Postfix on debian as mailserver to just send mails

Problem

We want to send mails, using SSL authentication, from a client (a bot or a mail system) to a
server with debian and postfix that then will queue locally the mail and will send them on the behalf
of the clients.

So we want a server with debian , postfix and ssl/sasl authentication.

Solution

Resources

Installation

Given a debian installation with basic utilities and ssh server,
assuming that the firewall works is already in place to let in and out network requests,
we need to install some packages for postfix itself and the ssl/sasl authentication.
apt-get install libsasl2-modules postfix sasl2-bin

When we install postfix, we can choose internet site ad just giving the name equal to the
fqdn of the debian server itself.

Configuration

Now is the turn to configure postfix. The postfix configuration is in /etc/postfix/main.cf .
/etc/postfix/main.cf defines the values (otherwise dafaulted as shown by the command postconf -d ) for the postfix
installation. Postfix will fill some values due to the internet-site choice done before.
Another configuration is in /etc/postfix/master.cf where we could define which services
has to run, with which options (we could override the options set in /etc/postfix/main.crf using the
switch -o parameter = value ) and to which ip/port we will bind the services.

We will assume that the fqdn of the machine is mx.domain.org and we want to send the mail
with the account moc.tset|tuoliam#moc.tset|tuoliam, that is: we want to send mails with a different domain
of the mailserver.

The /etc/postfix/main.cf is the following:

# See /usr/share/postfix/main.cf.dist for a commented, more complete version

# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

#
#
# general options
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
  #unmodiefied
biff = no
  #unmodified

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no
  #we do not need readmes

#
#
# TLS parameters
smtpd_tls_cert_file = /etc/ssl/domain.org/ssl.crt
smtpd_tls_key_file  = /etc/ssl/domain.org/ssl.key
smtpd_tls_CAfile    = /etc/ssl/domain.org/intermediate.crt
  #certifications placed in the directory /etc/ssl/domain.org/
  # to allow TLS /SSL secure communications.

smtpd_use_tls = yes
  # allow the possibility to use SSL/TLS for sending.
smtp_use_tls = yes
  # allow the possibility to use SSL/TLS for sending.
  # mails conne3ct, as smtp client, to another system.
  # Not needed at all.
#smtpd_tls_auth_only = yes
  # allow sending !!only!! with the SSL/TLS security

smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
  # the file smtp_scache (and the other equivalent) will be created in the ${data_directory}
  # (to see the value of ${data_directory} check 'postconf -d' )
  # and will be created as 'database' managed by postfix itself (without the need of
  # other databases) as btree.

#
#
# SASL SUPPORT
#smtp_sasl_auth_enable = yes
  # allow SASL authentication as normal smtp client, this will cause a bit of trouble
  # with a *sasl_smtp_sasl_password_maps =* parameter. Not needed for a server
smtpd_sasl_auth_enable = yes
  # allow SASL authentication on the smtp deamon for receiving mails.

# Default: noanonymous
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
  # just the same security options with smtp submission with or without
  # TSL secure communications but with SASL authentication.

smtpd_sasl_local_domain =
  # be careful of writing this, because else
  # the default values will be used. In this way the local domain is empty
  # so it is not that the mail sent to someone@domain.og will finish on this machine.
  # Without any value the mail will be sent out (rrelayed / forwarded)

#cyrus smptd.conf file in /etc/postfix/sasl/smtpd.conf
smtpd_sasl_path = smtpd
  # with will be the name of the file searched for sasl configuration
  # mostly in /etc/postfix/sasl/smtpd.conf

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

#
#
# other general mail options (mostly default)
myhostname = mx.domain.org
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = mx.domain.org, localhost.domain.org, localhost
  # this will define which mails has to end on the mailserver
  # (eventually causing errors if the user is not defined on the mailserver)
  # for example username@mx.domain.org.
  # Therefore do not include domains for mails that should be sent out from this server.
relayhost =
  # this server is the relay itself.
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
  # Unlimited messages in the mail
  # Since this is a mail server that will just foward out messages,
  # the mailbox will be always empty, except for local generated messages.
  # And the mailqueue could relay on the filesystem unless the traffic
  # generated is quite high. In that case search on the internet for
  # filesystems that handle thousands of files without problems.
  # Ext4, ext3 with the option '-O dir_index' or xfs seems good,
  # but XFS journal is less failsafe and moreover is very slow when it
  # comes to deletion.
message_size_limit = 52428800
  # 50 Mb max for message
recipient_delimiter = +
inet_interfaces = all

#
#
#
#--- Prüfungen ---# Checks
#http://www.postfix.org/SASL_README.html

#not used for now because this server is the relay itself.
#smtpd_relay_restrictions =
# permit_mynetworks
# permit_sasl_authenticated
# reject_unauth_destination

smtpd_recipient_restrictions =
 permit_mynetworks
 permit_sasl_authenticated
 reject_unauth_destination
 # this will allow mail submission only if
 # the message comes from mynetworks
 # or from a sasl authenticated user
 # or it will be rejected.

Notes: no databases

For queueing /saving mails, not databases are specified. We rely on the filesystem
(this is ok until the mails to queue/save gets in the order of several millions).
Of course proper filesystems has to be chosen, like:

  • ext3 with dir_index option.
  • ext4
  • XFS with more security because xfs is not so failsafe in case of power outage.

Configuration: SASL simple authentication.

For the SASL authentication we want to be simple, using the
/etc/shadow file, that is: the normal authentication file of linux.

