Wednesday 9 November 2011

How to install and configure Postfix on CentOS 5



This is a step-by-step tutorial on how to install Postfix with MySQL support for virtual domains.

Reference Links:

http://www.howtoforge.com/virtual-us...ysql-centos4.5

Steps

Installation

After a fresh CentOS 5.4 server install using the text mode install, set the correct time using the ntpd daemon, disable the firewall and SELinux, and make sure the hostname and IP address (static) are correct before proceeding. (Disabling the firewall and SELinux keeps the walkthrough simple; on a production mail server, re-enable them once everything works and open only the SMTP, IMAP and HTTP ports you actually need.)

The default CentOS base repo has a postfix without MySQL support. You need to use the centosplus repo to install postfix with mysql support:
vi /etc/yum.repos.d/CentOS-Base.repo
Add the following to the [base] and [updates] sections:
exclude=postfix
Add the following to the [centosplus] section:
includepkgs=postfix

yum install --enablerepo=centosplus postfix
yum install mysql-server php-mysql php php-mbstring php-imap expect
Change the location of the MySQL data directory from /var/lib/mysql if necessary and update /etc/my.cnf accordingly:
# make sure this directory exists before starting mysqld
datadir=/opt/<new_mysql_data_dir>

# have mysqld listen on the loopback address only
bind-address=127.0.0.1
chkconfig mysqld on
service mysqld start
mysqladmin -u root password yourmysqlpassword

Configuration

cd /var/www/html
wget http://downloads.sourceforge.net/pro...min_2.3.tar.gz
tar zxvf postfixadmin_2.3.tar.gz
chown -R root:root postfixadmin-2.3/
ln -s postfixadmin-2.3 pfadmin
chkconfig httpd on
service httpd start

MySQL DB Structure

mysql -u root -p
CREATE DATABASE postfixdb;
grant all privileges on postfixdb.* to postfixuser@localhost identified by 'yourdbpassword';
exit;
cd /var/www/html/pfadmin
cp config.inc.php config.inc.php_ORIG
vi config.inc.php and change the line
$CONF['configured'] = false;
to
$CONF['configured'] = true;
Add the URL of your postfixadmin installation to:
$CONF['postfix_admin_url'] = ' ';
Also, in config.inc.php, set the correct database name, user and password.
set $CONF['domain_path'] = 'YES'; //This creates a directory per domain name
set $CONF['domain_in_mailbox'] = 'NO'; //This creates the user maildirs without the @domainname part
Now go to http://your_ip_address/pfadmin/setup.php. This will run the checks and create the database tables.
Follow the instructions to create the setup password and generate its hash. Enter this hash in config.inc.php as the value of: $CONF['setup_password'] = ' '
Then create the superadmin account.

Creating a user to own the mailboxes directory:

groupadd vmail -g 1001
useradd -c "Postfix Virtual Mailbox"  -u 1001 -g 1001 -d /vmail  -s /sbin/nologin   vmail
/etc/postfix/main.cf settings
cp /etc/postfix/main.cf /etc/postfix/main.cf_ORIG
vi /etc/postfix/main.cf and comment out the following line:
#inet_interfaces = localhost

Now, add the following to the end of /etc/postfix/main.cf:
inet_interfaces = all
myhostname = mail.yourdomain.com
smtpd_banner = $myhostname ESMTP $mail_name (CentOS 5)
biff = no
append_dot_mydomain = no
myorigin = example.com
mynetworks = 127.0.0.0/8
recipient_delimiter = +
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $virtual_mailbox_limit_maps
virtual_alias_domains = mysql:$config_directory/mysql_virtual_alias_domains.cf
virtual_alias_maps = mysql:$config_directory/mysql_virtual_alias_maps.cf
virtual_mailbox_domains = mysql:$config_directory/mysql_virtual_domains_maps.cf
virtual_mailbox_maps = mysql:$config_directory/mysql_virtual_mailbox_maps.cf
virtual_mailbox_base = /vmail
virtual_minimum_uid = 1001
virtual_uid_maps = static:1001
virtual_gid_maps = static:1001
virtual_create_maildirsize = yes
virtual_mailbox_extended = yes
virtual_mailbox_limit_maps = mysql:/etc/postfix/mysql_virtual_mailbox_limit_maps.cf
virtual_mailbox_limit_override = yes
virtual_maildir_limit_message = "The user you are trying to reach has exceeded their quota."
virtual_overquota_bounce = yes
transport_maps = proxy:mysql:/etc/postfix/mysql_virtual_transports.cf
smtpd_recipient_restrictions = permit_mynetworks, reject_non_fqdn_hostname, reject_non_fqdn_sender, reject_non_fqdn_recipient, permit_sasl_authenticated, reject_unauth_destination, reject_unauth_pipelining, reject_invalid_hostname, reject_unknown_sender_domain, reject_rbl_client zen.spamhaus.org, reject_rbl_client list.dsbl.org, reject_rhsbl_sender dsn.rfc-ignorant.org, permit
#check_policy_service inet:127.0.0.1:60000, permit
smtpd_data_restrictions = reject_unauth_pipelining, reject_multi_recipient_bounce, permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth

A note on the DNSBL entries in smtpd_recipient_restrictions: list.dsbl.org was shut down in 2008 and rfc-ignorant.org closed at the end of 2012. Remove any list that no longer operates, because once its domain lapses it may start answering every query positively, and Postfix would then reject all incoming mail.

Creating the MySQL config files for Postfix

vi /etc/postfix/mysql_virtual_alias_maps.cf
user = postfixuser
password = yourdbpassword
hosts = localhost
dbname = postfixdb
table = alias
select_field = goto
where_field = address
additional_conditions = and active = '1'
#query = SELECT goto FROM alias WHERE address='%s' AND active = '1'

vi /etc/postfix/mysql_virtual_domains_maps.cf
user = postfixuser
password = yourdbpassword
hosts = localhost
dbname = postfixdb
table = domain
select_field = domain
where_field = domain
additional_conditions = and backupmx = '0' and active = '1'
#query = SELECT domain FROM domain WHERE domain='%s' AND backupmx = '0' AND active = '1'

vi /etc/postfix/mysql_virtual_mailbox_maps.cf
user = postfixuser
password = yourdbpassword
hosts = localhost
dbname = postfixdb
table = mailbox
select_field = maildir
where_field = username
additional_conditions = and active = '1'
#query = SELECT maildir FROM mailbox WHERE username='%s' AND active = '1'

vi /etc/postfix/mysql_virtual_transports.cf
user = postfixuser
password = yourdbpassword
hosts = localhost
dbname = postfixdb
table = domain
select_field = transport
where_field = domain
additional_conditions = and active = '1'
#query = SELECT transport FROM domain WHERE domain='%s' AND active = '1'

vi /etc/postfix/mysql_virtual_alias_domains.cf #this is for alias domains to work properly
user = postfixuser
password = yourdbpassword
hosts = localhost
dbname = postfixdb
table = alias_domain
select_field = target_domain
where_field = alias_domain
additional_conditions = and active = '1'
#query = SELECT target_domain FROM alias_domain WHERE alias_domain='%s' AND active = '1'

Optional Step: This is not required if you are not using this server to relay mail for other domains (backup MX).
vi /etc/postfix/mysql_relay_domains_maps.cf
user = postfixuser
password = yourdbpassword
hosts = localhost
dbname = postfixdb
table = domain
select_field = domain
where_field = domain
additional_conditions = and backupmx = '1'
#query = SELECT domain FROM domain WHERE domain='%s' and backupmx = '1'
Optional Step: This is not required if you are not setting any limits and quotas.
vi /etc/postfix/mysql_virtual_mailbox_limit_maps.cf and add the following:
user = postfixuser
password = yourdbpassword
hosts = localhost
dbname = postfixdb
table = mailbox
select_field = quota
where_field = username
#query = SELECT quota FROM mailbox WHERE username='%s'

Stop sendmail and start Postfix

chkconfig sendmail off
service sendmail stop
chkconfig postfix on
service postfix start

Dovecot Configuration

cp /etc/dovecot.conf /etc/dovecot.conf_ORIG
vi /etc/dovecot.conf and uncomment, comment or change lines so that the settings match the following (the protocol pop3, passdb pam and userdb passwd blocks are commented out, maildir_copy_with_hardlinks is uncommented and changed, and the user and group lines in the client socket block are new):
base_dir = /var/run/dovecot/
protocols = imap imaps
log_timestamp = "%b %d %H:%M:%S "
ssl_cert_file = /etc/pki/dovecot/certs/dovecot.pem
ssl_key_file = /etc/pki/dovecot/private/dovecot.pem
verbose_ssl = no
mail_location = maildir:/vmail/%d/%n
namespace private {
  separator = .
  prefix = INBOX.
  inbox = yes
}
mail_privileged_group = vmail
first_valid_uid = 1001
maildir_copy_with_hardlinks = yes

protocol imap {
  # Login executable location.
  login_executable = /usr/libexec/dovecot/imap-login
  mail_executable = /usr/libexec/dovecot/imap
  imap_max_line_length = 65536
........
}

#protocol pop3 {
......
#}

auth_verbose = no
auth_debug = no
auth_debug_passwords = no
#passdb pam {
.....
#}
passdb sql {
  args = /etc/dovecot/dovecot-sql.conf
}
#userdb passwd {
.....
#}
userdb sql {
  args = /etc/dovecot/dovecot-sql.conf
}
user = nobody
socket listen {
  master {
    path = /var/run/dovecot/auth-master
    mode = 0600
    user = postfix
    group = postfix
  }
  client {
    path = /var/spool/postfix/private/auth
    mode = 0660
    user = postfix
    group = postfix
  }
}

mkdir /etc/dovecot
vi /etc/dovecot/dovecot-sql.conf
driver = mysql
connect = host=localhost dbname=postfixdb user=postfixuser password=yourdbpassword
# The new name for MD5 is MD5-CRYPT so you might need to change this depending on version
default_pass_scheme = MD5
# Get the mailbox
user_query = SELECT '/vmail/%d/%n' AS home, 'maildir:/vmail/%d/%n' AS mail, 1001 AS uid, 1001 AS gid, CONCAT('dirsize:storage=', quota) AS quota FROM mailbox WHERE username = '%u' AND active = '1'
# Get the password
password_query = SELECT username AS user, password, '/vmail/%d/%n/Maildir' AS userdb_home, 'maildir:/vmail/%d/%n' AS userdb_mail, 1001 AS userdb_uid, 1001 AS userdb_gid FROM mailbox WHERE username = '%u' AND active = '1'
# If using client certificates for authentication, comment the above and uncomment the following
#password_query = SELECT null AS password, '%u' AS user
chkconfig dovecot on
service dovecot start
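
PostfixAdmin 2.3 stores mailbox passwords with its md5crypt scheme, which is what Dovecot calls MD5-CRYPT (the naming the comment in dovecot-sql.conf refers to). The following Python code is an added example, not part of the original post: it implements that hash from the crypt(3) algorithm so you can see exactly what Dovecot computes when it checks a login against the mailbox.password column; new_mailbox_password and verify_mailbox_password are assumed helper names, not PostfixAdmin or Dovecot functions.

```python
import hashlib
import hmac
import secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def _to64(value, count):
    """crypt(3)'s base64 variant: six bits at a time, least significant first."""
    out = ""
    for _ in range(count):
        out += ITOA64[value & 0x3F]
        value >>= 6
    return out

def md5_crypt(password, salt):
    """Return '$1$<salt>$<hash>' exactly as glibc crypt(3) produces for the MD5 scheme."""
    pw, salt = password.encode("utf-8"), salt.encode("ascii")[:8]   # at most 8 salt chars
    ctx = hashlib.md5(pw + b"$1$" + salt)
    alt = hashlib.md5(pw + salt + pw).digest()
    for remaining in range(len(pw), 0, -16):          # feed len(pw) bytes of the alternate sum
        ctx.update(alt[:min(16, remaining)])
    bits = len(pw)
    while bits:                                       # one byte per bit of the password length
        ctx.update(b"\0" if bits & 1 else pw[:1])
        bits >>= 1
    final = ctx.digest()
    for i in range(1000):                             # fixed 1000 stretching rounds
        rnd = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            rnd.update(salt)
        if i % 7:
            rnd.update(pw)
        rnd.update(final if i & 1 else pw)
        final = rnd.digest()
    groups = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    text = "".join(_to64(final[a] << 16 | final[b] << 8 | final[c], 4) for a, b, c in groups)
    return "$1$%s$%s%s" % (salt.decode("ascii"), text, _to64(final[11], 2))

def new_mailbox_password(password):
    """Hash a new password the way PostfixAdmin's md5crypt encrypt setting stores it (assumed helper)."""
    return md5_crypt(password, "".join(secrets.choice(ITOA64) for _ in range(8)))

def verify_mailbox_password(candidate, stored):
    """What Dovecot's MD5-CRYPT scheme does with mailbox.password (assumed helper)."""
    if not stored.startswith("$1$"):
        return False                                  # not an MD5-CRYPT value at all
    salt = stored[3:].split("$", 1)[0]
    return hmac.compare_digest(md5_crypt(candidate, salt), stored)
```

On a host with glibc you can compare the output against `openssl passwd -1 -salt saltsalt secret`, which produces the same string.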

Whitelisting in Postfix

Refer: http://www.howtoforge.com/how-to-whi...ses-in-postfix

Squirrelmail Configuration

Install SquirrelMail and run the config/conf.pl script from the SquirrelMail directory. Make sure you select option 3, "Folder Defaults", and change the Trash, Sent and Drafts folders to INBOX.Trash, INBOX.Sent and INBOX.Drafts respectively. This fixes the multiple Sent folder issues seen when using Thunderbird and the SquirrelMail web interface together, and makes the setup behave like qmail with Courier IMAP. Reference link: http://wiki.dovecot.org/Namespaces

Testing Postfix

Now go to postfixadmin web interface, login as master user and create a domain. Then create a mailbox for a user. Make sure you select the checkbox to send a welcome email. This welcome email will create the virtual mailbox for this user under the domain directory.

Using Postfixadmin

Setting up alias domains

In order to create a new alias domain example.net to point to the existing main domain example.com:
  • Login to postfixadmin
  • Create an alias domain example.net pointing to example.com
  • From the Domain list select this newly added domain alias example.net and click Add alias and add the following
Alias: @example.net
To: @example.com

Troubleshooting

If the user mailbox directories don't get created, check /var/log/maillog; if you find this:
Feb  1 23:34:14 mail1 postfix/smtpd[16273]: warning: SASL: Connect to private/auth failed: No such file or directory
Feb  1 23:34:14 mail1 postfix/smtpd[16273]: fatal: no SASL authentication mechanisms
Feb  1 23:34:15 mail1 postfix/master[16206]: warning: process /usr/libexec/postfix/smtpd pid 16273 exit status 1
Feb  1 23:34:15 mail1 postfix/master[16206]: warning: /usr/libexec/postfix/smtpd: bad command startup -- throttling

The fix is to check the "socket listen" / "client" section of /etc/dovecot.conf and make sure the path is set correctly: it must be the socket Postfix expects, $queue_directory/private/auth, which is /var/spool/postfix/private/auth with the settings above.
If you have trouble sending email via an IMAP client like Thunderbird and get an error like "Relaying Denied", make sure that smtpd_recipient_restrictions contains permit_sasl_authenticated (listed before reject_unauth_destination, as in the main.cf above):
smtpd_recipient_restrictions = ..., permit_sasl_authenticated, reject_unauth_destination, ...
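
Both problems in this section are mismatches between main.cf and dovecot.conf, so they can be checked before restarting anything. The following Python script is an added example (not part of the original post): it reads a main.cf fragment and a dovecot.conf fragment, resolves Postfix's relative smtpd_sasl_path against queue_directory, and reports when Dovecot's socket listen client path differs or when permit_sasl_authenticated comes after reject_unauth_destination. The configuration fragments are constructed to match the tutorial's values; check_sasl_setup and the two parsers are assumed names.

```python
def parse_postfix(main_cf):
    params, last = {}, None
    for line in main_cf.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t" and last is not None:   # indented line continues the previous value
            params[last] += " " + line.strip()
        else:
            key, _, value = line.partition("=")
            last = key.strip()
            params[last] = value.strip()
    return params

def parse_dovecot(conf):
    values, stack = {}, []                            # dotted keys, e.g. 'socket listen.client.path'
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()          # '#' starts a comment
        if line.endswith("{"):
            stack.append(line[:-1].strip())
        elif line == "}":
            stack.pop()
        elif "=" in line:
            key, _, value = line.partition("=")
            values[".".join(stack + [key.strip()])] = value.strip()
    return values

def check_sasl_setup(main_cf, dovecot_conf):
    """Return the mismatches behind 'Connect to private/auth failed' and 'Relaying denied'."""
    pf, dc = parse_postfix(main_cf), parse_dovecot(dovecot_conf)
    problems = []
    want = pf.get("smtpd_sasl_path", "")
    if not want.startswith("/"):                      # relative paths live under queue_directory
        want = pf.get("queue_directory", "/var/spool/postfix").rstrip("/") + "/" + want
    got = dc.get("socket listen.client.path")
    if got != want:
        problems.append("dovecot client socket %r does not match smtpd_sasl_path %r" % (got, want))
    restr = [r.strip() for r in pf.get("smtpd_recipient_restrictions", "").split(",")]
    if "reject_unauth_destination" in restr and \
            "permit_sasl_authenticated" not in restr[: restr.index("reject_unauth_destination")]:
        problems.append("permit_sasl_authenticated must precede reject_unauth_destination")
    return problems

# Constructed fragments (not the page's files); the dovecot.conf one has the wrong client socket path
MAIN_CF = """smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated,
    reject_unauth_destination, permit
"""
BROKEN_DOVECOT = "socket listen {\n  client {\n    path = /var/run/dovecot/auth-client\n    mode = 0660\n  }\n}\n"
FIXED_DOVECOT = BROKEN_DOVECOT.replace("/var/run/dovecot/auth-client", "/var/spool/postfix/private/auth")
```

Run it against the real files with open("/etc/postfix/main.cf").read() and open("/etc/dovecot.conf").read(); an empty list means the two services agree on the socket and the relay policy.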

Setup DKIM on Postfix with dkim-milter

Reference: http://www.topdog.za.net/postfix_dkim_milter

Introduction

DKIM is an authentication framework which stores public keys in DNS and digitally signs emails on a per-domain basis. It was created by merging Yahoo's DomainKeys and Cisco's Identified Internet Mail specifications. It is defined in RFC 4871 (since superseded by RFC 6376).
We will be using the milter implementation of DKIM, http://dkim-milter.sf.net, on CentOS 5.3.
This howto has been updated to allow for the following:
  • Multiple domains using different keys
  • Same domain using different selectors
  • Selective signing of email
Older versions are provided below for reference.

Installation:

# wget http://www.topdog-software.com/oss/roundcube/andrew_topdog-software.com_...
# rpm --import andrew_topdog-software.com_key.txt
# rpm -Uvh http://www.topdog-software.com/oss/dkim-milter/dkim-milter-2.8.2-2.$(uname -i).rpm

Generate the keys

# dkim-genkey -d <domain_name> -s <selector> -t
Replace <domain_name> with the domain name you will be signing mail for, and <selector> with a selector name; it can be anything, as long as it is a single word. The -t flag marks the published key as being in testing mode (t=y in the DNS record), which tells verifiers the domain is still testing DKIM; drop it once signing is verified. The command creates two files:
  • <selector>.txt - contains the public key you publish via DNS
  • <selector>.private - the private key you use for signing your email
Create a sub directory in /etc/mail/dkim/keys to store your key; I prefer to use the domain name <domain_name> as the sub directory name.
# mv <selector>.private /etc/mail/dkim/keys/<domain_name.com>/<selector>.pem
# chmod 600 /etc/mail/dkim/keys/<domain_name.com>/<selector>.pem
# chown dkim-milt.dkim-milt /etc/mail/dkim/keys/<domain_name.com>/<selector>.pem
  • Add the following to /etc/mail/dkim/keylist (check whether the file name in the keylist should be given without the .pem extension):
*@domain_name.com:domain_name.com:/etc/mail/dkim/keys/domain_name.com/<selector>

DNS entry

In the GoDaddy interface, add a TXT entry for the public key. See the DNS entry for the pbxforbiz.com domain for an example. Create a new TXT entry with Name: <selector>._domainkey and value: g=*; k=rsa; t=y; p=MIGfMA0G...... Please note that for the GoDaddy DNS control panel you omit the v=DKIM1; part of the public key from the generated public key text file. For afraid.org, enter it including v=DKIM1.

Configuration

  • Edit the file /etc/mail/dkim/keylist and add your domain using the following format
*@<domain_name>:<domain_name>:/etc/mail/dkim/keys/<domain_name>/<selector>
#sign only for andrew
andrew@<domain_name>:<domain_name>:/etc/mail/dkim/keys/<domain_name>/<selector>
  • Add your server's IP addresses to /etc/mail/dkim/trusted-hosts
  • More advanced configuration options can be set in the file /etc/dkim-filter.conf (Refer to the file and the man pages for details)

Configure postfix

You need to add the following options to the postfix main.cf file to enable it to use the milter.
smtpd_milters = inet:localhost:20209
non_smtpd_milters = inet:localhost:20209
Append the dkim-milter options to the existing milters if you have other milters already configured.
Start dkim-milter and restart postfix
# service dkim-milter start
# service postfix restart
# chkconfig dkim-milter on

Testing

Send an email to Gmail and Yahoo accounts and check the message headers to make sure they show the message as signed by your domain with a DKIM pass.

Adding a SPF entry in DNS

In order to get an SPF pass when sending to Yahoo and Gmail, add a new SPF entry in the GoDaddy DNS control panel.
