postconf tool is that it has some
built-in error checking, and it eliminates the possibility of
‘weirdness’ due to carriage returns, line feeds, odd quotes, etc. We’ll
be using it in this guide, but there really is no requirement.
Start by filling in the basic information:
# postconf -e 'myhostname = secure-mail.example.com'
# postconf -e 'smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)'
# postconf -e 'biff = no'
# postconf -e 'append_dot_mydomain = no'
# postconf -e 'myorigin = example.com'
# postconf -e 'inet_interfaces = all'
# postconf -e 'local_recipient_maps ='
# postconf -e 'local_transport = error:local mail delivery is disabled'
# postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated, reject'
You’ll notice that this time we disabled local delivery.
Since this is basically just an outbound relay server, we
don’t want it trying to ‘deliver’
any mail… just send it forward. We also set the SMTP server
to only permit SASL authenticated sessions, and reject any other
sessions.
Now we’ll want to fill in the information for SASL (SMTP
Authentication). This does NOT encrypt the connection; it just
requires the users to log in:
# postconf -e 'smtpd_sasl_auth_enable = yes'
# postconf -e 'smtpd_sasl_security_options = noanonymous'
# postconf -e 'broken_sasl_auth_clients = yes'
# postconf -e 'smtpd_sasl_type = dovecot'
# postconf -e 'smtpd_sasl_path = private/auth'
So now your postfix install will query dovecot for all of its
authentication needs, but it’s still not encrypted. Let’s go ahead
and change that…
# postconf -e 'smtpd_tls_cert_file = /etc/ssl/example.com/mailserver/mail-cert.pem'
# postconf -e 'smtpd_tls_key_file = /etc/ssl/example.com/mailserver/mail-key.pem'
# postconf -e 'smtpd_tls_session_cache_database = btree:/var/spool/postfix/smtpd_tls_session_cache'
# postconf -e 'smtpd_tls_security_level = encrypt'
# postconf -e 'smtpd_tls_received_header = no'
# postconf -e 'smtpd_tls_loglevel = 0'
# postconf -e 'tls_random_source = dev:/dev/urandom'
Go ahead and reload postfix…
# postfix reload
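To confirm after the reload that the SASL and TLS settings above are really in effect, the following added example (not part of the original guide) compares postconf -n style output against the values set on this page; a misspelled parameter name shows up as a missing setting. The function names and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example: check "name = value" text (postconf -n format) against the
# settings this page applies to the outbound relay.

# Expected name=value pairs, copied from the postconf -e commands on this page.
EXPECTED='smtpd_recipient_restrictions=permit_sasl_authenticated, reject
smtpd_sasl_auth_enable=yes
smtpd_sasl_security_options=noanonymous
smtpd_sasl_type=dovecot
smtpd_sasl_path=private/auth
smtpd_tls_security_level=encrypt
smtpd_tls_received_header=no'

# audit_relay_conf [FILE]: reads FILE (or stdin), prints one line per problem,
# returns 0 only if every expected setting is present with the expected value.
audit_relay_conf() {
    conf=$(cat "${1:--}")
    rc=0
    while IFS='=' read -r name want; do
        # Last definition wins, as in main.cf; trailing blanks are ignored.
        got=$(printf '%s\n' "$conf" |
              sed -n "s/^${name}[[:space:]]*=[[:space:]]*//p" |
              tail -n 1 | sed 's/[[:space:]]*$//')
        if ! printf '%s\n' "$conf" | grep -q "^${name}[[:space:]]*="; then
            echo "MISSING  $name (want '$want')"; rc=1
        elif [ "$got" != "$want" ]; then
            echo "MISMATCH $name = '$got' (want '$want')"; rc=1
        fi
    done <<EOF
$EXPECTED
EOF
    return $rc
}

# Constructed sample: one misspelled parameter name and one weakened TLS level.
sample_bad() {
    cat <<'EOF'
smtpd_recipient_restrictions = permit_sasl_authenticated, reject
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_tls_security_level = may
smptd_tls_received_header = no
EOF
}

sample_bad | audit_relay_conf || echo "relay settings differ from the guide"
```

On the live server, pipe the real configuration in with: postconf -n | audit_relay_conf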
And then let’s get Dovecot up and running…