For using the sasl auth we will use the cyrus component, already included (in most of
the cases) with postfix and the saslauthd that is installed with the packages
used for the first installation.

The config file for the sasl auth is in /etc/postfix/sasl/smtpd.conf if the previous
/etc/postfix/main.cf holds. The content is the following:

pwcheck_method: saslauthd
mech_list: PLAIN LOGIN
  # It means that the auth code can be passed as plaintext (normally base64 encoded)
  # or through the smtp login procedure.

It is not ended here. We need ot add the user with the authentication.
If we want to send mail from mailout@test.com from the system
mx.domain.org we need to add the user mailout to the debian system.

useradd mailout
  #add the user
passwd mailout
  # put the password of the user
  # that will be used for the smtp login

So, even if the user will be from another domain, what matters is the name and the password,
the @test.com so far is not discriminating the login (more knowledge is needed on this point).

Then we need to do the follwing steps.
adduser postfix sasl
To add the postfix user to the sasl authentication through the saslauthd deamon,
this because:

Access to the /etc/shadow system password file requires root privileges. The Postfix SMTP server (and in consequence libsasl linked to the server) runs with the least privilege possible. Direct access to /etc/shadow would not be possible without breaking the Postfix security architecture.
The saslauthd socket builds a safe bridge. Postfix, running as limited user postfix, can access the UNIX-domain socket that saslauthd receives commands on; saslauthd, running as privileged user root, has the privileges required to access the shadow file

Then we need to configure the deamon saslauthd.
cp /etc/default/saslauthd /etc/default/saslauthd-postfix
We create the copy for the config of the deamon.

Then we need to edit it:

START=yes
DESC="SASL Authentication Daemon for postfix"
NAME="saslauthd-post" #max 15 chars!
MECHANISMS="shadow" #we want to use linux passwords!
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"        # postfix/smtp in chroot()

Then we issue
dpkg-statoverride —add root sasl 710 /var/spool/postfix/var/run/saslauthd
To let sasl having access where postfix will run.

In this way we have the saslauthd with two config, one that won't start
while the other, for postfix, will start.

Configuration : master.cf

#
# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       -       -       -       smtpd
#smtp      inet  n       -       -       -       1       postscreen
#smtpd     pass  -       -       -       -       -       smtpd
#dnsblog   unix  -       -       -       -       0       dnsblog
#tlsproxy  unix  -       -       -       -       0       tlsproxy
#submission inet n       -       -       -       -       smtpd
#  -o syslog_name=postfix/submission
#  -o smtpd_tls_security_level=encrypt
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
smtps     inet  n       -       -       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
# options defined in main.cf instead of here
#628       inet  n       -       -       -       -       qmqpd
pickup    fifo  n       -       -       60      1       pickup
cleanup   unix  n       -       -       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
#qmgr     fifo  n       -       n       300     1       oqmgr
tlsmgr    unix  -       -       -       1000?   1       tlsmgr
rewrite   unix  -       -       -       -       -       trivial-rewrite
bounce    unix  -       -       -       -       0       bounce
defer     unix  -       -       -       -       0       bounce
trace     unix  -       -       -       -       0       bounce
verify    unix  -       -       -       -       1       verify
flush     unix  n       -       -       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       -       -       -       smtp
relay     unix  -       -       -       -       -       smtp
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
tlsrelay  unix  -       -       -       -       -       smtp
        -o smtp_fallback_relay=
        -o smtp_tls_security_level=secure
        -o smtp_tls_mandatory_protocols=TLSv1
        -o smtp_tls_mandatory_ciphers=high
        -o smtp_tls_secure_cert_match=nexthop
        -o smtp_tls_CAfile=/etc/ssl/domain.org/intermediate.crt
showq     unix  n       -       -       -       -       showq
error     unix  -       -       -       -       -       error
retry     unix  -       -       -       -       -       error
discard   unix  -       -       -       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       -       -       -       lmtp
anvil     unix  -       -       -       -       1       anvil
scache    unix  -       -       -       -       1       scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent.  See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
#
# ====================================================================
#
# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
#
# Specify in cyrus.conf:
#   lmtp    cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
#
# Specify in main.cf one or more of the following:
#  mailbox_transport = lmtp:inet:localhost
#  virtual_transport = lmtp:inet:localhost
#
# ====================================================================
#
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
#
#cyrus     unix  -       n       n       -       -       pipe
#  user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
#
# ====================================================================
# Old example of delivery via Cyrus.
#
#old-cyrus unix  -       n       n       -       -       pipe
#  flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}

#
# ====================================================================
#
# See the Postfix UUCP_README file for configuration details.
#
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix  -       n       n       -       2       pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman   unix  -       n       n       -       -       pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
  ${nexthop} ${user}

Finish and testing

So now we issue
/etc/init.d/saslauthd restart && /etc/init.d/postfix restart
And from a mail client pointing to out mx.domain.org as smtp server, using
smtp authentication and SSL/TLS we send mails.

Issuing ps aux | grep sasl we should see something like:
saslauthd -a shadow
and
/usr/sbin/saslauthd -a shadow -c -m /var/spool/postfix/var/run/saslauthd -n 5

Further testing are also in http://www.postfix.org/SASL_README.html#testing_saslauthd
Where one can issue:
testsaslauthd -u mailout -p password -f /var/spool/postfix/var/run/saslauthd/mux

And then testing the login as exposed.

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-ShareAlike 3.0 License